Recently I have been a bit frustrated with cracking wireless keys and was looking for better ways to improve the speed.

I decided to setup a Amazon Ec2 cluster to give that a go at cracking WPA handshakes and also to improve general password cracking with John the Ripper.

It can be quite annoying gaining the handshake or hash whilst onsite on a client test and not having enough time or power to crack them.

I have done some playing around and managed to setup a dual cluster in Amazon. It wasn’t that easy to setup, but I wont get into detail in this post of how to do that.

The reason that the Amazon cloud cluster appeals to me is I can just power it on when I need it and only costs around $2 USD per hour whilst it is on. So a very cheap solution for cracking. I am currently using a cluster of just 2 systems, but you can increase this up to 20 systems.

I have created some comparisons between my laptop and the cluster. My laptop is a very good spec and fast system.

My laptop

8GB RAM – Intel i7 8 Core

Amazon EC2

22GB RAM 8 Core (2x cluster, so 16 cores)

WPA Cracking

Aircrack-ng

Aircrack is probably the most commonly used cracking tool for wireless PSK handshakes used with WPA/WPA2 etc. The issue is aircrack is only multi threaded and not multi core. So it wont utilise all that power you have. It will still run fast and is a great tool. Below are some stats on running aircrack on my laptop and on the cluster.

Aircrack running on my laptop

So we are getting 2,716 k/s which is still pretty fast on the laptop.

Aircrack running on Amazon cluster

So on the Amazon cluster we are getting 6,969 k/s – 7,1000 k/s – fast but not the increase you would expect from the cluster, only about 2x as fast. This is because it will not utilise all the cores available.

Pyrit

Pyrit will also crack WPA handshakes and the advantage of this is it supports multi core. So you can crack the PSK much quicker than aircrack.

Some Pyrit stats using the benchmark.

Pyrit running on my laptop (is utilising all 8x cores).

So you can see 2,346 PMKs/s using all 8 cores on my laptop… pretty fast!

Pyrit running on Amazon EC2 with all 16 cores in the cluster.

45,041 PMKs/s – so about 20x faster. Not bad hey!

Cracking the WPA PSK with Pyrit

On my laptop (using 8x cores)

 (speed varied between 1800 and 2300 PMKs)

On Amazon cluster (using 16x cores)

Speed varied between 24,000 PMKs and 50,000 PMKs but mostly sat around 49,000 – pretty fast! at least 10-20x faster than the laptop and 4-8x faster than running aircrack on the cluster.

Password Cracking With John The Ripper

My laptop (no MPI support installed)

We are getting 2,944K c/s. Not bad for a laptop.

My Laptop (with MPI support installed using 8x cores)

9,59K c/s on the same laptop once MPI support installed using 8x cores

Amazon EC2 (with MPI support installed using 16 cores)

On the cluster we are getting 23,273K c/s – Pretty impressive!

Wordlists and Using John/Crunch

One of the big issues I find with trying to brute force the WPA handshakes is always wordlists. I have a massive collection of wordlists, but generally I don’t have that much success when trying to reveal the key. Most wordlists are mixed character length, so running a standard wordlist that has passwords between 4-7 characters is a waste of time when the WPA key will be 8 characters or more.

What I have done recently is harness the power of John or Crunch and feed that into Aircrack etc, so I don’t have to use wordlists.

John The Ripper

What you can do is feed John’s power into Aircrack. So you will not need a wordlist. You can also lock John down further by setting the min/max length or character sets, this will save you time in any password cracking you try.

The below command will feed John into Aircrack without using a wordlist.

john –incremental=All –stdout | aircrack-ng -b 00:FE:F4:23:BD:A0 -w – handshake.cap

Ideally we want to lock John down more, if you suspect it is a pin code and not a word you could use –incremental=digits etc. But we really want to set the min/max key lengths as what is the point of testing from 0-7 characters if they will not be there?.

Edit john.conf and copy a existing section and edit it accordingly.

Now we would call the custom setting like this

john –incremental=Alnum8 –stdout | aircrack-ng -b 00:FE:F4:23:BD:A0 -w – handshake.cap

This will only test for 8 character passwords. Quite often if I don’t have much luck cracking the wireless key, I will at least ask the client for the length so I can drill it down more.

Crunch

You can also use Crunch to create wordlists on the fly and feed these into Aircrack.

For example

crunch 8 8 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng -b 00:FE:F4:23:BD:A0 -w – handshake.cap

Thiswill test a min length or 8 and max length of 8 characters. a-z upper and lowercase, numeric 0-9. You can also add other characters such as !$% etc. You can also set the format, so if you know it ends in 1234 you could do -t @@@@1234 and it will only match where the @ symbols are.

Here you will see the above feeding into Aircrack. Obviously this is still going to take a LONG time as so many combinations.

For this demo I setup my AP with a weak 8 character key. Lets say we know this is comm something, useful if you think it is the company name on a test. So lets run crunch and match everything after comm and lets assume it is all lowercase.

So we will run this. This will try comm then all lowercase characters to crack digits 5,6,7,8

crunch 8 8 abcdefghijklmnopqrstuvwxyz -t comm@@@@ | aircrack-ng -b 00:FE:F4:23:BD:A0 -w – handshake.cap

As we can see below it cracked the key. It was commonxx, this only took 39 seconds as we limited the options right down.

You can also feed John or Crunch into Pyrit in just the same way and crack even faster. The below example was over 4x faster than Aircrack on the same cluster.

crunch 8 8 abcdefghijklmnopqrstuvwxyz -t comm@@@@ | pyrit -r handshake.cap -i – -b 00:FE:F4:23:BD:A0 attack_passthrough

Other handy scripts for Wordlist generation I use.

A Python script called generate. This is an excellent script if you want to generate combinations of a company name. i.e swapping E = 3, 0 for 0, Uppercase etc.

You can download this here:

http://average-coder.blogspot.com/2011/09/password-combination-generator.html

So if our company name is commonexploits you would do this.

python generate.py commonexploits |tee cxwords.txt

This will create a file called cxwords.txt with 331,776 combinations. You can tweak the script combinations to reduce or increase this.

For example you will get these results.

Also I use an old perl script called Wordlist50 that is very similar to Crunch and also custom length/character wordlists to be created.

You can download it here:

http://packetstormsecurity.org/files/32120/wordlist50.pl.html