michael_kent123 Posted October 5, 2014

Hello, I want to comment on how I understand WPA(2) cracking based on the situation today. In my opinion, there are three ways to target WPA(2).

a) PSK dictionary cracking.
b) WPS cracking.
c) Social engineering.

a) My opinion is that PSK dictionary cracking is unlikely to work. As an experiment, I acquired the 4-way handshake of ten APs in the vicinity. I uploaded these to gpuhash.me. No PSKs were found. The site claims that they use a 337 million word dictionary. Moxie Marlinspike's cloudcracker.com uses a 604 million word dictionary but charges $17 per attempt whether successful or unsuccessful. gpuhash.me only charges if they are successful. My impression is that most people these days use non-dictionary passwords.

Of note, most routers that I can see in my area have default SSIDs. For example, I observe various BTHomeHub2-XXXX, BTHub3-XXXX, and SKYXXXXX names. I am in the UK. The default SSIDs may suggest that the owners also use default passwords. According to gpuhash.me: "Full range of 10 hexadecimal lowercase digits (0000000000-ffffffffff). Often used as a default WPA password for broadband routers: BTHomeHub(1-4)-xxxx." These attempts demand energy and hence are expensive. The lowercase 10 hex attack is 1100GB worth of keywords. gpuhash.me requests 0.58BTC, which is currently $176 or £111. And, of course, there is no guarantee that the default password has not been changed.

b) In my opinion, the main WPS cracking tool, Reaver, is effectively dead. First, the target router must be WPS enabled. Many are not. Checking the number of routers discovered by airodump-ng compared to those recorded by wash will indicate that about 50% of routers cannot be targeted by the WPS attack. Then, of those that can, the majority time out due to WPS locking. Even those that do not lock have other errors. They may get stuck at 90.90% or 99.99%. In these scenarios, Reaver does not discover the first four digits of the WPS PIN and goes into a loop. I am currently playing with the Reaver fork, version 1.5, but am not optimistic that it will improve matters (based on users' comments) (https://code.google.com/p/reaver-wps-fork/). After all, the issue is not Reaver, but how routers now function, whether they are sold new or have had firmware updates. This is not to say that Reaver is always ineffective. As Digininja notes, an organisation with 100 APs might have one that is vulnerable (https://forums.hak5.org/index.php?/topic/33715-is-reaver-totally-dead/). However, if there is only one AP, the likelihood of success is minimal.

c) AIUI, the main tool is PwnSTAR (https://github.com/SilverFoxx/PwnSTAR). You create an open network (a softAP) with the same SSID as that of the network you are targeting. You deauth the client from the genuine AP using aireplay-ng. The user then attempts to reconnect to his network but accidentally connects to you because your SSID shows up in the network list and its Tx power is superior to that of the genuine router. This attack requires the user to manually connect to an open network rather than their real WPA(2) network. My impression is that the user has to manually connect because their real SSID uses WPA(2) and hence, after the deauth, their system will not automatically connect to an open network (even one that uses the same SSID).

A variation, promoted by Musket Teams on the Kali Linux forums, is to use a very similar SSID. In other words, if the real SSID is "SKY12345" the softAP SSID would be "SKY12345     ." (five spaces then a dot). AIUI, the idea is that the target's system will start to send out probe requests for open networks to which it previously connected, and the attacker's system claims it is one of these networks. (It's not therefore necessary for the SSID to be so similar, but the Musket Teams idea looks good for social engineering purposes.)

However, my impression is that modern systems are less likely to automatically connect. For example, if I deauth myself (on a different computer) from a Windows 8 system, it will not then connect to any open systems in the vicinity even if I had connected to them before. The only way is to manually connect.

I would appreciate any comments on the above scenarios. Further, perhaps there are other WPA(2) attacks that can obtain the PSK of which I am unaware. Thanks!
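The two keyspaces the post weighs up in a) and b) are easy to make concrete. The following is an added example, not code from the original post or from gpuhash.me, Reaver or PwnSTAR: it derives a WPA2 PSK from a passphrase the way the AP and client do (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes, per IEEE 802.11i), which is the cost an offline handshake cracker pays per guess; sizes the "10 lowercase hex digits" default-key space and converts it to search time at an assumed hash rate (the 200,000 guesses per second figure is an illustrative assumption, not a measurement); and shows why a WPS PIN is an 11,000-attempt problem rather than a 10^8 one, because the eighth digit is a checksum over the first seven and the protocol confirms the two halves separately. Expressing progress as attempts out of 11,000 is this example's own reading of the percentages Reaver prints: exhausting all 10,000 first halves is 10,000/11,000, or about 90.9%, and exhausting all second halves as well is 10,999/11,000, or 99.99%. The PSK test vector ("password" / "IEEE") is the one from the 802.11i annex.

```python
"""Worked example added to the thread (not the poster's code or any tool's):
WPA2-PSK derivation cost and the WPS PIN keyspace. Standard library only."""
import hashlib

# --- a) WPA2-PSK: what a handshake cracker must compute for every guess ------
# PSK (= PMK) = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
# The captured 4-way handshake lets the guess be checked offline, so attack cost
# is (number of candidates) x (one PBKDF2 derivation each).
def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def hex_default_keyspace(length: int = 10) -> int:
    """Candidates in the 'lowercase hex digits' default-key space quoted in the post."""
    return 16 ** length


def exhaustive_search_days(candidates: int, guesses_per_second: float) -> float:
    """Worst-case days to exhaust a keyspace at an ASSUMED hash rate.

    The rate is an illustrative assumption; real throughput depends on the
    hardware and is bounded by the 4096-round PBKDF2 above."""
    return candidates / guesses_per_second / 86400


# --- b) WPS: the PIN space is 10^4 + 10^3, not 10^8 --------------------------
# Digit 8 of a WPS PIN is a checksum over digits 1..7 (weights 3,1,3,1,3,1,3),
# and the registrar exchange (M4/M6) confirms the first four digits
# independently of the last three. Brute force is therefore at most
# 10,000 + 1,000 = 11,000 attempts.
WPS_WEIGHTS = (3, 1, 3, 1, 3, 1, 3)


def wps_checksum(first_seven: int) -> int:
    digits = [int(d) for d in f"{first_seven:07d}"]
    accum = sum(d * w for d, w in zip(digits, WPS_WEIGHTS))
    return (10 - accum % 10) % 10


def wps_full_pin(first_seven: int) -> str:
    """Complete a 7-digit prefix into a valid 8-digit WPS PIN."""
    return f"{first_seven:07d}{wps_checksum(first_seven)}"


def wps_pin_valid(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def wps_max_attempts() -> int:
    first_half = 10 ** 4          # digits 1-4, confirmed on their own
    second_half = 10 ** 3         # digits 5-7; digit 8 is fixed by the checksum
    return first_half + second_half


def wps_progress_percent(first_half_tried: int, second_half_tried: int = 0) -> float:
    """Attempts made, as a percentage of the 11,000 maximum."""
    return 100 * (first_half_tried + second_half_tried) / wps_max_attempts()


if __name__ == "__main__":
    print("PSK for 'password' on SSID 'IEEE':", wpa2_psk("password", "IEEE").hex())
    space = hex_default_keyspace()
    print(f"10 lowercase hex digits: {space:,} candidates")
    print(f"  at an assumed 200,000 guesses/s: {exhaustive_search_days(space, 2e5):.1f} days")
    print("WPS PIN for prefix 1234567:", wps_full_pin(1234567))
    print("WPS worst case:", wps_max_attempts(), "attempts")
    print(f"  all first halves exhausted: {wps_progress_percent(10_000):.2f}%")
    print(f"  all second halves exhausted too: {wps_progress_percent(10_000, 999):.2f}%")
```

The PBKDF2 call is the whole reason dictionary size matters so much for WPA2: each guess costs 4096 HMAC-SHA1 rounds, so a 600-million-word list is cheap for a GPU farm but the full 16^10 default space is three orders of magnitude larger. For WPS, the checksum function is also what a tester uses to sanity-check a PIN printed on a router label before trying it.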