crunch dictionary wordlist for WPA handshake cracking

Despite the numerous vulnerabilities and cracking methods around WPA and its successor, a black hat might find themselves brute-forcing a handshake. If the most common list of passwords fails, (a dictionary attack that automated tools generally employ) the next to try is a list of valid phone numbers in that particular area, which can be easily generated.

Such attacks (KRACK) have been in use for a long time, but it appears that even WPA3, which was supposed to make them difficult, has its share of problems (dragonblood / password-partitioning) which can be exploited via a brute force attack of 8-chars password list – all that it takes is a $125 Amazon EC2 instance. More such vulnerabilities may become available as implementations of the standard become widespread.

These days, your router can be compromised in many ways, some even by state actors, and if you have an older router that is vulnerable there is little you can do apart from buying a new one and hope that it’s not affected. But what you can do is go through the exercise of trying to break into it so that you know what not to do when setting it up.

In North America, a large metropolitan area might have several area codes. For instance, New York City has 917 for all of NYC, 212, 332 and 646 for Manhattan and 347, 718 and 929 for outer boroughs (Bronx, Brooklyn, Queens, Staten Island). Toronto has 416, 437, 647 while its suburbs have 905, 289, and 365.

To create a wordlist (aka dictionary) of all the numbers in a particular area code, one could use “crunch” with this command (replacing “123” with the correct area code):

./crunch 10 10 -t 123%%%%%%% -o /root/123.txt

This could be repeated for all the area code overlays and then concatenated into an “all.txt” file:

cat 123.txt 456.txt 789.txt >> allareas.txt

That is rather large and could take a while to go through, depending of course on how fast and powerful the CPU is. Fortunately, there are a few number assignment restrictions that can significantly reduce the size of our dictionary/wordlist file.

In a North American telephone number, the first 3 digits are called the “area code” or NPA (aka ABC from ABC-DEF-GHIJ). The next three, i.e., DEF, are typically referred to as the prefix or “CO”, while the last four , i.e., GHIJ, are the “line number”.

We are interested in prefix / CO exceptions, as the NPA is given and fixed. For historical reasons however, the exceptions tend to be common to the NPA and CO. These are:

  • NXX - N from 2-9
  • XX above cannot be 11
  • 555-0100 through 555-0199 reserved for fictional use
  • 976 was assigned to pay per call; 950 is also “special service”
  • 900, 800 and all the other toll-free may also be reserved, although this is not so clear
  • the actual NPA cannot be used in the CO and neither can adjacent domestic area codes and overlays, or area codes reserved for future relief nearby
  • testing codes 958 and 959

It’s important to note that as requirements change and numbers get used up, some of the aforementioned rules may be “relaxed” or dropped altogether to free more phone numbers to allocate.

Of all the above, the most significant is the N from 2-9 (i.e., the exclusion of 0 and 1 as the first digit in the CO). These rules can be implemented in the following bash script:


#make sure " don't become curly or you will get 12 string length error
for areacode in 212 332 646 917
for fprfx in 2 3 4 5 6 7 8 9
crunch 10 10 -t $crunchstr >> /root/phonlist.txt

If you are only testing for a limited number of 3 digit COs (or prefixes), as it may be the case in a small town, you could replace the single digits in “fprfx” with your 3-digits prefixes while removing two “%” from the ‘crunchstr string assignment’.

We have posted such a wordlist using Toronto area codes (as there are fewer of them than NYC, in the example above) and posted it in our Google Drive in 7zip encrypted archive with the password consisting of our pseudonym having its last “o” written as the number “0”:

id  1VJmON_0ZFESBhuXNd2r8cNXoPfY1Hbw9

Such a dictionary file can be easily used in conjunction with automated tools such as wifite or besside-ng.

Such a word list can be further refined with the previously discussed rules using sed. This tool has a slightly different syntax in its GNU iteration than POSIX (the latter shown first).

sed 's/word-to-find//g' input.file > output.file

Gnu/sed syntax:

sed -i 's/word-to-find//g' input.file

The assumption for the above is limited time and resources, but if that is not the case, one can easily employ crunch “on the fly” and pipe it to their fav cracking tool:

crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

A long standing aircrack bug prevented a successful crack, which is why many suggest:

crunch 8 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | pyrit -r xxx.cap -b xx:xx:xx:xx:xx:xx -i - attack_passthrough

A further refined attempt would involve (-d 4 limits unnecessary character repetitions):

crunch <MinPasswordLength> <MaxPasswordLength> <CharacterSetToBeUsed> -s <StartPoint> -d 4 | pyrit -e <APessid> -i - -o - passthrough | cowpatty -d - -r <Handshake.cap> -s <APessid>

Hashcat and newer options allow one to employ the video card (cuda) for even faster password cracking.

cudaHashcat-plus.bin -a 3 -m 2500 myrouter.hccap

Using a dictionary file helps in two ways: first, by restricting and narrowing down the passwords tested, it saves time and resources and secondly, by splitting a large dictionary file into smaller chunks, it is possible to better time manage password cracking, as it can be more easily stopped and restarted.

One could use, for instance the following lengths for min-max string:

  • 8 – numeric, dictionary files broken into 200,000 chunks
  • 9 – numeric, same as 8
  • 10 – numeric, same as 8
  • Common password – dictionaries

We added magnet links for as-of-yet still alive large wordlists (8.5, 4.5 GB) below.

To split files use (bytes is the size of the new lists):

split --bytes=10M /path/to/large_wordlist /path/to/small_wordlits/word_list_prefix 

To “zip”, use

for i in *; do tar -czf $i.tar.gz $i; done

Use scp and ssh to send them to the machine doing the cracking and ssh to issue the commands:

for i in *.tar.gz
    > do scp $i user@server:/path/to/wordlist/directory;
    > ssh user@server "tar zxvf /path/to/wordlist/directory/$i"
    > ssh user@server "nohup  aircrack-ng <parameter list> $i &" 
    > sleep 10m
    > ssh user@server "rm  /path/to/wordlist/directory/*"

To start and restart “on the fly” and also limit the number of times a character can appear next to itself, pass “–d 4” to crunch after the character set for example, make a not of where it stops, then on restart, add “-s <StartPoint> -d 4” instead.


If you are looking at all this from the perspective of securing your own router, consider using a long password (20 characters is not a bad idea), preferably with special characters and also change the router’s MAC address when changing the password. Keep your router updated to the latest firmware. Create a “guest” network and password for your guests and never share or keep your wi-fi password visible.

Sources / More info: cnac-PDF, wiki-npa, BashWhile_guide, bash_looping, gnu-sed, do-sed, m8GB, m4GB, stack-split, dragonblood-pdf, pcg-125wpa3, krack1, thn-krackdemo,


Popular posts from this blog