I initially posted in the "Benefits of Time-Memory Trade-off" thread but that thread's gone off in a different direction so I'm starting a new one.
In the previous thread, theprez98 showed how he got better results from creating a dictionary file than doing on-the-fly generation of combinations.
My response was as follows:
I've written an algorithm for generating all the combinations for an N-length word (e.g. aaaaaaaa, aaaaaaab, aaaaaaac ... zzzzzzzz). I'll provide this code so people can test how long it takes to create the dictionary file. Next you can use aircrack-ng to see how long it takes to crack a WPA whose passphrase is zzzzzzzz. My initial reaction to your findings is that there must be some bad programming going on behind the scenes.
Here are the two options we're considering:
Option 1: Run an algorithm which produces combinations, and write each combination to a dictionary file, then execute a program that processes each word in the dictionary file to see if it's the correct password.
Option 2: Run an algorithm which produces combinations, and process each word to see if it's the correct password.
The code for Option 1 would work as follows:
Code:
FileHandle f = CreateFile("dict.txt");
for loop (blah blah)
{
    CreateNextCombination();
    WriteCombinationToFile(f);
}
CloseFile(f);

FileHandle f = OpenFile("dict.txt");
for loop (blah blah)
{
    ReadCombinationFromFile();
    TestCombinationToSeeIfCorrect();
}
If we look at the second option however, it's far simpler:
Code:
for loop (blah blah)
{
    CreateNextCombination();
    TestCombinationToSeeIfCorrect();
}
I would expect this shorter code to run way way way faster because it doesn't have to execute hundreds (if not thousands) of instructions just to read and write from a file.
If Option 1 is working out faster for you, then there's a BIG problem with how the second one is coded. BIG BIG BIG problem.
Actually I'd like to prove this. How about I create a dictionary file that has every combination of lowercase four-letter words (aaaa, aaab, aaac, aaad, up to zzzz). I'll use aircrack-ng to try out this password file on a WPA handshake. Next thing I'll do is download the source code for aircrack-ng and alter it so that instead of reading a word from a file, it simply calculates on-the-fly.
I'll calculate how long it takes to produce the dictionary file and also crack the password, and I'll compare this to the "on-the-fly" version. My prediction is that the latter will be a hell of a lot faster. If it isn't a hell of a lot faster it would go against every morsel of computer knowledge I have.
At the moment I'm working on changing the aircrack-ng source code so that instead of reading from a file, it uses my algorithm to test combinations on-the-fly.
My alteration of aircrack-ng will have two benefits:
1) You won't need a ridiculous amount of hard disk space to store the dictionary file.
2) It should be much faster because you won't have to read from the hard disk.
It's getting late here now so I'll finish it off tomorrow and post my results.
Along with this, a beneficial functionality would be a user prompted (or supplied) set of known characters. I'm thinking the below for example (note, no idea what the aircrack syntax is, but -c could be the trigger for input prompts):
Code:
aircrack-ng -c eaopl.cap
Enter number of characters for passphrase: 8
Enter possible characters (u,U,1,!): u,U
Enter known character string: SKY
It would then compute every possible upper and lower case passphrase combination beginning with SKY.
Or, maybe something like this:
Code:
aircrack-ng -c eaopl.cap
Enter number of characters for passphrase: 8
Enter possible characters (u,U,1,!): u,U
Enter known characters with asterisks in the place of unknowns: SKY*****
Dunno, just an idea.
Let us know if you do, I'd be interested in following it.
I've successfully added an on-the-fly generator to Aircrack.
To give myself as little work to do as possible, and also to alter the workings of the program as little as possible, I changed the part of the code that actually reads the word from the dictionary file.
In "aircrack-ng.c", the dictionary file is opened using "fopen". From there, each word is read from the dictionary file using "fgets". I decided to commandeer the "fgets" call so that instead of reading a word from a file, it consults an on-the-fly generator to get the next word.
The generator I've built into it currently has the following options:
1) What is the minimum length of the password? 3
2) What is the maximum length of the password? 12
3) Do you want to use all the ASCII characters (Y/N)? N
If not, 4) Specify the characters to use: abcdefghijklmnoprstuvwxyz
Can anyone think of more useful options to add to the generator?
I have a favour to ask, if someone would be so kind. I currently don't have access to a WPA access point; so could someone please e-mail me a capture file that contains a handshake for a known password? I can use this capture file to test whether the generator actually works properly with Aircrack. It doesn't matter what the ESSID is, the funkier the better. Please e-mail it to me at VIRTUAL at LAVABIT dot COM.
Presently here's the code I have for generating the combinations. I rushed it in a few hours so it's a little thrown together and by no means finished, but here's a taste nonetheless:
Comments, questions, suggestions, corrections welcomed.
Code:
Primitive code removed, I'll post better code shortly.
Originally posted by Virchanza
I have a favour to ask, if someone would be so kind. I currently don't have access to a WPA access point; so could someone please e-mail me a capture file that contains a handshake for a known password?
There's one in the aircrack-ng test folder.
/pentest/wireless/aircrack-ng/test/
The passphrase is "biscotte".
Argh you beat me to it! haha...yea there's a test one in there.
Dude, if this works, this is a cool friggin addition to aircrack. I'd like to test it now but it will have to wait until tonight.
My only question right now is:
4) Specify the characters to use: abcdefghijklmnoprstuvwxyz
Does this include capitals?
I posted an algorithm here a few weeks ago for giving all the permutations of uppercase and lowercase but there's no need for that when you can simply specify all the characters as follows:
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
I'm gonna see if I can crack "biscotte" with it. I'll post back in a half hour or so and let you know how it went.
Works perfectly, I used the on-the-fly generator to crack "biscotte" just there.
Do you think people will find this useful? I mean it's still gonna take a ridiculously long amount of time to crack an 8-letter password...
It'd be nice to enhance it so that many computers can work together on cracking. For instance, let's say that there's one billion combinations to try, and that you have one hundred computers. Each computer would have an ID in the range 0 to 99. Computer 0 would work on the first ten million combinations, Computer 1 on the second ten million, Computer 3 on the third ten million.
After that, somebody can work on making a bot that takes control of computers all over the world so we can have a million or so machines working on cracking it (YES, that's a joke)
I'll clean up the code I have at the moment and then make the source code available.
Again, if anyone has any suggestions, just throw them out there.
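The generator the thread describes (every word of a given length over a chosen character set, and the work split across numbered machines) as an added example; this is not code from the thread or from aircrack-ng, and the function names (keyspace_size, candidate_at, worker_first, worker_count, seconds_to_exhaust), the MAX_LEN bound and the 1000 keys/sec rate are my own assumptions. Rather than only stepping to the "next" word, it maps an index straight to its candidate, so a machine with ID i can jump to its own share, and it computes the keyspace size first, which is how you answer the "how long for 8 letters" question for any charset/length policy before anyone starts.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not code from this thread or from aircrack-ng).
 * Maps an index in [0, keyspace) straight to its candidate word, so a worker
 * can start at its own share of the keyspace, and the size of a search can be
 * computed before it starts. Function names are my own. */

#define MAX_LEN 16  /* assumed upper bound on candidate length */

/* base^len, saturating at UINT64_MAX instead of silently wrapping
 * (95 printable ASCII characters overflow 64 bits at length 10). */
static uint64_t count_for_length(uint64_t base, int len) {
    uint64_t n = 1;
    for (int i = 0; i < len; i++) {
        if (n > UINT64_MAX / base) return UINT64_MAX;
        n *= base;
    }
    return n;
}

/* Total candidates over all lengths min_len..max_len inclusive (saturating). */
uint64_t keyspace_size(const char *charset, int min_len, int max_len) {
    uint64_t base = strlen(charset), total = 0;
    for (int len = min_len; len <= max_len; len++) {
        uint64_t n = count_for_length(base, len);
        if (total > UINT64_MAX - n) return UINT64_MAX;
        total += n;
    }
    return total;
}

/* Write candidate number idx into out: shorter lengths first, and within a
 * length in charset order (aaa, aab, ... as the thread describes).
 * Returns the candidate's length, or -1 if idx is beyond the keyspace. */
int candidate_at(const char *charset, int min_len, int max_len, uint64_t idx, char out[MAX_LEN + 1]) {
    uint64_t base = strlen(charset);
    if (base == 0 || min_len < 1 || max_len > MAX_LEN) return -1;
    for (int len = min_len; len <= max_len; len++) {
        uint64_t n = count_for_length(base, len);
        if (idx >= n) { idx -= n; continue; }      /* skip whole lengths */
        out[len] = '\0';
        for (int pos = len - 1; pos >= 0; pos--) { /* rightmost char changes fastest */
            out[pos] = charset[idx % base];
            idx /= base;
        }
        return len;
    }
    return -1;
}

/* Convenience for checking a candidate by value. Returns 1 on match. */
int candidate_is(const char *charset, int min_len, int max_len, uint64_t idx, const char *expect) {
    char buf[MAX_LEN + 1];
    return candidate_at(charset, min_len, max_len, idx, buf) >= 0 && strcmp(buf, expect) == 0;
}

/* Divide total candidates among `workers` machines; worker `id` (0-based) gets
 * worker_count() candidates starting at index worker_first(). The remainder is
 * spread one-per-worker over the first workers so no index is skipped. */
uint64_t worker_first(uint64_t total, unsigned workers, unsigned id) {
    uint64_t share = total / workers, rem = total % workers;
    return (uint64_t)id * share + (id < rem ? id : rem);
}
uint64_t worker_count(uint64_t total, unsigned workers, unsigned id) {
    return total / workers + (id < total % workers ? 1 : 0);
}

/* Seconds to exhaust the whole keyspace at a given keys-per-second rate. */
double seconds_to_exhaust(uint64_t total, double kps) { return (double)total / kps; }

int main(void) {
    const char *lower = "abcdefghijklmnopqrstuvwxyz";
    char buf[MAX_LEN + 1];
    uint64_t total = keyspace_size(lower, 4, 4);   /* 26^4 = 456976 */
    printf("lowercase length 4: %" PRIu64 " candidates\n", total);
    for (unsigned id = 0; id < 3; id++) {
        candidate_at(lower, 4, 4, worker_first(total, 100, id), buf);
        printf("worker %u starts at index %" PRIu64 " (%s), %" PRIu64 " candidates\n",
               id, worker_first(total, 100, id), buf, worker_count(total, 100, id));
    }
    /* The 8-letter case from the thread: 26^8 at an assumed 1000 keys/sec. */
    uint64_t eight = keyspace_size(lower, 8, 8);
    printf("lowercase length 8: %" PRIu64 " candidates, %.1f days at 1000 k/s\n",
           eight, seconds_to_exhaust(eight, 1000.0) / 86400.0);
    return 0;
}
```

Because candidate_at is a pure index-to-word mapping, each machine only needs its ID, the worker count and the charset/length settings to do its share; nothing is written to disk and no machine needs to coordinate with another. Plug the measured keys-per-second from a real run into seconds_to_exhaust to see what a given passphrase policy actually buys you in time.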
I'd find it useful and would appreciate very much the source.
How long did it take to break the biscotte? What was your kps?