WPA/WPA2 PSK Crackq

Version 0.16


Posted on April 1, 2015 at 7:08 PM

Updated on August 23, 2015 at 15:10 PM


The following rules and brute-force attacks are performed by the Crackq for WPA/WPA2 handshakes. Note that this document is being revised and updated regularly.

The Crackq implements a heuristic that selects an optimal set of dictionary, brute-force and hybrid attacks based on the ESSID and MAC (or BSSID) values. For example, if the submitted .hccap file contains the TP-LINK_XXXXXX ESSID, where XXXXXX are the last 3 bytes of the MAC address, the Crackq will perform the following brute-force attacks, followed by dictionary and hybrid attacks if unsuccessful:

  • 8 digit brute-force
  • 8 upper-case hex characters brute-force, i.e., 0-9A-F
  • 10 character brute-force using the "2345678923456789ABCDEFGHJKLMNPQRSTUVWXYZ" charset (if the TP-LINK Easy Setup Assistant software was used to generate the password). This software ships with TP-LINK routers and helps users to perform the setup task by following step-by-step on-screen interactive instructions.

If the above attacks fail (meaning that the default password provided by the manufacturer was changed), the Crackq will perform dictionary and hybrid attacks to recover the password. The following represents the sets of attacks performed by the Crackq based on the ESSID and MAC values.

2WIREXXX

  • ESSID: 2WIREXXX where XXX are 3 digits

ATTXXX

  • ESSID: ATTXXX where XXX are 3 digits

BELLXXX

  • ESSID: BELLXXX where XXX are 3 digits

Belkin.XXXX

  • ESSID: Belkin.XXXX where XXXX are 4 upper-case hex characters

belkin.xxx

  • ESSID: belkin.xxx where xxx are the last 3 lower-case hex characters of the MAC address

DJAWEB_XXXXX

  • ESSID: DJAWEB_XXXXX where XXXXX are the last 5 upper-case hex characters of the MAC address

EE-BrightBox-xxxxxx

  • ESSID: EE-BrightBox-xxxxxx where xxxxxx are 6 lower-case alphanumeric characters

INFINITUMxxxx

  • ESSID: INFINITUMxxxx where xxxx are the last 4 lower-case hex characters of the serial number

NETGEARXX

  • ESSID: NETGEARXX where XX are two 0-9 digits

ONOXXXX

  • ESSID: ONOXXXX where XXXX are the last 4 upper-case hex characters of the MAC address

Orange-XXXX

  • ESSID: Orange-XXXX where XXXX are 4 upper-case hex characters

TP-LINK_Pocket_XXXX_MMMMMM

  • ESSID: TP-LINK_Pocket_XXXX_MMMMMM where XXXX is a 4-digit random value and MMMMMM represents the last 3 bytes (upper-case hex characters) of the MAC address

TP-LINK_XXXXXX

  • ESSID: TP-LINK_XXXXXX where XXXXXX are the last 3 bytes (upper-case hex characters) of the MAC address

TPG-XXXX

  • ESSID: TPG-XXXX where XXXX are 4 upper-case alphanumeric characters

Non-default ESSID and unknown BSSID

These handshakes, where the BSSID value does not match any known manufacturer, are not very common. The Crackq will perform the following attacks against these handshakes:

  • up to 10 digits brute-force
  • straight dictionary attacks
  • rule-based attacks using custom rules

The following ESSIDs have known character sets used for generating (default) pre-shared keys. However, these character sets require longer processing times (generally 20-30 hours depending on the charset) and are not supported by default. These long-running jobs are charged per hour instead. Contact support for details.

TALKTALK-XXXXXX*

  • ESSID: TALKTALK-XXXXXX where XXXXXX are the last 3 bytes (6 upper-case hex characters) of the BSSID

UPCXXXXXXX*

  • ESSID: UPCXXXXXXX where XXXXXXX are seven 0-9 digits

BTHub3-XXXX BTHub4-XXXX BTHub5-XXXX*

  • ESSID: BTHub[345]-XXXX where XXXX are 4 upper-case alphanumeric characters

* These ESSIDs require longer processing times and are not supported by default. Contact support for details.
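
The check below is an added example, not Crackq's code: a site-survey audit that flags ESSIDs matching the default patterns listed above and computes the entropy of the default-key spaces the page gives for TP-LINK_XXXXXX. The function names and sample networks are constructed for illustration, and the MAC comparison assumes the surveyed BSSID is the MAC address the ESSID suffix was derived from.

```python
import math
import re

# (label, regex, number of trailing ESSID hex chars tied to the MAC/BSSID), from the page's list
DEFAULT_ESSIDS = [
    ("2WIREXXX", r"2WIRE\d{3}", 0), ("ATTXXX", r"ATT\d{3}", 0), ("BELLXXX", r"BELL\d{3}", 0),
    ("Belkin.XXXX", r"Belkin\.[0-9A-F]{4}", 0),
    ("belkin.xxx", r"belkin\.[0-9a-f]{3}", 3),
    ("DJAWEB_XXXXX", r"DJAWEB_[0-9A-F]{5}", 5),
    ("EE-BrightBox-xxxxxx", r"EE-BrightBox-[0-9a-z]{6}", 0),
    ("INFINITUMxxxx", r"INFINITUM[0-9a-f]{4}", 0),  # suffix comes from the serial number
    ("NETGEARXX", r"NETGEAR\d{2}", 0),
    ("ONOXXXX", r"ONO[0-9A-F]{4}", 4), ("Orange-XXXX", r"Orange-[0-9A-F]{4}", 0),
    ("TP-LINK_Pocket_XXXX_MMMMMM", r"TP-LINK_Pocket_\d{4}_[0-9A-F]{6}", 6),
    ("TP-LINK_XXXXXX", r"TP-LINK_[0-9A-F]{6}", 6), ("TPG-XXXX", r"TPG-[0-9A-Z]{4}", 0),
    ("TALKTALK-XXXXXX", r"TALKTALK-[0-9A-F]{6}", 6), ("UPCXXXXXXX", r"UPC\d{7}", 0),
    ("BTHub[345]-XXXX", r"BTHub[345]-[0-9A-Z]{4}", 0),
]
# Default-key spaces the page lists for TP-LINK_XXXXXX: name -> (length, charset)
TPLINK_DEFAULT_KEYS = {
    "8 digits": (8, "0123456789"),
    "8 upper-case hex": (8, "0123456789ABCDEF"),
    "Easy Setup Assistant": (10, "2345678923456789ABCDEFGHJKLMNPQRSTUVWXYZ"),
}

def key_bits(length, charset):
    """Entropy in bits of a uniformly random key; repeated charset entries add nothing."""
    return length * math.log2(len(set(charset)))

def classify(essid, bssid=None):
    """Return (label, mac_suffix_ok) for a default-looking ESSID, else None.
    mac_suffix_ok is None when the suffix is not MAC-derived or no BSSID was given."""
    for label, pattern, mac_hex in DEFAULT_ESSIDS:
        if not re.fullmatch(pattern, essid):
            continue
        if not mac_hex or bssid is None:
            return label, None
        tail = re.sub(r"[^0-9A-Fa-f]", "", bssid)[-mac_hex:]
        return label, essid[-mac_hex:].lower() == tail.lower()
    return None

if __name__ == "__main__":
    # Constructed survey rows (ESSID, BSSID), not real networks
    survey = [("TP-LINK_A1B2C3", "00:11:22:A1:B2:C3"), ("NETGEAR42", None), ("office-wifi", None)]
    for essid, bssid in survey:
        print(essid, "->", classify(essid, bssid) or "no default pattern")
    for name, (length, charset) in TPLINK_DEFAULT_KEYS.items():
        print(f"{name}: {key_bits(length, charset):.1f} bits")
```

An access point that still advertises a factory ESSID, with a suffix that matches its BSSID, is a strong hint that the factory PSK is also unchanged; replacing it with a long random passphrase moves the network out of every default key space listed here.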

Updates

  1. 03/06/2017: We're switching to cryptocurrency only. Bitcoin and Ethereum are accepted with support for more cryptocurrencies coming up.
  2. 30/05/2016: Added HOTBOX-xxxx to the list of default ESSIDs. See the full list here.
  3. 28/05/2016: We're now accepting Ether as the payment option (ethereum.org)!
  4. 05/05/2016: Added 4G-Gateway-XXXX to the list of default ESSIDs. See the full list here.
  5. 27/02/2016: Added RogersXXXXX to the list of default ESSIDs. See the full list here.
  6. 26/02/2016: Stand-alone Windows client binary v0.4 can be downloaded from here.
  7. 26/02/2016: Crackq client v0.4 is released. Added support for MYSQL 4.1+ (double SHA1) hashes.
  8. 20/10/2015: Added Speedy-XXXXXX and Fibertel WiFixxx to our default WPA list.
  9. 16/09/2015: Added support for password protected PDF files. Currently versions 1.4 - 1.6 are supported.
  10. 01/09/2015: Added EE-BrightBox-xxxxxx and TPG-XXXX to the list of default ESSIDs. See the full list here.
  11. 26/05/2015: Added support for PHPass (Wordpress, Joomla and phpBB3) hashes.
  12. 13/04/2015: WPA/WPA2 rules and brute-force attacks supported by Crackq hashcrack.org/crackq/page?n=wpa.