WPA / WPA2 Security


Sector.Xero

I'm pen testing my home networks. I've noticed that there are a lot of WPA / WPA2 cracks that involve capturing the handshake and running it against a dictionary.

Have there been any other attacks that have come out? I've been Googling it with crappy results. Are there any other methods?

Link to comment
Share on other sites

There are WPA tables out there, but it's not like the general public is downloading terabytes of this info. Most people who have the storage for this also have the ability to do the cracking, so most home users aren't going to benefit from trying to download them to their home desktops. Just too large for the average home user.

There is the http://www.wpacracker.com/ Darren reviewed, which you can upload to and pay for the results, but there is a new ph33rbot from PureHate over at http://ph33rbot.com/wpa-password-cracker/ which does this as well. Both I think are pay-for, with the one actually showing you most recently cracked keys, as the wpacracker.com one I don't think shows them to you until you pay for results; the other shows results for people who have paid, I guess.

Link to comment
Share on other sites

I think he means other methods instead of capturing the handshake. Answer: No. You HAVE to capture the handshake to crack the wireless encryption; the handshake is the only time the key is shared between the client and AP, which is what password crackers need. WPA encryption is pretty strong and really the only way to get in is if your password is lame like "password" or "wireless". The greater the complexity of the password, the harder it is to crack.

Link to comment
Share on other sites

Anyone is welcome to correct me.

I have cracked my own home WEP & WPA Network.

Only PSK can be cracked ( Pre-Shared Keys).

- Deauth a client

- Capture 4 way handshake as he reconnects

- Download a good dictionary file (eg passwords.txt)

The handshake is salted with the essid, so you can use a tool like airolib-ng to build your own database from your passwords.txt file and your target's essid. In turn, instead of cracking at a rate of ~500 keys/sec we can get to well over 100,000 keys/sec, and up to 300,000/sec has been reported.

My pc does 1 million keys in about 5-10 seconds compared to an hour the normal way.

Bottom line, if the password isn't in the dictionary it just doesn't work.

With TKIP it's my understanding you can only inject packets, I think it's 7 in total. But they could be malicious if someone was to be so devious. You cannot get a key from this.

Other methods?

What about Rogue AP? Setting up a fake access point to imitate the target's own; once they enter the key it gets passed in clear text because it's not encrypted in any way.

I haven't tried this yet, but it looks promising: Cracking WPA Without a Dictionary

Link to comment
Share on other sites
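Added example, not part of any post in this thread: a sketch of why the precomputed databases mentioned above are tied to one ESSID, and what the quoted rates mean for passphrase choice when hardening your own network. The key derivation is the standard WPA/WPA2-PSK one (PBKDF2-HMAC-SHA1, ESSID as salt, 4096 iterations); the SSID `HomeNet-2G`, the helper names and the 12-character policy are assumptions made for illustration.

```python
import hashlib

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-PSK pairwise master key (PMK)."""
    # A 64-hex-digit entry is used directly as the raw 256-bit key.
    if len(passphrase) == 64:
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # The ESSID is the salt, so every (passphrase, ESSID) pair costs
    # 4096 HMAC-SHA1 rounds and yields a different PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def seconds_to_try(candidates: float, keys_per_sec: float) -> float:
    """Time to test `candidates` guesses at a given rate."""
    return candidates / keys_per_sec

def random_keyspace(length: int, alphabet: int = 95) -> int:
    """Number of passphrases of `length` drawn from printable ASCII."""
    return alphabet ** length

def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample values; "HomeNet-2G" is a made-up SSID.
    same_word_a = wpa_pmk("password", "IEEE")
    same_word_b = wpa_pmk("password", "HomeNet-2G")
    print("PMK differs per ESSID:", same_word_a != same_word_b)

    # Rates quoted in the post above: ~500/s live, ~300,000/s precomputed.
    for rate in (500, 300_000):
        t = seconds_to_try(1_000_000, rate)
        print(f"1M-word dictionary at {rate}/s: {t:.0f} s")

    # A 12-character random passphrase is out of reach at either rate.
    t = seconds_to_try(random_keyspace(12), 300_000)
    print(f"12 random chars at 300,000/s: {years(t):.2e} years")
```

A database built for one ESSID is useless against a network with a different name, so a unique SSID together with a long random passphrase addresses both the precomputation and the dictionary problem.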

No. The rogue access point wouldn't ask for the key, since it won't have one.

The page he linked to, from what I browsed over, doesn't just set up a rogue access point, but impersonates their router's login page. Not that you should connect and then see it when you open a browser by default anyway; that would be a big red flag for me, like, why is my router redirecting internet access to its login page?

But anyway, you could probably do the same thing with Jasager + ettercap or something similar: clone the HTML from most common wifi routers, then serve them to anyone trying to reach their own router, kind of social engineer them into logging into their own router (giving you the password in the clear), then serve fake pages that mimic the router and ask for them to set a new WEP/WPA key, or whatever they choose, then capture that in the clear as well.

I don't think it would be too successful though, because how many people see their router's login page as soon as they open a browser?

Link to comment
Share on other sites

Then again, how many people would go "Oh? Alright..." and put in their password... ;)

I bet that could be quite successful. Also, if they weren't allowed access until after, say a certain amount of time or login attempts, you might phish yourself multiple passwords. Just my thoughts...

Link to comment
Share on other sites

No. The rogue access point wouldn't ask for the key, since it won't have one.

Why would it not have one? You can use options to make the access point have a key, but it's fake and it gets sent in clear text.

My understanding is you can make it look like anything, a router login, a wep/wpa login or a hotspot login

Look at Step #3 and go down to Picture C

http://fadzilmahfodh.blogspot.com/2009/07/...dictionary.html

Link to comment
Share on other sites

Why would it not have one? You can use options to make the access point have a key, but it's fake and it gets sent in clear text.

My understanding is you can make it look like anything, a router login, a wep/wpa login or a hotspot login

Look at Step #3 and go down to Picture C

http://fadzilmahfodh.blogspot.com/2009/07/...dictionary.html

This may work at a public hotspot, maybe. Would most likely never work at a home or corp wireless network.

Link to comment
Share on other sites

This may work at a public hotspot, maybe. Would most likely never work at a home or corp wireless network.

You have a lot of faith in the public. Usually each household has 1 person who knows a little about PCs & networking and that's it. They can follow simple and basic instructions to get the net working or install Windows.

If your router asks you for the WEP/WPA key and you as an average user want to use the internet, you're going to trust that the router wants your WPA/WEP key and think nothing of it.

As for hot spots, well, again you put faith in the public. Imagine you make your own hotspot page that looks similar to the hotel's website, with pictures, contact numbers etc. and ask them to put in, say,

# Room Number

# Credit Card

# First Name

# Last Name

And then say that it will be $5/hour or something; 2 or 3 out of 10 people will actually do that...

Link to comment
Share on other sites

Why would it not have one? You can use options to make the access point have a key, but it's fake and it gets sent in clear text.

Okay, so you give your fake access point, called "Bob's home network" a fake password. You then set it to broadcast at a higher wattage than the real "Bob's home network". Now when Bob tries to connect to his network, your spoofed router is what he's going to connect to. The beginning of the four way handshake isn't going to be the same as his real access point because the password is different. The exercise stops right here. You're not going to get the correct password this way.

You have a lot of faith in the public. Usually each household has 1 person who knows a little about PCs & networking and that's it. They can follow simple and basic instructions to get the net working or install Windows.

If your router asks you for the WEP/WPA key and you as an average user want to use the internet, you're going to trust that the router wants your WPA/WEP key and think nothing of it.

Usually in these cases it's only that one person that knows the password! I know my wife and our roommate have no clue what the password for our wifi is. Hell, I don't know what it is unless I look at the txt file on my thumb drive. It's hard to remember 64 random characters.

Now this might work for a public hotspot. But then most public hotspots are open to the world anyway. You'd have to be careful with how long you run the rogue access point though. It's going to break a lot of folks' connections. They are going to complain to the owners, and when they can't get a connection they're going to start messing with the real access point's config.

Link to comment
Share on other sites

I registered just for this post lulz

@ The Game, TKIP is just the encryption, not the authentication. I believe you were thinking about RADIUS, which cannot be attacked in the same manner as PSK, or perhaps LEAP/EAP.

@Barry, what happens is:

The AP waits for a client to connect; upon connecting he can instantly browse the internet, except for one small problem: via some nice grep skills, the program intercepts the GET responses and delivers a broken page alongside a "<script>window.open(blah)</script>" that has one input field and one message, "We're sorry, due to ongoing technical difficulty, we require you to reenter your Wireless passphrase"

I have personally tested this technique on.... about 100 clients, 90 of which did it :D

Link to comment
Share on other sites
