Saturday, 24 September 2011

Cracking WPA Without a Dictionary (Aircrack-ng + WordField)


Instead of using a dictionary on a WPA encrypted network, we can perform a bruteforce attack. Since this post I've written a better article on a much better bruteforce attack which will let you do this in 4-10 hours no matter how big the key is, it's here.

For key generation I will use a tool called WordField, which can be found here.

Usage of this tool is very simple:
wordfield [OPTION...] MINLENGTH [MAXLENGTH]
So running "wordfield -a -n 8 8" will output all possible alphanumeric strings which are 8 characters long.

I will be using the output from this tool as the input for aircrack-ng.
I will just assume that you know how to use aircrack-ng.

When a 4 way handshake has been saved with airodump-ng, the wpa network is now ready to crack. This is usually where a dictionary attack will be launched. But using this method, the dictionary will be generated in realtime against cracking the wpa key.

This is the command to do this, 
wordfield -a -n 8 10 | aircrack-ng -b -w - *.cap
This will pipe the output from wordfield into aircrack-ng. Also, please note that this is only really effective on weak keys, unless you have a lot of computational power.