NOTE: If you would like to add an ESSID (that's not in the list below) with a known (default) PSK generation algorithm, please contact our support team.
Posted on April 1, 2015 at 7:08 PM
Updated on May 5, 2016 at 11:10 PM
The following rules and brute-force attacks are used by the Crackq for WPA/WPA2 handshakes. Note that this document is being revised and updated regularly.
The Crackq implements a heuristic that selects an optimal set of dictionary, brute-force and hybrid attacks based on the ESSID and MAC (or BSSID) values. For example, if the submitted .hccap file contains the TP-LINK_XXXXXX ESSID, where XXXXXX are the last 3 bytes of the MAC address, the Crackq will perform the following brute-force attacks, followed by dictionary and hybrid attacks if unsuccessful:
If the above attacks fail (meaning that the default password provided by the manufacturer was changed), the Crackq will perform dictionary and hybrid attacks to recover the password. The following represents the sets of attacks performed by the Crackq based on the ESSID and MAC values.
These handshakes, where the BSSID value does not match any known manufacturer, are not very common. The Crackq will perform the following attacks against these handshakes:
The following ESSIDs have known character sets used for generating (default) pre-shared keys. However, these character sets require longer processing times (generally 20-30 hours depending on the charset) and are not supported by default. These long running jobs are charged per hour instead. Contact support for details.
* These ESSIDs require longer processing times and are not supported by default. Contact support for details.
The format for the MD5-based Unix crypt(3) hash algorithm is
SALT is 0-8 characters drawn from
CHECKSUM is 22 characters long drawn from the same charset as SALT. For example, $1$abcdefgh$WSwV3CmjYt3iE5AlESn9Z. is a valid hash with salt abcdefgh and checksum
The following rules and brute-force attacks are used by the Crackq for MD5CRYPT hashes:
The DES-based Unix crypt(3) algorithm is still supported by many Unix flavors for legacy purposes. The hash is 13 characters long drawn from [0-9A-Za-z./]. The first 2 characters of the hash represent the salt with the remaining characters being the checksum. For example, ffTEQtUBN6Glk is a valid hash with salt ff and checksum
To submit your DESCRYPT hash:
$ ./crackqcli.py -t descrypt descrypt_hash
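The MD5CRYPT and DESCRYPT layouts described above can be checked mechanically, for instance to find accounts in a shadow file that still carry one of these legacy schemes. The following is an added example, not Crackq code: the names classify and audit_shadow and the shadow-style sample are constructed for illustration, and the MD5CRYPT salt and checksum are assumed to use the same [0-9A-Za-z./] charset given for DESCRYPT.

```python
import re

# crypt(3) alphabet as given for DESCRYPT above; assumed for MD5CRYPT as well.
B64 = r"[0-9A-Za-z./]"

# $1$SALT$CHECKSUM: salt of 0-8 characters, checksum of exactly 22.
MD5CRYPT_RE = re.compile(rf"\$1\$(?P<salt>{B64}{{0,8}})\$(?P<checksum>{B64}{{22}})")
# DES-based: 2-character salt followed by the remaining 11 characters.
DESCRYPT_RE = re.compile(rf"(?P<salt>{B64}{{2}})(?P<checksum>{B64}{{11}})")


def classify(hash_field):
    """Return (scheme, salt, checksum), or None if the field is neither format."""
    for scheme, pattern in (("md5crypt", MD5CRYPT_RE), ("descrypt", DESCRYPT_RE)):
        m = pattern.fullmatch(hash_field)
        if m:
            return scheme, m["salt"], m["checksum"]
    return None


def audit_shadow(text):
    """Return [(user, scheme)] for accounts whose hash uses a legacy scheme."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a user:hash:... record
        result = classify(fields[1])
        if result:
            findings.append((fields[0], result[0]))
    return findings


# Constructed shadow-style sample; the two legacy hashes are the examples on this page.
SAMPLE = """\
alice:$1$abcdefgh$WSwV3CmjYt3iE5AlESn9Z.:16526:0:99999:7:::
bob:ffTEQtUBN6Glk:16526:0:99999:7:::
carol:$6$examplesalt$notarealsha512crypthash:16526:0:99999:7:::
daemon:*:16526:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit_shadow(SAMPLE):
        print(f"{user}: legacy {scheme} hash, rehash with a modern scheme")
```

Any 13-character string over the crypt(3) alphabet matches the DESCRYPT pattern, so a hit on a field from an unknown source indicates a candidate format rather than proof of the scheme.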
The following rules and brute-force attacks are used by the Crackq for DESCRYPT hashes:
The following rules and brute-force attacks are used by the Crackq for NTLM hashes:
The following brute-force attacks are available as long-running jobs and are paid per hour:
Currently, only PDF versions 1.4 - 1.6 are supported. You can check the version of your PDF file by opening it in any text editor and checking that the first few characters (magic number) correspond to
The following rules and brute-force attacks are used by the Crackq for password-protected PDF files: