WPA-PSK

Create custom wordlist to recover the cleartext passphrase from a captured WPA handshake or PMKID.

• Base wordlist
• Amplify
• Combine
  • Without separator - princeprocessor
  • With separator - hashcat
• Rules

Base wordlist

Create a small wordlist with a few simple words such as:

• company name, alias, acronym, previous name
• company location s.a. country, city, street
• words from the SSID name

Example:

evil
corp
evilcorp
EvilCorp
EC
washington
DC

In addition, add the following generic words to the custom wordlist:

wifi
wireless
mobile
mob
internet
network
net
password
pass
pwd
key
welcome

Amplify

Use hashcat to amplify the wordlist with capitalized words:

cat <base.lst> >> <amplified.lst>
hashcat -a 0 <base.lst> -j 'c' --stdout >> <amplified.lst>

See hashcat rule-based attack documentation for additional functions.

Combine

cat <amplified.txt> >> <combined.txt>

Without separator - princeprocessor

Use princeprocessor to combine words together and create a larger wordlist:

princeprocessor --elem-cnt-min=[MIN WORD] --elem-cnt-max=[MAX WORD] -o <combined.lst> <amplified.lst>

Example: ECwifi, EvilCorpInternet, …

With separator - hashcat

Use hashcat to combine words together with commonly used separators:

hashcat -a 1 <amplified.lst> <amplified.lst> -j '$@' --stdout >> <combined.lst>
hashcat -a 1 <amplified.lst> <amplified.lst> -j '$4' --stdout >> <combined.lst>
hashcat -a 1 <amplified.lst> <amplified.lst> -j '$-' --stdout >> <combined.lst>
hashcat -a 1 <amplified.lst> <amplified.lst> -j '$_' --stdout >> <combined.lst>

Example: Wifi4EvilCorp, Internet@EC, …

Rules

Finally, use hashcat to apply derivation rules:

hashcat -a 0 <combined.lst> -r <hashcat.rule> --stdout >> <rule.lst>

Recommendations:

• append-year-n-bang.rule: append year from 1950 to 2050 and also add a !
• unix-ninja-leetspeak.rule: common leetspeak
• efensive.rule: too many variations to explain