ELCOMSOFT.COM » Elcomsoft Wireless Security Auditor

Working with EWSA

Top  Previous  Next

Input data


EWSA (Professional edition only) includes an integrated network sniffer that supports AipPCap adapters, as well as most modern 'generic' consumer models. If you use AirPCap, you need to install its own drivers; with 3rd party adapters, you need to install the special/custom NDIS drivers bundled with the program.


The program also supports the following input data:


tcpdump log

Tamos CommView log

PSPR log

Local Registry

Manual entry


For more details on using the built-in sniffer and importing data from tcpdump and Tamos CommView logs, see Capturing network packets chapter.


Alternatively, you can import the data from PSPR log, where PSPR stands for Proactive System Password Recovery. When used on the computer with WZC (Wireless Zero Configuration), that program can save WPA-PSK password hash into the text file (press Export button on Misc Features | Wireless network page); EWSA can also dump password hashes from the local Registry itself (use Dump Windows WPAPSK hashes menu item). Please note that neither PSPR nor EWSA cannot extract hashes in the situation when wireless configuration is driven by 3rd party (vendor-supplied) utility instead of WZC.


Finally, you can add the password hash manually.


Program options


CPU Options


Here you can set the number of CPU(s) or cores to run the attack on (Processor utilization option). Press Auto detect to set this option automatically according to the number of processors you have installed. The Summary box shows more information on your operating system, machine name, user name (and whether you have Administrator privileges), CPU(s) name and speed.




Available devices box shows information about "compatible" video cards (or special hardware accelerators) EWSA can run the attack on. If multiple cards are installed, all of them are shown; select the one you want to get more information about, and look at Device info box; press Drivers info to get additional information about video drivers installed. For more information, consult with Hardware acceleration chapter.


Logging options


Select what kind of information you want to be printed by the program: regular messages, warnings, error messages.


Attack Settings


Word attack


This attack tries all possible variations of the given word, applying even more mutations than in dictionary attack with maximize efficiency option.


Dictionary attack - Dictionary options


Press Add to add dictionary file(s) to the list, Remove to remove the selected one(s), and Up/Down to change an order.


You can also set Ignore password if it is shorter than 8 or longer than 64 characters; with it, the program will check only those words (from the given wordlist) that are from 8 to 64 characters and so copmly with the wireless encryption standards.


Dictionary attack - Password mutation options


Here you select the name of the dictionary file, as well as the options that affect the speed and efficiency of the attack. See Dictionary mutations chapter for more details.


Mask attack


With the mask attack, you can check for passwords with the known/complex structure. In the Mask field, you can select the mask using the following options:


?? - the '?' symbol itself

?c - small Latin character (from 'a' to 'z')

?C - large Latin character (from 'A' to 'Z')

?$ - one of the special characters (small set): !@#$%^&*()-_+= and space

?@ - one of the special characters (large/complete set): !\"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ and space

?# - any printable character with the code from 0x20 to 0x7F

?d - one digit (from 0 to 9)

?d(min-max) - a number from min to max.

?1..9(min-max) - min..max characters from custom set


In order to use the last option, you should also create your (custom) own character set (below); each set has its own number.


For example, assume that you password is formed as follows:


- one capital letter

- from 3 to 5 small letters

- special character (from large set)

- from one to three digits


In that case, the mask is going to be (assuming that the custom charset containing all small letters is created; if it is the only one, it will have the number 1):




Once the mask is properly set, you will see the Password total (the total number of passwords that fits into this mask), and Password range (first and last passwords to be checked):




Combination attack


This attack allows to test passwords that consist of two words, each of them taken from the dictionary (word list). Select the dictionaries in Dictionary 1 and Dictionary 2 fields (you can use the same file or different ones); and the additional options are:


Check upper- and lower-case combination

Use word delimiters

Use extra mutations


With the first option, the program will try to capitalize the first letter of each word, i.e. testing all four combinations. The second option (Use word delimiters) allows to set the different characters (like dash and underline, though you can set any other ones as well) to be used between words. Finally, you can apply extra mutations to all resulting passwords (Dictionary mutations options will be used). The program tries to estimate the total number of passwords instantly, but mutations will not be counted (it is virtually impossible to do that).


Hybrid attack


This attack is similar to Dictionary attack described above, but all mutations are set by the user. Here you can select one or more dictionaries (wordlists), as well as several mutation rules. The rules are set in *.rul files; here are the ones coming with the program:


Common.rul – common mutation rules

Dates.rul – date mutations

L33t.rul – l33t 'language'

Numbers.rul – manipulations with numbers


The actual contents of *.rul file starts with [Rules] section (all text before this tag is ignored). Maximum length of one rule is 256 bytes. Maximum length of the output word (generated by the rule) should not exceed 256 characters, too. One line can contain several rules (any ones but aN); they are processed from left to right.


The syntax of mutations is fully compatible with Passcape and InsidePro software, and partially compatible with John the Ripper:


:        Do nothing, use the original input word

{        Rotate left: password -> asswordp

}        Rotate right: password -> dpasswor

[        Delete the first character: password -> assword

]        Delete the last character: password -> passwor

c        Capitalize: password -> Password

C        Lowercase the first character, uppercase the rest: password -> pASSWORD

d        Duplicate: password -> passwordpassword

f        Reflect: password -> passworddrowssap

l        Convert to lowercase

q        Duplicate all symbols: password -> ppaasssswwoorrdd

r        Reverse: password -> drowssap

t        Toggle case of all characters: PassWord -> pASSwORD

u        Convert to uppercase

V        Vowels elite: password -> PaSSWoRD

v        Vowels noelite: password -> pASSWoRD


'N        Truncate the word to N character(s) length

<N        Reject the word if it is greater than N characters long. 0<=N<=35 (0,1,2,3,4,5,6,7,8,9,A,B,C..Z)

>N        Reject the word if it is less than N characters long. 0<=N<=35 (0,1,2,3,4,5,6,7,8,9,A,B,C..Z)

aN        Check all possible symbol cases for the word. N is a maximal length of the word to apply this rule for. This rule CANNOT be used in conjunction with other ones!

DN        Delete the character at position N

pN        Copy word N times. N = 3 .. 9

TN        Toggle case of the character at position N. N = 0 .. 9 for the position 0 - 9, N = A .. Z for the position 10 - 35

zN        Duplicate the first character of the word N times. N = 1 .. 9

ZN        Duplicate the last character of the word N times. N = 1 .. 9


$X        Add character X to the end of the word

^X        Insert character X at the beginning of the word

@X        Remove all characters X from the word

!X        Reject the word if it contains at least one character X

/X        Reject the word if it does not contain character X

(X        Reject the word if the first character is not X

)X        Reject the word if the last character is not X


%MX        Reject the word if it does not contain at least M instances of the character X

=NX        Reject the word if the character at position N is not equal to the X

iNX        Insert the character X in position N

oNX        Overwrite a character in position N with the character X

sXY        Replace all characters X with Y

xNM        Extract a substring of up to M characters length, starting from position N. M = 1 .. 9 for the length equal to 1 - 9, M = A .. Z for the length equal to 10 - 35



Get more information about Elcomsoft Wireless Security Auditor
Get full version of Elcomsoft Wireless Security Auditor

(c) 2016 ElcomSoft Co.Ltd.