dcrack

dcrack distributes WPA/2 PSK cracking across multiple servers.

Architecture

  • Server: It is the point of coordination for all cracking servers, aka clients.
  • Client: Cracking server. Reports back to the server. This one needs raw power.
  • User: sends commands to the server, such as uploading wordlists and capture files, starting cracking jobs and getting the status of cracking jobs.

Getting started

A recent version of Aircrack-ng and Python is required on all systems.

Server set-up

Not much power or RAM is required for this system as it mostly receives commands from the user and communicates with clients.

./dcrack.py server

It will listen on port 1337 (TCP). Firewall rules are recommended so that only the user(s) and the cracking client(s) can reach the server.

Client set-up

This system needs raw power to be able to crack fast. RAM is irrelevant. It needs to be able to reach the server over the network.

./dcrack.py client <SERVER_IP>

Different systems will likely have different cracking speeds and the server adapts the workload (in this case, wordlists) to have all the systems finish at approximately the same time.

The client will first calculate its cracking speed and report it back to the server along with a client ID.
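The workload adaptation described above (slower clients get fewer wordlist lines so that everyone finishes at about the same time) can be done with a proportional split. The following is an added example, not dcrack's own scheduler: it takes the speeds the clients reported (keys/sec) and a wordlist line count, and hands out contiguous line ranges proportional to speed. The page does not say whether dcrack's own job `end` is inclusive, so this example uses half-open ranges [start, end).

```python
def split_workload(total_lines: int, speeds: dict) -> dict:
    """Assign each client a contiguous slice of a wordlist of `total_lines`
    lines, proportional to its benchmarked speed (keys/sec), so that every
    client is expected to finish at about the same time.

    Returns {client_id: (start, end)} with half-open ranges [start, end).
    The ranges are contiguous and together cover exactly [0, total_lines).
    (Assumption of this example: dcrack's own convention for `end` is not
    stated on the page.)
    """
    if total_lines < 0:
        raise ValueError("total_lines must be non-negative")
    total_speed = sum(speeds.values())
    if total_speed <= 0:
        raise ValueError("need at least one client with a positive speed")

    # Ideal (fractional) share for each client, then floor it.
    ideal = {cid: total_lines * spd / total_speed for cid, spd in speeds.items()}
    counts = {cid: int(share) for cid, share in ideal.items()}

    # Hand the leftover lines to the clients with the largest fractional parts
    # (largest-remainder method) so the counts add up to total_lines exactly.
    leftover = total_lines - sum(counts.values())
    by_fraction = sorted(speeds, key=lambda cid: ideal[cid] - counts[cid], reverse=True)
    for cid in by_fraction[:leftover]:
        counts[cid] += 1

    # Lay the slices out back to back, keeping the caller's client order.
    ranges, start = {}, 0
    for cid in speeds:
        ranges[cid] = (start, start + counts[cid])
        start += counts[cid]
    return ranges


def expected_seconds(ranges: dict, speeds: dict) -> dict:
    """Per-client time to exhaust its slice at its benchmarked speed.
    Clients with speed 0 are skipped (they were assigned an empty slice)."""
    return {
        cid: (end - start) / speeds[cid]
        for cid, (start, end) in ranges.items()
        if speeds[cid] > 0
    }


if __name__ == "__main__":
    # Constructed input: one client at the page's 3682 keys/sec, one half as fast,
    # and a 234-line wordlist (lines 0 to 233, as in the page's job example).
    speeds = {"14501464051314047435": 3682, "slow-box": 1841}
    jobs = split_workload(234, speeds)
    print(jobs)                          # fast client gets 2/3 of the lines
    print(expected_seconds(jobs, speeds))  # both finish in the same time
```

The largest-remainder step matters when the split is not exact: flooring alone would leave a few lines unassigned, and a job that silently skips lines would report `found=0` for a range it never fully searched.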

Cracking a capture file

Upload capture file

  ./dcrack.py cmd <SERVER_IP> cap <CAPTURE_FILENAME>

The capture file is cleaned up with wpaclean and then uploaded. Take note of the BSSID as it will be required later on.

Upload wordlist

  ./dcrack.py cmd <SERVER_IP> dict <WORDLIST_PATH>

WPA passphrases must be between 8 and 63 characters long, so any line outside of that range is removed. The wordlist is then compressed and uploaded.
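The clean-up step above (and the "cleaned up, compressed in gzip and hashed" preparation the user-side protocol section relies on) as an added example; this is not dcrack's own code. Lengths are counted in bytes, which coincides with characters for the ASCII passphrases WPA-PSK defines. Which bytes dcrack hashes (cleaned list or compressed file) is not stated on the page; this example hashes the cleaned, uncompressed list and fixes the gzip timestamp so that the compressed bytes are reproducible.

```python
import gzip
import hashlib

MIN_LEN, MAX_LEN = 8, 63  # WPA/WPA2 passphrase length limits


def clean_wordlist(raw: bytes) -> bytes:
    """Drop candidates that can never be a WPA/2 passphrase: shorter than 8 or
    longer than 63 bytes.  Lines are split on '\\n' and a trailing '\\r' is
    stripped, so Windows-style lists clean the same as Unix ones.  Order is
    preserved because job ranges refer to line numbers in the cleaned list."""
    kept = []
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if MIN_LEN <= len(line) <= MAX_LEN:
            kept.append(line)
    return b"\n".join(kept) + (b"\n" if kept else b"")


def prepare_wordlist(raw: bytes) -> dict:
    """Clean, compress and hash a wordlist.  Returns the line count (what the
    server needs to split the job), the SHA1 the server is asked about, and
    the gzip bytes that would be uploaded."""
    cleaned = clean_wordlist(raw)
    # mtime=0 keeps the gzip output byte-identical across runs.  Without it the
    # gzip header carries the current time, so the same list would compress to
    # different bytes every time and any hash over the compressed file would
    # never match a copy the server already has.
    compressed = gzip.compress(cleaned, mtime=0)
    # Assumption of this example: the SHA1 is taken over the cleaned list.
    digest = hashlib.sha1(cleaned).hexdigest()
    return {"lines": cleaned.count(b"\n"), "sha1": digest, "gz": compressed}


if __name__ == "__main__":
    # Constructed sample list: two lines too short, one too long, two valid,
    # one with a Windows line ending and one empty line.
    sample = b"short\npassword\r\n" + b"a" * 64 + b"\n12345678\n\nabc\n"
    info = prepare_wordlist(sample)
    print(info["lines"], info["sha1"])  # 2 lines survive the clean-up
```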

Run cracking job

  ./dcrack.py cmd <SERVER_IP> crack <BSSID>

Status

Now, query the status once in a while. Remember that the cracking clients report back to the server every 60 seconds (except when cracking is done).

  ./dcrack.py cmd <SERVER_IP> status

Protocol

The protocol used is HTTP. There isn't any authentication or encryption for now, so it is recommended to only use it on a trusted network and to use firewall rules to prevent unauthorized access.

Server

The server is mostly passive, responding to requests from clients (cracking servers) and commands from users.

Client worker

All requests from a worker start with /dcrack/worker.

Once started, the client runs a benchmark to get its average speed and reports it back to the server along with a client ID. In the following example, 14501464051314047435 is the client ID and it has an average speed of 3682 keys/sec:

GET /dcrack/worker/client/14501464051314047435/ping?speed=3682 HTTP/1.1

The server will respond 200 OK.

It will then poll the server for cracking jobs every 60 seconds and keep pinging the server with the information above. The polling looks like the following:

GET /dcrack/worker/client/14501464051314047435/getwork HTTP/1.1

The server will respond 200 OK and the JSON response may contain a few different possible answers:

  • Keep waiting
  • A job

Keep waiting

It contains the interval to wait in seconds for the next query. It looks like the following:

{"interval": "60"}

Job

The following JSON response adds 00:14:6C:7E:40:80 BSSID, a wordlist with the SHA1 of 1a15d1f10377829ead1fee8299f83f14d539f1e1 and what part of the dictionary to use by specifying the starting line of 0 and ending line of 233.

{"start": 0, "net": "00:14:6C:7E:40:80", "end": 233, "dict": "1a15d1f10377829ead1fee8299f83f14d539f1e1"}

On receiving this response, the client requests the wordlist referenced by this hash as well as the PCAP capture file and starts cracking. Once finished, it sends a request to the server with the results.

Obtaining the wordlist

The following request will be sent and the server will send the GZIP-compressed file for 1a15d1f10377829ead1fee8299f83f14d539f1e1:

GET /dcrack/worker/dict/1a15d1f10377829ead1fee8299f83f14d539f1e1 HTTP/1.1

Obtaining the capture file

The client will request the capture file referencing its BSSID. In this case 00:14:6C:7E:40:80:

GET /dcrack/worker/cap/00:14:6C:7E:40:80 HTTP/1.1

The server will send the gzip-compressed file.

Sending results to server

In the following request, the client sends the result of processing the BSSID 00:14:6C:7E:40:80. It also tells the server that the passphrase is 12345678:

GET /dcrack/worker/net/00:14:6C:7E:40:80/result?pass=12345678 HTTP/1.1

When the key isn't found, the following request will be sent indicating that passphrase for BSSID 00:14:6C:7E:40:80 wasn't found using the wordlist that has the SHA1 of 1a15d1f10377829ead1fee8299f83f14d539f1e1 and going through lines 0 to 233:

GET /dcrack/worker/net/00:14:6C:7E:40:80/result?wl=1a15d1f10377829ead1fee8299f83f14d539f1e1&start=0&end=233&found=0 HTTP/1.1
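The whole worker exchange above (ping, getwork, wordlist and capture download, result report) as an added, self-contained example with both sides: a stand-in server bound to loopback that answers the documented URLs with the page's responses, and a worker that walks through them. This is not dcrack's own code; the wordlist, the capture blob and the client ID are constructed, no cracking takes place, and the worker always reports `found=0` for its range. As on the page, the endpoints accept anything that can reach them, which is why the stand-in only listens on 127.0.0.1.

```python
import gzip
import hashlib
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed fixtures (not real data): a five-line wordlist, a placeholder
# standing in for a gzip-compressed capture, and the page's BSSID.
WORDLIST = b"password\nletmein1\n12345678\nqwertyui\nhunter22\n"
WORDLIST_GZ = gzip.compress(WORDLIST, mtime=0)
WORDLIST_SHA1 = hashlib.sha1(WORDLIST).hexdigest()  # assumption: hash of the list
CAPTURE_GZ = gzip.compress(b"constructed placeholder, not a real pcap", mtime=0)
BSSID = "00:14:6C:7E:40:80"


class StandInServer(BaseHTTPRequestHandler):
    """Answers the worker URLs from the page and records what it was sent."""
    received = []     # (path, query) pairs, for inspection
    job_sent = False  # hand out one job, then tell the worker to keep waiting

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, body: bytes, ctype: str = "text/plain"):
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        url = urlparse(self.path)
        parts = url.path.strip("/").split("/")
        query = {k: v[0] for k, v in parse_qs(url.query).items()}
        StandInServer.received.append((url.path, query))
        if len(parts) < 4 or parts[:2] != ["dcrack", "worker"]:
            self.send_error(404)
        elif parts[2] == "client" and len(parts) == 5 and parts[4] == "ping":
            self._reply(b"OK")
        elif parts[2] == "client" and len(parts) == 5 and parts[4] == "getwork":
            if not StandInServer.job_sent:
                StandInServer.job_sent = True
                job = {"start": 0, "net": BSSID, "end": 5, "dict": WORDLIST_SHA1}
                self._reply(json.dumps(job).encode(), "application/json")
            else:
                self._reply(json.dumps({"interval": "60"}).encode(), "application/json")
        elif parts[2] == "dict" and parts[3] == WORDLIST_SHA1:
            self._reply(WORDLIST_GZ, "application/gzip")
        elif parts[2] == "cap" and parts[3] == BSSID:
            self._reply(CAPTURE_GZ, "application/gzip")
        elif parts[2] == "net" and len(parts) == 5 and parts[4] == "result":
            self._reply(b"OK")
        else:
            self.send_error(404)


def run_worker(base: str, client_id: str = "14501464051314047435", speed: int = 3682):
    """One pass of the worker side.  Returns (getwork answer, summary of what
    was reported); the summary is None when the server said to keep waiting."""
    def get(path: str) -> bytes:
        with urllib.request.urlopen(base + path, timeout=5) as resp:
            return resp.read()

    if get(f"/dcrack/worker/client/{client_id}/ping?speed={speed}") != b"OK":
        raise RuntimeError("ping not acknowledged")
    answer = json.loads(get(f"/dcrack/worker/client/{client_id}/getwork"))
    if "interval" in answer:
        return answer, None
    words = gzip.decompress(get(f"/dcrack/worker/dict/{answer['dict']}"))
    capture = gzip.decompress(get(f"/dcrack/worker/cap/{answer['net']}"))
    lines = words.splitlines()[answer["start"]:answer["end"]]
    # A real worker would now run aircrack-ng over these lines; this example
    # only reports that nothing was found in the assigned range.
    result = f"wl={answer['dict']}&start={answer['start']}&end={answer['end']}&found=0"
    if get(f"/dcrack/worker/net/{answer['net']}/result?{result}") != b"OK":
        raise RuntimeError("result not acknowledged")
    return answer, {"lines_tried": len(lines), "capture_bytes": len(capture), "result_query": result}


def demo():
    """Run the stand-in server on a random loopback port and two worker passes:
    the first receives a job, the second is told to wait."""
    StandInServer.received, StandInServer.job_sent = [], False
    srv = HTTPServer(("127.0.0.1", 0), StandInServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        first, second = run_worker(base), run_worker(base)
    finally:
        srv.shutdown()
        srv.server_close()
    return first, second


if __name__ == "__main__":
    for answer, summary in demo():
        print(answer, summary)
```

Every request the stand-in receives is appended to `StandInServer.received`, which is the kind of per-request record a real deployment would want in its web server logs: with no authentication on the wire, the log of which address sent which `ping`, `getwork` and `result` is the only evidence of who took part in a job.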

User

All requests from a user start with /dcrack/cmd.

Upload capture file

The capture file is cleaned up with wpaclean, then compressed with gzip and uploaded using a POST request looking like this:

POST /dcrack/cmd/cap/create HTTP/1.1

The content of the POST request is the compressed capture file. Once successful, the server will respond 200 OK with the body “OK”.

Uploading a wordlist

The wordlist is cleaned up, compressed with gzip and hashed. This part is done locally. Following that, the user tool checks whether the server already has the wordlist and, if not, uploads it.

Check for wordlist existence

Using the following request, it checks if the server already has the wordlist based on its SHA1 hashsum:

GET /dcrack/cmd/dict/1a15d1f10377829ead1fee8299f83f14d539f1e1/status HTTP/1.1

If the server doesn't have it, it will answer “NO”.

Wordlist upload

Using a POST request, the wordlist is then uploaded:

POST /dcrack/cmd/dict/create HTTP/1.1

The server will respond OK if received correctly.

Setting the dictionary

In any case, it will tell the server to use a specific wordlist based on its hashsum using a request similar to this one:

GET /dcrack/cmd/dict/1a15d1f10377829ead1fee8299f83f14d539f1e1/set HTTP/1.1

The server will respond “OK” if successful.

Start a job

In the following request, the user asks the server to start processing the given BSSID:

GET /dcrack/cmd/net/00:14:6c:7e:40:80/crack HTTP/1.1

Server will respond with “OK”.

Get job status

Status of the job can be obtained by sending the following request:

GET /dcrack/cmd/status HTTP/1.1

The server's answer is JSON and lists the clients with their speed, as well as the results of any job. In the following response, there is one client with a speed of 3682 keys/sec and the passphrase for BSSID 00:14:6C:7E:40:80 is 12345678:

{
  "clients": [
    3682
  ],
  "nets": [
    {
      "bssid": "00:14:6C:7E:40:80",
      "pass": "12345678"
    }
  ]
}

Remove BSSID

In the following request, the user asks to remove the BSSID 00:14:6c:7e:40:80:

GET /dcrack/cmd/net/00:14:6c:7e:40:80/remove HTTP/1.1

The server will respond “OK”.

Tips

  • On an untrusted network, use an SSH tunnel or any other protocol that provides authentication and prevents eavesdropping.
  • If the capture file contains multiple handshakes, the best one will be selected. However, manual selection is strongly recommended in that case. Check out our WPA Capture analysis tutorial. Make sure to include at least one beacon in the capture file. If the network is hidden, an association frame is required too.
dcrack.txt · Last modified: 2018/04/20 23:35 by mister_x