Date: Thu, 6 Sep 2018 08:36:32 +0200
From: "JohnyKrekan" <krekan@...nykrekan.com>
To: <john-users@...ts.openwall.com>
Subject: Re: Questions regarding WPA Password audit

Hello,
Thank you for posting the link to those really big wordlists. I will try to contact the admin, because it is easier to ask than to make my own test of how many passwords from my smaller wordlist are located in this big one.
I am giving you a few examples of as you call it (wild passwords:-).
In my research I have found some using reaver (in the days when people loved WPS:-) and which would be hard to break using cracking methods
1. Two were from cracked Belkin routers and were generated by the cracked router itself
password1: h6sp-3kje-bpu6
password2: uskg-7lgo-nkwg
The other example of a wild password is renesis1986. This could be cracked with year mutation in EWSA enabled.
Another not easy password which maybe could be cracked is ritope222
Others that probably are uncrackable in real time:
Hatebreed147fg91...
DafkddXHtZrKkHUzbxiPgmmHFMXOeRhDnLFIpYtWGNEsdhNKkMHRxVhafEVdQKH
MatejLucia2507@
42s4tGQt
The time that I need to test 1000000000 WPA-PSK passwords using all my hardware is about 100 minutes.
Johny Krekan

----- Original Message -----
Sent: Wednesday, September 05, 2018 6:25 PM
Subject: Re: [john-users] Questions regarding WPA Password audit

Hi,

On 05/09/2018 10:34, JohnyKrekan wrote:
> Hello, I would like to ask questions regarding WPA password strength
> audit.
> 1. What steps or how many passwords you would try against a single WPA-PSK
> hash to mark this hash "strong enough" when your search will not find the
> right one.
> My test consists of the following steps:
> 1. All 8+ words from common languages.
> 2. Two well known WPA wordlists which can be downloaded as torrent (approx
> 13 gb in size - see
> https://forums.hak5.org/topic/29308-13gb-44gb-compressed-wpa-wpa2-word-list-982963904-words/

I would also add weakpass_2_wifi from https://weakpass.com/download
(I strongly suspect this list already includes the other lists linked above, but you can mail the admin to be sure)

> 3. All 8 digit numbers (I have found that many routers use 8 digit decimal
> numbers)
> 4. Slovakian (my nation) wordlist using password mutation rules (like
> adding numbers, changing cases, also I use those rules on common English
> wordlist...)
> The mentioned rules are generating about 600 derived passwords from each
> word.
> After passing these steps with no success, the password is considered "not
> so weak".

I would phrase this a bit more nuanced as: strong enough to not be cracked by a skilled attacker <if you believe yourself to be skilled> with access to <insert your hardware resources/ monetary cost to run on a rented system here> in <insert the time you took for this here>

> Questions:
> 1. What other steps would you recommend to add to this password audit
> process?

I would like to have a large list of wpa passwords that are actually used in the wild, generate a statistics file with these and run your cracker for let's say a week.
If someone has these, I'm interested :)
(Most lists I found are just normal wordlists with passwords < 8 and > 63 removed from them, not actually wpa keys that people (or tools) come up with.)

> 2. Have you encountered that 8 or 10 character hexadecimal numbers are
> used as WPA passwords? If yes what is the character case? Small or
> capital?
> Thanx for any suggestions.
> Johny Krekan

Regards,
Jens Timmerman
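
Added example, not part of either message and not John the Ripper code: it converts the "1000000000 WPA-PSK passwords in about 100 minutes" figure from the thread into worst-case exhaustion times for the pattern classes the thread mentions, which gives an audit verdict the time and hardware qualifier suggested in the reply. The class labels, regexes and function names are assumptions for illustration; the 4-4-4 pattern is inferred only from the two router-generated keys quoted above.

```python
import re

# Throughput stated in the message: 1,000,000,000 WPA-PSK candidates in ~100 minutes.
CANDIDATES, SECONDS = 1_000_000_000, 100 * 60

# Pattern classes raised in the thread with their full keyspace sizes.
# Labels and regexes are assumptions for illustration; the 4-4-4 pattern is
# inferred only from the two router-generated keys quoted in the message.
CLASSES = [
    ("8-digit decimal", re.compile(r"[0-9]{8}"), 10**8),
    ("8-char hex, single case", re.compile(r"[0-9a-f]{8}|[0-9A-F]{8}"), 16**8),
    ("10-char hex, single case", re.compile(r"[0-9a-f]{10}|[0-9A-F]{10}"), 16**10),
    ("4-4-4 lowercase/digit groups", re.compile(r"[a-z0-9]{4}(-[a-z0-9]{4}){2}"), 36**12),
]

def valid_wpa_passphrase(pw):
    """WPA-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(pw) <= 63 and all(32 <= ord(c) <= 126 for c in pw)

def classify(pw):
    """Return (label, keyspace) of the first class that covers pw, else None."""
    for label, rx, keyspace in CLASSES:
        if rx.fullmatch(pw):
            return label, keyspace
    return None

def exhaust_seconds(keyspace):
    """Worst-case time to try every candidate in the class at the stated rate."""
    return keyspace * SECONDS / CANDIDATES

def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.0f} seconds"

def report(pw):
    if not valid_wpa_passphrase(pw):
        return f"{pw!r}: not a valid WPA passphrase (needs 8-63 printable ASCII)"
    hit = classify(pw)
    if hit is None:
        return f"{pw!r}: no brute-force class; left to wordlist and rule steps"
    return f"{pw!r}: {hit[0]}, exhausted in at most {human(exhaust_seconds(hit[1]))}"

if __name__ == "__main__":
    # First, third and fourth samples are quoted in the message; the others are constructed.
    for sample in ("h6sp-3kje-bpu6", "12345678", "renesis1986", "42s4tGQt", "0A1B2C3D4E", "short"):
        print(report(sample))
```

A key that matches none of the classes is not thereby strong; it only means its resistance depends on the wordlist and rule steps rather than on a bounded keyspace.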