Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

Wireless How To

Extending the Crack

The obvious limitation of these techniques is the existence of the key within the dictionary file used for the attack. I hope that I never see WPA keys like "dinosaur" or "dictionary", which will be easily cracked by coWPAtty or aircrack-ng.

But something like "dinosaur52" or "D1cti0nary" would seem pretty secure at this point, right? They would at least be missed by a plain-jane sweep through the dictionary and would take a couple million years to straight brute force.

To extend the list of possible keys, we can use the legendary *NIX password cracking tool John the Ripper's wordlist mangling rules to generate permutations and common password additions from a simple dictionary file. These are then fed into either coWPAtty or aircrack-ng on the fly.

When using dictionary attacks, we don't need to worry about short passphrases making it through; coWPAtty and aircrack-ng are both smart enough to drop passphrases shorter than eight characters. In fact, it's smart to leave them in the dictionary file in case they become long enough as a result of John's word mangling rules.

Use John's default word mangling rules, then pipe that list to either coWPAtty or aircrack-ng using (this is done from /usr/local/john-1.7.2 in BackTrack v3, and from /pentest/password/john-1.7.2 in v2):

Some of the commands below have been formatted into multiple lines to fit our page. All commands should be entered on one line.

With coWPAtty:

./john --wordlist=password_list --rules --stdout 
| cowpatty -s ssid -f - -r capture_file

Or using aircrack-ng:

./john --wordlist=password_list --rules --stdout 
| aircrack-ng -e ssid -w - capture_file


./john --wordlist=password.lst --rules --stdout 
| aircrack-ng -e snb -w - Kismet-Jan-15-2008-1.dump

John comes with a built-in set of rules that is fairly limited, but uses a well documented "regex-esque" syntax that allows you to define your own rules.

For example, the default rules append only one number to the words in the dictionary. We can extend this by adding a couple of lines in john.conf to the end of the [List.Rules:Wordlist] section (line 262) that look like this:


This will append all numbers up to 999 onto the end of words in the dictionary file (so it'll now catch "dinosaur52").

Similarly, we can add a few lines to take care of the common letter-punctuation substitutions like substituting a "3" for "E" or a "1" for "l" (the third line applies both substitutions to the word).


We can take this one step further and add numbers to the end to catch things like "g1id355" with the following:


Obviously, these rules get pretty ugly and lengthy quickly, but they also transform a plain dictionary into a formidable weapon against supposedly secure passwords.

The Million Dollar Question

So, how long and cryptic does a passphrase really need to be? The straight answer is: as long and as cryptic as possible! With John's word mangling rules, we're systematically and intelligently attacking passphrases by incorporating common human substitutions and combinations with dictionary lists. Of course, there are some word-based passphrases that could slip through John's mangling rules. but all it takes is a combination of simple rules to catch that those as well.

The plane-jane wordlist that comes with coWPAtty contains 10,201 words. After default mangling with John, that number blossoms to 498,989. Adding our rules from above and that number climbs to 45,720,022. The more rules we add, the more the passphrase search space keeps expanding.

This is still a far-cry from the six quadrillion possible combinations out there. But what makes this dangerous is that we started with distinct set of possible passphrases and used a semi-human approach to making them more cryptic. So, chances are better that if we try 45 million intelligently generated passphrases, we might get lucky and find a winner.

It takes my system about five days to crank through 45 million passphrases. This isn't exactly lightning fast. But given the fact that I could have passively captured your key's hash, by the time you found out, it would be too late.

More Wireless

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!


Over In The Forums

Continuation of the first thread which covered beta 1 through 3.Jan 25th: Beta 5 is now available. Changes since Beta 4:Code: 3790c8fe9a Updated docu...
Hi all!I have a problem that is driving me nuts! My RT AC-86U keeps dropping the internet connection. I've connected another router (not ASUS brand) t...
Hello,I have two ASUS RT-AC68U routers; one is set up as the main router and is connected to my ONT (Vodafone Portugal). The other router is an AI Mes...
I make beta versions of the next kamoj add-on.The beta has a lot more functions than the official 5.0 beta,but is also more tested and with fewer know...
Hello there are you going to support GT-AXE11000 by custom firmware?Thanks

Don't Miss These

  • 1
  • 2
  • 3