WPA/WPA2 pass cracking
Just wanted start a discussion on general suggestions on how to make WPA/WPA2 password cracking less sophisticated. How would you build your research if all you knew is AP's SSID?
I'm not sure what you mean by less sophisticated but it's pretty straight forward. WPA/WPA2 has to be 8-length or more, if you're trying to brute force you're more than likely not going to do anything more than 10-length or it'll take you years. Otherwise, you're going to need to do some research on the ISP for default passwords, or use common wordlist with rules.

I think you need to provide a little more information as to what you're trying to obtain in this conversation. Everything pertaining to making cracking less sophisticated is by running test and finding results in my opinion.
I apologise for not putting this in more sensible way, but I don't really know how to write it any better as it involves so many different things. One of which mentioned as research on the ISP. For example, if I was interested in Virgin Media, there is not much information about, but lots of guessing and false suggestions. They will do their best to hide any hick up they've done, routers they use, and I'm not even talking about password policies, etc.

I guess we could discuss this as a start.
Knowing ISP for particular AP can dramatically reduce keyspace to iterate through, but what methods you'd use if user changed SSID name to 'abracadabra'. How will you find ISP being used?
(12-14-2017, 10:14 AM)Kangaroot Wrote: Knowing ISP for particular AP can dramatically reduce keyspace to iterate through, but what methods you'd use if user changed SSID name to 'abracadabra'. How will you find ISP being used?

ISP's use specific Modems. When you do a generic wifi scan you can capture the MAC of any device in range. With any vendor lookup, it can tell you the brand of that modem/router you're seeing. 

Not sure about you but where I am located its pretty easy to define what a "changed" ESSID is related to its BSSID. We have two major ISP's and one uses PACE/Actiontec Modems, where as the competition uses Motorola/Arris. If it's an aftermarket Router then you can assume it's not going to use the default ISP's passphrases.

You might want to investigate WPS attacks first before jumping into WPA cracking basing on your questions. It's like an easy mode for harvesting password data. 

Also a quick search reveals these modems... Further investigating shows a serial which shows a Wifi ESSID and a false password showing the length. You should be able to figure out the rest, its not as hard as you think. But I hate doing someone else's job so I'mma leave the learning to you by searching the web.
I'm not a novice in the subject and not interested in hacking neighborhood. I just wanted to explore other people's methods.
An AP's SSID tells you nothing if that's *all* you have to go on. I suspect you already know this so not sure what you're expecting out of this discussion tbh. Sample data and lots of it seems the obvious entry point or else you're left with brute force.

Maybe take a read of this discussion: Keyspace List for WPA on Default Routers
Yes, Rico, I'm well aware of default router key spaces. I'm trying to find any methods may help to reveal progress when cracking password or show that different direction may be looked at.

I'm also talking about finding weaknesses in cryptographic algorithm to successfully using these weaknesses to decipher the password without knowing the secret key. Unfortunately, it seems that people possess this knowledge but not willing to share it in public.

Hope that make sense.
There is no "secret fast" method that people are keeping from you.
If brute forcing didn't work, try harder! ;-)
If you already tried harder, you might try other options:


b) Brute forcing WPS with reaver seemed to be popular (i personally never liked it, though)