How to Speed up Dictionary Attack?


(Joshep) #1

Let us suppose a victim WiFi password is of 10 digits (containing only numbers) whose first two digits are fixed (let's say 54).
I successfully created a word list using crunch (file size 1.1 GB).
When I try to crack it using aircrack-ng it takes more than a day.
How do I test all the numbers within a couple of hours?

(Hardeep Singh) #2

One of the best ways to crack the handshake at higher speed but lower cost is by renting a Cloud GPU for:

  1. Cracking WPA2 Hash using HashCat
  2. Storing calculated hash using GenPMK and using CoWPAtty to crack at speed (possibly) at a million passphrases per second.

Read here for details about cracking WPA2 at a million passphrase/sec.

Here’s my suggestion for the setup you’d want to use:

  • Use an Amazon EC2 server with the desired configuration. Use t2.micro on Kali/Ubuntu for starters.
  • Attach an elastic GPU to it. Choose wisely!
  • Import your handshake or hccap file via Amazon S3
  • Crack with Hashcat

You can save costs dramatically (up to 70%) if you use Amazon EC2's Spot Instances. You can also save costs on GPU computational power.

A GPU or GPU-based instance is more expensive than a simple CPU-based instance.

Amazon P3 Instance Pricing/Savings Chart

Here's a little comparison chart of your per-hour savings when using P3 GPU instances:

Model         On-Demand Price   Spot Price    Savings
p3.2xlarge    $3.06/hr          $1.2289/hr    70%
p3.8xlarge    $12.24/hr         $3.672/hr     60%
p3.16xlarge   $24.48/hr         $7.3491/hr    70%

Amazon P3 Instances are made up of Nvidia Tesla V100 GPUs. Read more about P3 Instances here

Hashcat Benchmark on Amazon p3.16xlarge

Here's an excerpt from the Hashcat benchmark on p3.16xlarge:

Hashmode: 2500 - WPA/WPA2

Speed.Dev.#1.....:   791.3 kH/s (51.59ms)
Speed.Dev.#2.....:   790.8 kH/s (51.56ms)
Speed.Dev.#3.....:   789.5 kH/s (51.75ms)
Speed.Dev.#4.....:   790.4 kH/s (51.58ms)
Speed.Dev.#5.....:   790.9 kH/s (51.65ms)
Speed.Dev.#6.....:   792.1 kH/s (51.48ms)
Speed.Dev.#7.....:   789.0 kH/s (51.72ms)
Speed.Dev.#8.....:   791.1 kH/s (51.55ms)
Speed.Dev.#*.....:  6325.0 kH/s

So according to Spot pricing, taking half an hour extra for setup, you can crack around 6325000 * 60 * 60 = 22,770,000,000.

A p3.16xlarge gives you approximately 23 billion WPA2 passphrases/hr worth of cracking speed for $10 for 1.5 hours of usage. Isn't it cool?

Now of course you won't spend that much for cracking your neighbour's WiFi, but you get the idea.

If you are considering only numbers, P3 instances can do it quite swiftly. But you can use a crunch-based dictionary to save some more time and cost :slight_smile:

(Joshep) #3

The file we created named “PYRIT_rootsh3ll” with the command

pyrit -o "PYRIT_rootsh3ll" -i "length08.txt" -e "rootsh3ll" passthrough

Can we use it next time to crack other .cap files?

(Hardeep Singh) #4


Remember that these pre-generated PMKs are exclusive to the exact SSID they were created for.
So if your SSID is "jeddywifi" then it'll work for the same SSID only. I have explained why this happens here: Why Rogue Access Points Cannot Sniff Cleartext WPA/2 Passphrase?

Read #3

(Joshep) #5

So that means after I successfully cracked the jeddywifi password,
I can't use the same pyrit file for cracking the "joshepwifi" password?

(Hardeep Singh) #6

Right! This is the reason you can't call a pre-generated PMK a rainbow table: it is exclusive to the SSID used.
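
The SSID-binding described above, as an added example that is not part of the thread: the WPA2 PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), so the same passphrase yields a different PMK for every SSID, and a table built for "jeddywifi" is useless against any other network. The keyspace/time helpers at the end use the thread's own numbers (10 digits with 2 fixed, 6325 kH/s) and are assumptions for illustration only.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PMK as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32-byte key)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_table(passphrases, ssid: str) -> dict:
    """Precompute a {passphrase: PMK} table for ONE SSID (what pyrit/genpmk store)."""
    return {p: wpa2_pmk(p, ssid) for p in passphrases}


def table_valid_for(table: dict, ssid: str) -> bool:
    """True only if every stored PMK matches a fresh derivation for `ssid`.
    A table built for one SSID fails this check for every other SSID."""
    return all(wpa2_pmk(p, ssid) == pmk for p, pmk in table.items())


def candidate_count(total_digits: int, fixed_prefix: str) -> int:
    """Size of an all-numeric keyspace once a known prefix is removed."""
    return 10 ** (total_digits - len(fixed_prefix))


def hours_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Worst-case wall-clock hours to try every candidate at a given rate."""
    return candidates / rate_per_second / 3600.0


if __name__ == "__main__":
    # Published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").
    print(wpa2_pmk("password", "IEEE").hex())
    # Constructed passphrases: the same list gives two unrelated tables.
    words = ["5400000000", "5412345678", "5499999999"]
    t = pmk_table(words, "jeddywifi")
    print("reusable for jeddywifi:", table_valid_for(t, "jeddywifi"))   # True
    print("reusable for joshepwifi:", table_valid_for(t, "joshepwifi")) # False
    # Risk estimate from the thread's numbers: 10 digits, "54" fixed, 6325 kH/s.
    n = candidate_count(10, "54")
    print(n, "candidates,", round(hours_to_exhaust(n, 6_325_000) * 3600), "seconds")
```

A numeric-only passphrase is exhausted in seconds at the quoted rate, which is the defensive takeaway: passphrase entropy, not a rare SSID, is what makes the PBKDF2 cost bite.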

(Joshep) #7

I used pyrit to create the file and it is taking more than one day.
Again, there is cowpatty left to try.
When I try to crack the password using aircrack-ng -w .txt .cap
it also takes more than one day...
So what's the point of using pyrit and cowpatty?

(Hardeep Singh) #8

Tools are already using 100% of the GPU power, so at that segment there's no point in choosing one tool over another, except that your comfort or love for the tool can help you choose one.

The key here is: anyhow, you create the PMK for a generic SSID, for example "NETGEAR", and use the PMK to crack the passphrases at far higher speed. It is a one-time calculation, no matter what tool you use. Just get it done once.

Another key here is the cracking power that we discussed earlier.

Apart from just investing your time and money in cracking passwords, try learning some social engineering and learn HTML/CSS, nginx server handling, and MySQL to trick the user into handing the password over to you him/herself :slight_smile:

Or find another way to get your job done. Brute-forcing is just not that effective for cracking WPA2.

(Joshep) #9

All you said above...
Can we learn it from the internet by ourselves, or do we need to take classes?

(Hardeep Singh) #10

All from the Internet. No need to join classes for basic stuff. Read this thread for an initial push: I want to get into ethical hacking and pentesting. No prior experience. Where do I begin?