06-13-2015, 11:03 AM
Long-time lurker here, and I feel like I've searched and read enough of the forum that this is (hopefully) not redundant, or at the very least there hasn't been a comprehensive current discussion.
I've been researching WPA/WPA2 hashes lately much more than any other. As most know, WPA is a different beast than, say, MD5, both in the minimum character length and the H/s. I find most all of the stats and rules come from cracking leaked pw hash dumps, and those are a great insight in some respects, but are also misleading when applied to WPA. Obviously getting stats on a huge sample of 100,000 hashes on WPA is quite tough compared to a database dump of pw hashes, so I understand why the data mostly revolves around it.
But when trying to apply the strategies for testing an MD5 hash dump on WPA, I feel like there are two main differences between what you'd find in a WPA password vs a personal account password, and hence why I get such poor results from the typical wordlists that work great on dumps.
1) The minimum key length is 8, and oftentimes people can create pws of less than 8 characters on many web accounts.
2) The WPA key is designed to be shared. It seems rarer that a password would be the same on WPA as one used for their personal accounts. Even someone who lives alone must have someone come over at some point and want to connect to wifi. Not impossible, but much rarer. But also, since it is designed to be shared, and sometimes often, it seems to be simpler while still trying to seem secure. People who share their WPA also probably want it to not be weird, where people are like "what does 'soggynutz4U' mean?"
Along the lines of that, instead of something like "Awesome1954" like you'd see more in a DB dump, it would surprise me less to see something like "johnshouse" or "johnswifi" or "johnjohnjohn" or "myinternet123".
The problem is, I have a very limited sample to work with, so these are just initial findings and they might be off base, and before I spend too much time with such a theory and building new wordlists and rules I was hoping to get some insight from others who have likely way more experience. I figure there is no point in reinventing the wheel if others have data they are willing to share.
I'm just looking for input anyone is willing to give, from general observations to specific rules or wordlists they like... exclusively from a WPA perspective, unless of course your experience shows there is a greater overlap between personal passwords and WPA than mine does.
Speaking of wordlists, which backs up the "quality over quantity" the wise ones on here speak of often...
So far my best performing list is a smallish list of about 50M words. These were filtered from the most common leaked pws of 8 characters or longer, with some permutations and such. It also includes names (first or last names) in various combos, and regular dictionary words in various combos.
I've tried a handful of wordlists supposedly geared towards WPA, which I think mainly means just 8 chars or more, not that they are tuned based on WPA patterns. This includes the 13GB one on torrent. That one is useless so far and is by far the largest I run tests through.
So far I haven't created any successful rules or special attacks, unfortunately. Mostly I am working with building wordlists using combinator and testing those.
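The patterns the post describes (name + "wifi"/"house", "my" + word + digits, a repeated token, a bare word with a year) are exactly what a network owner should reject when choosing a pre-shared key. As an added example that is not part of the original post, here is a small passphrase policy check that flags those shapes before a PSK is set; the NAMES and WORDS sets are constructed placeholders, where a real deployment would load full name and dictionary lists from files.

```python
import re
from typing import List

# WPA/WPA2 passphrase constraints: 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63

# Constructed sample lists (assumption: real checks load these from files).
NAMES = {"john", "mary", "smith", "jones"}
WORDS = {"house", "wifi", "internet", "network", "home", "password"}


def weak_psk_reasons(psk: str) -> List[str]:
    """Return the reasons a candidate WPA passphrase matches the
    'simple, shareable' patterns from the post; empty list means none fired."""
    reasons = []
    valid_ascii = all(32 <= ord(c) <= 126 for c in psk)
    if not (MIN_LEN <= len(psk) <= MAX_LEN) or not valid_ascii:
        reasons.append("not a valid WPA passphrase (8-63 printable ASCII)")
        return reasons
    low = psk.lower()
    # Strip a trailing number or year so "myinternet123" reduces to "myinternet".
    core = re.sub(r"\d{1,4}$", "", low)
    # name (+ optional possessive 's') followed by a word: "johnswifi", "johnshouse"
    for name in sorted(NAMES):
        for suffix in ("", "s"):
            prefix = name + suffix
            rest = core[len(prefix):]
            if core.startswith(prefix) and rest in WORDS:
                reasons.append(f"name+word: {name}+{rest}")
    # "my" followed by a word: "myinternet123"
    if core.startswith("my") and core[2:] in WORDS:
        reasons.append(f"my+word: {core[2:]}")
    # the same token repeated back to back: "johnjohnjohn"
    m = re.fullmatch(r"(.{2,})\1+", core)
    if m:
        reasons.append(f"repeated token: {m.group(1)}")
    # a bare name or dictionary word padded only with digits: "password1"
    if core in WORDS or core in NAMES:
        reasons.append(f"single word: {core}")
    return reasons


if __name__ == "__main__":
    for candidate in ("johnswifi", "myinternet123", "johnjohnjohn", "correct-horse-battery"):
        print(candidate, "->", weak_psk_reasons(candidate) or "ok")
```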