A few questions about cracking
#1
Hi -

I have some questions regarding cracking in general:

1. Does it make more sense to use several smaller dictionary files, or one or two large ones? Why? For example, using a single, gigantic dictionary list means that you would probably spend a lot of time in each letter. Is a linear approach (going from start to finish) statistically better or worse than it being randomized?

2. In other words, do dictionary lists go from start to finish, in the same order, each and every time, or can the words that are read from the dictionary file be randomized? What makes the most sense?

3. The way I understand WPA cracking is that one starts with Reaver. If unsuccessful, one should try a dictionary attack. And as a matter of last resort, a brute force attack. Is this correct?

4. Regarding dictionary attacks, there seem to be so many options available. Hashcat, Pyrit, coWPAtty, rainbow tables, dictionary files, etc.

I have spent several hours trying to figure out what is (currently) the best option, and it's still not clear to me. In terms of a dictionary attack, Hashcat using regular dictionary files seems to be my best bet. Seeing as how Hashcat is GPU-accelerated and I have a GTX-690 (only one), this option seems to make sense for me. Am I wrong?

5. Which version of Hashcat should I get?

6. Finally, my understanding of the process of Hashcat is to obtain a handshake by de-authenticating a client (I can inject), taking that file and converting it here using the online tool (why is that hosted online and not a part of Hashcat itself? - just curious), and finally, to run Hashcat with my selected dictionary files.

I thank anyone who takes the time to read and respond to this, I know it's a lot. Also, I apologize for my (likely) poorly-worded questions. I know so little that I probably don't know how to say what I'm trying to ask. There is still a lot of ambiguity surrounding these topics for me, and I'm trying to educate myself. If anyone can provide some answers, it would be greatly appreciated.
#2
1. Depends on what you are cracking. Human-generated passwords are predictable, and using a smaller set of "common" passwords will give spectacular results when working with human-generated hashes. If you are cracking _just_ one type of hash, then knowing what is likely to be there is best. On the other hand, randomly generated hashes might be best attacked with brute force, if they are not too long.

2. Dictionary files are read from the disk in order, but might not be checked exactly in order, depending (again) on the hash type being cracked. Sorting by length of password might be faster in certain cases.

3. Yes.

4. Probably, unless the password you are cracking is over 16 characters long. In that case, you will need to use the CPU version "hashcat".

5. Both oclHashcat and hashcat have uses. Get them both; use them both.

6. hashcat cracks many different hash formats. WPA is just one of them, and the methods for extracting the hash depend on how you are capturing it. By using a common format, hashcat is a more general-purpose tool. You must fit your input into its format.
#3
(06-01-2013, 12:17 PM)lukeman3000 Wrote: Hi -

Hello -

(06-01-2013, 12:17 PM)lukeman3000 Wrote: I have some questions regarding cracking in general:

I have some answers regarding cracking in general, but your questions all seem to be about WPA, so I'll give you answers regarding WPA cracking instead.

(06-01-2013, 12:17 PM)lukeman3000 Wrote: 1. Does it make more sense to use several smaller dictionary files, or one or two large ones? Why? For example, using a single, gigantic dictionary list means that you would probably spend a lot of time in each letter. Is a linear approach (going from start to finish) statistically better or worse than it being randomized?

Gigantic dictionaries never make sense. Using several smaller, probabilistically-ordered wordlists is always the way to go. Randomized never makes sense; you want to try the most likely candidates first and taper off.

(06-01-2013, 12:17 PM)lukeman3000 Wrote: 2. In other words, do dictionary lists go from start to finish, in the same order, each and every time, or can the words that are read from the dictionary file be randomized? What makes the most sense?

The dictionaries go from start to finish in (roughly) the same order every time.

(06-01-2013, 12:17 PM)lukeman3000 Wrote: 3. The way I understand WPA cracking is that one starts with Reaver. If unsuccessful, one should try a dictionary attack. And as a matter of last resort, a brute force attack. Is this correct?

Pretty much, except brute forcing WPA does not make any sense unless the key is all digits. And even then you better have an idea of what the key is.

(06-01-2013, 12:17 PM)lukeman3000 Wrote: 4. Regarding dictionary attacks, there seem to be so many options available. Hashcat, Pyrit, coWPAtty, rainbow tables, dictionary files, etc..

Just use hashcat.

(06-01-2013, 12:17 PM)lukeman3000 Wrote: I have spent several hours trying to figure out what is (currently) the best option, and it's still not clear to me. In terms of a dictionary attack, Hashcat using regular dictionary files seems to be my best bet. Seeing as how Hashcat is GPU-accelerated and I have a GTX-690 (only one), this option seems to make sense for me. Am I wrong?

No, you are not wrong.

(06-01-2013, 12:17 PM)lukeman3000 Wrote: 5. Which version of Hashcat should I get?

All of them.

(06-01-2013, 12:17 PM)lukeman3000 Wrote: 6. Finally, my understanding of the process of Hashcat is to obtain a handshake by de-authenticating a client (I can inject), taking that file and converting it here using the online tool (why is that hosted online and not a part of Hashcat itself? - just curious), and finally, to run Hashcat with my selected dictionary files.

You don't have to use the online tool; you can download cap2hccap. The download link is provided on the page where you upload your cap. Otherwise, this is correct.
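An added illustration (not part of this thread) of the point made above about likelihood-ordered versus randomized lists: with a constructed Zipf-like distribution standing in for how people pick passwords, the expected number of candidates tried before a hit is far smaller when the list is ordered by probability than for a shuffled one. The distribution, word names and list size are assumptions for the simulation; the practical lesson for a defender is that a passphrase drawn from such a skewed pool is exposed early no matter how large the overall list is.

```python
import random
from typing import Dict, List, Sequence


def zipf_probabilities(n_words: int, exponent: float = 1.0) -> Dict[str, float]:
    """Constructed distribution: rank r is chosen with probability proportional
    to 1 / r**exponent, a rough stand-in for skewed human password choice."""
    weights = [1.0 / rank ** exponent for rank in range(1, n_words + 1)]
    total = sum(weights)
    return {f"pw{rank:05d}": w / total for rank, w in enumerate(weights, start=1)}


def expected_guesses(order: Sequence[str], probs: Dict[str, float]) -> float:
    """Expected number of candidates tried until the true password is reached,
    assuming it is drawn from `probs` and the list is tried in `order`."""
    return sum(position * probs[word] for position, word in enumerate(order, start=1))


def probabilistic_order(probs: Dict[str, float]) -> List[str]:
    """Most likely candidates first, tapering off (the ordering recommended above)."""
    return sorted(probs, key=probs.get, reverse=True)


def random_order(probs: Dict[str, float], seed: int) -> List[str]:
    """A shuffled list: every position is equally likely for every word."""
    words = list(probs)
    random.Random(seed).shuffle(words)
    return words


def compare_orderings(n_words: int = 10_000, seed: int = 1) -> Dict[str, float]:
    """Expected guesses for both orderings over the same constructed distribution."""
    probs = zipf_probabilities(n_words)
    return {
        "probabilistic": expected_guesses(probabilistic_order(probs), probs),
        "random": expected_guesses(random_order(probs, seed), probs),
        # analytic expectation for a uniformly random permutation: (n + 1) / 2
        "random_analytic": (n_words + 1) / 2,
    }


if __name__ == "__main__":
    for name, value in compare_orderings().items():
        print(f"{name:>16}: {value:10.1f} expected guesses")
```

With 10,000 words and exponent 1 the probabilistic ordering needs roughly n / H_n, about a thousand guesses on average, against about five thousand for a shuffled list.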
#4
Thanks for the replies. With a little work, I got hashcat up and running and it's going great with my GTX 690.

Any recommendations or suggestions for settings (such as GPU-Accel)? I have no idea what the settings mean and I'm in the process of educating myself. I'm just using defaults right now.

Also, if anyone has links to word lists, please share!
#5
It's mostly a personal setting. Set it as high as you want. The higher the faster the cracking but the slower the desktop.