Cracking WPA is a bitch!
Mickey
Down with MJ yo
Posts: 3,663.2843 Threads: 251
Joined: 26th Apr 2008
E-Pigs: 28.7300
|
RE: Cracking WPA is a bitch!
(09/01/2011 05:38 PM)ZiNgA BuRgA Wrote: WPA was made to fix problems in WEP.
I doubt a rainbow table would work - you're not cracking a hash.
If it's not a dictionary, you could try a hybrid attack if your app supports it. Beyond that, try passwords they're likely to use.
Does WPA use passwords though? I thought they just used hex formatted keys, not passwords...
(09/01/2011 05:29 PM)Barcelona Wrote: lol I've only bruteforced a RAR file
Must've been the easiest RAR (i.e. crappiest password). RAR encryption is relatively secure.
It actually is a hash, but it's salted by the SSID, which is why rainbow tables only work with common SSIDs such as Netgear or Linksys. This one was Mark423 :/ What's a hybrid attack? Aircrack encodes the password with the salt and compares it to the hash captured in the 4-way handshake. I've got it to work other times :/
Quote: Problem is, it's a very slow process. Each passphrase is hashed 4096 times with SHA-1 and 256 bits of the output is the resulting hash. This is then compared to the hash generated in the initial key exchange. A lot of computing power is required for this. My dopey little P3/700 laptop only tests about 12 passphrases/second.
To complicate matters, the key hash can be different depending on the network it's implemented on. The SSID and the SSID length are seeded into the passphrase hash. This means that the passphrase of 'password' will be hashed differently on a network with the SSID of 'linksys' than it will on a network with the SSID of 'default'.
Source
EDIT: John the Ripper (JtR) takes a wordlist provided, and adds numbers and substitutes symbols for letters etc., which is what I'm running now. Is that a hybrid attack?
(This post was last modified: 09/01/2011 06:57 PM by Mickey.)
|
|
09/01/2011 06:51 PM |
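Added example, not part of any post in this thread: the key derivation described in the quoted text above (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit output), showing that the same passphrase yields unrelated keys under the SSIDs 'linksys' and 'default', and how exhaustive-search time at the quoted 12 passphrases/second grows with passphrase length. The function names and the 26-letter lowercase alphabet are assumptions of this example.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK key: PBKDF2-HMAC-SHA1, SSID as salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every passphrase of one length at a given rate."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def derivations_per_second(samples: int = 20) -> float:
    """Time the key derivation on this machine (single core, constructed inputs)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"constructed-sample-{i:04d}", "default")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Same passphrase, different SSID salt: a table precomputed for one
    # SSID is useless against the other.
    for ssid in ("linksys", "default"):
        print(f"{ssid:8s} {wpa_pmk('password', ssid).hex()}")

    print(f"this machine: {derivations_per_second():.0f} derivations/second")

    # Assumption: passphrase drawn at random from 26 lowercase letters.
    # 12/s is the rate quoted in the thread.
    for length in (8, 10, 12):
        years = years_to_exhaust(26, length, 12)
        print(f"{length} random lowercase letters at 12/s: {years:,.0f} years")
```

A random passphrase and a non-default SSID are what keep both precomputed tables and wordlist-based guessing out of reach; a dictionary word with digits appended gets none of the keyspace shown here.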
|
Mickey
|
RE: Cracking WPA is a bitch!
I have noooo idea what router it is :/
|
|
09/01/2011 09:42 PM |
|
ZiNgA BuRgA
Smart Alternative
Posts: 17,022.2988 Threads: 1,174
Joined: 19th Jan 2007
Reputation: -1.71391
E-Pigs: 446.1294
|
RE: Cracking WPA is a bitch!
(09/01/2011 06:51 PM)Mickey Wrote: It actually is a hash, but it's salted by the SSID, which is why rainbow tables only work with common SSIDs such as Netgear or Linksys. This one was Mark423 :/ What's a hybrid attack? Aircrack encodes the password with the salt and compares it to the hash captured in the 4-way handshake. I've got it to work other times :/
Oh I see, you've captured the key exchange...
And yes, you got the idea of a hybrid attack. Typically, appending some numbers/letters to words also works.
|
|
10/01/2011 04:00 AM |
|
Mickey
|
RE: Cracking WPA is a bitch!
It's been 16 hours and the hybrid attack with a small 10 MB list is only at 24%. This is one of my smaller lists lol
|
|
10/01/2011 07:03 AM |
|