
Thread: Cracking WPA-AES knowing part of the passphrase

  1. #1
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    3

    Cracking WPA-AES knowing part of the passphrase

    Hi,

    I am fairly new to wireless security and slowly but surely learning.

    A coworker gave me a challenge last week: he configured a wireless G router, and the deal is that if I manage to get into it I win $200.

    Here is the info I have and have gathered over the week:

    - The router is a D-Link using WPA/AES
    - The passphrase length is 22 characters
    - I already know 11 of those characters: H?5?k?@?W?z?9?O?*?#?5?
    - The ? represents a character I don't have
    - I have the other characters, but not in the right order
    - The other characters are &l0!a$a$=u, and I need to find their order

    - Using airodump-ng I found the BSSID and a client BSSID connected to the router
    - With aireplay-ng I got the handshake and now have the cap file

    - I used crunch to create a wordlist (really huge):

    crunch 22 22 '&10!a$=u' -t h@5@k@@@W@z@9@O@*@#@5@ > /mnt/usb/listdump.txt

    and I am now brute-forcing using aircrack-ng and the dump from crunch as the wordlist.
    Is there any other step you would take to speed up the process knowing all this information?

    One step I'd like to take is to optimise my wordlist: I know the characters are not used more than once, but I did not find a way to generate a wordlist with all those parameters.

    Regards,

  2. #2
    Member
    Join Date
    Sep 2008
    Posts
    146


    For word list construction I would suggest using your favorite word list maker and using it to mangle the variables "&l0!a$a$=u". Take this list and parse it with your known chars "H?5?k?@?W?z?9?O?*?#?5?", inserting your known chars between every other bit. You will probably need to create some script or program to do this; I doubt it would be too difficult, but I haven't attempted to try this before, so who knows. :-)

    You could look at the password from a slightly different perspective and perhaps narrow things down by crafting your word list using meta-information gleaned from what you can deduce based on observation of the password.

    H?5?k?@?W?z?9?O?*?#?5?
    &l0!a$a$=u

    Look for patterns and repetition. For instance, 5 is used twice, once at the beginning of the PW and again at the end. $ is also used twice. I would make a bet that the pattern is significant, and that in a misguided attempt to make the PW more secure, whoever made it tried to keep from repeating characters. This means that the $s are probably far away from each other and therefore close to the 5s.

    H?5?k?@?W?z?9?O?*?#?5?: 5s at opposite ends
    &l0!a$a$=u: a's and $s probably also at opposite ends.

    There seems to be another pattern. In order to create a more secure PW your friend used different cases and symbols (good); it also looks like he was fairly deterministic in his use of the shift key (bad). Let's look at the pattern of use. (+ = shift up, - = shift down)

    H?5?k?@?W?z?9?O?*?#?5? looks like -?+?+?-?-?+?+?-?-?-?+?
    &l0!a$a$=u looks like - + + - + - + - + +

    Just using my own preferences as a guide, I know I like to alternate holding down the shift key and pressing a key, making me more inclined to use a +-+-+- pattern like a#6Bm!, and by the even distribution of + to - in your password (11 +s to 10 -s) I'd say that your friend did something similar.

    Finally, let's look at the physical layout of key distribution. For this we need to make a few assumptions. I am betting your friend used a typical 108-key US keyboard with a number strip across the top. He is also a good typist (who works in IT and isn't? :-) and is right-handed. I'll split the keyboard into zones:

    Zones A B C D (formatting is a little off: A over 123, B over 456, etc.)
    1 - [`123] - [456] - [789] - [0-=]
    2 - [qwe]  - [rty] - [uio] - [p[]\]
    3 - [asd]  - [fgh] - [jkl] - [;']
    4 - [z-x]  - [cvb] - [nm,] - [./]

    H?5?k?@?W?z?9?O?*?#?5? becomes 3B,?,1B,?,3C,?,1A,?,2A,?,4A,?,1C,?,2C,?,1C,?,1A,?, 1B,?
    &l0!a$a$=u becomes 1C,3C,1D,1A,3A,1B,3A,1B,1D,2C

    Seeing some patterns popping up in there yet? Combine this with what you know about shift key distribution and dual character distribution, add a dash of common sense, and put it all together. I'd probably get shot by a statistician or cryptanalysis expert for saying this, but if you can see the patterns you can "feel out" the password based on what you know about human nature. I'm not saying that you can guess the answer off the top of your head by doing this, but it's really the only good way I've found to tackle these behemoth 20-60 key PWs people seem so fond of today. If you can increase the chances of getting the PW by even a few % through analysis, you can save hours cracking small PWs and shave months off the big ones.

    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  3. #3
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    3


    Really impressive analysis.

    Analysing patterns in the password is something I did not even think of; I will give it a try for sure!

    Thank you very much for your help, this is more than I was expecting.

    I'll let you know if anything good comes out of it.

    Regards,

  4. #4
    Member imported_vvpalin
    Join Date
    Apr 2009
    Posts
    442


    This is the only thing I could think of when reading your post.

    xkcd - A Webcomic - Regular Expressions

    It's even better because I'm actually learning Perl lmao

    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

  5. #5
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    3


    haha I love xkcd :P

  6. #6
    Member
    Join Date
    Sep 2008
    Posts
    146


    Quote Originally Posted by vvpalin:
    This is the only thing I could think of when reading your post.

    xkcd - A Webcomic - Regular Expressions

    It's even better because I'm actually learning Perl lmao

    LOL, it was probably a bit of overkill for this particular problem, as brute forcing within the restricted char set should get the PW in 24 hours or better on a decent PC. Hell, a GPU with some CUDA support like in the upcoming BT4 release could cut that down to 2 hours. It's really a brave new world out there for WiFi security; WPA is getting eaten alive by Moore's law.
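A way to put numbers on the search-space reduction this thread is about, added here as an example that is not code from the thread or from any of the tools it names (crunch, aircrack-ng). It counts how many candidates remain once character positions and the leftover multiset are both known (the situation in post #1), compares that with the naive keyspace of a 22-character printable-ASCII passphrase, and estimates worst-case exhaustion time at an assumed guess rate (the rate is an assumption, not a figure from the thread). The mask and pool exactly as posted do not line up (11 wildcards against 10 leftover characters), which the consistency check reports instead of counting from mismatched inputs; the shortened mask used in the fallback is a constructed variant.

```python
import math
from collections import Counter

# Constructed sample inputs, copied from the thread's first post: the mask of
# known characters ('?' = unknown position) and the leftover characters that
# are known to occur but whose order is unknown. Sample data only.
MASK = "H?5?k?@?W?z?9?O?*?#?5?"
POOL = "&l0!a$a$=u"

# Assumption: guess rate used for the time estimate (PMK derivations per
# second). The thread quotes no number; 300/s is a placeholder to show scale.
ASSUMED_GUESSES_PER_SECOND = 300

PRINTABLE_ASCII = 95  # alphabet size for the naive, structure-free estimate


def unknown_slots(mask: str, wildcard: str = "?") -> int:
    """Count the positions in the mask that are still unknown."""
    return mask.count(wildcard)


def inputs_consistent(mask: str, pool: str) -> bool:
    """True when the leftover pool fills the mask's unknown slots exactly."""
    return unknown_slots(mask) == len(pool)


def multiset_arrangements(pool: str) -> int:
    """Distinct orderings of a multiset: n! divided by k! for each repeated char."""
    total = math.factorial(len(pool))
    for repeats in Counter(pool).values():
        total //= math.factorial(repeats)
    return total


def candidate_space(mask: str, pool: str) -> int:
    """Candidates left once slot positions and the leftover multiset are known.

    A pool that does not fill the mask exactly means the inputs are
    inconsistent and no sensible count exists, so it is reported rather
    than silently padded or truncated.
    """
    if not inputs_consistent(mask, pool):
        raise ValueError(
            f"mask has {unknown_slots(mask)} unknown slots "
            f"but pool has {len(pool)} characters"
        )
    return multiset_arrangements(pool)


def bits(candidates: int) -> float:
    """Guessing entropy in bits for a uniformly likely candidate set."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return candidates / rate


def strength_report(mask: str, pool: str) -> dict:
    """Compare the naive keyspace of the whole passphrase with the residual one."""
    length = len(mask)
    residual = candidate_space(mask, pool)
    return {
        "length": length,
        "naive_bits": length * math.log2(PRINTABLE_ASCII),
        "residual_candidates": residual,
        "residual_bits": bits(residual),
        "seconds_at_assumed_rate": seconds_to_exhaust(residual),
    }


if __name__ == "__main__":
    if inputs_consistent(MASK, POOL):
        report = strength_report(MASK, POOL)
    else:
        # The values exactly as posted trip this check: 11 wildcards, 10 leftovers.
        print(f"inconsistent inputs: {unknown_slots(MASK)} slots, {len(POOL)} chars")
        # Constructed variant with one wildcard fewer, so the pool fits exactly.
        report = strength_report(MASK[:-1], POOL)
    for key, value in report.items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
```

The figure a defender should take from this is the gap between the two estimates: roughly 140 bits of naive keyspace for a passphrase this long, against under 20 bits once the positions and the leftover characters are known, which is why a long passphrase built from a memorable pattern, or one that is partly disclosed, offers far less margin than its length suggests.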
