Re: WPA-PSK audit

From: kevin horvath (kevin.horvath@gmail.com)
Date: Fri Jan 04 2008 - 12:38:43 EST


Various tools can be used to attack WPA-PSK, such as aircrack-ng,
coWPAtty, and Cain & Abel. All of these tools use a dictionary attack,
as Josh mentioned, using the SSID as a sort of salt. The ability to
crack it depends upon your dictionary list and the strength of the
passphrase itself. The time it takes to crack the PSK (if you do have
it in the dictionary) depends on your computing resources and where it is
in your dictionary file. To help speed this up you can use coWPAtty
and the pre-hashed files from the Church of WiFi, or generate your own
off your own dictionary file. You will have to do the latter if the
SSID you are auditing is not in the top 1000 SSIDs from WiGLE anyway
(as that is what was used to precompute the Church of WiFi's pre-hashed
files). One alternative to this is using Cain & Abel to do a brute
force attack, but this can take anywhere from a few hours to a few
years (your mileage may vary).

As Josh mentioned, if an enterprise uses WPA-PSK then that is a finding
in itself since it is a shared key. On assessments I like to watch
for probing clients to see if they are looking for default SSIDs, and
then turn my Ubiquiti card (or real AP) into AP mode with the default
SSID they are probing for and wait for them to connect to me (which
Wireless Zero in Windows does automatically). I then have a peer-to-peer
connection to them and then try to hack the laptop itself.
Once I can do that I can pull any WPA keys or WEP keys for any APs
they have in their preferred list. With that said, I don't even need to
crack WPA itself, just find an alternative way of getting the PMK.
This is also a good way of attacking WPA(2) Enterprise as you can
steal client certificates and such this way.

Kevin

On Dec 28, 2007 9:05 PM, Joshua Wright <jwright@hasborg.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > I'd like to know of any existing tools designed to test the WPA-PSK
> > security mode. I know it's more secure than wep with TKIP and so on but
> > I wonder if there are any tools that are able to crack the WPA key
> > within a reasonable time limit - 2-3 hours? Any ideas and suggestions on
> > WPA security will be appreciated.
>
> I think it is unlikely that dictionary attacks will be effective against
> WPA/WPA2-PSK networks, as long as the passphrase is reasonable and not a
> dictionary word. That said, WPA/WPA2-PSK is not a suitable
> authentication mechanism for enterprise networks. Since the PSK is
> shared among all stations on the wireless network, every user with a
> workstation that has the PSK could conceivably know the PSK and share it
> with anyone else. Further, a stolen device could disclose the PSK for
> the network, compromising all later data exchanges.
>
> - -Josh
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
>
> iQIVAwUBR3WrfTWX3FIa1TkuAQIvbw//dCJMf/8GZTwUVmxN2uTSgyCM+vMCw8n4
> VedAtIw5bOGWNcMkL/jNrPd50S99HlWJfd6+7KDB94WQZ8r8Z51XCeS5X7aVOYED
> BVQ/SWTlgrJalUlgqCmsc1/k6dMzf+MSP5FKk4hE/nxLKxwSe4/AIxP7BZ4hgq3x
> mBDOMo2YC62LA21jM1ozmKXCKnfjzxufpTlUjrTnWc2V/boc83eWnGuxkTfMqmCw
> c+UhalVs/bCIQ1IvnxzW6GVzAPf/OLJO1FFXhXqGOW31Kpya4ce5nmoyCY7ngUm4
> YtdRD67fbU6wgdfsoDjQFZyQ7nPzPS1XQoDYJdbsunmVZwTR2BCdpzY42VE7tK0H
> ERQA7jSgfwKv15P1BPbkpOgNDMOjxrUYaZj8vdca6/5505XI0cmmqnG1U0g/SXHs
> 0SQ97I7ZyW+T74vDt1nxlerwThKCztGXpcfVJTZsVnXcs1+jlhsVvT0nIM6F+8Rn
> Aw8EaIQT4DLIWQXWcKerUv0Pq6E4hCTzlgI2MOXE+9/cBYVhqKF6AHNQDklN0ITc
> QB+u7+lwup0KjgJGWpWQo0gvpuA5i0LjavanmVPQca9iCq3Mt9Z1ZddYrAxVYQPx
> moBpbty6h62tPFws0MOvjjesy1cA1QviEymN/qKnUb3gTOVpK/EIDW8v0zS680Sz
> 4cMyUdCfe1I=
> =Zaw0
> -----END PGP SIGNATURE-----
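Both messages rest on the same mechanic: the WPA/WPA2 passphrase is run through PBKDF2-HMAC-SHA1 with the network's SSID as the salt (4096 rounds, 256-bit output), which is why precomputed tables are only good for the SSIDs they were built with and why a dictionary-word passphrase falls regardless of SSID. The script below is an added illustration written for this archive, not code from either poster or from any of the tools named; it derives the PMK with the standard mapping (checked against the IEEE 802.11i Annex H test vector), shows that a PMK computed under one SSID cannot be reused under another, and runs a small audit over the findings the thread raises. The default-SSID set, the wordlist and the 20-character policy minimum are constructed sample data, not the WiGLE list or the Church of WiFi tables.

```python
import hashlib
import time
from typing import List

# 802.11i passphrase-to-PSK mapping: PBKDF2 with HMAC-SHA1, the SSID as the
# salt, 4096 iterations, 256-bit output. This is the derivation the tools in
# the thread (coWPAtty, aircrack-ng, the Church of WiFi tables) all compute.
PBKDF2_ROUNDS = 4096
PMK_LEN = 32


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for a WPA/WPA2-PSK network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("802.11i passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ROUNDS, dklen=PMK_LEN,
    )


def table_is_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if the PMK computed under ssid_a also matches under ssid_b.

    Because the SSID is the PBKDF2 salt this is False whenever the SSIDs
    differ: a table precomputed for a default SSID says nothing about a
    network that uses a unique one."""
    return wpa_psk(passphrase, ssid_a) == wpa_psk(passphrase, ssid_b)


def derivations_per_second(seconds: float = 0.25) -> float:
    """Rough single-core PBKDF2 rate: the cost paid per passphrase guess."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_psk("benchmark-passphrase", "benchmark-ssid")
        count += 1
    return count / (time.perf_counter() - start)


# Constructed sample data for the audit (not the WiGLE top-1000 list and not
# a real cracking wordlist); a real audit would load both from files.
SAMPLE_DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}
SAMPLE_WORDLIST = {"password", "letmein", "sunshine", "football"}
MIN_PASSPHRASE_LEN = 20  # assumed local policy threshold, not from the standard


def audit_psk_network(passphrase: str, ssid: str, enterprise: bool = True,
                      default_ssids=SAMPLE_DEFAULT_SSIDS,
                      wordlist=SAMPLE_WORDLIST) -> List[str]:
    """Return the findings a WPA-PSK audit should raise, in a fixed order."""
    findings = []
    if ssid in default_ssids:
        findings.append("default-ssid: precomputed PMK tables apply")
    if passphrase in wordlist:
        findings.append("dictionary-passphrase: recoverable from a handshake capture")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("short-passphrase: below local policy minimum")
    if enterprise:
        findings.append("shared-key: one PSK is held by every station and user")
    return findings


if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa_psk("password", "IEEE").hex())
    print("table for 'linksys' reusable against 'IEEE'?",
          table_is_reusable("password", "linksys", "IEEE"))
    print("single-core PBKDF2 rate: %.0f passphrases/s" % derivations_per_second())
    for finding in audit_psk_network("password", "linksys"):
        print("FINDING:", finding)
```

The rate printed by `derivations_per_second` is the figure behind "depends on your computing resources": every candidate passphrase costs 4096 HMAC-SHA1 rounds, so a long, non-dictionary passphrase on a unique SSID pushes the work well past the few-hours budget the original question asked about, while the shared-key finding remains whatever the passphrase is.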

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:18 EDT