10 years to crack a 13 character password?
#1
Hey guys,


Just created an account, apologies if this isn't the correct forum to be posting in. Lately I have been experimenting with oclHashcat and cracking WPA2 passwords with The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux.

I have an older Linksys E2500 test router that I have setup. The password is 13 characters, it uses ONLY Uppercase letters and Numbers. No special characters or lowercase letters. I have captured the handshake and have a capture file.

I am using a Nvidia 680GTX as the GPU. I am using Windows 10 64bit with the latest GPU drivers and using a hashcat GUI. When I use wordlists it runs at about 28,600 or so H/S I believe. It tears through word lists without any issues.

However I decided I wanted to learn how brute-forcing works and some of the techniques that go along with it. One in particular is the masking type of attack. I have read the wiki several times on this attack, and I have created a mask file for hashcat to use. 

Upon executing the task it gets up to about 28,800 H/S like normal, but hashcat estimates somewhere in the ballpark of 10 years to crack. My mask file looks like: ?u?d,?l?l?l?l?l?l?l?l?l?l?l?l?1


If I read the wiki correct, the mask file I wrote would mean, uppercase letters and numbers, 13 characters.  On the GUI I use for hashcat it gives me the option to key in the how many characters it would attack, like 1-8 or 1-13. Since I know the password is 13 I just put in 13-13.

Am I doing something wrong? Is my graphics card too old? Finally, if I am doing everything correctly, is 10 years about what it would really take? Additionally, is there anymore information I can offer that would help me locate my issue (if any)

Thank you!
#2
That's not quite how specifying a mask works. IF you don't know which characters are in which positions, you want something more like this -- first definiting a custom character set, and then using it:

-2 ?u?d ?2?2?2?2?2?2?2?2?2?2?2?2?2

I used "2" here for legibility; you can specify up to four custom character sets.

More info here:

https://hashcat.net/wiki/doku.php?id=mask_attack
~
#3
(11-15-2016, 09:07 PM)royce Wrote: That's not quite how specifying a mask works. IF you don't know which characters are in which positions, you want something more like this -- first definiting a custom character set, and then using it:

-2 ?u?d ?2?2?2?2?2?2?2?2?2?2?2?2?2

I used "2" here for legibility; you can specify up to four custom character sets.

More info here:

https://hashcat.net/wiki/doku.php?id=mask_attack

Thank you for the prompt response Royce! I think I understand what you are saying. My Syntax was essentially wrong? And that is correct, I am running under the assumption that we do not know what characters are in what spot. The only think we know is that the password is 13 characters and consists of Uppercase letters and numbers in a random order.

So essentially, in the second character set box, I would put -2 ?u?d ?2?2?2?2?2?2?2?2?2?2?2?2?2 

I think the GUI I used grayed out the character set boxes when I added a mask file. So I just put that line into the mask file (minus the -2 part and added a comma to separate the ?2) I will try that again when I get home from work and see what the results are. I thought I had done that at one point, but it still mentioned that it would take 5-10 years to complete.
#4
36 ^ 13 is a huge keyspace to brute force on WPA and at 28,800 H/s it won't happen, even if you go at 1 million h/s still won't happen, unless the key is very near the beginning.

Oh and it's way way over 10 years, more like millions of years, hashcat won't show what it is when higher than 10 years.

You can easily work it out.

36 ^ 13 / 28,800 / 60 / 60 / 24 / 365 = over 187 million years to cover the whole keyspace.


(note: ' ^ ' = to the power of)
#5
(11-15-2016, 08:06 PM)potentshadow Wrote: Hey guys,


Just created an account, apologies if this isn't the correct forum to be posting in. Lately I have been experimenting with oclHashcat and cracking WPA2 passwords with The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux.

I have an older Linksys E2500 test router that I have setup. The password is 13 characters, it uses ONLY Uppercase letters and Numbers. No special characters or lowercase letters. I have captured the handshake and have a capture file.

I am using a Nvidia 680GTX as the GPU. I am using Windows 10 64bit with the latest GPU drivers and using a hashcat GUI. When I use wordlists it runs at about 28,600 or so H/S I believe. It tears through word lists without any issues.

However I decided I wanted to learn how brute-forcing works and some of the techniques that go along with it. One in particular is the masking type of attack. I have read the wiki several times on this attack, and I have created a mask file for hashcat to use. 

Upon executing the task it gets up to about 28,800 H/S like normal, but hashcat estimates somewhere in the ballpark of 10 years to crack. My mask file looks like: ?u?d,?l?l?l?l?l?l?l?l?l?l?l?l?1


If I read the wiki correct, the mask file I wrote would mean, uppercase letters and numbers, 13 characters.  On the GUI I use for hashcat it gives me the option to key in the how many characters it would attack, like 1-8 or 1-13. Since I know the password is 13 I just put in 13-13.

Am I doing something wrong? Is my graphics card too old? Finally, if I am doing everything correctly, is 10 years about what it would really take? Additionally, is there anymore information I can offer that would help me locate my issue (if any)

Thank you!

For the E2500, you might not even need to go after the WPA2 key from a handshake.

Check this out:

http://www.computerworld.com/article/294...twork.html

Also, I know the E1000 was very susceptible to Reaver attacks.  I don't know about the E2500, but the situation could be similar.  If WPS is on, it would be WAY more efficient to attack WPS than any WPA2 password.

Also, are you absolutely certain that it is a 13 digit password and not a 14 digit password?
#6
Don't BF WPA if you don't have any information about how the key was generated (like some routers keys base on their mac address etc). Otherwise use wordlists + rules
#7
(11-16-2016, 01:23 AM)Pixel Wrote: 36 ^ 13 is a huge keyspace to brute force on WPA and at 28,800 H/s it won't happen, even if you go at 1 million h/s still won't happen, unless the key is very near the beginning.

Oh and it's way way over 10 years, more like millions of years, hashcat won't show what it is when higher than 10 years.

You can easily work it out.  

36 ^ 13 / 28,800 / 60 / 60 / 24 / 365 = over 187 million years to cover the whole keyspace.


(note: ' ^ '  = to the power of)

Haha I was always bad at math, but that makes plenty of sense. I don't know what I was thinking.

Quote:For the E2500, you might not even need to go after the WPA2 key from a handshake.

Check this out:

http://www.computerworld.com/article/294...twork.html

Also, I know the E1000 was very susceptible to Reaver attacks.  I don't know about the E2500, but the situation could be similar.  If WPS is on, it would be WAY more efficient to attack WPS than any WPA2 password.

Also, are you absolutely certain that it is a 13 digit password and not a 14 digit password?


Thank you sir, very interesting read. I will have to do some research on the web.

Quote:
Don't BF WPA if you don't have any information about how the key was generated (like some routers keys base on their mac address etc). Otherwise use wordlists + rules


Hi Atom! I was afraid someone would say that. So I suppose it takes some detective work before hand and seeing if there is any exploit for that particular router before you go in a BF something. I have no idea why I was under the impression that BF would be much quicker, and for that, I am sorry I took up Forum Space. So its true then, word lists are still the most effective method for the most part. Unless as you said, I have an idea how the password would have been generated.
#8
after that u do some home work like @devilsadvocate  and @atom recommended, if reaver and pixie dust aint working, u could use some online site which hold big wordlist and if it hits the password u will get a notification via mail and tells u what length is that, and if u wana recover it u will need to pay some money..
but first try to attack via reaver and pixie dust u might get lucky Smile