WPA/WPA2 PSK Crackq
Posted on April 1, 2015 at 7:08 PM
Updated on August 23, 2015 at 3:10 PM
The following rules and brute-force attacks are performed by the Crackq for WPA/WPA2 handshakes. Note that this document is being revised and updated regularly.
The Crackq implements a heuristic that selects an optimal set of dictionary, brute-force and hybrid attacks based on the ESSID and MAC (BSSID) values. For example, if the submitted
.hccap file contains the ESSID TP-LINK_XXXXXX, where XXXXXX are the last 3 bytes of the MAC address (6 upper-case hex characters), the Crackq will perform the following brute-force attacks, followed by dictionary and hybrid attacks if they are unsuccessful:
- 8 digit brute-force
- 8 upper-case hex characters brute-force, i.e., 0-9A-F
- 10 character brute-force using the "2345678923456789ABCDEFGHJKLMNPQRSTUVWXYZ" charset (covers passwords generated by the TP-LINK Easy Setup Assistant). This software ships with TP-LINK routers and walks users through the setup with step-by-step on-screen instructions.
If the above attacks fail (meaning the default password set by the manufacturer was changed), the Crackq falls back to dictionary and hybrid attacks to recover the password. The following default ESSID patterns are recognised, and each has its own set of attacks based on the ESSID and MAC values:
- ESSID: 2WIREXXX where XXX are 3 digits
- ESSID: ATTXXX where XXX are 3 digits
- ESSID: BELLXXX where XXX are 3 digits
- ESSID: Belkin.XXXX where XXXX are 4 upper-case hex characters
- ESSID: belkin.xxx where xxx are the last 3 lower-case hex characters of the MAC address
- ESSID: DJAWEB_XXXXX where XXXXX are the last 5 upper-case hex characters of the MAC address
- ESSID: EE-BrightBox-xxxxxx where xxxxxx are 6 lower-case alphanumeric characters
- ESSID: INFINITUMxxxx where xxxx are the last 4 lower-case hex characters of the serial number
- ESSID: NETGEARXX where XX are two 0-9 digits
- ESSID: ONOXXXX where XXXX are the last 4 upper-case hex characters of the MAC address
- ESSID: Orange-XXXX where XXXX are 4 upper-case hex characters
- ESSID: TP-LINK_Pocket_XXXX_MMMMMM where XXXX is a 4-digit random value and MMMMMM represents the last 3 bytes (upper-case hex characters) of the MAC address
- ESSID: TP-LINK_XXXXXX where XXXXXX are the last 3 bytes (upper-case hex characters) of the MAC address
- ESSID: TPG-XXXX where XXXX are 4 upper-case alphanumeric characters
Non-default ESSID and unknown BSSID
These handshakes, where the ESSID is not a known default and the BSSID does not match any known manufacturer, are not very common. The Crackq performs the following attacks against them:
- up to 10 digits brute-force
- straight dictionary attacks
- rule-based attacks using custom rules
The following ESSIDs have known character sets used to generate the default pre-shared keys. However, these character sets require much longer processing times (generally 20-30 hours, depending on the charset) and are not run by default. Such long-running jobs are charged per hour instead. Contact support for details.
- ESSID: TALKTALK-XXXXXX where XXXXXX are the last 3 bytes (6 upper-case hex characters) of the BSSID
- ESSID: UPCXXXXXXX where XXXXXXX are 7 digits (0-9)
- ESSID: BTHub3-XXXX, BTHub4-XXXX or BTHub5-XXXX where XXXX are 4 upper-case alphanumeric characters*
* These ESSIDs require longer processing times and are not supported by default. Contact support for details.
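To make the heuristic above concrete, here is a small planner that classifies an ESSID/BSSID pair against the default patterns listed on this page, cross-checks any MAC-derived part of the ESSID against the BSSID, and emits the brute-force stage as hashcat mask-attack masks. This is an added illustration, not Crackq's own code: the regular expressions are transcribed from the lists above, the masks are spelled out only for the TP-LINK case and the unknown case (the only two the page documents), falling back to the generic plan when the ESSID's MAC digits disagree with the BSSID is my design choice, and the use of hashcat's `-m 2500` WPA/WPA2 mode with `-a 3` mask syntax (`?d` digits, `?H` upper-case hex, `?1` custom charset) is an assumption about the cracking back end.

```python
"""ESSID/BSSID-driven attack planner (added example, not Crackq's code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Charset of the TP-LINK Easy Setup Assistant, as given on this page.
TPLINK_EASY_CHARSET = "2345678923456789ABCDEFGHJKLMNPQRSTUVWXYZ"

# Default-ESSID patterns from this page: (vendor, regex, mac_hex, long_running).
# Where the ESSID embeds part of the MAC, group 1 captures it and mac_hex is the
# number of trailing BSSID hex digits it must equal (0 = no MAC in the ESSID).
# long_running marks the charsets the page says are only run on request.
PATTERNS = [
    ("2WIRE",          r"^2WIRE\d{3}$",                         0, False),
    ("ATT",            r"^ATT\d{3}$",                           0, False),
    ("BELL",           r"^BELL\d{3}$",                          0, False),
    ("Belkin",         r"^Belkin\.[0-9A-F]{4}$",                0, False),
    ("belkin",         r"^belkin\.([0-9a-f]{3})$",              3, False),
    ("DJAWEB",         r"^DJAWEB_([0-9A-F]{5})$",               5, False),
    ("EE-BrightBox",   r"^EE-BrightBox-[0-9a-z]{6}$",           0, False),
    ("INFINITUM",      r"^INFINITUM[0-9a-f]{4}$",               0, False),
    ("NETGEAR",        r"^NETGEAR\d{2}$",                       0, False),
    ("ONO",            r"^ONO([0-9A-F]{4})$",                   4, False),
    ("Orange",         r"^Orange-[0-9A-F]{4}$",                 0, False),
    ("TP-LINK_Pocket", r"^TP-LINK_Pocket_\d{4}_([0-9A-F]{6})$", 6, False),
    ("TP-LINK",        r"^TP-LINK_([0-9A-F]{6})$",              6, False),
    ("TPG",            r"^TPG-[0-9A-Z]{4}$",                    0, False),
    ("TALKTALK",       r"^TALKTALK-([0-9A-F]{6})$",             6, True),
    ("UPC",            r"^UPC\d{7}$",                           0, True),
    ("BTHub",          r"^BTHub[345]-[0-9A-Z]{4}$",             0, True),
]


@dataclass
class Plan:
    vendor: str
    mac_matches: Optional[bool]          # None when the ESSID embeds no MAC digits
    long_running: bool
    masks: list = field(default_factory=list)  # brute-force stage, in order
    then: tuple = ("dictionary", "rules")      # always follows the masks


def mac_tail(bssid: str, nchars: int) -> str:
    """Trailing hex digits of a BSSID with separators stripped, upper-cased."""
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", bssid)
    if len(hexstr) != 12:
        raise ValueError(f"malformed BSSID: {bssid!r}")
    return hexstr[-nchars:].upper()


def brute_force_masks(vendor: str) -> list:
    """Masks this page documents: only TP-LINK and the unknown case are given."""
    if vendor == "TP-LINK":
        return ["?d" * 8,                                    # 8 digits
                "?H" * 8,                                    # 8 upper-case hex
                f"-1 {TPLINK_EASY_CHARSET} " + "?1" * 10]    # Easy Setup Assistant
    if vendor == "unknown":
        # "up to 10 digits": a WPA/WPA2 PSK is at least 8 characters long,
        # so lengths 1-7 never need to be tried.
        return ["?d" * n for n in range(8, 11)]
    return []   # vendor recognised, but its per-vendor attack is not on this page


def classify(essid: str, bssid: str) -> Plan:
    """Pick the attack plan for one handshake from its ESSID and BSSID."""
    for vendor, rx, mac_hex, long_running in PATTERNS:
        m = re.match(rx, essid)
        if not m:
            continue
        mac_ok = None
        if mac_hex:
            mac_ok = m.group(1).upper() == mac_tail(bssid, mac_hex)
            if not mac_ok:
                # Looks like a default ESSID but the MAC disagrees (cloned ESSID
                # or replaced radio): fall back to the generic plan, keeping the
                # vendor name so the operator can see why.  Design choice here.
                return Plan(vendor, False, False, brute_force_masks("unknown"))
        return Plan(vendor, mac_ok, long_running, brute_force_masks(vendor))
    return Plan("unknown", None, False, brute_force_masks("unknown"))


def hashcat_commands(plan: Plan, hccap: str) -> list:
    """One hashcat mask attack per planned mask (-m 2500 = WPA/WPA2, assumed)."""
    return [f"hashcat -m 2500 -a 3 {hccap} {mask}" for mask in plan.masks]


if __name__ == "__main__":
    # Constructed sample input: ESSID suffix agrees with the BSSID.
    plan = classify("TP-LINK_A1B2C3", "00:11:22:A1:B2:C3")
    print(plan.vendor, "MAC match:", plan.mac_matches)
    for cmd in hashcat_commands(plan, "capture.hccap"):
        print(cmd)
```

The ordering mirrors the page: masks first, dictionary and rule-based attacks only after they fail. The MAC cross-check is the part worth keeping even if you use a different mask set: a TP-LINK_XXXXXX ESSID whose XXXXXX is not the BSSID tail is not a factory default, and running the vendor masks against it would waste the whole brute-force budget.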