Ethical Hacking: Creating Wordlists

Understanding wordlist generation for WPA/WPA2 password cracking

Understanding the Fundamentals

In previous discussions about WPA and WPA2 security, we established that handshake packets contain crucial information for password verification. However, these packets don't provide enough data to directly recover or recalculate the original key.

Key Concept: Handshake packets allow us to verify if a password is correct, but don't contain the actual password.

This limitation leads us to a methodology called wordlist attack, which involves:

  1. Creating or obtaining a comprehensive list of potential passwords
  2. Using the captured handshake to verify each password
  3. Continuing this process until a valid password is found
[Figure 1 diagram: a captured handshake (.cap file) and a wordlist (text file with passwords) feed a password-verification step that tries each password against the handshake]

Figure 1: The WPA/WPA2 password cracking process using wordlists

Creating Custom Wordlists with Crunch

While pre-made wordlists are available online, creating custom wordlists tailored to specific scenarios can significantly improve success rates. Crunch is a powerful tool that generates custom wordlists based on specified parameters.

Basic Crunch Syntax

crunch [min-length] [max-length] [character-set] [options]

The basic parameters are the minimum length, the maximum length, the character set to draw candidates from, and any options (such as an output file or a pattern).

Example 1: Basic Wordlist Generation

Generate passwords between 6-8 characters using only lowercase a, b, c and numbers 1, 2:

crunch 6 8 abc12 -o wordlist.txt

This command generates approximately 448,000 passwords (about 4MB of data).

Example 2: Pattern-Based Generation

Generate 6-character passwords that start with 'A' and end with 'B':

crunch 6 6 abc12 -t A@@@@B -o pattern_wordlist.txt

In the pattern, the literal characters 'A' and 'B' stay fixed, and each '@' is replaced in turn by every character of the supplied set (a, b, c, 1, 2).

This pattern reduces the possible combinations to only 625 passwords, making the attack much faster.

Advanced Crunch Options

Option            Description                                        Example
-t [pattern]      Define a pattern for generated passwords           -t P@ssw@@d
-o [filename]     Output to a file instead of stdout                 -o my_wordlist.txt
-p [charset]      Generate passwords without repeating characters    -p abcd1234
-s [startstring]  Start at a specific string                         -s abc123
-b [size]         Specify output file size (KB, MB, GB)              -b 10MB
[Figure 2 chart, "Wordlist Size Comparison": Standard, abcd1234 (8 chars, length 8) = 16,777,216 passwords; Pattern A******B = 1,679,616 (reduced by fixed positions); No repeats = 40,320 (reduced by eliminating repeats); 4 chars = 65,536 (reduced by smaller charset)]

Figure 2: Comparison of wordlist sizes with different strategies

Security Note: For ethical hacking purposes, only use these techniques on systems you own or have explicit permission to test.

Practical Tips for Effective Wordlist Creation

1. Narrow Down the Scope

If you have any information about the target password, use it to reduce the search space:

2. Target-Specific Wordlists

Consider creating wordlists based on:

3. Optimize for Space and Performance

Be mindful of wordlist size:

crunch 8 8 abcdefghijklmnopqrstuvwxyz -o wordlist.txt

This command would generate 208,827,064,576 passwords (nearly 2TB of data)!

Instead, use more targeted approaches:

crunch 8 8 0123456789 -t P@ss%%%% -o wordlist.txt

This generates only 10,000 passwords that all start with "P@ss".
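The counts and file sizes quoted in Examples 1 and 2 and in this section can be worked out before running crunch at all, which is also how a defender judges whether a password policy leaves a feasible search space. The script below is an added example, not part of the original page and not crunch's own code: it models crunch's -t placeholders (@ lowercase, , uppercase, % digits, ^ symbols) with assumed character sets, and the guess rate used for the time estimate is an assumption. One caveat it makes visible: crunch treats '@' inside a -t pattern as a placeholder, not a literal character (crunch's -l option marks literals), so a pattern like P@ss%%%% with a digit charset expands to 100,000 candidates rather than 10,000.

```python
"""Size a crunch-style wordlist before generating it.

Added example: not part of the original page and not crunch's own code.
It models crunch's -t placeholders (@ lowercase, , uppercase, % digits,
^ symbols) with the assumed sets below; the guess rate is an assumption
used only to turn a candidate count into a time estimate.
"""
from itertools import product
from math import factorial

# Assumed placeholder character sets (crunch's documented placeholder
# letters; the exact symbol set is an assumption for this example).
PLACEHOLDERS = {
    "@": "abcdefghijklmnopqrstuvwxyz",
    ",": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "%": "0123456789",
    "^": "!@#$%^&*()-_+=",
}


def count_plain(min_len, max_len, charset):
    """Candidates for `crunch MIN MAX CHARSET`: n^L for every length L."""
    n = len(set(charset))
    return sum(n ** length for length in range(min_len, max_len + 1))


def bytes_plain(min_len, max_len, charset):
    """Bytes written by `crunch MIN MAX CHARSET -o file` (one newline per line)."""
    n = len(set(charset))
    return sum(n ** length * (length + 1) for length in range(min_len, max_len + 1))


def _slots(pattern, charset):
    """Map each pattern position to its candidate characters.

    Literal characters stay fixed; a placeholder expands to its set.  As with
    crunch, a charset given on the command line replaces the '@' set.
    """
    sets = dict(PLACEHOLDERS)
    if charset:
        sets["@"] = charset
    return [sets[ch] if ch in sets else ch for ch in pattern]


def count_pattern(pattern, charset=None):
    """Candidates for `crunch L L [CHARSET] -t PATTERN`."""
    total = 1
    for slot in _slots(pattern, charset):
        total *= len(set(slot))
    return total


def expand_pattern(pattern, charset=None):
    """Yield every string the pattern matches (for small patterns only)."""
    for combo in product(*_slots(pattern, charset)):
        yield "".join(combo)


def count_permutations(charset):
    """Candidates for `crunch -p CHARSET`: each character used exactly once."""
    return factorial(len(charset))


def human_bytes(n):
    """Render a byte count with decimal (1000-based) units."""
    for unit in ("B", "KB", "MB", "GB", "TB", "PB"):
        if n < 1000:
            return f"{n:.2f} {unit}"
        n /= 1000
    return f"{n:.2f} EB"


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a given (assumed) rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    # Example 1 from the page: crunch 6 8 abc12
    print(count_plain(6, 8, "abc12"), human_bytes(bytes_plain(6, 8, "abc12")))
    # Example 2 from the page: crunch 6 6 abc12 -t A@@@@B
    print(count_pattern("A@@@@B", "abc12"), next(expand_pattern("A@@@@B", "abc12")))
    # Full lowercase 8-character keyspace versus the Figure 2 strategies
    lower = "abcdefghijklmnopqrstuvwxyz"
    full = count_plain(8, 8, lower)
    print(full, human_bytes(bytes_plain(8, 8, lower)))
    for label, n in [("abcd1234, length 8", count_plain(8, 8, "abcd1234")),
                     ("no repeats (-p)", count_permutations("abcd1234")),
                     ("4-char set", count_plain(8, 8, "abcd"))]:
        print(f"{label}: {n:,}")
    # '@' is a placeholder, so P@ss%%%% does not keep a literal '@'
    print(count_pattern("P@ss%%%%", "0123456789"))
    # Assumed rate of 100,000 WPA2 guesses per second (an assumption)
    print(f"{seconds_to_exhaust(full, 1e5) / 86400:.0f} days worst case")
```

Running the script reproduces the page's figures where they are consistent (625 candidates for Example 2, about 4 MB for Example 1, roughly 1.88 TB for the full 8-character lowercase list) and shows how quickly a fixed prefix, a smaller set or a no-repeat rule shrinks the space; the same arithmetic, read from the defender's side, is the argument for long passphrases drawn from a large set.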

Additional Resources

Popular Pre-made Wordlists

Wordlist Generators and Tools