Aircrack-ng forum

General Category => General help => Topic started by: nooby22 on July 14, 2015, 08:17:37 pm

Title: WPA Wordlists - any suggestions
Post by: nooby22 on July 14, 2015, 08:17:37 pm
I am still a relative newbie so please bear with me. I was able to capture WPA handshakes from 2 APs. I ran aircrack (on Kali Linux) using 5 wordlists which ranged in size between approx 50 KB and 150 MB. The password was not found using any of the wordlists. I also tried an online cracker at http://wpa.darkircop.org/ with no luck.

I noticed the wordlists I've been using all have words. I need passwords which are a random combination of letters and numbers, lowercase and uppercase, 10 characters long. My second question is, is there a way to get the modem/router vendor and/or model number from the MAC address?


PS On a side note, I was having a hard time capturing WPA handshakes but when I started using interface wlan0 instead of mon0, it worked right away! Just a tip for you guys...
Title: Re: WPA Wordlists - any suggestions
Post by: misterx on July 15, 2015, 02:55:38 am
1. Look in the FAQ, there might be wordlists that match that. Or use crunch.
2. Yes, partially. The first few bytes of the MAC tell you who the manufacturer is. It is possible to fingerprint based on how they respond to different types of frames (there was a talk about it years ago) but I don't think it's maintained or updated.
Title: Re: WPA Wordlists - any suggestions
Post by: Hosehead1 on August 30, 2015, 11:11:01 pm
Hello nooby22, I feel your pain! lol
I saw an access point named something like:
DG860AB1
I found that the default password was like this:
DG860A1CAAB1
In such cases you can make a small wordlist containing all the default passwords for routers starting with DB860A with "Cripple-Master". It also works on more than just the ARRIS model mentioned above! Check it out:
github.com/GuerrillaWarfare/Crippled
Title: Re: WPA Wordlists - any suggestions
Post by: kcdtv on August 31, 2015, 02:24:46 pm
 
Quote
is there a way to get the modem/router vendor and/or model number from the MAC address?
If the router has WPS enabled, have a look in the probes, especially the "WPS" category. You may see there the serial number and the exact model (it depends; some devices show minimal information, others give away a lot of data).
You can do
Code:
sudo iw dev scan
and you will get the information directly in the shell.
Check what I get: (http://pix.toile-libre.org/upload/original/1441030938.png)
The only thing this Technicolor router doesn't give away is the WPA key  ;D

@ Hosehead1
This repository seems to be down.
According to this post, crippled wpawpa2 default key generator (https://evilzone.org/scripting-languages/crippled-wpawpa2-default-key-generator/), the tool just included the algorithm revealed by Numlock in this PDF: Numlock PDF (http://www38.zippyshare.com/v/89004997/file.html)
Numlock didn't make any PoC but it is quite easy to do manually, or you can use this simple bash script to generate the default WPA key: blk.sh (https://www.wifi-libre.com/img/members/3/blk.zip)
This webpage is quite interesting, with a quite complete set of default WPA generators online: routerpwn (http://www.routerpwn.com) (and it includes this Belkin generator)

Do you have more information about this Arris default WPA? I was not able to find anything and I am interested. Thanks in advance  :)
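As an added example (not from this thread or from any tool it mentions), the Python below parses `iw wlan0 scan` output and reports which of your own access points expose manufacturer, model and serial number in their WPS information element, the disclosure kcdtv describes above. The scan text is a constructed sample; the attribute names follow the layout iw prints for a WPS-enabled AP.

```python
import re
# Constructed sample of `iw wlan0 scan` output (not real captured data).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tSSID: HomeNet-A
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Manufacturer: ExampleVendor
\t\t * Model: XV-1234
\t\t * Serial Number: SN00012345
BSS 66:77:88:99:aa:bb(on wlan0)
\tSSID: HomeNet-B
\tRSN:\t * Version: 1
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)
FIELD_RE = re.compile(r"^\s*\* ([^:]+): (.*)$")
# WPS attributes that identify the exact device behind an AP.
SENSITIVE = ("Manufacturer", "Model", "Model Number", "Serial Number", "Device name")

def parse_iw_scan(text):
    """Return {bssid: {"ssid": str, "wps": {attribute: value}}}."""
    aps, cur, in_wps = {}, None, False
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:  # a new BSS entry starts; reset per-AP state
            cur = aps.setdefault(m.group(1).lower(), {"ssid": "", "wps": {}})
            in_wps = False
            continue
        if cur is None:
            continue
        stripped = line.strip()
        if stripped.startswith("SSID: "):
            cur["ssid"], in_wps = stripped[6:], False
        elif stripped.startswith("WPS:"):
            in_wps, stripped = True, stripped[4:]
        elif not line.startswith("\t\t"):
            in_wps = False  # any other top-level attribute ends the WPS block
        f = FIELD_RE.match(stripped) if in_wps else None
        if f:
            cur["wps"][f.group(1).strip()] = f.group(2).strip()
    return aps

def disclosing_aps(aps):
    """Map each BSSID that leaks identifying WPS attributes to those attributes."""
    return {b: {k: v for k, v in a["wps"].items() if k in SENSITIVE}
            for b, a in aps.items() if any(k in SENSITIVE for k in a["wps"])}
```

Pipe the real scan through `parse_iw_scan` and anything returned by `disclosing_aps` is an AP whose WPS element should be reviewed (or WPS disabled) on your own network.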
Title: Re: WPA Wordlists - any suggestions
Post by: Hosehead1 on September 01, 2015, 03:47:33 am
Hello kcdtv,
Darn that page for going AWOL on us, I myself just downloaded Cripple-master only a few days ago!  Here is some text off its (now missing) page:
----------------------------------
Susceptible "Modems":
1. DDW365  - DDW365[XXXX]XX
2. SBG6580 - SBG6580[XXXX]XX
3. U10C022 - U10C022[XXXX]XX
4. DDW3611 - DDW3611[XXXX]XX
5. DDW3612 - DDW3612[XXXX]XX
6. TG852G  - TG852G[XXXX]XX
7. DWG875  - DWG875[XXXX]XX
8. TG1672G - TG1672G[XXXX]XX - Proven, but not the highest success rate.
9. DVW3201B - DVW3201B[XXXX]XX - Proven, but not the highest success rate.

Belkin:
Vulnerable SSIDs:
1. Belkin.XXXX
2. Belkin_XXXXXX
3. belkin.xxxx
4. belkin.xxx

Vulnerable BSSIDs:
1. 94:44:52
2. 08:86:3B
3. EC:1A:59

Usage:
./crippled -e belkin.4e4 -b EC:1A:59:08:86:3B belkin

Generating all possible keys for belkin.4e4
Generated 8 keys for belkin.4e4
The file belkin.4e4.possible.keys has your generated keys.
----------------------------------

I saved the webpage, and could zip and upload the page plus the tool. (are noobs like me allowed to post download links here?)
Title: Re: WPA Wordlists - any suggestions
Post by: kcdtv on September 01, 2015, 12:59:06 pm
Damned!  :D
I am sure there is no problem putting a link  ;)
Anyway, this text file that you saved from destruction is already telling us a lot :) with this list of devices with this very bad key structure.
Thanks a lot!

Title: Re: WPA Wordlists - any suggestions
Post by: Hosehead1 on September 07, 2015, 10:56:15 pm
OK kcdtv, I'm back. Here are download links for the Crippled-Master tool along with the saved webpage. It's about a 27.3 MB download:
http://filepi.com/i/aGpsT2g
but if that link dies you can get the same file from this other host:
http://www18.zippyshare.com/v/3PESEsdY/file.html
Title: Re: WPA Wordlists - any suggestions
Post by: kcdtv on September 10, 2015, 12:59:52 pm
Great! Thank you so much.  :)
Title: Re: WPA Wordlists - any suggestions
Post by: Hosehead1 on October 02, 2015, 06:48:47 am
Hello kcdtv,
Regarding your reply #3, I cannot get information to show in the terminal as you illustrate in the image. Exactly what steps are needed to get there?
And BTW, this:
iw dev scan
doesn't work for me in Kali 2.
Any help will be greatly appreciated!
Title: Re: WPA Wordlists - any suggestions
Post by: bobbyby on October 31, 2015, 08:30:12 pm
>iw dev scan

Make sure dev is the device to use:

iw wlan0 scan
Title: Re: WPA Wordlists - any suggestions
Post by: redspy on October 05, 2016, 03:31:06 pm
It seems the current location of the Crippled-Master tool on GitHub is: https://github.com/Konsole512/Crippled