brute force vs dictionary attacks

[yoma819]

Dear All
i am in the middle of trying to break into my bt homehub 2 router using SPA2 psk.
i have successfully got a handshake.
however i am having problems as the key that it comes with is by default a random 8 character upper case letters and numbers.
my questions are as follows:
1)when brute forcing do i need a dictionary file?
2)will the cracking program (aircrack or equivilent) have an option of only trying 8 character passwords?
many thanks
Yoma

[CKing]

You don't need a dictionary for a brute force attack. I would suggest using crunch to pipe the combinations to pyrit or aircrack IF an attack like this was feasible. 36 possible chars at 8 chars long results in 2 821 109 907 456 possible combinations. I would suggest having a friend set the WPA PSK password to something out of the dictionary. Then you can try every word out of the dictionary to find the password.

[Snayler]

I believe those passwords are hexadecimal. Meaning that we would have 4 294 967 296 possible combinations (16char^8).

[CKing]

I believe those passwords are hexadecimal. Meaning that we would have 4 294 967 296 possible combinations (16char^8).

Google seems to agree. Looks like an sha-1 is used to derive the key from the serial number. I stand corrected, 4 billion passwords would be feasible for a well equipped modern computer.

[purehate]

Google seems to agree. Looks like an sha-1 is used to derive the key from the serial number. I stand corrected, 4 billion passwords would be feasible for a well equipped modern computer.

At 100,000 keys per second it would still take 11 hours to do a 8 char hex bruteforce, So assuming a modern day cpu can do 3000-4000 keys per second I am not sure I would consider that feasible.

[CKing]

At 100,000 keys per second it would still take 11 hours to do a 8 char hex bruteforce, So assuming a modern day cpu can do 3000-4000 keys per second I am not sure I would consider that feasible.

What if we were to throw a gtx 295 or similar into the mix? My ballpark estimate is 2 to 2 1/2 days. I consider that feasible considering that this is a standard setup that most people accept as secure(their website makes the claim that its "almost impossible to crack") My viewpoint is that any gamer skiddie with a decent gpu can move to his new flat and have almost guaranteed access to one of these default setups, since I gather that this is fairly common AP across the pond(would the op like to enlighten us?) I would actually consider this a fairly significant security risk.

sources
The New BT Home Hub

[yoma819]

since I gather that this is fairly common AP across the pond(would the op like to enlighten us?) I would actually consider this a fairly significant security risk.

yes this is an incredibly common AP here over the pond infact in my average housing area HALF of all AP are BT homehubs.
all with wpa encryption.

the time it would take is feasable but how do i pipe crunch to aircrack and how would i tell it to produce only 8 character hex keys?

the key is the default one on the homehub, in this case i feel i dont need to get a friend to set it as i can remain unbiased.


cheers
Yoma

[CKing]

I dont suggest aircrack, what sort of hardware are you running? A powerful GPU will be the only thing making this attack feasible. In any case the crunch command would look something like this:

Code:

./crunch 8 8 1234567890ABCDEF

This will create all 8 char passwords with hex chars.

[Tokiopop]

./crunch 8 8 1234567890ABCDEF

EXACTLY what I'm looking for! TY!



But how exactly would you use this? Just put this where you would normal, say, use JTR?

[yoma819]

i am using hardware that will take 52 hours to crack the key!
which is not a problem as the laptop in question can just sit in the corner working away.
however would i have to first generate a wordslist using crunch or can i get crunch to basically directly feed the keys into aircrack without the need for the use of a large dictionary?
how big would this dictionary be?
cheers
yoma