WPA Cracking in the Cloud

It's a service:

The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more “premium” price of $35, you can get the job done in about half the time. Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.

[...]

It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.

FAQ here.

In related news, there might be a man-in-the-middle attack possible against the WPA2 protocol. Man-in-the-middle attacks are potentially serious, but it depends on the details -- and they're not available yet.

EDITED TO ADD (8/8): Details about the MITM attack.

Posted on July 27, 2010 at 6:43 AM • 22 Comments

Comments

RodrigoJuly 27, 2010 7:04 AM

Well, but if you don't use a password that is in a dictionary you'll be ok... I mean, it's not full brute force, it's a dictionary attack, right?

Bye!

Clive RobinsonJuly 27, 2010 7:19 AM

It raises the obvious question,

If "civi-street" services can do this at this cost, what can the NSA or other government agency do in the same length of time?"

Or how about Google, they are finding all the wireless access points they can as part of their "st mapping-recording" efforts, how much more would it cost them to crack them as they went?

As we know for many people just knowing one of their passwords is sufficient short cut to any others.

It raises the interesting prospect of using the passwords like an ID database. That is you might use many different User ID's but just how many different passwords do you use with them. If I know both the User ID and Password, can cross correlate to see if there are any other possible Usernames you might be using more covertly...

Jim LJuly 27, 2010 7:28 AM

I just got an email from Verizon on Friday saying the too many users are still using the default password on their routers.

At the time I questioned if they were really about good security or just losing bandwidth.

It came out of the blue, but this might explain it.

jkJuly 27, 2010 8:26 AM

So...

http://www.oxforddictionaries.com/page/... says there are about 250,000 words including obsolete words. How many of those are less then 8 characters? How many are less than 8 characters but are worth padding? The WPA cracking website does not indicate what max number of characters are used. One could only assume it goes from 8 characters to at least 20 since 20 is kind of the suggested lower bound to keep just this kind of thing from happening.

So 250,000 words compared to 135,000,000 in the word list... leads to over 500 iterations for each word, over 1600 iterations if you add the additional 284,000,000 word list. So, this is a nice big dictionary. What about phrases. I wonder how it does on phrases....

Hmmmmm

GweihirJuly 27, 2010 8:40 AM

The GRC thing seems to be a waste of money. I just use a variant of

cat /dev/urandom | base64 | head -c 12; echo

and convert to all lower-case for easier remembering. Use /dev/random if paranoid and some waiting time is ok.

Peter MaxwellJuly 27, 2010 8:48 AM

In light of this type of service...

Most modern home routers have the default password/keys set as a random string/pseudo random derived string; assuming that the method for deriving this string is secure then having the user pick their own passwords looks like a lowering of the security threshold.

Go figure.

vedaalJuly 27, 2010 8:51 AM

The issue is one of having a password that is resistant to cloud attack.

There is a simple (but slightly tedious) solution:

[1] Encrypt any file with Gnupg, using either AES 256 or Twofish

[2] Decrypt the file, using the option of
--show-session-key

[3] Copy the 64 character session key and save it in a safe backup, and also on a usb

[4] Use this 64 character string as your password.

[5] This can only be broken if 256 bit symmetrical ciphers can be brute forced
(nowhere near current or forseeable cloud capabilities, although they might be 'tempted' into a colossal waste of time trying ;- )) )

dune73July 27, 2010 9:17 AM

The FAQ lists Moxie Marlinspike as contact. That's the guy behind the https implementation weaknesses reported at DefCon2009. He used an online service to gather real world usage data to demonstrate his https weaknesses in the wild. I'm inclined to believe there is a hidden agenda with this service offering.

Martin EianJuly 27, 2010 9:23 AM

"In related news, there might be a man-in-the-middle attack possible against the WPA2 protocol. Man-in-the-middle attacks are potentially serious, but it depends on the details -- and they're not available yet."

I think I've figured out how to do it. Due to the fact that the GTK is shared, any authenticated wireless station can send a valid broadcast frame (the press release says that the attacker has to be an insider, in other words that he can successfully complete 802.1X authentication). This makes it possible to perform an ARP poisoning attack. The attacker sends a gratuitous ARP request (broadcast) associating his own MAC address with the default gateway's IP address. All traffic from other wireless clients to the default gateway will then be forwarded to the attacker. The AP will decrypt the traffic, and then re-encrypt it using the attacker's PTK. The attacker can then forward the traffic to the default gw, acting as a man-in-the-middle. All the traffic will be visible as plaintext to the attacker, since the AP handles the decryption (with the victim's PTK) and re-encryption (with the attacker's PTK).

This attack will also work against other clients on the same subnet, by using ARP poisoning to associate the attacker's MAC address with the client's IP address.

I'm not sure why the experts commenting the press release haven't mentioned this possibility.

Harvey MacDonaldJuly 27, 2010 10:06 AM

A dictionary attack doesn't mean dictionary words.

