Any Other ways of cracking Wpa2
#1
Question 
I'm a complete newbie in here, so bear with me please.
So I'm trying to crack this cap file (I don't know if it is allowed to share files in here). So far I didn't have any luck with the wordlist attack, but if the wifi I'm trying to crack has the default password, which is 16 digits of A-Z and 0-9, it will take an eternity. So is there any other way? I've seen a post here about default routers but I didn't understand anything.

So is there any other way around?
#2
Welcome to the forum! Do you know the brand name and model of the router?

The other way around it is to find the keygen algorithm for it. This can be possible for certain brands that kindly include the keygen in their firmware. It's still a matter of reverse engineering the algo, but that's definitely possible.
#3
If it's an old router with WPS enabled and no security checked, then you can run pixiedust on it and crack it within 2 hours locally, typically. Pixiedust also has a keygen for WPS keys and can sometimes generate the proper 8-digit code within seconds.

Otherwise, you need to do as drsnooker said and find a keygen for something of that length, or start brute forcing.
#4
The cap file looks like a "wpaclean"ed dump file.

Sometimes (if a CLIENT is weak) you can get good information from it.
Try this example from here and you will know what I mean:
https://github.com/evilsocket/pwnagotchi...-598597214

For best results, avoid tools that strip or modify capture files.
As of today there is absolutely no need to clean or to merge dump files.
Every state-of-the-art conversion tool is able to get the information from raw (uncleaned) dump files, e.g. OS independent:
https://github.com/s77rt/multicapconverter
https://hashcat.net/cap2hashcat/
#5
(07-30-2024, 01:16 AM)drsnooker Wrote: Welcome to the forum! Do you know the brand name and model of the router?

The other way around it is to find the keygen algorithm for it. This can be possible for certain brands that kindly include the keygen in their firmware. It's still a matter of reverse engineering the algo, but that's definitely possible.

Thanks! I think it's a ZTE F680, but I have no idea how to find this keygen.
#6
(07-30-2024, 07:42 AM)ZerBea Wrote: The cap file looks like a "wpaclean"ed dump file.

Sometimes (if a CLIENT is weak) you can get good information from it.
Try this example from here and you will know what I mean:
https://github.com/evilsocket/pwnagotchi...-598597214

For best results, avoid tools that strip or modify capture files.
As of today there is absolutely no need to clean or to merge dump files.
Every state-of-the-art conversion tool is able to get the information from raw (uncleaned) dump files, e.g. OS independent:
https://github.com/s77rt/multicapconverter
https://hashcat.net/cap2hashcat/

I had to clean it. The original cap file was 30 MB, and the hashcat converter limits conversions to 20 MB max. The hcxtools didn't want to be installed on my Kali Linux for some reason, so I couldn't use it, so I used Wireshark to clean it.
#7
That explains the cleaned dump file. Thanks.
"...and the hcxtools didn't want to be installed..."
That is interesting, because hcxtools are part of k_a_l_i Linux:
https://www.k_a_l_i.org/tools/hcxtools/
Please remove the 3 "_" from the link. I've inserted them to prevent the robot from changing k_a_l_i to The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali).
#8
(07-30-2024, 05:27 PM)ZerBea Wrote: That explains the cleaned dump file. Thanks.
"...and the hcxtools didn't want to be installed..."
That is interesting, because hcxtools are part of k_a_l_i Linux:
https://www.k_a_l_i.org/tools/hcxtools/
Please remove the 3 "_" from the link. I've inserted them to prevent the robot from changing k_a_l_i to The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali).

Oh, I didn't know that, but I already converted the cap file; now cracking it is the main problem.
#9
The uncleaned file sometimes contains the brand name and model (and even serial numbers), hence it can be important.
A 16-char password is not reasonable to brute force within a lifetime.

I looked on the MarocTelekom website and found:
https://www.iam.ma/particulier/catalogue...ments-adsl

A few of those models could have included a keygen in their firmware. But if you think it's ZTE, you are out of luck. They have never included a keygen (and I've looked at about 100 of them).
You might want to examine the uncleaned file to confirm the brand name.
#10
@Brian
"...but I already converted the cap file; now cracking it is the main problem."

A successful attack should always start "on the air":
request all information from the AP,
request all information from all the CLIENTs connected to the AP,
make sure you use tools (e.g. angryoxide https://github.com/Ragnt/AngryOxide) which are able to request all this information (injecting hundreds of stupid DEAUTHENTICATIONs to get a 4-way handshake is far away from that).

If the cap has been recorded and it has been converted to a hc22000 file, it's too late to get this information. It is gone forever.
Now you have to run a mask attack if the PSK uses a small pattern,
you have to use a keygen if the algo is known, or
you have to brute force it (not feasible on 16 characters of a-zA-Z0-9).

As @drsnooker wrote: analyze the uncleaned traffic to get more information.
As I wrote: make sure the dump file contains all the information you can get.