[Question] Can We Hack WPA or WPA2 Without Using a Dictionary?

Discussion in 'Xiaopan Support' started by Lutfil Irfan, 16 May 2013.

  1. Lutfil Irfan (Active Member)
    Can we hack WPA or WPA2 without using a dictionary?
    If we can, can you give me some tips on how to do it?
  2. ecrudragon (Legendary ^_^)
    Lutfil Irfan, don't make requesting threads; use search before asking anything.
  3. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    Seriously, the ONLY way to do WPA and WPA2 is with a list or crunch, PERIOD, unless you somehow do a man in the middle... and since you don't know about WPA I will assume no... Personally I would use crunch; see my postings on crunch, it's not a hard thing to use. Pipe it through pyrit and you can be done super fast.
  4. ecrudragon (Legendary ^_^)
    vampiricbunny1800, dude,
    How does this CRUNCH thing work?
    1) I capture the file via any procedure, it doesn't matter :wtf:
    2) crunch 8 8 0123456789abcdefghijklmnopqrstuvwxyz
    Example: My password is ecru565699; how will crunch find a password like that? Some English and some numerals :eek:
    P.S. How do I use it with a .cap file, and what the hell is pyrit?

    .:| Bunny Guide will be so helpful |:.
  5. Lutfil Irfan (Active Member)
    Thank you for the reply, it helped me. BTW :) @vampiric :)
  6. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    That's because you have to pipe it through another thing like coWPAtty, aircrack or whatever; by itself it's a random dictionary generator, so if you want a dictionary that's 1000000000000000000000000 terabytes, crunch can do it and take up 0 space..

    As for the how-to with pyrit:

    /pentest/passwords/crunch/./crunch 8 8 ecru0123456789 -u | pyrit -i- -r <cap file> -e <ESSID> attack_passthrough
    It will now try every possible combination of those letters and numbers, and if you type what I just said you will be done in about 2 min, because that password is easy. If you want more or longer, type 8 15 or whatever. As for the letters and numbers in the string, the ecru0123456789, what you need to do here is have up to 15; if your word and/or passphrase requires more, you need the little "how to" instruction that looks like this:
    /pentest/passwords/crunch/./crunch 8 15 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space -u | pyrit -i- -r <cap file> -e <ESSID> attack_passthrough

    That will do every letter and number and space from 8 to 15 until you hit your password, NO MATTER WHAT. For special cases you need special; however, this is going to get you in. The fact is the time issue..

    In other words, my computer, an Alienware MX18 with 16 gigs of RAM, a 256 gig SSD, quad core, 1.5 GHz video card, does about 5000 PMK (without video card drivers); if I could get that working I could pull about 256,000 PMK to about 500,000 PMK. You take that and figure there are:

    Consider a password that is 6 letters long, made out of 26 letters of the alphabet. Repetition is allowed. How many possible passwords are there?
    Number of possible passwords = n^r = 26^6 = 308,915,776

    And that is just for six, so you can see the issue of time. The good side is you will hit the password.

    Part 2: most people are not really smart. Firstly, where I live 12 out of 14 don't even use WPA, just WEP (yummy). Secondly, even the ones that do, half the time make the huge security mistake of just using their birthday, credit card number, phone number or a mix of birthdays, so just numbers, and sometimes numbers with / marks. That is the first thing you will wish to try.

    Then do a combo of 0123456789 and ABCDEF (or hex). A remarkable % of people take a really good password such as "Dr@g0nBal1z" and turn it into :censored: such as "44 72 40 67 30 6e 42 61 6c 31 7a" with no spaces. You can see the obvious security flaw there, but they figure the word is too easy to remember, so too easy to guess, a common misconception; however the string of crap is way longer and thus NOOOBODY is gonna guess that... *buzz* wrong, that is 100 times faster. Keep that stuff in mind when doing your pen testing.
    --- Double Post Merged, 19 May 2013, Original Post Date: 19 May 2013 ---
    Please note, and be smart enough not to actually type <essid> or <fred>; the < > is just to mark where it goes, for easy access.
  7. ecrudragon (Legendary ^_^)
    vampiricbunny1800, man, you're the shining star of the forum, which always shines :p
    I am really down with this crunch thing, believe me.
    *If the password is 10 characters long, do I need to use CRUNCH 10 10? (Because most of the people here in UAE, myself included, are using 10-digit passwords.)
    *Are handshakes gained from the wepwap v1.5 script workable with crunch?
    *I saw Kali Linux has crunch already installed on it, plus Pyrit.

    I'm gonna try it now on my network for sure :dummy:
  8. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    Yes, it's 10 10 for 10 words.

    Yes, the handshake is the same, because you take the handshake from the standard aireplay, so it's a normal handshake / cap file you would use with any dictionary; however you are doing it with a digital dictionary that writes itself. Get it?

    Yes, Kali Linux has them already in it, and it's on my tech disk, thrown in with all that other wondrous crap.

    That simple. Have fun. Remember, if you wanna speed it up, put the letters you KNOW are in there till you work out the bugs: for example, for the password test1234 do 8 8 tes1234566789 and it will spell test1234 shortly. Test it out to see; that's how I did it.

    I am really not that good, bro; I spend 90% of my time feeling retarded, I just happen to know the answer.
  9. ecrudragon (Legendary ^_^)
    Now I understand why your signature is something very different, "Help me I have no clue what I am talking about XD"; you typed this because you mostly know everything but you're just messing with people :p

    Thanks for your kind guideline, vampiricbunny1800 bro.
    At the moment I am trying it, and when I succeed I will get back to you with a nice result :)
    Anyway, if I am using CRUNCH 10 10 0123456789abcdefghijklm-xyz, how long will it take?
    *Mostly ppl of UAE are using 10-digit numerical passwords, I am damn damn damn sure, mostly their cell phone numbers :D
  10. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    Ehhhhhhhhhhhhhh, what is your PMK? crunch is 1000 times faster than a dic attack: with that you get like 255 PMK, with crunch you get 5000+ easy...

    However that is billions of possibilities o_O so I dunno, 5-10 years? To make it a bit more clear, from:

    36^6 = 2,176,782,336 possible combinations
    0.0000224 seconds to crack (given by grc)
    2,176,782,336 / 0.0000224 ~= 97,200,000,000,000
    So, somebody is going to devote a supercomputer capable of trying 97.2 trillion passwords per second to cracking a password for some services
    For an idea of how big a machine you'd need to try 97.2 trillion passwords per second, Tom's had two high-end GPUs in SLI doing 1.5 billion per second, which means even with GPU acceleration you'd need roughly 65,000 machines...
    Or find a WPS-enabled wifi =) I suggest just numbers from 8-15, that's common, or numbers and / or \ or both.

    Thanks for the compliment, but honestly I really have no idea what I'm doing most of the time.
    --- Double Post Merged, 19 May 2013, Original Post Date: 19 May 2013 ---
    Note: if you use a password cracking service they use hashes, so you could get billions of passwords a second; I'm sure they use 6-15 top of the line video cards with huge cores JUST for cracking. You can make your own rainbow tables (aka hashing); however I did this with 1 ESSID and a small dic file (12 gigs), it took 5 weeks, and you need to REDO this for each ESSID....

    And if you wanna ask how to use rainbow tables somebody else has made, I honestly don't know; I'm trying to get that down now, I can't get it to work,
    not even for NTLM (aka Windows passwords, which are super easy to crack).

    I'd also like to point out that the last thing you want to do is run this on VMware. Again, that's why I told you to get my tech disk, that is a USB, or make your own. The fact is you cannot seem to use VMware with a video card, and you NEEED that video card. If you want to use Windows and not VMware, try hashcat.
    I get an easy 20-60k PMK with hashcat and I don't even know how to use it correctly. I prefer pyrit; I am just having trouble with drivers for BackTrack.
  11. ecrudragon (Legendary ^_^)
    vampiricbunny1800 bro, you're awesome DUDE, this is the first time in my life that I have been successful doing CRUNCH :D
    I just changed the command a little:
    crunch 10 10 0123456789abcdefghijklmnopqrstuvwxyz -u | pyrit -i- -r bunny.cap -b AA:BB:CC:8D:EE:FF attack_passthrough
    When I was trying with the -e <ESSID> option it wasn't working at all, so I changed it to -b <BSSID> and it's working like a charm now. I don't know how long it will take, but today I use crunch because of BUNNY BRO. I am happy :D

    Have a look, is it working now ;)
  12. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    OK, ESSID or BSSID, both are OK; it depends on how you do the cap, I guess. That's new to me, I have never had that issue....

    At 1446 PMK, a LONG ASS TIME. Remember I get 5000 PMKs and even I would not do this; I would want 400,000 PMK a sec +, but still it's a lot faster than the lame ass 200 PMK, or for you prolly 120 PMK, of a dic file. Now if you do this via your video card you will triple your PMK because of the GPU calculations.

    Just a suggestion, because that looks like VMware (can only use processes).
    --- Double Post Merged, 19 May 2013, Original Post Date: 19 May 2013 ---
    FYI 92378 per letter (give or take) x 10, so 9.2378e+14
    769816666667 years. I think I might have done that math wrong, so if I did I'm sorry; somebody feel free to correct me. That's with 1200 PMKs.
    --- Double Post Merged, 19 May 2013 ---
    If you care you can use aircrack or coWPAtty; this is what I have >>

    Piping crunch to Aircrack (2nd fastest) (this is about 2300ish PMK):

    /pentest/passwords/crunch/./crunch 8 8 0123456789 -u | aircrack-ng <cap file> -e <ESSID> -w-

    Piping crunch to Pyrit (fastest) (this is about 5000 PMK with no GPU):

    /pentest/passwords/crunch/./crunch 8 8 0123456789 -u | pyrit -i- -r <cap file> -e <ESSID> attack_passthrough

    Piping crunch to coWPAtty (extremely slow, 3000+ words a second; slower for me, this is only about 1400 PMKs):

    /pentest/passwords/crunch/./crunch 8 8 0123456789 -u | /usr/local/bin/cowpatty -2 -f- -r <cap file> -s <ESSID> -v

    You need to test on a password you know and that is short, for less time, such as tes123456789 for test1234.

    If I type abcdefgtest123456789 it will take 100 times as long; it will start with aaaaaaaa then aaaaaaab and so forth, so I start with tes123456789.

    That way I start with tesaaaaa to tesaaaab, so I get my answer faster. Speed test: do that so you know. For a password you have no idea on, you are looking at months easy, and that's at 5000 PMK; with a little 1300 PMK that's like years.
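    The keyspace and time figures argued over in posts 6, 10 and 12, and the per-ESSID rainbow-table remark in post 10, worked through in Python. This is an added example, not code from the thread or from any of the tools it names: the charset sizes, lengths and PMK/s rates come from the posts, the PBKDF2-HMAC-SHA1 derivation with 4096 rounds and the SSID as salt is the IEEE 802.11 WPA/WPA2-PSK definition, and YEAR_SECONDS is a constructed constant. It shows why a 10-digit numeric passphrase is a weak choice for a network owner and why a precomputed PMK table for one network is useless against another.

```python
import hashlib

# Constructed constants: a Julian year in seconds and the PMK/s rates quoted in the thread.
YEAR_SECONDS = 365.25 * 24 * 3600
THREAD_RATES = {"dictionary (~120 PMK/s)": 120,
                "CPU pyrit (~5000 PMK/s)": 5000,
                "GPU rig (~400,000 PMK/s)": 400_000}


def keyspace(charset_size: int, length: int) -> int:
    """Number of fixed-length candidates drawn from a charset of charset_size symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, pmk_per_second: float) -> float:
    """Worst-case wall time to try every candidate at the given PMK/s rate."""
    return keyspace(charset_size, length) / pmk_per_second


def years_to_exhaust(charset_size: int, length: int, pmk_per_second: float) -> float:
    return seconds_to_exhaust(charset_size, length, pmk_per_second) / YEAR_SECONDS


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK PMK per IEEE 802.11: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The 4096 rounds are why every candidate costs one full 'PMK' of work, and the SSID salt is why
    a precomputed PMK table (airolib-ng, 'rainbow tables') is only valid for a single ESSID.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def report(scenarios) -> list:
    """For each (label, charset_size, length) return (label, keyspace, years at the CPU pyrit rate)."""
    rate = THREAD_RATES["CPU pyrit (~5000 PMK/s)"]
    return [(label, keyspace(size, length), years_to_exhaust(size, length, rate))
            for label, size, length in scenarios]


if __name__ == "__main__":
    # Charsets and lengths discussed in the thread: 10-digit phone-number style, 6 letters, 6/10 alnum.
    scenarios = [("10 digits", 10, 10), ("6 lowercase", 26, 6),
                 ("6 lowercase+digits", 36, 6), ("10 lowercase+digits", 36, 10)]
    for label, size, years in report(scenarios):
        print(f"{label:22s} keyspace={size:>20,d}  ~{years:14.4f} years at 5000 PMK/s")
    # Same passphrase, different SSID: the PMK is per-network, so tables cannot be shared.
    print(derive_pmk("password", "IEEE").hex())       # IEEE 802.11 published test vector
    print(derive_pmk("password", "OtherSSID").hex())  # differs only because the salt differs
```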
  13. ecrudragon (Legendary ^_^)
    Via video card how? No, it's not VMware; Kali Linux is installed on my HDD + Windows 8 via GRUB :)
    769816666667 years :eek:
    --- Double Post Merged, 19 May 2013 ---
    I know the password, it's madina5642712, because it's my own network. As I told you, most of the people here are using numerical passwords, so I can use crunch for numerical only, but crunch needs a long long long time, my dear :)
  14. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    Determine the peak performance of the available hardware by computing dummy results. For example:
    pyrit benchmark (see if your video card shows up), and also
    pyrit list_cores
    If you can't make it past 100,000 PMK, stick to easy attacks like 0-9 from 8 to 15 chars, or hex, as I said before. If you want to crack you need to spend major $$$$$$$ on a PC; there is really NO way around this. If you don't like that, try >
    For the record I have not used any of these, so you're on your own there.
    --- Double Post Merged, 20 May 2013, Original Post Date: 20 May 2013 ---
    Please notice they use the same crappy 13 gig dic file most things use.... I used a 56 gig dic that had 10x the words they have, and numbers, and STILL have more luck with pyrit.

    So follow the steps I gave you.
    --- Double Post Merged, 20 May 2013 ---
    I can teach you how to make a better dic file if you wanna do it that way; however you will need at least 200 gigs of space (FYI).
  15. ecrudragon (Legendary ^_^)
    That would be nice of you, bro, if you help me make a better dic file; I have 700 gigs of free space on my computer, as I have a 1TB HDD :D
    *I need a 0123456789 & abcdefghijklmnopqrstuvwxyz dic file (but for the combined passwords I don't know what to do, e.g. ecru565672).
    *I uploaded my .cap file at the free WPA cracking website you mentioned above; let's see what the result is :)
  16. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    I don't see the cap file, but I don't have to crack it unless you know the pass; that way I can crunch it in like seconds. However I will see if I can find the how-to to make a better dic file and save space.
    --- Double Post Merged, 20 May 2013, Original Post Date: 20 May 2013 ---
    airolib-ng wpa_db --import passwd [Passlst]

    airolib-ng wpa_db --import essid [File]   # create the file with the ESSID inside first: echo [ESSID] > essid

    airolib-ng wpa_db --stats
    airolib-ng wpa_db --clean all
    airolib-ng wpa_db --batch
    airolib-ng wpa_db --verify all
    Now get your password files and do this:
    cat [File 1] [file 2] [file 3] >> [all files]
    pw-inspector -i [all files] -o [all files]_2 -m 8 -M 63 && rm [all files]
    sort [all files]_2 | uniq > [all files]_clean

    Here is an example I use in BT5 for WPA:
    cat * > all_in_one_1
    cat all_in_one_1 | sort -b -f -i -T "$(pwd)/" | uniq > all_in_one_2 && rm all_in_one_1
    pw-inspector -i all_in_one_2 -o all_in_one -m 8 -M 63 && rm all_in_one_2

    You can thank Aby$m for that info. How you do it is you do the 8-63; that will ditch all bad passwords that don't matter and cuts lots of junk out of the file. Then merge them all into one big file, after you know they each have only 8-63 char words..

    Then do the uniq so it will take all duplicate words out..

    Now look up as many dic files as you can; I did about 200 and smooshed them. Start with the 13 gig and the 2 that come with BT5 (just a suggestion). I still like crunch, it's faster... though you may try piping it through pyrit, not airolib or aircrack; maybe it's faster, though prolly not much.
  17. ecrudragon (Legendary ^_^)
    Dear vampiricbunny1800,
    I will try it soon when I get home, but I am not sure whether I can do it or not; however I am gonna try it - THANKS.
    If I use CRUNCH 10 10 0123456789 it's 265GB; do you think it will be done 100% in 2 days?
    Also thanks to Aby$m bro :)
  18. Aby$m (Well-Known Member, Dev Team VIP)
    I appreciate the gratitude :)

    I have given my guidance to vampiricbunny1800; it is nice to see that VB is giving guidance back to the community. Hopefully others can follow VB's example and share their knowledge with the community.
  19. vampiricbunny1800 (Well-Known Member, Dev Team VIP)
    I give full credit to Aby$m for what I do know, I won't lie.

    As for being done in 2 days? I'm not sure; if it runs non-stop, maybe.. I know I could do it, and if you had a better video card you could too. Basically it's like this..

    If you wanna crack a wifi you don't know the password on, be ready to spend major money on video cards; you need like 8 in the same PC so that the GPU can eat through any issues you may have. If not, move on to an easy target if you're pen testing.

    If you know the password (cheat a little so it don't take so dang long), just for the practice of it all, you can try it 100 times in 2 days, or 1000, or 1; what gets you better? I have run thousands of simulations over months and months; that is what I came up with...

    cracking = $
  20. ecrudragon (Legendary ^_^)
    Dear vampiricbunny1800 & Mr. Aby$m,

    I am stuck with Miss Hashcat, I don't know how to use it :( As I learned from Mr. Google, Hashcat is giving you guesses, right? As per John the Ripper? Also my oclHashcat-plus isn't working and is showing these errors
    Ahhhhhhhhhhhhhh, hashcat and John the Ripper are totally out of my mind; please advise.
