Performing the Crack

The Wi-Fi Alliance was wise to require an eight-character minimum for WPA-PSK. A key that long essentially renders brute-force methods useless: the number of possible typeable-character combinations for an eight-character key is just above six quadrillion (that's 94^8, or about 6 x 10^15). So brute-force techniques won't be effective.

What we can do, however, is limit the list of possible passphrases by making educated guesses, compute the hashes of those guesses and check them against our captured key. This technique is referred to as a dictionary attack.

BackTrack 5 R3 comes with a few simple wordlists, which can simply be opened as text files. I looked within the list and did not see my test password "gilbert28" in the lists, so for purposes of demonstration I added it to the bottom. I know what you're going to say, what good is it if you simply add it to the bottom? We'll get to that later. If you don't want to experiment with the simple wordlists included on the BackTrack distro, there are plenty of wordlists around the 'net.

I used a downloaded wordlist containing 172,746 keys. With that list I could mount a dictionary attack on the captured WPA handshake using aircrack-ng. Aircrack-ng runs pretty fast on my attacking system (testing 172,746 keys took 3 minutes flat, or about 980 keys per second), and it has native optimization for multiple processors. Even though it doesn't take a beefy system to run a WPA / WPA2 dictionary attack, I should note that I also ran this same attack on a Q8300 2.4 GHz quad-core, and it finished the same list in one minute and 2 seconds, crunching 2,800 keys per second.
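To put the numbers above together, here is an added example (my own code, not from the article or from the aircrack-ng project) that computes the 94^8 keyspace, estimates how long a full sweep would take at each guess rate quoted on this page, and shows the per-guess work that caps those rates: WPA2 derives its Pairwise Master Key with PBKDF2-HMAC-SHA1 over 4096 rounds, salted with the SSID, so every dictionary guess costs one such derivation. The IEEE 802.11i test vector (passphrase "password", SSID "IEEE") is the sample input; the rate labels in ARTICLE_RATES are mine.

```python
"""Keyspace arithmetic behind the "six quadrillion" figure, the time it would take
to exhaust it at the guess rates quoted in the article, and the per-guess work
that caps those rates.  Added example, not from the article."""
import hashlib
import time

PRINTABLE_ASCII = 94  # the character set behind the article's 94^8


def keyspace(length, charset_size=PRINTABLE_ASCII):
    """Number of distinct keys of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every key in `space` at the given rate."""
    return space / guesses_per_second


def human_duration(seconds):
    """Render a duration in the largest unit that gives a number >= 1."""
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def wpa2_pmk(passphrase, ssid):
    """Pairwise Master Key per IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits,
    with the SSID as the salt.  Every dictionary guess costs one of these, which is
    why cracking tools need the SSID as well as the captured handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Guess rates quoted in the article (keys per second); labels are mine.
ARTICLE_RATES = {
    "aircrack-ng, laptop": 980,
    "aircrack-ng, Q8300 quad-core": 2800,
    "laptop, 45M passphrases in 12 h": 45_000_000 / (12 * 3600),
    "cloud service, 604M words in 1 h": 604_000_000 / 3600,
}


def exhaust_table(length=8):
    """Map each quoted rate to the worst-case time for a full sweep of `length` characters."""
    space = keyspace(length)
    return {name: human_duration(seconds_to_exhaust(space, rate))
            for name, rate in ARTICLE_RATES.items()}


if __name__ == "__main__":
    print(f"keys of 8 printable characters: {keyspace(8):,} (about {keyspace(8):.1e})")
    for name, when in exhaust_table().items():
        print(f"  brute force at {name}: {when}")
    # A 172,746-word dictionary, by contrast, is a matter of minutes.
    print("dictionary of 172,746 words at 980/s:",
          human_duration(seconds_to_exhaust(172_746, 980)))
    # Per-guess cost on this machine: time a batch of PMK derivations on the
    # IEEE 802.11i test vector (passphrase "password", SSID "IEEE").
    n = 200
    t0 = time.perf_counter()
    for _ in range(n):
        wpa2_pmk("password", "IEEE")
    rate = n / (time.perf_counter() - t0)
    print(f"this CPU derives about {rate:,.0f} PMKs per second with hashlib")
```

The SSID salt means precomputed PMK tables only work for one network name, which is why a unique SSID helps against table lookups; it does nothing against a live dictionary run like the one above, where only the unpredictability of the passphrase matters.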

aircrack-ng attack

Start a dictionary attack against a WPA key with the following:

General Form:

aircrack-ng -e AP_SSID -w dictionary_file capture_file

Example (BackTrack 5 R3):

aircrack-ng -e 9105GirardCh6 -w passwords2.txt Ch6-01.cap

Aircrack-ng shows the hex hashes of the keys as it tries them, which is nice since some attacks can take a long time. Figure 8 shows that Aircrack-ng took 3 minutes to find the test key "gilbert28".

Figure 8: Aircrack-ng, Key Found!

Other Methods

If you've been paying attention, you know that I had to add this password to the end of my large dictionary file. The obvious limitation of these techniques is that the key has to exist in the dictionary file used for the attack. WPA keys like "dinosaur" or "dictionary" can be easily cracked by aircrack-ng, but something like "dinosaur52" or "D1cti0nary" would not be. They would at least be missed by a plain-jane sweep through the dictionary and would take a couple million years to straight brute-force.

Or not. It takes my laptop about 12 hours to crank through 45 million passphrases. This isn't exactly lightning fast. But things get a bit scarier when you look at the speed of cloud-based cracking services. That 12 hours it took above to crunch 45 million words can be done in way less than an hour via the cloud.
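As a defender-side check for the weakness just described, here is an added example (my own code, not from the article or from any of the tools it mentions) that reduces a candidate passphrase the way a rule-based cracker would have built it up, stripping leading or trailing digits and undoing common "leet" substitutions, and rejects it if the result is a wordlist entry. SAMPLE_WORDLIST is a constructed stand-in for a real list; load_wordlist reads a one-word-per-line file such as the ones BackTrack ships.

```python
"""Policy check for dictionary-derived passphrases: a word with digits tacked on
or "leet" substitutions is only as strong as the bare word, because rule-based
crackers generate exactly those variants.  Added example, not from the article;
SAMPLE_WORDLIST is a constructed stand-in for a real wordlist."""
import re

# Common leet substitutions, undone.  "1" is ambiguous (i or l), so two tables.
LEET_TABLES = [
    str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}),
    str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}),
]

# Constructed sample; in practice load a real list with load_wordlist().
SAMPLE_WORDLIST = frozenset({"dinosaur", "dictionary", "gilbert", "password", "trustno"})


def load_wordlist(path):
    """Read a one-word-per-line file into a lower-cased set."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return frozenset(line.strip().lower() for line in fh if line.strip())


def candidate_bases(passphrase):
    """Base strings a rule-based attack would derive this passphrase from:
    lower-cased, with leading and/or trailing digits removed, with and
    without leet substitutions reversed.  Yields each distinct form once."""
    p = passphrase.lower()
    forms = (
        p,
        re.sub(r"\d+$", "", p),       # strip trailing digits: dinosaur52 -> dinosaur
        re.sub(r"^\d+", "", p),       # strip leading digits:  52dinosaur -> dinosaur
        re.sub(r"^\d+|\d+$", "", p),  # strip both ends
    )
    seen = set()
    for s in forms:
        for variant in (s, *(s.translate(t) for t in LEET_TABLES)):
            if variant and variant not in seen:
                seen.add(variant)
                yield variant


def dictionary_base(passphrase, wordlist=SAMPLE_WORDLIST):
    """Return the wordlist entry the passphrase reduces to, or None if it
    survives these rules."""
    for base in candidate_bases(passphrase):
        if base in wordlist:
            return base
    return None


def check_policy(passphrase, wordlist=SAMPLE_WORDLIST, min_len=8):
    """Reject passphrases that are too short or that reduce to a wordlist entry."""
    if len(passphrase) < min_len:
        return f"rejected: shorter than {min_len} characters"
    base = dictionary_base(passphrase, wordlist)
    if base is not None:
        return f"rejected: reduces to dictionary word '{base}'"
    return "accepted"


if __name__ == "__main__":
    for candidate in ("dinosaur52", "D1cti0nary", "gilbert28", "7Kq!wz9$Lm", "dino"):
        print(f"{candidate:12} -> {check_policy(candidate)}")
```

The reduction rules here are deliberately the cheap ones (digit affixes, leet), which is what a $17 cloud run or a John the Ripper rule set covers first; a passphrase that passes this check is not thereby strong, only not trivially derived from a single dictionary word.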

Cloud-based cracking services will retrieve the password for you, for a small fee, of course. One such service is CloudCracker. All you do is provide the authentication handshake (the file we looked at with Wireshark), the SSID, and your credit card, and they do the rest. CloudCracker is also not limited to WPA2 passwords; it will retrieve NTLM, SHA-512, MD5 and MSCHAPv2 (PPTP VPN) passphrases, too. The table below shows the pricing structure I was presented with for my WPA / WPA2 crack:

Price   Dictionary size (number of words)   Maximum time
$17     604 M                               1 hour
$34     1,208 M                             1 hour
$68     2,416 M                             1 hour
$136    4,832 M                             2 hours

Table 2: WPA / WPA2 Cracking Prices

I made an executive decision and just went with the $17 cracking option, knowing full well that "gilbert28" was not complex enough to withstand a 604 million word search. As expected, CloudCracker returned my password in 524 seconds (just under 9 minutes) from the moment I clicked Submit Job.

Figure 9: Returning My Password

So do you really need a 64 character randomly-generated password to be safe from cracking? To answer that, I tried a second CloudCracker run. This time I used the default password that came with my NETGEAR router. Some NETGEAR routers (and Cisco Linksys' too) come with what look like easily-crackable default WPA passwords. So I submitted my default—classymoon359—to CloudCracker to see if what I suspected was true.

I had a feeling that the 604 M $17 dictionary wasn't going to do the job, so I bumped up to the 1,208 million word option for $34. Figure 10 shows that CloudCracker completed its work before the allotted hour was up, but failed to recover the password. We'll see why that was in a little while.

Figure 10: fail

If you don't want to spend the money on CloudCracker, there are other tools in the BackTrack distro that you can try. The original version of this article describes techniques using John the Ripper to generate permutations and common password additions to a dictionary file, that can then be fed into coWPAtty or aircrack-ng.

A more powerful alternative is also included in BackTrack 5. oclHashcat-plus uses the power of a graphics processor to speed up password cracking. My Q8300 quad-core machine sports a supported CUDA-enabled Nvidia 9800GT, so I downloaded the oclHashcat-plus binaries and fired them up in Windows 7 64-bit.

The first thing I decided to test was running a dictionary attack against the very same password and wordlist that I used for aircrack-ng. If you remember, this crack took 62 seconds on the quad-core machine.

We will need the same 4-way handshake we used for aircrack-ng, but oclHashcat-plus accepts WPA/WPA2 hashes in its own "hccap" file format, so we'll need to convert the .cap file into something oclHashcat-plus can understand. The easiest way to do this is to use an online converter. If you're paranoid and don't want to hand out that privileged information, you can also use other utilities to generate the file. With the new hccap file in hand, here are our commands:

oclHashcat-plus dictionary attack

Start a dictionary attack against a WPA key with the following:

General Form:

type dictionary_file | cudaHashcat-plus64.exe -m 2500 hash_file 

Example (BackTrack 5 R3):

type passwords2.txt | cudaHashcat-plus64.exe -m 2500 Ch6-01.hccap 

Figure 11: oclHashcat dictionary attack

oclHashcat-plus, running on my 9800GT's GPU, retrieved my passphrase in just 17 seconds, compared to the 62 seconds aircrack-ng needed on the quad-core Q8300. That's an impressive improvement! Of course, this assumes my passphrase is in the wordlist I downloaded, which it wasn't initially; I had to add it.
