Joining 2 dictionaries together without bruteforcing one side
#1
Hi guys, long time lurker, first time poster.
I have a question about dictionaries that has come up from some investigating of Netgear routers with WPA2-PSK.

The default SSID is often NETGEARXXX
The default password on these devices (at least where I live) is 2 English words with a 3 digit number on the end, all in lower case.

The English language is reasonably small (around 1 million individual words)

Is there a way I can run 2 English dictionaries (the same dictionary!) against each other, then add the numbers at the end?

Ie:

Dictionary 1:
dog
cat
table

Dictionary 2:
dog
cat
table

To give an output like:

dogdog001
dogdog002
.
.
.
dogcat001
dogcat002
.
.
dogtable001
dogtable002
.
.

And so on.

At 500kh/s that my home rig is capable of with oclhashcat, I am expecting a total crack time of around 20 days. Does this sound correct?

Also, is there a way to eliminate combinations that would not meet WPA rules of 8 character minimum to save on crack time?

Your help is greatly appreciated.
#2
As far as I know, the keyspace is even more restricted for Netgear routers than you might think.

See: https://forum.hashkiller.co.uk/topic-view.aspx?t=2715

NETGEARXX - Adjective + Noun + 3 Digits

So it is recommended to use 2 very specific dicts (1st: adjectives, 2nd: nouns).

The speed will vary depending on attack mode.

There are many possibilities to join the 3 parts, for instance, -a 1 with rules (but you need to add each 3 digit number individually with -k), combinator.exe and pipe it to oclHashcat, or develop your own tool to join the 2 dicts + add digits from 000 - 999 (or whatever the range is) and again pipe it, etc.

On the other hand, it usually doesn't make much sense to build a huge dict that has already everything combined (since it will be too huge and it needs too much unneeded preprocessing) etc.
#3
The Unified List Manager (http://unifiedlm.com) can do some of what the hashcat-utils can do, plus a lot of other useful functions.
#4
Hi,
First of all, in my post I've used the attached adj.txt & noun.txt (that's all I've found).

Quote:$ wc -l adj.txt noun.txt
1830 adj.txt
2396 noun.txt
4226 total

1- I've combined adj.txt & noun.txt using combinator.bin from hashcat-utils, and used a perl script to check that the length of the result is >= 5 & <= 61 (because a WPA password is between 8 (5+3) and 64 (61+3); the 3 is the 3 digit number that we'll be adding to the generated plains). The command I've used:
Quote:$ ./combinator.bin adj.txt noun.txt | perl -ne 'chomp; print "$_\n" if length($_) >= 5 && length($_) <= 61' > com.list
Theoretically, there are 1830*2396 = 4384680 combinations without applying the length rule. After using the length rule:
Quote:$ wc -l com.list
4384680 com.list
The result is still the same because there aren't any combined words < 6 and > 61 in my lists.
2- Creating the rule that would append the ?d?d?d to every word from com.list.
I've used maskprocessor to create it:
Quote:$ ./mp32.bin "$"?d"$"?d"$"?d > 1000.rule
3- Launching the attack:
Quote:./hashcat-cli32.bin -m 2500 -r 1000.rule com.list test.hccap

Assuming that you're running the attack at a speed of 500,000 h/s,
the running time would be:
4384680000/(500000*3600) = 2.43 hours.
4384680000 is the number of plains that would be tested.
BTW, you could run the same attack using hybrid attack mode and piping in the result of combinator.


Attached Files
noun.txt (Size: 17 KB / Downloads: 49)
adj.txt (Size: 14.65 KB / Downloads: 37)
#5
(11-23-2014, 11:15 AM)bsec Wrote: Hi,
First of all, in my post I've used the attached adj.txt & noun.txt (that's all I've found).

Quote:$ wc -l adj.txt noun.txt
1830 adj.txt
2396 noun.txt
4226 total

1- I've combined adj.txt & noun.txt using combinator.bin from hashcat-utils, and used a perl script to check that the length of the result is >= 5 & <= 61 (because a WPA password is between 8 (5+3) and 64 (61+3); the 3 is the 3 digit number that we'll be adding to the generated plains). The command I've used:
Quote:$ ./combinator.bin adj.txt noun.txt | perl -ne 'chomp; print "$_\n" if length($_) >= 6 && length($_) <= 61' > com.list
Theoretically, there are 1830*2396 = 4384680 combinations without applying the length rule. After using the length rule:
Quote:$ wc -l com.list
4384680 com.list
The result is still the same because there aren't any combined words < 6 and > 61 in my lists.
2- Creating the rule that would append the ?d?d?d to every word from com.list.
I've used maskprocessor to create it:
Quote:$ ./mp32.bin "$"?d"$"?d"$"?d > 1000.rule
3- Launching the attack:
Quote:./hashcat-cli32.bin -m 2500 -r 1000.rule com.list test.hccap

Assuming that you're running the attack at a speed of 500,000 h/s,
the running time would be:
4384680000/(500000*3600) = 2.43 hours.
4384680000 is the number of plains that would be tested.
BTW, you could run the same attack using hybrid attack mode and piping in the result of combinator.

This is really great.
Thank you so much for your input.
It's definitely much nicer than my solution which was:

1. combinator.exe adjectives.txt nouns.txt > mixedwords.txt
2. mp64.exe -1 0123456789 ?1?1?1 -o 3digits.txt
3. combinator.exe mixedwords.txt 3digits.txt > netgearpasswords.txt

As you can imagine, the resulting list would have been gargantuan!!!
#6
(11-23-2014, 01:06 PM)whattheflux Wrote:
(11-23-2014, 11:15 AM)bsec Wrote: Hi,
First of all, in my post I've used the attached adj.txt & noun.txt (that's all I've found).

Quote:$ wc -l adj.txt noun.txt
1830 adj.txt
2396 noun.txt
4226 total

1- I've combined adj.txt & noun.txt using combinator.bin from hashcat-utils, and used a perl script to check that the length of the result is >= 5 & <= 61 (because a WPA password is between 8 (5+3) and 64 (61+3); the 3 is the 3 digit number that we'll be adding to the generated plains). The command I've used:
Quote:$ ./combinator.bin adj.txt noun.txt | perl -ne 'chomp; print "$_\n" if length($_) >= 6 && length($_) <= 61' > com.list
Theoretically, there are 1830*2396 = 4384680 combinations without applying the length rule. After using the length rule:
Quote:$ wc -l com.list
4384680 com.list
The result is still the same because there aren't any combined words < 6 and > 61 in my lists.
2- Creating the rule that would append the ?d?d?d to every word from com.list.
I've used maskprocessor to create it:
Quote:$ ./mp32.bin "$"?d"$"?d"$"?d > 1000.rule
3- Launching the attack:
Quote:./hashcat-cli32.bin -m 2500 -r 1000.rule com.list test.hccap

Assuming that you're running the attack at a speed of 500,000 h/s,
the running time would be:
4384680000/(500000*3600) = 2.43 hours.
4384680000 is the number of plains that would be tested.
BTW, you could run the same attack using hybrid attack mode and piping in the result of combinator.

This is really great.
Thank you so much for your input.
It's definitely much nicer than my solution which was:

1. combinator.exe adjectives.txt nouns.txt > mixedwords.txt
2. mp64.exe -1 0123456789 ?1?1?1 -o 3digits.txt
3. combinator.exe mixedwords.txt 3digits.txt > netgearpasswords.txt

As you can imagine, the resulting list would have been gargantuan!!!
Glad to have helped you; I hope that you found the key.
#7
As an alternative to the perl script, you can also use splitlen from hashcat-utilities to organize words by length.

Code:
combinator.bin adj.txt noun.txt > adj_noun.dict

Code:
splitlen.bin length/ < adj_noun.dict

Code:
wc -l length/*
       0 length/01
       0 length/02
       0 length/03
       0 length/04
     102 length/05
    4719 length/06
   33445 length/07
  113522 length/08
  239273 length/09
  365270 length/10
  472998 length/11
  546905 length/12
  563588 length/13
  528990 length/14
  452563 length/15
  353738 length/16
  260460 length/17
  177939 length/18
  114479 length/19
   69945 length/20
   40277 length/21
   22505 length/22
   11865 length/23
    6101 length/24
    3172 length/25
    1569 length/26
     743 length/27
     319 length/28
     119 length/29
      56 length/30
      12 length/31
       6 length/32
       0 length/33
       0 length/34
       0 length/35
       0 length/36
       0 length/37
       0 length/38
       0 length/39
       0 length/40
       0 length/41
       0 length/42
       0 length/43
       0 length/44
       0 length/45
       0 length/46
       0 length/47
       0 length/48
       0 length/49
       0 length/50
       0 length/51
       0 length/52
       0 length/53
       0 length/54
       0 length/55
       0 length/56
       0 length/57
       0 length/58
       0 length/59
       0 length/60
       0 length/61
       0 length/62
       0 length/63
       0 length/64
4384680 total

You can then delete all the files that have zero bytes.

My opinion is that Netgear would not want their customers typing passwords more than 20 characters long. That could be considered bad user experience. A 20+ length is not a big deal on computers, but having to type that into your Xbox, PlayStation, cell phone, TV, etc. is a pain. That theory needs to be proven, though.
#8
Instead of rules, you can use "-a 6" in hashcat, e.g.:

hashcat -a 6 -m 2500 blah.hccap netgear.dict ?d?d?d
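
To judge how little protection this default adjective + noun + 3 digit scheme gives, the length histogram from post #7 and the run-time estimate from post #4 can be derived from the two lists' word-length counts alone, without generating a single candidate. This is an added example, not code from any poster or from hashcat; the word lists are constructed, and the 8 to 63 character bound is the WPA2 passphrase limit.

```python
import math
from collections import Counter

# WPA2-PSK passphrases are 8 to 63 printable ASCII characters
# (64 characters is the raw hex PSK form, not a passphrase).
WPA_MIN, WPA_MAX = 8, 63

def length_histogram(words):
    """Map word length -> number of words of that length."""
    return Counter(len(w) for w in words)

def combined_histogram(hist_a, hist_b, suffix_len=0):
    """Length histogram of every a+b pair plus a fixed-length suffix.

    Convolves the two histograms, so the cross product is never built.
    """
    out = Counter()
    for len_a, n_a in hist_a.items():
        for len_b, n_b in hist_b.items():
            out[len_a + len_b + suffix_len] += n_a * n_b
    return out

def keyspace(hist, suffixes, lo=WPA_MIN, hi=WPA_MAX):
    """Candidates whose total length is a legal passphrase length."""
    return suffixes * sum(n for length, n in hist.items() if lo <= length <= hi)

def hours_to_exhaust(candidates, rate_per_second):
    return candidates / rate_per_second / 3600

def entropy_bits(candidates):
    """Equivalent strength if every candidate is equally likely."""
    return math.log2(candidates)

# Constructed sample lists (not the thread's adj.txt / noun.txt).
ADJECTIVES = ["up", "red", "big", "happy"]
NOUNS = ["ox", "cat", "table"]

if __name__ == "__main__":
    hist = combined_histogram(length_histogram(ADJECTIVES),
                              length_histogram(NOUNS), suffix_len=3)
    print("sample length histogram:", dict(sorted(hist.items())))
    print("sample legal candidates:", keyspace(hist, 1000))
    # Figures quoted in the thread: 1830 x 2396 pairs, 1000 suffixes, 500,000 H/s.
    total = 1830 * 2396 * 1000
    print(f"thread keyspace: {total} = {entropy_bits(total):.1f} bits, "
          f"{hours_to_exhaust(total, 500_000):.2f} h to exhaust")
```

For comparison, a random 12-character passphrase drawn from lowercase letters and digits has about 62 bits, so replacing the factory passphrase is what removes this exposure.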