Input data
EWSA includes an integrated network sniffer that supports AipPCap adapters from CASE Technologies, Inc. (Professional edition only); if you don't have one, you can use 3rd party software to capture the packets. The program also supports the following input data:
| • | tcpdump log |
| • | Tamos CommView log |
| • | PSPR log |
| • | Local Registry |
| • | Manual entry |
For more details on using the built-in sniffer and importing data from tcpdump and Tamos CommView logs, see Capturing network packets chapter.
Alternatively, you can import the data from PSPR log, where PSPR stands for Proactive System Password Recovery. When used on the computer with WZC (Wireless Zero Configuration), that program can save WPA-PSK password hash into the text file (press Export button on Misc Features | Wireless network page); EWSA can also dump password hashes from the local Registry itself (use Dump Windows WPAPSK hashes menu item). Please note that neither PSPR nor EWSA cannot extract hashes in the situation when wireless configuration is driven by 3rd party (vendor-supplied) utility instead of WZC.
Finally, you can add the password hash manually.
Program options
CPU Options
Here you can set the number of CPU(s) or cores to run the attack on (Processor utilization option). Press Auto detect to set this option automatically according to the number of processors you have installed. The Summary box shows more information on your operating system, machine name, user name (and whether you have Administrator privileges), CPU(s) name and speed.
Accelerators
Available devices box shows information about "compatible" video cards (or special hardware accelerators) EWSA can run the attack on. If multiple cards are installed, all of them are shown; select the one you want to get more information about, and look at Device info box; press Drivers info to get additional information about video drivers installed. For more information, consult with Hardware acceleration chapter.
Logging options
Select what kind of information you want to be printed by the program: regular messages, warnings, error messages.
Attack Settings
Word attack
This attack tries all possible variations of the given word, applying even more mutations than in dictionary attack with maximize efficiency option.
Dictionary attack - Dictionary options
Press Add to add dictionary file(s) to the list, Remove to remove the selected one(s), and Up/Down to change an order.
You can also set Ignore password if it is shorter than 8 or longer than 64 characters; with it, the program will check only those words (from the given wordlist) that are from 8 to 64 characters and so copmly with the wireless encryption standards.
Dictionary attack - Password mutation options
Here you select the name of the dictionary file, as well as the options that affect the speed and efficiency of the attack. See Dictionary mutations chapter for more details.
Mask attack
With the mask attack, you can check for passwords with the known/complex structure. In the Mask field, you can select the mask using the following options:
| • | ?? - the '?' symbol itself |
| • | ?c - small Latin character (from 'a' to 'z') |
| • | ?C - large Latin character (from 'A' to 'Z') |
| • | ?$ - one of the special characters (small set): !@#$%^&*()-_+= and space |
| • | ?@ - one of the special characters (large/complete set): !\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ and space |
| • | ?# - any printable character with the code from 0x20 to 0x7F |
| • | ?d - one digit (from 0 to 9) |
| • | ?d(min-max) - a number from min to max. |
| • | ?1..9(min-max) - min..max characters from custom set |
In order to use the last option, you should also create your (custom) own character set (below); each set has its own number.
For example, assume that you password is formed as follows:
- one capital letter
- from 3 to 5 small letters
- special character (from large set)
- from one to three digits
In that case, the mask is going to be (assuming that the custom charset containing all small letters is created; if it is the only one, it will have the number 1):
?C?1(3-5)?@?d(0-999)
Once the mask is properly set, you will see the Password total (the total number of passwords that fits into this mask), and Password range (first and last passwords to be checked):
Combination attack
This attach allows to test passwords that consist of two words, each of them taken from the dictionary (word list). Select the dictionaries in Dictionary 1 and Dictionary 2 fields (you can use the same file or different ones); and the additional options are:
| • | Check upper- and lower-case combination |
| • | Use word delimiters |
| • | Use extra mutations |
With the first option, the program will try to capitalize the first letter of each word, i.e. testing all four combinations. The second option (Use word delimiters) allows to set the different characters (like dash and underline, though you can set any other ones as well) to be used between words. Finally, you can apply extra mutations to all resulting passwords (Dictionary mutations options will be used). The program tries to estimate the total number of passwords instantly, but mutations will not be counted (it is virtually impossible to do that).