For example, a *good* dictionary might contain keyboard layout pattern entries like:
1234qwer
1qazXSW@
0o9i8u7y6t5r4e3w2q1
1q2w3e4r5t6y7u8i9o0p

And so on...

Glenn FleishmanJuly 27, 2010 11:44 AM

Bruce, most of the "Hole196" exploit details are now available, and I'll have a full write-up based on interviews at Ars Technica on Saturday when the embargo is lifted and the researcher presents his demo at Defcon.

In short, the group keys in WPA/WPA2 lack any authentication or integrity checking. A malicious station can use broadcast messages with the group key that the AP ignores, and which to other stations appear to come from the AP. No key breaking is required. An authenticated user is required, which means an 802.1X-authenticated login, typically.

On one hand, it's no worse than any of the network-based attacks that an insider could carry out. What makes it bad, is that it's untraceable to some extent (proximity is required), and none of the intrusion systems in use now would likely notice attacks made in this manner.

Mike HamburgJuly 27, 2010 1:15 PM

I usually use Diceware for that reason (eg, http://diceware.shiftleft.org , but generate your own instead). A 5-word password like "ned cute beep gogo hague" has about 64 bits of entropy, easily enough to thwart this sort of attack. If you're worried about governments getting involved, just use 10 words instead to match 128-bit AES.

Don_CJuly 27, 2010 10:10 PM

Given the wap/wap2 potential attack problems, how safe is wep, if you are forced into using it, for old devices such as Roku boxes and other WiFi devices that require wep only, in a typical home WiFi system?

Is wep that much worse, provided you use safe passwords?

How do you get decent security from nasty neighbors if you need to use wep ?

Don_CJuly 27, 2010 10:18 PM

Given the wpa/wpa2 potential attack problems, how safe is wep, if you are forced into using it, for old devices such as Roku boxes and other WiFi devices that require wep only, in a typical home WiFi system?

Is wep that much worse, provided you use safe passwords?

How do you get decent security from nasty neighbors if you need to use wep?

I misspelled wpa in previous post.

Martin EianJuly 28, 2010 3:49 AM

@Don_C

Short version:

Do not use WEP if WPA/WPA2 is available.

Longer version:

WEP acts as a "Do not enter" sign, but not much more. An attacker can recover the whole WEP key and gain full access to the network in approximately 1 minute (using statistical attacks [1], not dictionary attacks that depend on a guessable passphrase). The attacks against WPA/WPA2 are a lot less serious than those against WEP, so use WPA/WPA2 whenever possible. With WEP, the strength of the password doesn't really matter, since the most efficient attack exploits weaknesses in the cryptographic algorithm implementation. With WPA/WPA2 PSK, the password is very important, since the most efficient attack is a dictionary attack.

[1] http://www.aircrack-ng.org/doku.php?...

Clive RobinsonJuly 28, 2010 4:52 AM

@ Harvey MacDonald,

"A dictionary attack doesn't mean dictionary words"

Or which dictionary ;) At one time it was called a "catalog search" which is still mor appropriate . With what we now call a "brut force search" being called a "British Museum Attack"

As you say,

"For example, a *good* dictionary might contain keyboard layout pattern"

Or any other "ordered collection" of data.

Which raises an interesting (philosophical if you will) question about our method of deciding what entropy is in any practical sense.

After all at one point in time computers where used to produce "random" but "pronouncable" words for passwords using simplistic rules such as 'CVCVC' and in some cases putting them through secondary filters to check they where actually not in a "known" dictionary and where still pronouncable.

Thus "one mans good entropy is another mans bad entropy" simply because they play by different rules of judgment.

For instance the keyboard "WERTY" is also a "CVCCV" acceptable word...

Thus it can be argued that the strength of your password should be based on knowledge of what an attacker would put in their "attack dictionary"... Which in turn means that an attacker should not have likley words in their "attack dictionary" as they would not be used and are thus a waste of CPU cycles...

Which is a nice start to a downward spiral of second guessing by both parties.

Luckily for most attackers in the general case they don't care because they are not looking for a plaintext match to a single encrypted password but just any match to many many ciphertext passwords (the old "steal the password file" attack).

And that is the advantage this "Cloud" system has, afterall if you are paying hard cash you are likley to be using a real password.

So the cloud owners have a high probability of having a real password "with real value" that they have other info about (the enquirers IP address Credit Card info etc) that enables them to "localize" where the password is for geographicaly so can search another DB (such as googles private Wirless network list)...

JardaAugust 2, 2010 12:31 AM

>"but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes."

That's why you are supposed to have a non dictionary key, like mine, which is a string of random garbage, as long as it was willing to take.

And the details about the man in the man in the middle attack are here: Man in the middle howto:
http://webcache.googleusercontent.com/search?...

BobJanuary 22, 2011 7:39 AM

Using cloud computing this is possible:

"I'll demonstrate how to break a WPA-PSK handshake at a speed of ~400.000 PMKs/s, maybe (if I get it finished till then) also at a speed of over 1.000.000 PMKs/s per second."
http://stacksmashing.net/

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..