cracking WPA

Document Sample
cracking WPA Powered By Docstoc
					Cracking WPA

                  What is WPA?
 Wi-Fi Protected Access - encryption for wireless networks

WEP has design flaws that allow 100% cracking given
enough time (usually 5-15 minutes).

      WPA - temporary fix for WEP's flaws; still uses RC4
      WPA2 - finalized WPA
        8 to 63 characters hashed 4096 times
        256 bits AES
             WPA-PSK Weaknesses
WPA-PSK still requires a 4-way handshake to authenticate a
wireless client. If using WPA-PSK as opposed to radius, this
handshake contains the passphrase as the PMK(pairwise
master key) in the form of a 256 bit hash created using the
SSID as the SALT and hashing the passphrase 4096 times.

Therefore, hashing our own passphrase and comparing it to
the captured PMK hash(brute forcing) will tell us if our
passphrase is the same as the passphrase needed to
connect to the WPA-PSK encrypted network.
                  Attack Outline
1. Record wireless traffic between client and AP
2. Disconnect the client to force a handshake or capture a
   handshake by waiting
3. Import pre-hashed word list( OR import a
   wordlist and create the hashes for them while importing
4. Crack the passphrase by comparing hashes with the
   hash captured in the handshake
                   Tools Needed
  Aircrack-ng - a set of tools for auditing wireless networks

      Airodump-ng --- wireless packet capture tool
      Aireplay-ng --- wireless packet injection tool
      Airolib-ng --- manage and create WPA/WPA2 pre-
      computed hashes

Note: Aircrack-ng must be compiled with support for sqlite
   make sqlite=true
   make sqlite=true install
     Compile Aircrack-ng for Ubuntu
Run the following commands in a terminal to install Aircrack
with support for sqlite for Ubuntu. The last two lines will be
needed if you had aircrack-ng installed via aptitude.

tar -xzf aircrack-ng-1.0.tar.gz
cd aircrack-ng-1.0
make sqlite=true
make sqlite=true install
ln -s /usr/local/bin/aircrack-ng /usr/bin/aircrack-ng
ln -s /usr/local/bin/airolib-ng /usr/bin/airolib-ng
              Resources Used
Pre-hashed 1,000,000 word list for top 1000 ESSIDs
Slides, Videos, Questions / Comments
      How to Prevent WPA Cracking
The only way to be 99% sure nobody will crack your WPA-
PSK passphrase is to use WPA with a radius server instead
of WPA-PSK! WPA with a radius server means the client has
to provide the correct username and password and accounts
can be locked after unsuccessful login attempts.

WPA-PSK can be strengthened by using a passphrase
longer than 30 characters, but with a fast enough computer
or a cloud computing network it is just a matter of time
before your passphrase is brute forced.

Shared By: