Help to BruteForce WPA
#1
Good morning all,

Long-time lurker, first time posting. I've recently got a new Sky router from Sky simply to update my old one, after they gave me fibre FOC. The post is quite long, apologies for this, and I thank you in advance if you have had the patience to read and help.

I haven't changed any WPA/2 passwords as of yet as I have found this system to be quite secure so far. I have tried both bully and reaver attacks through virtual machines running BackTrack 5 R3 & The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux, as well as a fully native installation on a Dell Latitude D420, using the inbuilt wireless adapter, as well as an Alfa one I purchased a few months back.

I was able to crack my last sky router with Reaver but this one seems to be protected against the WPS attacks, so now I am trying to crack it using a brute force attack.

I was originally using a combination of 'crunch' and Aircrack-ng, which allowed the candidates to be generated whilst cracking, meaning a ridiculously sized file was not necessary to work from as a word list.

As I know my Sky router has the original passkey, I know this is uppercase alphabetical only and exactly eight characters long (neither longer nor shorter). Now, as I know this code will work from AAAAAAAA to ZZZZZZZZ, like this:

AAAAAAAA
AAAAAAAB
AAAAAAAC
--
ZZZZZZZX
ZZZZZZZY
ZZZZZZZZ

^ Start to finish, respectively; I used the following options with crunch & aircrack:

./crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ -t ,,,,,,,,|aircrack-ng -w- -b MACADDRESSHERE '/root/CAPFILEHERE.cap'

As well as running on a separate machine in the reverse order, by adding the '-i' flag.

Considering I'm running that on what I regard to be a fast computer (8-core FX-8350 clocked to 4.8 GHz, 16 GB RAM, SSD, Asus 990FX Sabertooth mobo), it still only manages an absolute max of around 10,000 keys/s.

I thought there must be a faster way, which is when I discovered hashcat. Now I don't have the exact command to hand, but I used -m 2500 and cracked uppercase alphabetical only. This is being done on two identical X3D HD7850 2GB cards, overclocked; I can achieve around 120,000 H/s, running under Windows 8.1.

What I am looking to do is run the same attack on the WPA .cap (with the handshake included), but so that no two adjacent characters are the same in each password tested.

i.e. instead of AAAAAAAA, make it stop duplicating the same letter next to each other:

ABABABAB
ABABABAC
ABABABAD
--
GHGHGHGH
GHGHGHGI
GHGHGHGL

I saw a similar post mentioning mp64 and some other information, but as far as my oclHashcat folder (v1.01) goes, I cannot see mp64 anywhere, or how to get it. I'm looking to do this as I've noticed on my last three routers (could be coincidence) that there has not been the same character next to each other in any passcode. This should cut down the number of keys to test, too. Currently, 8 characters with 26 possibilities puts 8 to the power of 26, working out to 208 billion or so possible keys, which with my setup appears will run for 26 days.

Is this a plausible way to cut down the hashing time, or does anyone have any other suggestions?

Could someone please help point me in the right direction? I hope I've explained this well enough! Any questions please feel free to ask, and apologies in advance if I've been unclear.

I look forward to the help!

Many thanks,

Sam
#2
The up-to-date version of maskprocessor can always be downloaded from: https://hashcat.net/wiki/doku.php?id=maskprocessor
You can use this as mp64.exe -q 2 ?u?u?u?u?u?u?u?u to:
1. create a dict (might use a lot of disk)
2. pipe it to oclHashcat (no disk usage at all, stdin mode)

Also, always do a benchmark before running a specific hash mode, e.g.
oclHashcat -m 2500 -b

and see how fast it is, then use the -u and -n values in your command line.

I know that the mask attack in oclHashcat currently has no -q option, but anyway, if you haven't read it yet, this wiki page http://hashcat.net/wiki/doku.php?id=mask_attack is very helpful for understanding the basics of masks (and for understanding better how to use masks with maskprocessor etc.).

Hope this helps
#3
I would prefer to pipe, in all honesty. Does that mean the same thing, using the physical pipe 'key' on the keyboard, '|'?

And am I right in assuming I'm able to pipe under Windows the same way as mentioned in the original post, like piping from crunch to aircrack?

Example from original post:

./crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ -t ,,,,,,,,|aircrack-ng -w- -b MACADDRESSHERE '/root/CAPFILEHERE.cap'

So how would I pipe it to Hashcat from mp64?:

mp64.exe -q 2 ?u?u?u?u?u?u?u?u | oclHashcat64.exe --hash-type 2500 wpa.hccap

Sorry to be a pain.

Many thanks,
#4
Hi,

I've just carried out my own question, piping from mp64 to hashcat, and it's listed my devices and given the text:

"Starting attack in stdin mode..."

But there's no interface like shown in normal hashcat, like I can't see [S]tatus [P]ause [B]ypass etc...

Is there something I can change to see what is actually happening?

Many thanks.

EDIT:

It seems to be quicker by a few thousand K/Hashes too. But it only showed me the speed etc. (like you'd normally see when you press S for status) when I keyed CTRL+C to cancel.
#5
mp64.exe -q 2 ?u?u?u?u?u?u?u?u | oclHashcat64.exe -m 2500 -u 4096 -n 32 --status --status-timer 3 wpa.hccap

And it will show you the status every 3 seconds...
Please remember you use stdin mode, therefore your key presses cannot be "read" by oclHashcat, since the standard input is already in use (by the pipe).
#6
You'll need to add parameter --status / --status-timer=N to your command for minimal details.

You do know that piping crunch or maskprocessor to hashcat greatly reduces your speed, right?

Just use hashcat on its own with the mask ?u?u?u?u?u?u?u?u
#7
(02-23-2014, 05:27 PM)Milzo Wrote: You'll need to add parameter --status / --status-timer=N to your command for minimal details.

You do know that piping crunch or maskprocessor to hashcat greatly reduces your speed, right?

Just use hashcat on its own with the mask ?u?u?u?u?u?u?u?u

Well, you say this, but hashcat on its own before achieved 120,000~ hashes/sec; this is now running at 158,000~ hashes/sec.

I was using this mask before - but what about ensuring no two letters are duplicated next to each other?

Thanks for the --status pointer!
#8
Sky routers have sequential letters in their keys, like AABCDEFG.

Using the flag -q 2, you'd miss the chance of hitting a key like the above example.

But if that's what you're after, -q 2 will make sure no letters are duplicated either side.

Increase your chances by raising the N in -q N.
#9
E:\oclHashcat-1.01\oclHashcat64.exe: unknown option -- q
ERROR: invalid argument

-q doesn't seem to work in hashcat alone? It only seems to work in mp64?

Thanks for your pointers Milzo.

And with respect to your comment, how could I run exactly what I have with mp64 & hashcat, in hashcat alone? i.e. no duplication for letters right next to each other? Thanks,

EDIT:

Discovered the -q option can't be used with hashcat, only with mp64 piped to it. There is no slowdown whatsoever between hashcat with ?u?u?u?u?u?u?u?u and mp64 running the same with -q 2 piped in. The main negative is I don't believe it can be piped from mp64 to hashcat and paused and resumed, which is an issue. The computer with the fans whirring is too loud where it is to leave going overnight, so it must be paused and resumed, which does not work with mp64.

Resuming hashcat on its own with -u 4096 & -n 160, which is now fully utilising two cards. Hash rate is sitting at 158,000~ hashes/sec.
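The thread never puts a number on what the "no letter next to itself" filter actually buys, and post #8 warns what it costs. The script below is an added example (not code from the thread, from hashcat or from maskprocessor) that models the candidate stream of `mp64 -q 2 ?u?u?u?u?u?u?u?u` as the thread describes it, counts the keyspace for any run limit without enumerating it, cross-checks the count by brute force on small cases, and turns the count into a worst-case runtime at the 158,000 H/s quoted in post #9. The semantics of `-q N` assumed here (a candidate is rejected if it contains N identical consecutive characters, so `-q 2` rejects "AA") and the constant hash rate are assumptions, not something verified against the maskprocessor source.

```python
"""Keyspace of a "no repeated adjacent letters" mask, and what it buys you.

Constructed example; not code from the thread, hashcat or maskprocessor.
Assumption: mp64's -q N rejects any candidate containing N identical
consecutive characters, as post #8 describes for -q 2.
"""
from itertools import islice, product
from typing import Iterator, List

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
RATE_HPS = 158_000.0  # WPA (-m 2500) rate quoted in post #9; assumed steady


def has_run(candidate: str, seq_max: int) -> bool:
    """True if `candidate` contains `seq_max` identical consecutive characters.

    seq_max <= 0 disables the filter (mp64's default)."""
    if seq_max <= 0 or not candidate:
        return False
    run = 1
    if run >= seq_max:          # seq_max == 1 rejects every non-empty string
        return True
    for prev, cur in zip(candidate, candidate[1:]):
        run = run + 1 if cur == prev else 1
        if run >= seq_max:
            return True
    return False


def candidates(charset: str, length: int, seq_max: int = 0) -> Iterator[str]:
    """Yield candidates in mask order (leftmost position slowest, like mp64).

    A prefix is pruned as soon as it hits a forbidden run, so rejected
    branches are never expanded rather than generated and then filtered."""
    def walk(prefix: str, run: int) -> Iterator[str]:
        if seq_max > 0 and run >= seq_max:
            return
        if len(prefix) == length:
            yield prefix
            return
        for ch in charset:
            new_run = run + 1 if prefix and ch == prefix[-1] else 1
            yield from walk(prefix + ch, new_run)

    yield from walk("", 0)


def first_candidates(charset: str, length: int, seq_max: int, n: int) -> List[str]:
    """The first n candidates the stream would produce (for eyeballing order)."""
    return list(islice(candidates(charset, length, seq_max), n))


def keyspace(charset_size: int, length: int, seq_max: int = 0) -> int:
    """Count what candidates() would yield, without enumerating it.

    Dynamic program over the trailing run of identical characters:
    by_run[r] = number of prefixes whose last r characters are identical."""
    if seq_max <= 0:
        return charset_size ** length
    if seq_max == 1:
        return 0
    by_run = {1: charset_size}
    for _ in range(length - 1):
        nxt = {}
        for run, count in by_run.items():
            # append a different character: the run restarts at 1
            nxt[1] = nxt.get(1, 0) + count * (charset_size - 1)
            # append the same character: the run grows, unless it would reach seq_max
            if run + 1 < seq_max:
                nxt[run + 1] = nxt.get(run + 1, 0) + count
        by_run = nxt
    return sum(by_run.values())


def brute_count(charset: str, length: int, seq_max: int) -> int:
    """Slow cross-check of keyspace() for small parameters."""
    return sum(1 for c in product(charset, repeat=length)
               if not has_run("".join(c), seq_max))


def eta_days(keyspace_size: int, rate_hps: float = RATE_HPS) -> float:
    """Worst-case wall-clock time to exhaust a keyspace at a steady rate."""
    return keyspace_size / rate_hps / 86_400


if __name__ == "__main__":
    full = keyspace(len(UPPER), 8)          # ?u?u?u?u?u?u?u?u
    pruned = keyspace(len(UPPER), 8, 2)     # mp64 -q 2 ?u?u?u?u?u?u?u?u
    print(f"full mask: {full:>15,} candidates, ~{eta_days(full):.1f} days")
    print(f"-q 2:      {pruned:>15,} candidates, ~{eta_days(pruned):.1f} days")
    print("first three -q 2 candidates:", first_candidates(UPPER, 8, 2, 3))
    print("AABCDEFG survives -q 2?", not has_run("AABCDEFG", 2))
```

The first three candidates come out as ABABABAB, ABABABAC, ABABABAD, matching the listing in post #1. The arithmetic is the useful part: `-q 2` cuts the keyspace from 26^8 (about 208.8 billion) to 26 x 25^7 (about 158.7 billion), roughly a 24% saving, so at 158,000 H/s the worst case drops from about 15.3 days to about 11.6 days. Against that, every key with a doubled letter (post #8's AABCDEFG) becomes uncrackable with that mask, so the filter is only worth it if you trust the observation that Sky keys never repeat a letter; raising `-q` to 3 keeps almost all of the full keyspace and gains almost nothing.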