
The State of WPA2 Cracking Today.


michael_kent123


Hello,

I want to comment on how I understand WPA(2) cracking based on the situation today.

In my opinion, there are three ways to target WPA(2).

a) PSK dictionary cracking.

b) WPS cracking.

c) Social engineering.

a) My opinion is that PSK dictionary cracking is unlikely to work. As an experiment, I acquired the 4-way handshake of ten APs in the vicinity. I uploaded these to gpuhash.me. No PSKs were found. The site claims that they use a 337 million word dictionary. Moxie Marlinspike's cloudcracker.com uses a 604 million word dictionary but charges $17 per attempt whether successful or unsuccessful. gpuhash.me only charges if they are successful. My impression is that most people these days use non-dictionary passwords.

Of note, most routers that I can see in my area have default SSIDs. For example, I observe various BTHomeHub2-XXXX, BTHub3-XXXX, and SKYXXXXX names. I am in the UK. The default SSIDs may suggest that the owners also use default passwords. According to gpuhash.me: "Full range of 10 hexadecimal lowercase digits (0000000000-ffffffffff). Often used as a default WPA password for broadband routers: BTHomeHub(1-4)-xxxx."

These attempts demand energy and hence are expensive. The lowercase 10 hex attack is 1100GB worth of keywords. gpuhash.me requests 0.58BTC which is currently $176 or £111. And, of course, there is no guarantee that the default password has not been changed.

b) In my opinion, the main WPS cracking tool, Reaver, is effectively dead. First, the target router must be WPS enabled. Many are not. Checking the number of routers discovered by airodump-ng compared to those recorded by wash will indicate that about 50% of routers cannot be targeted by the WPS attack. Then, of those that can, the majority time out due to WPS locking. Even those that do not lock have other errors. They may get stuck at 90.90% or 99.99%. In these scenarios, Reaver does not discover the first four digits of the WPS PIN and goes into a loop. I am currently playing with the Reaver fork, version 1.5, but am not optimistic that it will improve matters (based on users' comments) (https://code.google.com/p/reaver-wps-fork/). After all, the issue is not with Reaver, but with how routers now function, whether they are sold new or have had firmware updates.

This is not to say that Reaver is always ineffective. As Digininja notes, an organisation with 100 APs might have one that is vulnerable (https://forums.hak5.org/index.php?/topic/33715-is-reaver-totally-dead/). However, if there is only one AP, the likelihood of success is minimal.

c) AIUI, the main tool is PwnStar (https://github.com/SilverFoxx/PwnSTAR). You create an open network (a softAP) with the same SSID as that of the network you are targeting. You deauth the client from the genuine AP using aireplay-ng. The user then attempts to reconnect to his network but accidentally connects to you because your SSID shows up in the network list and its Tx power is superior to that of the genuine router. This attack requires the user to manually connect to an open network rather than their real WPA(2) network. My impression is that the user has to manually connect because their real SSID uses WPA(2) and hence, after the deauth, their system will not automatically connect to an open network (even one that uses the same SSID).

A variation, promoted by Musket Teams on the Kali Linux forums, is to use a very similar SSID. In other words, if the real SSID is "SKY12345" the softAP SSID would be "SKY12345 ." (five spaces then a dot). AIUI, the idea is that the target's system will start to send out probe requests for open networks to which it previously connected, and the attacker system claims it is one of these networks. (It's not therefore necessary for the SSID to be so similar, but the Musket Teams idea looks good for social engineering purposes.) However, my impression is that modern systems are less likely to automatically connect. For example, if I deauth myself (on a different computer) from a Windows 8 system, it will not then connect to any open systems in the vicinity even if I had connected to them before. The only way is to manually connect.

I would appreciate any comments on the above scenarios. Further, perhaps there are other WPA(2) attacks that can obtain the PSK of which I am unaware.

Thanks!


a) While previously people went out and bought their own router which came with either absent or shitty default passwords, pretty much all modern routers include a wizard that will help the user set up their AP with a generated password sequence which is totally random and advise the user to write this down or run the wizard again if they want to change it. This makes it both sufficiently easy for the end-user to set up and sufficiently difficult for the end-user to later change it into 'mysecretpw' or whatever braindead letter combo they do manage to remember.

For the current crop of routers currently provided by ISPs that are wifi-enabled (i.e. any less than 2 years old, possibly more) the wifi passphrase will be preset to something very long and very random, and provided in or along with the documentation for the device. You might be able to change it, but it'll be tedious and made such that you have to really, REALLY want to change it before it's allowed.

Your best bet in cracking WPA2 APs is to find one that's operated by some commercial entity for the benefit of its paying customers. The passphrase here is typically something simple that includes the name of the commercial entity.

But in general, the password will be a long list of garbage which you can't work out with a wordlist (since it's not a sequence of intelligible words with some characters thrown in) and the keyspace is too large to make brute-forcing it feasible.

b) You probably can't buy a Wifi router these days that supports WPS and doesn't support automatic lockout. Most that support WPS will require you to press a button on the router before it will even respond to a WPS request and shut that feature off again after a few failed attempts. In general I think it's safe to say that Reaver has simply run its course and the hole it got in through has been fairly thoroughly plugged. You can and, in case of a pentest, should always test to make sure the router doesn't have WPS in an always-on configuration, but it'll be one of those low-hanging fruits that likely won't be there anymore if the admin was sufficiently competent.

c) I think the variation you describe is that you disconnect the legitimate user, provide a near-identically named AP and hope that when the user tries to reconnect and fails, he looks into his available APs list, sees yours, assumes it's his and connects to it. Yours would have to be an open-access one to prevent the user from having to enter the password (which he won't, as we already discovered in point a that it's a load of gobbledygook).


Thanks for your helpful and informative comments.

For the current crop of routers currently provided by ISPs that are wifi-enabled (i.e. any less than 2 years old, possibly more) the wifi passphrase will be preset to something very long and very random, and provided in or along with the documentation for the device. You might be able to change it, but it'll be tedious and made such that you have to really, REALLY want to change it before it's allowed.

So you are saying that most users these days use default passwords provided by the manufacturer - but that these are very hard to brute force because they are not based on any kind of dictionary words. Correct?

If so, this will be an example where not changing the default password is best.

When I looked at my friend's PlusNet wireless router, the default was a random 12 digit uppercase hex number, e.g. "DD01FE17FAA5". He didn't change the default. I suppose it could be brute-forced, but even commercial crackers like gpuhash.me charge 0.58BTC and that's for 10 digit hex (uppercase or lowercase).

One thing I was wondering is whether there is a website that lists the default PSK style for all routers. gpuhash.me lists a few (https://gpuhash.me/?menu=en-tasks-add):

Often used as a default WPA password for broadband routers:

10 digits — 2WIRExxx, ONOxxxx, ATTxxx, BigPondxxx
8 lowercase — virginmedia
8 uppercase — SKYxxx, UPCxxxxxxx
10 HEX lowercase — BTHomeHub(1-4)-xxxx

There must be some standard for all routers. For example, even if all PlusNet routers are 12 hex uppercase, an adversary with significant GPU power (e.g. a government) could surely crack all default router passwords given time?

In general I think it's safe to say that Reaver has simply run its course and the hole it got in through has been fairly thoroughly plugged.

I agree. At the same time, however, it is worth noting that the Reaver forums are active (whether the Kali Linux forum or the Google Code page where Reaver is hosted). There is now a fork of Reaver (https://code.google.com/p/reaver-wps-fork/).

I can't imagine it can be 100% dead - maybe 97%. But is it worth spending time on? Probably not.

c) I think the variation you describe is that you disconnect the legitimate user, provide a near-identically named AP and hope that when the user tries to reconnect and fails, he looks into his available APs list, sees yours, assumes it's his and connects to it. Yours would have to be an open-access one to prevent the user from having to enter the password (which he won't, as we already discovered in point a that it's a load of gobbledygook).

My impression is that there are two options. You either provide the same SSID and hope that your Tx power is superior to the target's, or you end up with two very similarly named systems and hope that the target chooses your open network as he is fed up with being unable to connect to his genuine WPA(2) system due to the ongoing deauth attack.

Once the target connects to you, PwnStar serves them a page which tells them there is a router error and asks them to input their WPA(2) PSK. This requires the user to a) manually connect to the attacker's open network; b) know their own PSK (which should be on the router, but they may not know this); c) be willing to enter it.

PwnStar then either provides internet access or does not provide internet access in which case the webpage just goes into a loop back to the phishing page every time the user requests a website.

The router phishing page is an addition to PwnStar (https://forums.kali.org/showthread.php?21114-New-WPA-Phishing-system-using-pwnstar9-0-released-for-general-use).

Any more comments or suggestions?

Edited by michael_kent123
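As an added example (my own, not code from any poster in this thread), the arithmetic behind the "government with significant GPU power" question above: the IEEE 802.11i passphrase-to-PMK mapping that any dictionary or brute-force attempt must compute once per candidate, and the candidate counts for the default-PSK styles listed in the thread (10 digits, 8 lowercase, 8 uppercase, 10 hex, and the 12 hex PlusNet example). The PMK/s rate is an assumed placeholder, not a measured figure.

```python
import hashlib
import math

# Character-set sizes for the default-PSK styles quoted in the thread.
CHARSETS = {
    "digits": 10,   # 2WIRExxx, ONOxxxx, ATTxxx, BigPondxxx (10 digits)
    "lower": 26,    # virginmedia (8 lowercase)
    "upper": 26,    # SKYxxx, UPCxxxxxxx (8 uppercase)
    "hex": 16,      # BTHomeHub(1-4)-xxxx (10 hex), PlusNet example (12 hex)
}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK passphrase -> PMK as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output.
    Every candidate an offline attack tries costs this much work, which is
    why the candidate count, not the hash, decides feasibility."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace_size(charset: str, length: int) -> int:
    """Number of candidates for a fixed-length default passphrase style."""
    return CHARSETS[charset] ** length


def exhaust_seconds(charset: str, length: int, pmk_per_second: float) -> float:
    """Worst-case time to try every candidate at a given PMK derivation rate."""
    return keyspace_size(charset, length) / pmk_per_second


def describe(charset: str, length: int, pmk_per_second: float) -> str:
    """One-line risk summary: keyspace in bits and days to exhaust it."""
    bits = math.log2(keyspace_size(charset, length))
    days = exhaust_seconds(charset, length, pmk_per_second) / 86400
    return f"{length} {charset}: 2^{bits:.1f} candidates, {days:,.1f} days at {pmk_per_second:,.0f} PMK/s"


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    assert derive_pmk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")
    RATE = 1_000_000.0  # assumed aggregate rate for illustration only
    for charset, length in [("digits", 10), ("lower", 8), ("upper", 8), ("hex", 10), ("hex", 12)]:
        print(describe(charset, length, RATE))
```

The point for a defender is the ratio, not the absolute figure: two extra hex characters (10 to 12) multiply the work by 256, and a long random passphrase of the kind newer ISP routers ship with pushes it out of reach at any rate.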

4 weeks later...

Musketteams wish to add the following expansion on WPA Phishing. We have no issue with the comments above.

The beginnings of WPA Phishing were really started by two groups: Weaknet Labs (WNL) for WPA Enterprise and Techdynamics (TD) for WPA. The WNL method required active participation; it was not fire and forget. The TD method looked good on paper BUT it had several operational problems. Musketteams worked through the TD method step by step.

1. The rogueAP had to be on a different channel than the target to avoid mdk3 g or aireplay-ng -0 0 signal interference when the target was DDOSed.

2. The second problem was how to get clients to connect to the rogueAP. Because almost all clients would have the WPA key already loaded, there could be no automatic association to a same-named Open AP. To have the client associate to a same-named rogueAP would require the removal of the WPA setting. We thought this a highly unlikely social engineering event. So we came up with a router malfunction to induce association, wherein the rogueAP is on a different channel, with almost the same MAC code, and broadcasting an open AP name that looks the same but is not. The idea is that the user, unable to associate to the targetAP, must then by default look at the wifi devices. Seeing the same-named rogueAP, they associate to it and are immediately given the cause of the problem and the solution, i.e. the router needs its WPA key refreshed.

A special-use pwnstar9.0 phishing program was written, wherein the displayed web page could be altered to match the router name as provided. We do not do videos, only text explanations.

You can download the pwmstar-mv.zip file at:

http://www.axifile.com/en/8D0DEA0B60

This zip file contains:

pwnstar9.0-mv1.2
routerwpa3 folder
a. formdata.txt
b. index.html
c. processs-form-data.php
Install instructions - pwnstar9.0mv1.2.txt


Reference Reaver,

Mteams suggest those interested should reference issues 675, 676 and 677 on the WPS Reaver site:

http://code.google.com/p/reaver-wps/issues/detail?id=675&start=500

http://code.google.com/p/reaver-wps/issues/detail?id=676&start=500

http://code.google.com/p/reaver-wps/issues/detail?id=677&start=500

There are script downloads and cracking methods available for download

MTeams.


a) While previously people went out and bought their own router which came with either absent or shitty default passwords, pretty much all modern routers include a wizard that will help the user set up their AP with a generated password sequence which is totally random and advise the user to write this down or run the wizard again if they want to change it. This makes it both sufficiently easy for the end-user to set up and sufficiently difficult for the end-user to later change it into 'mysecretpw' or whatever braindead letter combo they do manage to remember.

For the current crop of routers currently provided by ISPs that are wifi-enabled (i.e. any less than 2 years old, possibly more) the wifi passphrase will be preset to something very long and very random, and provided in or along with the documentation for the device. You might be able to change it, but it'll be tedious and made such that you have to really, REALLY want to change it before it's allowed.

Your best bet in cracking WPA2 APs is to find one that's operated by some commercial entity for the benefit of its paying customers. The passphrase here is typically something simple that includes the name of the commercial entity.

But in general, the password will be a long list of garbage which you can't work out with a wordlist (since it's not a sequence of intelligible words with some characters thrown in) and the keyspace is too large to make brute-forcing it feasible.

I've noticed companies that issue out their own Wi-Fi routers generally form the password out of two parts of information pertaining to the router. The first half is the model number of the hardware and the second half is the device identifier half of the MAC address (last half). This is information that can be easily collected over the network. I think Arris does this with their routers but don't quote me on that.


I can only speak for the two largest cable internet providers here, Ziggo and UPC, who together cover about 90% of .nl and whose routers may have their password initially generated algorithmically, but not via straightforward means such as simply copying parts of the MAC address.

1 month later...

After reading this I have to say I agree.

Reaver is all but dead, and was never quite as reliable as the WEP crack back in the day, and trying to crack a handshake is fairly unreliable lately. I do find this social engineering topic quite interesting. Spoofing a target's AP name and sending deauths does seem like a reliable way to get someone to connect to you, but after that it's very hit or miss. I can't imagine very many users typing in their own WPA password on a random popped-up page.

Is there a way to capture the WPA password a user has typed in when attempting to authenticate with our newly spoofed AP?

Are there any other methods? This IS very interesting and would love to hear more thoughts on it.


Basically, the brute force attack on WPA/WPA2-PSK uses the MIC. If the password is too large, it becomes more difficult.

But, the GTK is the same for all stations and we know the first traffic encrypted with GTK: DHCP Request.

I'm thinking of using a known-plaintext attack to discover the GTK.

My question is:

Can I capture encrypted frames of an SSID without associating with the Access Point? What software does it?

Thank you very much.
