I was working with WPA passwords and ended up writing a couple of shell scripts that use Crunch to generate password lists. I thought the community might find them useful...
I like passing crunch output to aircrack-ng (it saves disk space and time), but I always forget the commands.
This script remembers the arguments so I don't have to.
- location of cap file,
- ESSID of access point,
- minimum length,
- maximum length,
- charset (typed)
- aircrack-ng's output
Note: Ctrl+C then Ctrl+Z will stop the script (not sure why.. oh well)
passthrough.sh is available here (pastebin)
Note: This is only for U.S. cities -- for now
I've found that phone numbers are a common password for access points. I considered creating every possible phone number for an area code ([areacode]####### -- 3 digit areacode, then 7 digit number), but that creates a LOT of numbers that aren't valid (and a lot of numbers in general).
This script uses an online database to find only valid areacodes and prefixes for whatever city you're searching for.
For example, if you type in 'chicago' as the city, it will find all areacodes + prefixes within that area -- not just 'guessing' but the actual prefixes used by the city. The script then uses Crunch to generate the last 4 digits.
The difference between generating all possible numbers and only numbers within valid prefixes can be a HUGE difference! In Albuquerque (one areacode), all possible numbers means 10,000,000 phone numbers; using this script, the valid list was shortened to 2,500,000 phone numbers. This script helped me avoid 7.5 million 'bad phone numbers'!
Included a menu system to select phone number format, also fixed an error for cities with spaces in the name.
phone.sh now has the option to passthrough (pipe) to aircrack-ng. When prompted, enter a .CAP file containing the 4-way handshake and the SSID of the access point, and the script will pipe all output to aircrack-ng in hopes of cracking the WPA key. This saves time and memory.
Bug fixed: When generating phone numbers without area codes, the script would sometimes generate duplicates. This has been resolved (sort/uniq removes any duplicates before generating).
- name of the city
- one of 5 telephone number formats:
- Do you want to pipe the results to aircrack-ng? (y/n)
- (if yes) Enter path to .CAP file and SSID of access point
- every possible valid phone number for that city is..
- ...saved to phone.txt if aircrack passthrough is not selected
- ...piped to aircrack-ng to crack a 4-way handshake instead.
Note: Ctrl+C works, but you have to wait for aircrack to exhaust the current list (usually takes about 20 seconds).
phone.sh (5th revision) is available here (pastebin)
Feel free to expand/edit/fix these scripts as you see fit.
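
For the owner of an access point, the figures above mean that a passphrase consisting only of a phone number sits in a search space of at most 10,000,000 candidates per area code. The check below is an added example, not part of passthrough.sh or phone.sh; the separator characters it accepts and the NANP digit rule are assumptions, and `phone_digits`, `search_space` and `audit_passphrase` are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of phone.sh: flag a WPA passphrase that is only a
# US phone number. The separator set and the NANP digit rule are assumptions
# of this sketch; the 10-digit and 7-digit layouts are the ones the post names.

# Print the bare 7 or 10 digits if $1 is phone-shaped; return 1 otherwise.
phone_digits() {
    pd_rest=$(printf '%s' "$1" | tr -d '0-9 ().-')
    [ -z "$pd_rest" ] || return 1        # contains more than digits/separators
    pd_d=$(printf '%s' "$1" | tr -cd '0-9')
    case ${#pd_d} in                     # 11 digits: drop a leading country code 1
        11) case $pd_d in 1*) pd_d=${pd_d#1} ;; *) return 1 ;; esac ;;
    esac
    case $pd_d in                        # area code and prefix start with 2-9
        [2-9]??[2-9]??????|[2-9]??????) printf '%s\n' "$pd_d" ;;
        *) return 1 ;;
    esac
}

# Upper bound on guesses when the area code is known: each prefix contributes
# 10^4 line numbers. Default 1000 = every 3-digit prefix (10,000,000 total).
search_space() {
    echo $(( ${1:-1000} * 10000 ))
}

# Print "phone-number <bound>", "not-phone-number" or "invalid-length".
audit_passphrase() {
    # WPA/WPA2-PSK passphrases are 8 to 63 characters long.
    if [ "${#1}" -lt 8 ] || [ "${#1}" -gt 63 ]; then
        echo "invalid-length"; return 2
    fi
    if phone_digits "$1" >/dev/null; then
        echo "phone-number $(search_space)"; return 1
    fi
    echo "not-phone-number"
}

# Run as: sh audit.sh '<passphrase>'
if [ "$#" -gt 0 ]; then audit_passphrase "$1" || true; fi
```

A `phone-number` result means the passphrase should be replaced with one that is not derived from a phone number; `search_space 250` reproduces the 2,500,000 figure quoted for Albuquerque, since 2,500,000 / 10,000 = 250 prefixes.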