Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Mesh Charts

Click for Mesh Charts

Extending the Crack

The obvious limitation of these techniques is the existence of the key within the dictionary file used for the attack. I hope that I never see WPA keys like "dinosaur" or "dictionary", which will be easily cracked by coWPAtty or aircrack-ng.

But something like "dinosaur52" or "D1cti0nary" would seem pretty secure at this point, right? They would at least be missed by a plain-jane sweep through the dictionary and would take a couple million years to straight brute force.

To extend the list of possible keys, we can use the legendary *NIX password cracking tool John the Ripper's wordlist mangling rules to generate permutations and common password additions from a simple dictionary file. These are then fed into either coWPAtty or aircrack-ng on the fly.

When using dictionary attacks, we don't need to worry about short passphrases making it through; coWPAtty and aircrack-ng are both smart enough to drop passphrases shorter than eight characters. In fact, it's smart to leave them in the dictionary file in case they become long enough as a result of John's word mangling rules.

Use John's default word mangling rules, then pipe that list to either coWPAtty or aircrack-ng using (this is done from /usr/local/john-1.7.2 in BackTrack v3, and from /pentest/password/john-1.7.2 in v2):

Some of the commands below have been formatted into multiple lines to fit our page. All commands should be entered on one line.

With coWPAtty:

./john --wordlist=password_list --rules --stdout 
| cowpatty -s ssid -f - -r capture_file

Or using aircrack-ng:

./john --wordlist=password_list --rules --stdout 
| aircrack-ng -e ssid -w - capture_file


./john --wordlist=password.lst --rules --stdout 
| aircrack-ng -e snb -w - Kismet-Jan-15-2008-1.dump

John comes with a built-in set of rules that is fairly limited, but uses a well documented "regex-esque" syntax that allows you to define your own rules.

For example, the default rules append only one number to the words in the dictionary. We can extend this by adding a couple of lines in john.conf to the end of the [List.Rules:Wordlist] section (line 262) that look like this:


This will append all numbers up to 999 onto the end of words in the dictionary file (so it'll now catch "dinosaur52").

Similarly, we can add a few lines to take care of the common letter-punctuation substitutions like substituting a "3" for "E" or a "1" for "l" (the third line applies both substitutions to the word).


We can take this one step further and add numbers to the end to catch things like "g1id355" with the following:


Obviously, these rules get pretty ugly and lengthy quickly, but they also transform a plain dictionary into a formidable weapon against supposedly secure passwords.

The Million Dollar Question

So, how long and cryptic does a passphrase really need to be? The straight answer is: as long and as cryptic as possible! With John's word mangling rules, we're systematically and intelligently attacking passphrases by incorporating common human substitutions and combinations with dictionary lists. Of course, there are some word-based passphrases that could slip through John's mangling rules. but all it takes is a combination of simple rules to catch that those as well.

The plane-jane wordlist that comes with coWPAtty contains 10,201 words. After default mangling with John, that number blossoms to 498,989. Adding our rules from above and that number climbs to 45,720,022. The more rules we add, the more the passphrase search space keeps expanding.

This is still a far-cry from the six quadrillion possible combinations out there. But what makes this dangerous is that we started with distinct set of possible passphrases and used a semi-human approach to making them more cryptic. So, chances are better that if we try 45 million intelligently generated passphrases, we might get lucky and find a winner.

It takes my system about five days to crank through 45 million passphrases. This isn't exactly lightning fast. But given the fact that I could have passively captured your key's hash, by the time you found out, it would be too late.

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Don't Miss These

  • 1
  • 2