Questions about WPA Cracker

How much does all this cost?

We offer two different WPA cracking modes at two different prices. You can run your job against half of our CPU cluster for $17 US, or you can run it against the entire cluster for $35 US. The half-mode will take at most 40 minutes to exhaust the entire 136 million word dictionary file (but hopefully we'd find your password before that), whereas the full-mode will take at most 20 minutes. This compares to an average run time of 5 days on a contemporary desktop machine, and much longer on a laptop.

Additionally, we now offer an extended English dictionary of 284 million words, only available in full-cluster mode, for $40 US at a maximum run time of 55 minutes.

The price list for ZIP cracking modes varies from $34 US to $102 US, depending on the character set and maximum length of the password that you would like to brute force.

What if you don't find my password?

The job costs the same whether we find your password or not. You're paying for either the recovery (which is most often the case), or the knowledge that if you were to build an exhaustive 135 million word dictionary file and run your handshake against it for five days, you'd find nothing.

Aren't there rainbow tables now?

Yes, the Church Of Wifi has put a large rainbow table collection online. However, there are a few ways in which this collection has not met our needs. The first is that, since the key derived from the passphrase is salted with the ESSID of the network, you have to build a unique set of rainbow tables for each network that you'd potentially like to audit. The Church Of Wifi has gone to heroic efforts to build tables for the 1000 most popular ESSIDs, but we find that this is often not enough. If someone has enabled WPA encryption on their wireless network, chances are that they've changed their ESSID to something that's not very common as well.

Additionally, since they had to build so many sets, they had to limit the size of their dictionary in order to keep the resulting tables manageable. We feel that 1,000,000 words is really not large enough to do a comprehensive search, and that the way the dictionary was constructed discounts some of the specifics for WPA network password requirements. WPA Cracker provides a service that can crack the PSK of a network with any ESSID, using a dictionary that is several orders of magnitude larger.

Do you use the OpenWall dictionary?

While the OpenWall project has done an excellent job of pushing the envelope on password cracking, in our experience the OpenWall dictionaries were tailored more specifically for Unix logins than for WPA networks. Our dictionary was meticulously compiled with WPA cracking in mind, and includes word combinations, phrases, numbers, symbols, and elite speak. It has worked quite well for us, and now we're hoping that it can be helpful for you.

What are your dictionary options?

We currently have dictionaries in two languages, English and German. Both languages allow for either half or full cluster jobs, at $17 US or $35 US respectively.

The standard English dictionary is 136 million words, and there is also an "extended" dictionary that is an additional 284 million words. The "extended" dictionary is not a superset of the "standard" dictionary. This is to say that the words in the "standard" dictionary are not also in the "extended" dictionary. The former contains the 136 million words that we find are most likely for cracking success, so we recommend only trying the "extended" dictionary where the "standard" dictionary has failed.

For other tough jobs, you might try the "digits" dictionary, which contains all 100 million possible 8-digit numeric passwords ([0-9]{8}).

Finally, if you'd like to fire off one job that will incorporate everything, you can use the "aggregate" dictionary, which is simply the combination of the standard, extended, and digits dictionaries into a single 520 million word dictionary.

What kind of payment do you accept?

We use Amazon Payments. All you need is a normal account with Amazon.com, and you can use it to pay us with a credit card.

How do I capture a WPA handshake?

We recommend checking out the aircrack-ng tutorial.

You support ZIP cracking now? What's that about?

Yeah, well, why not? A number of people were asking for it, so we've added support for ZIP file brute forcing. These are not dictionary attacks, but actual brute forcing modes that will attempt every variation of a character set for a maximum length password. Just like the WPA modes, we can perform attacks on our cluster in a matter of minutes or hours that would take weeks or months on a single contemporary machine.

We'll probably be adding support for cracking other formats as well. Please let us know if there are other specific formats that you would find valuable.

What do I do if my pcap is greater than 10MB?

You'll need to use Wireshark or something else to export only the handshake to a smaller file. Remember to leave at least one beacon for your target network in there, though, so that the handshake remains associated with the ESSID you're targeting.

What kind of information do you collect from me?

All we need is a pcap file with a WPA handshake in it, the ESSID of the network, and an email address to send the results to.

How do I contact you people?

Send an email to moxie@thoughtcrime.org

But I use WPA2 so it's cool right?

Actually, while WPA2 introduced CCMP as a replacement for the problematic TKIP, when it is run with authentication based on Pre-Shared Keys (PSK) it is still vulnerable to dictionary attacks. Our service works against both WPA and WPA2 when PSK is being used.
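The derivation behind the rainbow-table answer and this one, as an added example that is not part of WPA Cracker's own code: both WPA-PSK and WPA2-PSK map the passphrase to a 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, using the ESSID as the salt, so a precomputed table is only valid for one ESSID and the passphrase is the only secret input. The function names and the second SSID are my own; the first passphrase/SSID pair is the published IEEE 802.11i test vector.

```python
import hashlib
from typing import Iterable

# IEEE 802.11i passphrase-to-PMK mapping (Annex H.4):
#   PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
# The same mapping is used whether the link runs TKIP (WPA) or CCMP (WPA2),
# which is why PSK mode stays dictionary-attackable under both.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK for a WPA/WPA2-PSK network from its passphrase and ESSID."""
    pw = passphrase.encode("ascii")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    salt = ssid.encode("utf-8")  # the ESSID is the salt
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, PBKDF2_ITERATIONS, dklen=PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, as wpa_passphrase prints it in a wpa_supplicant config."""
    return wpa_pmk(passphrase, ssid).hex()


def one_table_fits_all(passphrase: str, ssids: Iterable[str]) -> bool:
    """True only if a single precomputed PMK would cover every SSID listed.

    For distinct SSIDs the salts differ, so this returns False: a table built
    for one ESSID tells you nothing about a network with another ESSID.
    """
    return len({wpa_pmk(passphrase, s) for s in ssids}) == 1


if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i Annex H.4.1: ("password", "IEEE").
    print(pmk_hex("password", "IEEE"))
    # Same passphrase under a constructed second ESSID gives an unrelated PMK.
    print(one_table_fits_all("password", ["IEEE", "IEEE-guest"]))
```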