Advanced Cracking Techniques, Part 1: Custom Dictionaries
How did it happen? How did your ultra-secure WPA password on your wireless network get broken into? Well, you might have just found yourself at the mercy of a cracker.
Crackers are malicious computer users who specialize in breaking into things. Whether it be passwords, logins, encryption, or whatever they choose, they are the masters of breaking into it.
What makes a cracker so special that they can crack passwords better than the next guy? A strong password is a strong password. If you have a 12-character password made up of some funky word that doesn't exist, then how could this be broken? On the average GPU, cracking a 12-character MD5 hash would be something you'd be sitting around waiting on for a while.
The truth is, it's just a person using their head, coupled with the utilization of a little bit more math than the last guy. Math and probability is the name of the game when it comes to intense cracking. Today's Null Byte is going to demonstrate how to make custom tailored dictionaries to crack passwords that would otherwise be unattainable.
First, let's dive into advanced dictionary cracking techniques. For our specific example, we will be using WPA passwords. The only feasible way to crack a WPA password is via a dictionary, due to the time it takes to compute the hash.
In order to play on this and make the best dictionary possible, we need to look at some facts.
- WEP passwords used to have a minimum requirement of 10 characters, which is perfect for a phone number. That also makes a fairly complex password (in most cases), so people feel secure.
- People hate changing passwords. When WPA came around, people likely recycled their phone number password from WEP, resulting in most using their phone numbers again.
To exploit this, a great technique would be to create a dictionary using only 10 digit phone numbers. Normally, this would be a huge dictionary, but let's use our brains.
The beginning 3 digits to every word in the dictionary should be your state's area code used at the beginning of a phone number. This is just pure logic. It will whittle an impossibly hard password down from the realm of impossible to possible. This means you are only processing 1,000,000 numbers, as opposed to 9,999,999,999. If the network is tricky, you could try adding "1" to the beginning of each word, which is the country code for the USA.
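From the defender's side, the same observation gives a simple audit check: a WPA passphrase that collapses to a 10-digit number (with or without a leading "1") sits inside the small keyspace this section describes, whatever its length. The following is an added example, not code from the original article; the area codes are a constructed sample, and a real check would load the codes in use where the network is installed.

```python
import re

# Constructed sample of area codes (not from the article). A deployment
# would load the codes relevant to its own location instead.
AREA_CODES = {"212", "312", "415"}

# Optional US country code "1", then a 3-digit area code and 7 subscriber digits.
PHONE_RE = re.compile(r"^(1?)(\d{3})(\d{7})$")


def normalize(passphrase):
    """Strip the separators people type into phone numbers (spaces, dashes,
    dots, parentheses) so '(415) 555-0100' and '4155550100' compare equal."""
    return re.sub(r"[\s().\-]", "", passphrase)


def assess_passphrase(passphrase, area_codes=AREA_CODES):
    """Classify a WPA passphrase against the phone-number shape.

    Returns a dict with:
      phone_like       - True if the passphrase is 10 digits, optionally
                         preceded by the country code "1"
      area_code        - the 3-digit area code, or None
      known_area_code  - True if the area code is in the supplied set
      has_country_code - True if a leading "1" was present
    """
    digits = normalize(passphrase)
    m = PHONE_RE.fullmatch(digits)
    if m is None:
        return {"phone_like": False, "area_code": None,
                "known_area_code": False, "has_country_code": False}
    country, area, _subscriber = m.groups()
    return {"phone_like": True, "area_code": area,
            "known_area_code": area in area_codes,
            "has_country_code": country == "1"}


def flag_weak(passphrases, area_codes=AREA_CODES):
    """Return the passphrases from the list that a phone-number dictionary
    of the kind described in this article would cover."""
    return [p for p in passphrases
            if assess_passphrase(p, area_codes)["phone_like"]]


if __name__ == "__main__":
    # Constructed sample passphrases for a quick run.
    samples = ["4155550100", "1 (312) 555-0199",
               "correct horse battery", "415-555-01"]
    for p in samples:
        print(repr(p), "->", assess_passphrase(p))
    print("flagged:", flag_weak(samples))
```

The check deliberately normalizes separators first, because a passphrase typed as "(415) 555-0100" is no stronger than the bare digits once the separators are known; a policy that only measures length would pass both, which is exactly the gap the article's dictionary relies on.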
Python Phone Dictionary Maker
Here is some code I made to quickly create a dictionary tailored for what we need. Just replace the 000 next to the area code with yours:
f = open('dict.txt', 'w')
areacode = '000'  # replace 000 with your area code (kept as a string so leading zeros survive)
number = 1000000  # 7-digit subscriber number, counted up from here
while number <= 9999999:
    f.write(areacode + str(number) + '\n')  # one 10-digit candidate per line
    number = number + 1
f.close()
Wow! It's really that easy. This dictionary will only take a few seconds to make, and run through. Sounds a lot better than running the hash through 10 billion words, doesn't it? Keep an eye out for the next Byte, where we will go over the special techniques involved in making an incredibly efficient bruteforce list.