Bruteforce on 10 characters length WPA2 password
I'm trying to hack my own WPA2 network for learning purposes.
I have the *.cap file generated by the aircrack-ng tools after a WPA handshake.
I've tested by including my own password and a bunch of incorrect passwords in a wordlist, and aircrack-ng cracks it successfully. My password is 10 characters long, only uppercase letters and numbers, so I tried generating a wordlist with crunch (10 characters long, uppercase and numbers only):
$ crunch 10 10 -f charset.lst ualpha-numeric -o wordlist.txt
But crunch's size estimate was stunning:
Crunch will now generate the following amount of data: 40217742840692736 bytes
38354628411 MB
37455691 GB
36577 TB
35 PB
Crunch will now generate the following number of lines: 3656158440062976
The wordlist is incredibly big. And I generated the wordlist with clues about the length and the characters involved; if I didn't know that, it'd be even bigger.
I guess I now believe that bruteforce attacks on non-trivial passwords are impossible, at least with pre-generated wordlists.
Is there a way to let aircrack-ng incrementally crack the password with a given length and charset?
What other sane options do I have to attack my password?
I'd look at OCLHashcat, as it lets you brute force with specific character sets and doesn't need to generate the list beforehand.
I'm not sure what you mean by "incrementally" however, if you mean stopping and starting OHC will let you do that.
In terms of cracking WPA2, you've got 3 options.
- Dictionary attacks
- Reaver attack against WPS (most successful option in majority of cases)
- Taking a wrench to the person and beating their password out of them
Ok, perhaps two options if you're not really wanting that password.
Brute force, unless you know a lot about the password and it's incredibly stupid (i.e. you know for certain it's an 8 character set of numbers) is going to be a non-starter.
Don't forget, strictly speaking there "shouldn't" be a way to break the password, so if none of these options seem viable, it just means you've got decent security. There may not be an answer as to how you can do it.
john --stdout --incremental:all | aircrack-ng -e ESSID -w - /home/user/input_wpa.cap
Edit the john conf file to change from 8 to 10
I'm currently developing similar technologies. Aircrack-ng really is brilliant although it does have some limitations.
I have also attempted a brute force on my own wifi using crunch to generate passwords, and my findings are as such:
- You can pipe crunch directly into Aircrack-ng to eliminate the need to create a .txt file and use it simultaneously, saving you processing power to perform calculations. The syntax for this method in bash is as such:
./crunch <max> <min>(stick to 8 for now)
<options>(abcd1234..) can give partial [email protected]@@
| aircrack-ng -b [bssid] -w - [.cap file]
Here you can see the standard format for piping into aircrack-ng and some simple options.
Here is a working copy you can paste into terminal (below), I'll talk you through it a little.
From left to right:
- The name of the command crunch, if this doesn't work straight away force execution by starting with
- 8 8 is the max and min chars you're going to need, as I'm sure you already know.
- Then a pipe symbol. This feeds the output directly into the file that aircrack-ng is going to use as a dictionary.
- Fill in BSSIDs as you already know how to do in this format once your handshake has been established.
crunch 8 8 1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ -t [email protected]@@ | aircrack-ng -b 78:54:2E:28:E7:86 -w - thehak-01.cap
THE PROBLEM WITH THIS METHOD:
Using a permutation equation and an expected 1000 combinations per second (this is what my actual output is), I have calculated that testing each of the generated combinations will take 77.8 years.
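The question's crunch estimate and this answer's "years to exhaust" figure are both plain keyspace arithmetic, which is the number a defender actually cares about when choosing a passphrase policy. The following is an added example, not code from the question or any of the answers: it reproduces crunch's byte and line counts for the 36-symbol, 10-character case (including crunch's floor-divided MB/GB/TB/PB figures), and computes how long an exhaustive search takes at a given guess rate. The guess rate of 1000 candidates per second is taken from the answer above; everything else is the general formula, so you can plug in any charset size, length or rate.

```python
# Added example (not from the original thread): keyspace and cracking-time
# arithmetic behind the crunch output and the "77.8 years" estimate above.
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, close enough for estimates


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates of exactly `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length


def wordlist_bytes(charset_size: int, length: int) -> int:
    """Bytes a plain wordlist occupies: one candidate per line plus a newline byte,
    which is exactly how crunch arrives at its 'amount of data' line."""
    return keyspace(charset_size, length) * (length + 1)


def crunch_style_sizes(nbytes: int) -> dict:
    """Reproduce crunch's MB/GB/TB/PB lines, which floor-divide by 1024 at each step."""
    sizes = {}
    value = nbytes // 1024  # KB (crunch does not print this one)
    for unit in ("MB", "GB", "TB", "PB"):
        value //= 1024
        sizes[unit] = value
    return sizes


def years_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Wall-clock years to try every candidate at a fixed guess rate."""
    return candidates / rate_per_second / SECONDS_PER_YEAR


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password over this charset and length."""
    return length * math.log2(charset_size)


def summarize(charset_size: int, length: int, rate_per_second: float) -> dict:
    """Bundle the numbers a policy discussion needs: keyspace, wordlist size,
    entropy, exhaustive time and the expected (half-keyspace) time."""
    n = keyspace(charset_size, length)
    full = years_to_exhaust(n, rate_per_second)
    return {
        "keyspace": n,
        "wordlist_bytes": wordlist_bytes(charset_size, length),
        "entropy_bits": entropy_bits(charset_size, length),
        "years_exhaustive": full,
        "years_expected": full / 2,  # on average the hit lands halfway through
    }


if __name__ == "__main__":
    # Charset from the question: A-Z plus 0-9 = 36 symbols; rate from the answer above.
    for length in (8, 10):
        s = summarize(36, length, 1000)
        print(f"length {length}: {s['keyspace']:,} candidates, "
              f"{s['entropy_bits']:.1f} bits, "
              f"{s['years_exhaustive']:,.0f} years exhaustive at 1000/s")
    print(crunch_style_sizes(wordlist_bytes(36, 10)))
```

The wordlist-on-disk figure is what makes pre-generation pointless, while the entropy and time figures are what matter for a policy: doubling the charset or adding two characters moves the exhaustive time by orders of magnitude, whereas a faster cracking rig only moves it linearly.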
You could try using John the Ripper to generate the passwords and then pipe them to Aircrack-ng. John has a mode called INCREMENTAL where you can define what type of passwords it generates, and you don't have to store them in a file as you are piping them to aircrack, and it has resume capabilities.
This thread is from a year or two ago but I would recommend using reaver.
reaver -i (your interface/wlan0mon) -b (BSSID/MAC address) -vv
Might take a few hours (4 - 12 possibly), but getting the password with a wordlist is extremely lucky with WPA2.
If you get rate limiting error try
reaver -i (wlan0mon) -b (Mac address) -d 30 -vv --dh-small
If you still get the Rate Limiting error don't bother, move on. Although, never give up.