# bruteforce 8 character (uppercase) password

Page 3 of 3
• 05-19-2011, 12:01 PM
comaX
Re: bruteforce 8 character (uppercase) password
Quote:

Originally Posted by Barry
True, just shows you why wpa2 is such a bitch to crack. It would probably be easier to just watch someone enter the password on their laptop from a spy satellite.....

Or just ask politely? But if you have a satellite, I'll take that too :P
• 05-19-2011, 12:46 PM
iliyapolak
Re: bruteforce 8 character (uppercase) password
Quote:

brute force and dictionary attacks are two very different things. A dictionary attack has nothing to do with enumerating every possible combination of characters, unless you generate a list of every possible combination. Even in that case that's still just a brute force list
A dictionary attack is a more clever derivative of a brute force attack.
• 05-20-2011, 04:10 PM
erhardm
Re: bruteforce 8 character (uppercase) password
Quote:

Originally Posted by Barry
Not if you know it's an 8 character all uppercase password. Then it's only 208872064576 combinations.

AFAIK this is how it's computed: (length of password)^(no. of characters) -> 8^26 = 302231454903657293676544 for uppercase/lowercase. It would be 91343852333181432387730302044767688728495783936 for uppercase+lowercase.

However, I didn't compute that by hand (LOL), so I can't check if the number is actually correct; also, I might have used the wrong formula :)

Quote:

Originally Posted by iliyapolak
Dictionary attack is more clever derivative of brute force attack.

I see the dictionary attack as a way of brute-forcing the human behind the keyboard. You actually try every possible combination that the human would logically type.

The success of the bruteforce attack is computed by traversing all the search space and finding how much compute power is needed.

The success of the dictionary attack depends on the knowledge of the human that created that password. The better you know the human, the more chance of success.

Regards
• 05-20-2011, 05:43 PM
iliyapolak
Re: bruteforce 8 character (uppercase) password
Quote:

I see the dictionary attack as a way of brute-forcing the human behind the keyboard. You actually try every possible combination that the human would logically type.

The success of the bruteforce attack is computed by traversing all the search space and finding how much compute power is needed.

The success of the dictionary attack depends on the knowledge of the human that created that password. The better you know the human, the more chance of success.
A dictionary attack exploits the lack of knowledge of what randomness is in the field of cryptography.
For example, by using weak passwords (words) which could be permuted easily or concatenated with a few digits, an adversary can easily guess the password.
• 05-20-2011, 05:48 PM
comaX
Re: bruteforce 8 character (uppercase) password
Quote:

Originally Posted by erhardm
AFAIK this is how it's computed: (length of password)^(no. of characters) -> 8^26 = 302231454903657293676544 for uppercase/lowercase. It would be 91343852333181432387730302044767688728495783936 for uppercase+lowercase.

There are 26 possibilities for each position, so you should have 26*26*26...*26, eight times. So I believe it's 26^8, which is 208827064576 as stated by Barry!
53459728531456 for uppercase and lowercase.
• 05-20-2011, 08:30 PM
erhardm
Re: bruteforce 8 character (uppercase) password
It seems my formula was wrong!

Well, it's not really that hard now to bruteforce 8 character uppercase/lowercase. Back in November 2010 when Amazon EC2 introduced GPU Instances I set up pyrit and did a test: ~45000 PMK/s. If you use 8 instances that means ~360000 PMK/s. It will cost you $2700 and the work will be done in 162 hours!
Is it practical? Hm, there are a lot of other cheaper attack vectors to get into someone's network.

My best bet is a dictionary based attack. A little research will help shrink the search space by orders of magnitude.

Regards
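Putting the numbers from comaX's and erhardm's posts into a small calculator, as an added example (not code from the thread or from pyrit): 26 uppercase letters at length 8, ~45000 PMK/s per GPU instance, 8 instances. The per-position mask form is a generalisation beyond the thread's single case, and the $2.10 per instance-hour price in `plan()` is an assumption used only for illustration, not a figure from the thread.

```python
# Added example: sizing a brute-force search space and the time it takes to
# exhaust it at the PMK rate quoted in the thread. Not code from the thread.

# Size of each character class; "s" is the 33 printable ASCII symbols incl. space.
CLASSES = {"u": 26, "l": 26, "d": 10, "s": 33}


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates when every position draws from the same alphabet:
    alphabet_size ** length (26**8 for eight uppercase letters, not 8**26)."""
    return alphabet_size ** length


def keyspace_from_mask(mask: str) -> int:
    """Generalisation: one class letter per position, e.g. "uuuuuuuu" or "ulllllld".
    The search space is the product of the per-position class sizes, so a known
    structure shrinks the space far below the full 52-letter alphabet everywhere."""
    total = 1
    for cls in mask:
        total *= CLASSES[cls]
    return total


def hours_to_exhaust(space: int, pmk_per_second: float) -> float:
    """Worst case: every candidate is tried. On average the hit comes at half that."""
    return space / pmk_per_second / 3600.0


def cost_usd(hours: float, instances: int, hourly_price_usd: float) -> float:
    """Bill for running `instances` machines for `hours` at a per-instance hourly price."""
    return hours * instances * hourly_price_usd


def plan(mask: str, instances: int = 8, pmk_per_second_per_instance: float = 45000.0,
         hourly_price_usd: float = 2.10) -> dict:
    """Summarise a mask attack at the thread's rate.
    hourly_price_usd=2.10 is an assumption for illustration, not from the thread."""
    space = keyspace_from_mask(mask)
    hours = hours_to_exhaust(space, instances * pmk_per_second_per_instance)
    return {
        "mask": mask,
        "keyspace": space,
        "worst_case_hours": hours,
        "expected_hours": hours / 2,
        "cost_usd": cost_usd(hours, instances, hourly_price_usd),
    }


if __name__ == "__main__":
    for m in ("uuuuuuuu", "ulllllld", "llllllll", "uuuuuuuuu"):
        p = plan(m)
        print(f'{p["mask"]:10} {p["keyspace"]:>16,d} '
              f'{p["worst_case_hours"]:>10.1f} h  ${p["cost_usd"]:,.0f}')
```

The worst-case figure for `uuuuuuuu` at 360000 PMK/s comes out at about 161 hours, which is erhardm's 162-hour estimate; adding a ninth character multiplies every line of the table by 26.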
• 07-04-2011, 05:41 AM
anonhacktivistous51D
Re: bruteforce 8 character (uppercase) password
If I had a whopping great external hard drive, is there a way I could use rainbow tables to crack a password like this any faster with BT5?
• 07-06-2011, 11:06 AM
erhardm
Re: bruteforce 8 character (uppercase) password
AFAIK theoretically you could use rainbow tables, but you have to create your own because the hash is salted with the name of the SSID. Would this be faster? I'm sure it wouldn't. You have a greater probability to crack the WPA using a dictionary attack.

Using pyrit's batch command, you actually create those rainbow tables based on the passwords in the database.

You have to understand how the hash of WPA is created. The PMK (Pairwise Master Key) is computed using the passphrase and the AP's SSID. When you use pyrit you compute the passphrase (from the dictionary file) with the SSID (that's why you have to specify the SSID in pyrit). The result will be a hash. But the PMK is not the value transmitted through the air. It's the PTK (Pairwise Transient Key) that is computed (another hash value) with a random number from the AP, a random number from the client station and the PMK which is transmitted, and if the PTK matches then it's assumed that the PMK was known to the client.

Rainbow tables will do the same, only they will use all the possible combinations to generate the hashes. If you know a little about hash functions, you know that there can be a problem: hash collision. Theoretically it can happen that a hash value can be the same for different passphrases.
Another problem is that when you connect to an AP you have to input a passphrase, not a hash value, therefore you have to associate each hash value with a passphrase. Rainbow tables can do that, but this is actually the bruteforce attack on WPA. You have to code other drivers to connect to the AP knowing only the hash value, not the passphrase. Also you have to make special tools for decrypting the traffic based on the hash value, not the passphrase.

Regards
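The derivation erhardm describes, as an added example that is not part of the thread and not pyrit's code: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 256 bits), and the PTK is a PRF-512 over the PMK, the two MAC addresses and the two handshake nonces. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector; the candidate list, the second SSID, the MAC addresses and the nonces are constructed sample values. The table functions show why a PMK table built for one SSID resolves nothing on a network with a different SSID.

```python
# Added example: WPA2 PMK and PTK derivation, and why PMK tables are per-SSID.
# Not code from the thread or from pyrit.
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why a precomputed table only fits one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    with AA/SPA the AP and station MAC addresses. The nonces are fresh for every
    handshake, so the PTK cannot be precomputed; only the PMK can."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 SHA-1 outputs = 80 bytes, truncated to 512 bits
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:64]


def build_pmk_table(candidates, ssid: str) -> dict:
    """What a pyrit batch run produces for one SSID: PMK -> passphrase."""
    return {wpa2_pmk(p, ssid): p for p in candidates}


def table_hits(table: dict, candidates, ssid: str) -> int:
    """How many of `candidates` the table resolves when the network's SSID is `ssid`."""
    return sum(1 for p in candidates if wpa2_pmk(p, ssid) in table)


# Constructed sample data; "Richard1" is the weak passphrase mentioned in the thread.
CANDIDATES = ["password", "Richard1", "LETMEIN1"]
SSID_A = "IEEE"              # SSID from the 802.11i test vector
SSID_B = "SKY-CONSTRUCTED"   # a made-up second SSID

if __name__ == "__main__":
    pmk = wpa2_pmk("password", "IEEE")
    print("PMK(password, IEEE) =", pmk.hex())   # the 802.11i Annex H test vector
    table = build_pmk_table(CANDIDATES, SSID_A)
    print("hits on SSID_A:", table_hits(table, CANDIDATES, SSID_A))
    print("hits on SSID_B:", table_hits(table, CANDIDATES, SSID_B))
    # Constructed MACs and nonces, just to show the PTK changes with the nonces.
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    print("PTK:", wpa2_ptk(pmk, aa, spa, anonce, snonce).hex())
```

Each PMK costs 4096 HMAC-SHA1 rounds, which is the work behind the PMK/s figures quoted earlier in the thread; the PTK step is cheap by comparison but depends on per-handshake nonces, so it is the PMK, not the PTK, that a table can store.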
• 07-06-2011, 03:56 PM
anonhacktivistous51D
Re: bruteforce 8 character (uppercase) password
Quote:

Originally Posted by erhardm
AFAIK theoretically you could use rainbow tables, but you have to create your own because the hash is salted with the name of the SSID. Would this be faster? I'm sure it wouldn't. You have a greater probability to crack the WPA using a dictionary attack.

Using pyrit's batch command, you actually create those rainbow tables based on the passwords in the database.

You have to understand how the hash of WPA is created. The PMK (Pairwise Master Key) is computed using the passphrase and the AP's SSID. When you use pyrit you compute the passphrase (from the dictionary file) with the SSID (that's why you have to specify the SSID in pyrit). The result will be a hash. But the PMK is not the value transmitted through the air. It's the PTK (Pairwise Transient Key) that is computed (another hash value) with a random number from the AP, a random number from the client station and the PMK which is transmitted, and if the PTK matches then it's assumed that the PMK was known to the client.

Rainbow tables will do the same, only they will use all the possible combinations to generate the hashes. If you know a little about hash functions, you know that there can be a problem: hash collision. Theoretically it can happen that a hash value can be the same for different passphrases.
Another problem is that when you connect to an AP you have to input a passphrase, not a hash value, therefore you have to associate each hash value with a passphrase. Rainbow tables can do that, but this is actually the bruteforce attack on WPA. You have to code other drivers to connect to the AP knowing only the hash value, not the passphrase. Also you have to make special tools for decrypting the traffic based on the hash value, not the passphrase.

Regards

Thanks erhardm, nice answer. Tbh I'm so incredibly new to all of this; I'm one of those dudes who read the advice about not starting with BackTrack but couldn't resist (I'm gonna spend next weekend trying some of this Linux From Scratch malarkey, I think that's what I really need to get my head around next).

So a few months ago I started using Linux, met a dude at a party and was like "you're into computers, I'm into freakin computers, I've just started using Linux, you should too dude, it's awesome" and the guy pulls out his laptop with some killer freakin aerial and shows me BT4R2 in action (I go to freakin awesome parties sometimes) and I've been fascinated since then. Here's my problem though: I go round to a friend's and when offered the WPA2 key confidently say "no need dude, I'll connect, show how, trust me" and as the passphrase is a nice simple "Richard1" a good ol' dictionary attack does the job. Now that was awesome, properly awesome; however I have some friends who don't use such a weak password obv, and my confident "I don't need your key, I'm sure I can crack your network" has fallen flat.

My thoughts were I could compute the rainbow tables for an 8 char upper case password (they have Sky broadband and I know the ESSID + BSSID) and stick this on an external hard drive and smash the passphrase like that.

I really need a greater understanding of this hash, PMK, SSID stuff, but it seems like the best thing to do is, if you know it's an 8 char upper case password, create the word list using crunch then use aircrack to try a dictionary attack using the word list. The only other thing I was kinda thinking was piping john into aircrack with John's output set to only uppercase letters, but I don't know how to create a char set for JTR.

ugh that is one ugly long as reply, I think I'll try and edit that down in a sec.