Documentation


WPA/WPA2 PSK Crackq

Version 0.16

NOTE: If you would like to add an ESSID (that's not in the list below) with a known (default) PSK generation algorithm, please contact our support team.


Posted on April 1, 2015 at 7:08 PM

Updated on May 5, 2016 at 11:10 PM


The following rules and brute-force attacks are used by the Crackq for WPA/WPA2 handshakes. Note that this document is being revised and updated regularly.

The Crackq implements a heuristic that selects the optimal set of dictionary, brute-force and hybrid attacks based on the ESSID and MAC (BSSID) values. For example, if the submitted .hccap file contains the TP-LINK_XXXXXX ESSID, where XXXXXX are the last 3 bytes of the MAC address in upper-case hex, the Crackq will perform the following brute-force attacks, followed by dictionary and hybrid attacks if unsuccessful:

  • 8 digit brute-force
  • 8 upper-case hex characters brute-force, i.e., 0-9A-F
  • 10 character brute-force using the "2345678923456789ABCDEFGHJKLMNPQRSTUVWXYZ" charset (used when the TP-LINK Easy Setup Assistant software generated the password). This software ships with TP-LINK routers and helps users perform the setup by following step-by-step on-screen instructions.

If the above attacks fail (meaning that the manufacturer's default password was changed), the Crackq will perform dictionary and hybrid attacks to recover the password. The following are the sets of attacks performed by the Crackq based on the ESSID and MAC values.
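The two decisions behind the TP-LINK plan above are mechanical: does the ESSID equal the factory default derived from the BSSID, and how large is each brute-force keyspace? The following is an added example (my code, not Crackq's) that makes both explicit. Charset names follow hashcat's mask syntax, which is an assumption about how the page's attacks would be expressed; the 500 kH/s rate is an assumed WPA2 cracking speed, and the MAC/ESSID values are constructed. The same keyspace() function applies to the NTLM and crypt(3) mask lists further down the page, and it shows why the Easy Setup charset is smaller than it looks: the digits 2-9 appear twice in the 40-character string, so only 32 distinct characters contribute candidates.

```python
"""Added example (not Crackq's code): ESSID/BSSID default check for TP-LINK
networks and keyspace arithmetic for the brute-force passes listed above."""
from __future__ import annotations

import re

# Character sets named in hashcat's mask syntax (an assumption for readability).
BUILTIN_CHARSETS = {
    "?d": "0123456789",
    "?l": "abcdefghijklmnopqrstuvwxyz",
    "?u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "?h": "0123456789abcdef",
    "?H": "0123456789ABCDEF",
    # ?a: the 95 printable ASCII characters, space (0x20) through tilde (0x7E)
    "?a": "".join(chr(c) for c in range(0x20, 0x7F)),
}

# Charset quoted on the page for TP-LINK Easy Setup Assistant passwords.
# Digits 2-9 appear twice; duplicates add no candidates (see keyspace()).
EASY_SETUP_CHARSET = "2345678923456789ABCDEFGHJKLMNPQRSTUVWXYZ"


def tplink_default_essid(bssid: str) -> str:
    """Factory default ESSID: 'TP-LINK_' + last 3 bytes of the BSSID, upper-case hex."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", bssid)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {bssid!r}")
    return "TP-LINK_" + hexdigits[-6:].upper()


def essid_matches_bssid(essid: str, bssid: str) -> bool:
    """True when the captured ESSID is exactly the factory default for that BSSID."""
    return essid == tplink_default_essid(bssid)


def keyspace(mask: str, custom: dict[str, str] | None = None) -> int:
    """Number of candidates a hashcat-style mask generates.

    '?d', '?H', ... map to BUILTIN_CHARSETS; '?1'..'?4' map to the custom
    charsets passed in; '??' is a literal '?'; any other character is a
    literal with exactly one choice. Duplicate characters count once.
    """
    custom = custom or {}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i:i + 2]
            if token in BUILTIN_CHARSETS:
                charset = BUILTIN_CHARSETS[token]
            elif token[1] in custom:
                charset = custom[token[1]]
            elif token == "??":
                charset = "?"
            else:
                raise ValueError(f"unknown charset token {token!r} in mask {mask!r}")
            total *= len(set(charset))
            i += 2
        else:
            i += 1  # literal character, one candidate
    return total


def hours_at(space: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock hours to exhaust a keyspace at a given rate."""
    return space / hashes_per_second / 3600


def tplink_attack_plan(hashes_per_second: float = 500_000) -> list[tuple[str, int, float]]:
    """The three brute-force passes the page lists for TP-LINK_XXXXXX, each with
    its keyspace and worst-case hours. 500 kH/s is an assumed WPA2 rate for the
    example; substitute the rate measured on your own hardware."""
    passes = [
        ("8 digits", "?d" * 8, {}),
        ("8 upper-case hex", "?H" * 8, {}),
        ("10 chars, Easy Setup charset", "?1" * 10, {"1": EASY_SETUP_CHARSET}),
    ]
    return [(name, keyspace(m, c), hours_at(keyspace(m, c), hashes_per_second))
            for name, m, c in passes]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    print(essid_matches_bssid("TP-LINK_AABBCC", "00:11:22:aa:bb:cc"))
    for name, space, hours in tplink_attack_plan():
        print(f"{name:30s} {space:>20,d} candidates  ~{hours:,.1f} h")
```

The ordering on the page follows directly from the numbers: 10^8 digit PINs and 16^8 hex strings are exhausted in minutes at WPA2 speeds, while the Easy Setup charset gives 32^10 candidates and is only worth running once the cheap passes have failed.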

2WIREXXX

  • ESSID: 2WIREXXX where XXX are 3 digits

4G-Gateway

  • ESSID: 4G-Gateway-XXXX where XXXX are 4 upper-case hex characters

ATTXXX

  • ESSID: ATTXXX where XXX are 3 digits

BELLXXX

  • ESSID: BELLXXX where XXX are 3 digits

Belkin.XXXX

  • ESSID: Belkin.XXXX where XXXX are 4 upper-case hex characters

belkin.xxx

  • ESSID: belkin.xxx where xxx are the last 3 lower-case hex characters of the MAC address

BigPond

  • ESSID: BigPondXXXX where XXXX are 4 upper-case hex characters

DJAWEB_XXXXX

  • ESSID: DJAWEB_XXXXX where XXXXX are the last 5 upper-case hex characters of the MAC address

EE-BrightBox-xxxxxx

  • ESSID: EE-BrightBox-xxxxxx where xxxxxx are 6 lower-case alphanumeric characters

Fibertel WiFixxx

  • ESSID: Fibertel WiFixxx where xxx are 3 random digits

HOTBOX

  • ESSID: HOTBOX-xxxx where xxxx are 4 random digits

INFINITUMxxxx

  • ESSID: INFINITUMxxxx where xxxx are the last 4 lower-case hex characters of the serial number

NETGEARXX

  • ESSID: NETGEARXX where XX are 2 digits

ONOXXXX

  • ESSID: ONOXXXX where XXXX are the last 4 upper-case hex characters of the MAC address

Orange-XXXX

  • ESSID: Orange-XXXX where XXXX are 4 upper-case hex characters

Rogers

  • ESSID: RogersXXXXX where XXXXX are 5 digits

TP-LINK_Pocket_XXXX_MMMMMM

  • ESSID: TP-LINK_Pocket_XXXX_MMMMMM where XXXX is a 4-digit random value and MMMMMM represents the last 3 bytes (upper-case hex characters) of the MAC address

TP-LINK_XXXXXX

  • ESSID: TP-LINK_XXXXXX where XXXXXX are the last 3 bytes (upper-case hex characters) of the MAC address

TPG-XXXX

  • ESSID: TPG-XXXX where XXXX are 4 upper-case alphanumeric characters

Speedy-XXXXXX

  • ESSID: Speedy-XXXXXX where XXXXXX are 6 upper-case hex characters

VodafoneMobileWiFi

  • ESSID: VodafoneMobileWiFi-XXXXXX where XXXXXX are 6 digits

Non-default ESSID and unknown BSSID

These handshakes, where the BSSID does not match any known manufacturer, are not very common. The Crackq will perform the following attacks against them:

  • up to 10 digits brute-force
  • straight dictionary attacks
  • rule-based attacks using custom rules

The following ESSIDs have known character sets used for generating (default) pre-shared keys. However, these character sets require longer processing times (generally 20-30 hours depending on the charset) and are not supported by default. These long running jobs are charged per hour instead. Contact support for details.

TALKTALK-XXXXXX*

  • ESSID: TALKTALK-XXXXXX where XXXXXX are the last 3 bytes (6 upper-case hex characters) of the BSSID

UPCXXXXXXX*

  • ESSID: UPCXXXXXXX where XXXXXXX are 7 digits

BTHub3-XXXX BTHub4-XXXX BTHub5-XXXX*

  • ESSID: BTHub[345]-XXXX where XXXX is 4 upper-case alphanumeric characters

* These ESSIDs require longer processing times and are not supported by default. Contact support for details.

MD5CRYPT


The format of the MD5-based Unix crypt(3) hash is $1$SALT$CHECKSUM, where SALT is 0-8 characters drawn from [0-9A-Za-z./] and CHECKSUM is 22 characters drawn from the same charset. For example, "$1$abcdefgh$WSwV3CmjYt3iE5AlESn9Z." is a valid hash with salt "abcdefgh" and checksum "WSwV3CmjYt3iE5AlESn9Z." (the trailing dot is part of the checksum).

The following rules and brute-force attacks are used by the Crackq for MD5CRYPT hashes:

  • 6.3GB dictionary with custom rules
  • Full ASCII 5 chars brute-force
  • Up to 9 digits brute-force
  • 6 character brute-force using lower-case alphas, digits and the following symbols: !?#$%&@-_.
  • 7 lower-case alphas and digits brute-force

DESCRYPT


The DES-based Unix crypt(3) algorithm is still supported by many Unix flavors for legacy reasons. The hash is 13 characters long, drawn from [0-9A-Za-z./]: the first 2 characters are the salt and the remaining 11 are the checksum. For example, "ffTEQtUBN6Glk" is a valid hash with salt "ff" and checksum "TEQtUBN6Glk". Note that DES crypt only uses the first 8 characters of the password, so no candidate longer than 8 characters ever needs to be tried.

To submit your DESCRYPT hash:

$ ./crackqcli.py -t descrypt descrypt_hash

The following rules and brute-force attacks are used by the Crackq for DESCRYPT hashes:

  • 6.3GB dictionary with custom rules
  • Full ASCII 6 chars brute-force
  • Up to 8 digits brute-force
  • 7 character brute-force using the following character set [a-zA-Z0-9!?#$%&@-_.]
  • 8 character brute-force using the mask AAAAAAAB, where A is [a-zA-Z] and B is [a-z0-9] plus symbols
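Before submitting a batch it is worth validating that each line really is a well-formed MD5CRYPT or DESCRYPT hash, since a stray character or a wrong salt length silently wastes a job. The following added example (my code, not Crackq's) parses both formats described in the MD5CRYPT and DESCRYPT sections into salt and checksum using the exact length and charset rules stated there, and groups a list of hashes by type. The md5crypt value for the -t option is an assumption by analogy with the descrypt invocation shown on the page; the hash list at the bottom is constructed.

```python
"""Added example (not Crackq's code): validate and split crypt(3) MD5CRYPT and
DESCRYPT hash strings, and group a submission list by type."""
from __future__ import annotations

import re

_B64 = r"[0-9A-Za-z./]"  # the crypt(3) alphabet used by both formats

# $1$<salt, 0-8 chars>$<22-char checksum>
_MD5CRYPT_RE = re.compile(rf"^\$1\$({_B64}{{0,8}})\$({_B64}{{22}})$")
# <2-char salt><11-char checksum>, 13 chars in total
_DESCRYPT_RE = re.compile(rf"^({_B64}{{2}})({_B64}{{11}})$")


def parse_crypt_hash(value: str) -> dict[str, str]:
    """Return {'type', 'salt', 'checksum'} for a valid hash, else raise ValueError.

    A salt longer than 8 characters is rejected rather than truncated: the
    md5crypt algorithm itself only ever uses 8, so a longer salt field means
    the string was not produced by crypt(3) and would not crack anyway.
    """
    value = value.strip()
    m = _MD5CRYPT_RE.match(value)
    if m:
        return {"type": "md5crypt", "salt": m.group(1), "checksum": m.group(2)}
    m = _DESCRYPT_RE.match(value)
    if m:
        return {"type": "descrypt", "salt": m.group(1), "checksum": m.group(2)}
    raise ValueError(f"not a MD5CRYPT or DESCRYPT hash: {value!r}")


def crackqcli_args(value: str) -> list[str]:
    """Command line matching the page's './crackqcli.py -t descrypt <hash>' form.
    Assumption: the md5crypt type is selected with '-t md5crypt'."""
    parsed = parse_crypt_hash(value)
    return ["./crackqcli.py", "-t", parsed["type"], value.strip()]


def group_by_type(lines: list[str]) -> dict[str, list[str]]:
    """Bucket hashes by format; blank lines are skipped, malformed ones go to 'invalid'."""
    groups: dict[str, list[str]] = {"md5crypt": [], "descrypt": [], "invalid": []}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            groups[parse_crypt_hash(line)["type"]].append(line)
        except ValueError:
            groups["invalid"].append(line)
    return groups


# Constructed sample list: the two example hashes from the page plus
# deliberately malformed entries (9-char salt, SHA-512 crypt, 12-char string).
SAMPLE_LINES = [
    "$1$abcdefgh$WSwV3CmjYt3iE5AlESn9Z.",
    "ffTEQtUBN6Glk",
    "",
    "$1$abcdefghi$WSwV3CmjYt3iE5AlESn9Z.",
    "$6$abcdefgh$WSwV3CmjYt3iE5AlESn9Z.",
    "ffTEQtUBN6Gl",
]

if __name__ == "__main__":
    for kind, hashes in group_by_type(SAMPLE_LINES).items():
        print(kind, hashes)
    print(" ".join(crackqcli_args("ffTEQtUBN6Glk")))
```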

NTLM


The following rules and brute-force attacks are used by the Crackq for NTLM hashes:

  • up to 12 digits brute-force
  • 6.3GB dictionary with custom rules
  • 8 character brute-force including upper- and lower-case alphas, digits and the following symbols: ?!#$&@\%-_'
  • 9 character brute-force where first 7 characters are lower-case alphanumerics followed by 2 upper- and lower-case alphas, digits and the following symbols: ?!#$&@\%-_'

The following brute-force attacks are available as long-running jobs and are paid per hour:

  • 8 ASCII (full charset) character brute-force (runtime: ~7 hours)
  • 9 character brute-force including upper- and lower-case alphas, digits and the following symbols: !?#$%&@-_. (runtime: ~67 hours)

PDF


Currently, only PDF versions 1.4 - 1.6 are supported. You can check the version of your PDF file by opening it in a text editor and checking that the first few characters (the header, or magic number) are %PDF-1.4, %PDF-1.5 or %PDF-1.6.

The following rules and brute-force attacks are used by the Crackq for password-protected PDF files:

  • Up to 5 characters full ASCII brute-force
  • 6.3GB dictionary with custom rules
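The header check described above can be scripted, and two things are worth checking at the same time: that the header actually sits within the first 1024 bytes (the PDF specification puts it at offset 0, but readers tolerate leading junk up to that limit), and that the file carries an /Encrypt entry at all, since a PDF without one has no password to recover. The following added example (my code, not Crackq's) does both on raw bytes; the sample PDF fragments are constructed and minimal, not real files.

```python
"""Added example (not Crackq's code): report a PDF's header version, whether it
falls in the 1.4-1.6 range the page says is supported, and whether the file
is encrypted at all."""
from __future__ import annotations

import re

SUPPORTED_VERSIONS = {"1.4", "1.5", "1.6"}

_HEADER_RE = re.compile(rb"%PDF-(\d\.\d)")
# /Encrypt as a key, but not /EncryptMetadata (a key inside the encryption
# dictionary that does not by itself mean the document is encrypted).
_ENCRYPT_RE = re.compile(rb"/Encrypt(?![A-Za-z])")


def pdf_header_version(data: bytes) -> str | None:
    """Version from the %PDF-M.N header, searched within the first 1024 bytes."""
    m = _HEADER_RE.search(data[:1024])
    return m.group(1).decode("ascii") if m else None


def is_encrypted(data: bytes) -> bool:
    """Crude but practical: a password-protected PDF references an /Encrypt
    dictionary from its trailer or cross-reference stream dictionary."""
    return _ENCRYPT_RE.search(data) is not None


def check_pdf(data: bytes) -> dict[str, object]:
    """Combine the two checks. Caveat: the document catalog may carry a
    /Version entry that raises the effective version above the header, so a
    supported header is necessary but not sufficient."""
    version = pdf_header_version(data)
    return {
        "version": version,
        "supported": version in SUPPORTED_VERSIONS,
        "encrypted": is_encrypted(data),
    }


def check_pdf_file(path: str) -> dict[str, object]:
    with open(path, "rb") as fh:
        return check_pdf(fh.read())


# Constructed sample fragments (not real PDFs): enough structure for the checks.
SAMPLE_ENCRYPTED = (
    b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 "
    b"/EncryptMetadata true >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Encrypt 3 0 R /ID [<00> <00>] >>\n%%EOF\n"
)
SAMPLE_PLAIN_17 = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_LEADING_JUNK = b"\r\n\r\n" + b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("encrypted 1.5", SAMPLE_ENCRYPTED),
                       ("plain 1.7", SAMPLE_PLAIN_17),
                       ("junk prefix 1.4", SAMPLE_LEADING_JUNK)]:
        print(name, check_pdf(blob))
```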

Updates

  1. 30/05/2016: Added HOTBOX-xxxx to the list of default ESSIDs. See the full list here.
  2. 28/05/2016: We're now accepting Ether as the payment option (ethereum.org)!
  3. 05/05/2016: Added 4G-Gateway-XXXX to the list of default ESSIDs. See the full list here.
  4. 27/02/2016: Added RogersXXXXX to the list of default ESSIDs. See the full list here.
  5. 26/02/2016: Stand-alone Windows client binary v0.4 can be downloaded from here.
  6. 26/02/2016: Crackq client v0.4 is released. Added support for MYSQL 4.1+ (double SHA1) hashes.
  7. 20/10/2015: Added Speedy-XXXXXX and Fibertel WiFixxx to our default WPA list.
  8. 16/09/2015: Added support for password protected PDF files. Currently versions 1.4 - 1.6 are supported.
  9. 01/09/2015: Added EE-BrightBox-xxxxxx and TPG-XXXX to the list of default ESSIDs. See the full list here.
  10. 26/05/2015: Added support for PHPass (Wordpress, Joomla and phpBB3) hashes.
  11. 13/04/2015: WPA/WPA2 rules and brute-force attacks supported by Crackq hashcrack.org/crackq/page?n=wpa.