Speed Up WPA Handshake Cracking With Keyspace Attacks

m5kro, published in CyberScribers, Sep 8, 2022

WPA handshakes are great, but they’re useless if you can’t recover a password from them. Most people use dictionary attacks, or brute force for short passwords. A keyspace attack is similar to both. By analyzing known default passwords we can reverse engineer the password generation process, which makes the password far easier to guess. For example, the keyspace for a NETGEARXX network (ex. NETGEAR31) is adjective + noun + 3 digits (ex. magicalballoon311).

Equipment

Computer — what else are you using to crack passwords?

GPU — optional but HIGHLY RECOMMENDED

Tools

Hashcat — an excellent password cracking tool

Known Keyspace — premade list here

Handshake File — can be pmkid instead

Looking For The Correct Keyspace

This should be the easiest part, as the ESSID (network name) of the WiFi usually gives it away. The name usually contains the router manufacturer and some random numbers or letters. You can find most keyspaces online or in lists like soxrok2212’s list here.

Examples:

NETGEARXX — [adjective + noun + 3 digits]

TP-LINK_#### — [0–9] — Len: 8

TP-LINK_###### — [0–9A-F] — Len: 8

Additional Preparation

Depending on the keyspace you may need to prepare a few more things. For example, the NETGEARXX keyspace requires an adjective wordlist and a noun wordlist. Getting them should be easy, but hashcat is picky about what it accepts as input. Using NETGEARXX as an example (again), hashcat does not accept two wordlists plus three digits as input for cracking. However, hashcat does support a wordlist combined with digits, or two wordlists. So to get around the limitation, either the two wordlists must be combined first, or the noun wordlist must be combined with the digits. This step varies from router to router, so it’s up to you to figure out what’s needed (soxrok2212’s list does include lots of workarounds).

Hashcat

If you’re here you should already know about hashcat; if not, you can find plenty of information on the hashcat website or in a tutorial online. Make sure your handshake is in hc22000 format or is a PMKID hash, make sure your input parameters are correct (soxrok2212’s list includes them), and you are off to the races.

Mitigations

If you read the article you should know by now that this attack works by reverse engineering default passwords. The easiest way to stop keyspace attacks from working is to change the default password to a more secure one. However, lots of people are not very tech literate, so the long-term solution is for manufacturers to ship more secure default passwords.
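As an added example that is not part of the article, the Python script below puts numbers on the risk the Mitigations paragraph describes: it flags ESSIDs that match the default naming patterns listed above, works out how many candidate passwords the matching scheme leaves, and compares that to a uniformly random password. The regexes are my reading of the article’s "NETGEARXX" / "TP-LINK_####" notation, and the adjective/noun list sizes and the hash rate are constructed assumptions used only to set a scale.

```python
"""Estimate how much a default-password scheme shrinks the keyspace an attacker must search.

Added example (not from the article). The ESSID patterns come from the article's
examples; the regexes, the word-list sizes and the hash rate are assumptions.
"""
import math
import re
from typing import Optional

# Constructed assumptions: rough sizes for the adjective and noun lists a
# NETGEARXX-style scheme draws from. Real lists differ; these only set the scale.
ASSUMED_ADJECTIVES = 1_000
ASSUMED_NOUNS = 2_000

# Hypothetical hash rate, used only to turn a keyspace size into a time scale.
ASSUMED_HASHES_PER_SECOND = 1_000_000

# (ESSID regex, human description, sizes of each independently chosen password component).
# The regexes are one reading of the article's "NETGEARXX" / "TP-LINK_####" notation.
DEFAULT_SCHEMES = [
    (re.compile(r"^NETGEAR\d{2}$"),
     "adjective + noun + 3 digits",
     [ASSUMED_ADJECTIVES, ASSUMED_NOUNS, 10 ** 3]),
    (re.compile(r"^TP-LINK_[0-9A-Fa-f]{4}$"),
     "[0-9], length 8",
     [10 ** 8]),
    (re.compile(r"^TP-LINK_[0-9A-Fa-f]{6}$"),
     "[0-9A-F], length 8",
     [16 ** 8]),
]


def keyspace_size(components: list[int]) -> int:
    """Number of candidate passwords when each component is chosen independently."""
    return math.prod(components)


def entropy_bits(size: int) -> float:
    """Equivalent bits of entropy for a password drawn uniformly from `size` candidates."""
    return math.log2(size)


def worst_case_seconds(size: int, hashes_per_second: int = ASSUMED_HASHES_PER_SECOND) -> float:
    """Seconds needed to exhaust the whole keyspace at the given rate (an upper bound)."""
    return size / hashes_per_second


def classify_ssid(ssid: str) -> Optional[dict]:
    """Return the matching default scheme and its keyspace, or None if no known pattern matches."""
    for pattern, description, components in DEFAULT_SCHEMES:
        if pattern.match(ssid):
            size = keyspace_size(components)
            return {
                "ssid": ssid,
                "scheme": description,
                "size": size,
                "bits": entropy_bits(size),
                "worst_case_seconds": worst_case_seconds(size),
            }
    return None


def random_password_size(alphabet_size: int, length: int) -> int:
    """Keyspace of a uniformly random password, for comparison with the default schemes."""
    return alphabet_size ** length


def risk_report(ssids: list[str]) -> list[str]:
    """One line per ESSID: flagged when it looks like a default scheme, otherwise marked unknown."""
    lines = []
    for ssid in ssids:
        hit = classify_ssid(ssid)
        if hit is None:
            lines.append(f"{ssid}: no known default scheme")
        else:
            lines.append(
                f"{ssid}: looks like a default scheme ({hit['scheme']}), "
                f"{hit['size']:,} candidates ~ {hit['bits']:.1f} bits; "
                f"exhaustive search <= {hit['worst_case_seconds'] / 3600:.1f} h at the assumed rate"
            )
    return lines


if __name__ == "__main__":
    # Constructed sample ESSIDs, not real networks.
    for line in risk_report(["NETGEAR31", "TP-LINK_1A2B", "TP-LINK_C0FFEE", "MyHomeWifi"]):
        print(line)
    baseline = random_password_size(62, 12)
    print(f"Random 12-char alphanumeric: {baseline:,} candidates ~ {entropy_bits(baseline):.1f} bits")
```

The point of the comparison is the gap in scale: with the assumed list sizes the NETGEARXX scheme yields about 2 billion candidates (roughly 31 bits), and the eight-digit TP-LINK scheme only 100 million (under 27 bits), against about 71 bits for a random 12-character alphanumeric password. Any network that the report flags is a candidate for the "change the default password" fix regardless of the exact rate an attacker can manage.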

Happy Hacking~!


Not a cybersecurity expert or a good writer. Don’t expect much.