WPA Specific Strategies, Stats and Lists
#1
Long time lurker here and I feel like I've searched and read enough of the forum that this is (hopefully) not redundant, or at the very least there hasn't been comprehensive current discussion.

I've been researching WPA/WPA2 hashes lately much more than any other. As most know, WPA is a different beast than, say, MD5, both from the minimum character length and the H/s. I find most of the stats and rules come from cracking leaked pw hash dumps, and those are a great insight in some respects, but are also misleading when applied to WPA. Obviously getting stats on a huge sample of 100,000 hashes on WPA is quite tough compared to a database dump of pw hashes, so I understand why the data mostly revolves around it.

But when trying to apply the strategies for testing an MD5 hash dump on WPA I feel like there are two main differences between what you'd find in a WPA password vs a personal account password, and hence why I get such poor results from the typical wordlists that work great on dumps.

1) The minimum key length is 8, and oftentimes people can create pws of less than 8 characters on many web accounts.

2) The WPA key is designed to be shared. It seems rarer that a password would be the same on WPA as one used for their personal accounts. Even someone who lives alone must have someone come over at some point and want to connect to wifi. Not impossible, but much rarer. But also since it is designed to be shared, and sometimes often, it seems to be simpler while still trying to make it seem secure. People who share their WPA also probably want it to not be weird, where people are like "what does 'soggynutz4U' mean?"

Along the lines of that, instead of something like "Awesome1954" like you'd see more in a DB dump, it would surprise me less to see something like "johnshouse" or "johnswifi" or "johnjohnjohn" or "myinternet123".

The problem is, I have a very limited sample to work with, so these are just initial findings and they might be off base, and before I spend too much time with such a theory and building new wordlists and rules I was hoping to get some insight from others who have likely way more experience. I figure there is no point in reinventing the wheel if others have data they are willing to share.

I'm just looking for input anyone is willing to give, from general observations to specific rules or wordlists they like... exclusively from a WPA perspective, unless of course your experience shows there is a greater overlap between personal passwords and WPA than mine does.

Speaking towards wordlists, which is backing up the "quality over quantity" the wise ones on here speak often of...
So far my best performing list is a smallish list of about 50M words. These were filtered from the most common leaked pw's of 8 characters or longer, with some permutations and such. It also includes names (first or last names) in various combos, and regular dictionary words in various combos.

I've tried a handful of wordlists supposedly geared towards WPA, which I think is mainly just 8 chars or more, not because they are tuned based on WPA patterns. This includes the 13GB one on torrent. That one is useless so far and is by far the largest I run tests through.

So far I haven't created any successful rules or special attacks unfortunately. Mostly I am working with building wordlists using combinator and testing those.
#2
I've found the local landline and mobile NPA NXX make up a lot of PSKs. You're also going to get hits based on things in the geography -- street names, local businesses, or landmarks in the area. You're right, people generally share these passwords, so they like to be pronounceable, easy to remember, and not embarrassing.

There aren't "strength meters" on most consumer routers, so the below char-sets and masks speak for themselves.

Here's some output from PACK using actual recoveries.

[+] Analyzing 100% (10737/10737) of passwords
[*] Length:
[+] 8: 54% (5896)
[+] 9: 15% (1659)
[+] 10: 13% (1493)
[+] 11: 04% (444)
[+] 12: 03% (425)
[+] 13: 02% (236)
[+] 20: 01% (193)
[+] 16: 01% (117)

[*] Character-set:
[+] numeric: 37% (3980)
[+] loweralphanum: 26% (2838)
[+] loweralpha: 24% (2637)
[+] upperalphanum: 05% (543)
[+] mixedalphanum: 02% (280)

[*] Simple Masks:
[+] digit: 37% (3980)
[+] string: 26% (2872)
[+] stringdigit: 20% (2163)
[+] othermask: 10% (1127)
[+] digitstring: 01% (188)
[+] digitstringdigit: 01% (143)
[+] stringdigitstring: 01% (134)

[*] Advanced Masks:
[+] ?d?d?d?d?d?d?d?d: 29% (3116)
[+] ?l?l?l?l?l?l?l?l: 09% (1028)
[+] ?l?l?l?l?l?l?l?l?l: 05% (566)
[+] ?l?l?l?l?l?l?l?l?l?l: 04% (448)
[+] ?d?d?d?d?d?d?d?d?d?d: 03% (387)
[+] ?l?l?l?l?l?l?d?d: 02% (271)

Visit http://wpa-sec.stanev.org/ and throw some hash power so we can get better stats.
#3
WPA is pretty difficult to "cold crack" due to the slow speed. You need to know about your target.
#4
Hawaii,

Thanks for the reply, that data is great, thanks for sharing, along with your site too... I hadn't seen it before. I will upload some hashes for sure. On the stats page it says the current round has over 3 years to complete though... is that how backlogged you are with hashes? If so, you've got a lot of hashes to audit my friend!

Epix, no doubt, totally agree. I wasn't speaking so much to picking a target and focusing on it until it is cracked, but more in terms of general research and how to pick the low hanging fruit. The stats shared above give some great insight even though they don't tell the whole picture (you only know what you know... the 85% that weren't cracked could paint a different picture of WPA key selection tendencies).

Edit: Hawaii, I misunderstood... I see you have a tool on there for distributed WPA checking. I will give it a whirl and let it run for a while when I have downtime on my rig. At first I thought you were asking just to add some hashes to the stats sample.
#5
For WPA the first step is to see if WPS is on and try the WPSPIN script.
After that I check who the ISP is; normally you can tell from the name of the network. Using that information you can find out (google, or maybe you know someone with the same provider) what kind of default WPA passwords they give their router. Then you try a bruteforce on that. E.g. I find that 10 digit hex is very normal.
After that, dictionaries based on location, language etc., but like epixoip said, the best thing is to know your target. You can even try social engineering.
And yes, Stanev's website for standard WPA dictionary attack, support it when you can!
#6
Thanks. No doubt WPS is the weakest link... PIN cracking or MAC based algorithm. The latter is easy enough to try on all APs since there are only a few algorithms to test to see if they happen to be an affected model, without even going off the AP name or narrowing down based on the MAC's vendor. In terms of strictly a WPS brute force (ie: reaver) I find that APs are rarely as exploitable as they once were... at least not in a short time frame. Not to say that if one was focusing on a single WPS enabled AP with a lot of time and persistence it couldn't be done, but it seems like most either have it turned off, are not allowing you to work in halves, or have rate limiting or MAC banning.

I've got some new ideas based on those stats and I'm going to build some new wordlists and see if I can get some better results tested against the darkircop handshakes available.
#7
This thread is quite comprehensive.

LINK
#8
Let's stay on discussion, try not to get caught up with WPS attacks or default key generation.

People also enter their PSK on a mobile device, which has constrained inputs. You can reduce the keyspace by basically dropping out special chars and can bang out a lot just using ?l?d, but the slow algo means wordlists and rules are more effective.

The stringdigit mask as the third most popular, plus the loweralphanum charset, shows numeric padding: if the base word isn't 8 chars, people will just pad with a date or sequence of numbers. This follows regular selection rules, though, and isn't specific to WPA aside from the minimum length.
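As an added example (not code from the thread or from PACK), here is a small Python audit helper for checking your own PSKs against what the stats in post #2 and the padding observation in post #8 say dominates real recoveries. It classifies a key the way PACK's statsgen output above does (charset, simple mask, hashcat-style advanced mask) and flags keys that fall into the all-digit, short all-lowercase, or lowercase-word-plus-digit-padding classes; the category labels approximate PACK's naming and the length thresholds are my assumptions.

```python
from collections import Counter

def hashcat_mask(psk):
    """Per-character mask in hashcat notation (?l ?u ?d ?s), like PACK's advanced masks."""
    out = []
    for c in psk:
        out.append("?l" if c.islower() else "?u" if c.isupper()
                   else "?d" if c.isdigit() else "?s")
    return "".join(out)

def simple_mask(psk):
    """Collapse runs into string/digit/special, like PACK's simple masks (e.g. 'stringdigit')."""
    runs = []
    for c in psk:
        kind = "string" if c.isalpha() else "digit" if c.isdigit() else "special"
        if not runs or runs[-1] != kind:
            runs.append(kind)
    return "".join(runs)

def charset(psk):
    """Approximation of PACK's character-set labels (numeric, loweralpha, loweralphanum, ...)."""
    has_lower = any(c.islower() for c in psk)
    has_upper = any(c.isupper() for c in psk)
    has_digit = any(c.isdigit() for c in psk)
    has_special = any(not c.isalnum() for c in psk)
    if has_lower or has_upper:
        label = ("mixed" if has_lower and has_upper else "lower" if has_lower else "upper") + "alpha"
        if has_digit:
            label += "num"
        if has_special:
            label += "special"
        return label
    if has_digit:
        return "numericspecial" if has_special else "numeric"
    return "special"

def weak_pattern(psk):
    """Return the dominant weak-pattern class a PSK falls into, or None (thresholds assumed)."""
    sm, cs = simple_mask(psk), charset(psk)
    if len(psk) < 8:
        return "shorter than the WPA minimum"
    if sm == "digit":                                   # 37% of recoveries in the stats above
        return "all digits"
    if sm == "string" and cs == "loweralpha" and len(psk) <= 10:   # ?l x 8..10 masks
        return "short lowercase word(s)"
    if sm == "stringdigit" and cs == "loweralphanum":   # word padded out to 8+ with digits
        return "lowercase word padded with digits"
    return None

def psk_stats(psks):
    """Length / charset / simple-mask distributions in the shape of PACK's statsgen output."""
    return {"length": Counter(len(p) for p in psks),
            "charset": Counter(charset(p) for p in psks),
            "simple": Counter(simple_mask(p) for p in psks)}
```

A key that comes back as None from weak_pattern is only outside the classes the quoted stats show as dominant, not certified strong; run psk_stats over a constructed list of candidate keys to see how a policy shifts the distribution.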