9

Maybe a duplicate: Bruteforce on 10 characters length WPA2 password

So I am trying to get into home network security for the fun of it. More concretely, I am trying to reproduce the scenario of cracking my home router's WPA2 pass-phrase.

It was trivial to record a handshake with my AP. Now, to cracking the (already known by me) password. The password consists of two long words in Bulgarian (but spelled in Latin), with capitalized first letters, no spaces, special characters or numbers.

  • I found two dictionaries for such passwords in Bulgarian: one, two. Neither of the two words is in any of the dictionaries.

  • The password is 18 characters long. While choosing it might have been a fortunate example of "correcthorsestaple", even a 10-character password in infeasible for brute-force, according to my calculations. Note that Wikipedia seems to state otherwise.

To protect against a brute force attack, a truly random passphrase of 13 characters (selected from the set of 95 permitted characters) is probably sufficient. Wikipedia

aircrack-ng: 1500 keys/second
worst_case_attempts = (lowercase(26) + uppercase(26) + numbers(10) + common_symbols(15)) ^ pass_len(10)
The result is about 80 million years.

So where do I go from here? Do I learn how to generate dictionaries according to probability distributions of user input e.g. capital letters are often the first letters? Do I learn more about the details of the protocol? Do I search for other attack types e.g. somehow attack the open ports of the AP?

Vorac
  • 1,907
  • 3
  • 20
  • 29
  • I wonder if this will get closed as blackhat. Any tips on how to improve the question are welcome! – Vorac Sep 04 '13 at 10:25
  • WPA2 is generally considered to be secure as long as dictionary attacks don't get you in. – Polynomial Sep 04 '13 at 10:26
  • @Polynomial, remember [this question](http://security.stackexchange.com/questions/33960/is-there-additional-security-value-in-using-passwords-with-words-or-phrases-in-n)? – Vorac Sep 04 '13 at 10:28
  • As long as you use as strong password and do not use any of the common/default SSIDs you should be fine – Lucas Kauffman Sep 04 '13 at 11:12
  • @Lucas Kauffman, so I should look into other attack. The firmware has not been updated for a couple of years. This should provide entry easy enough? – Vorac Sep 04 '13 at 11:15
  • It won't get closed as blackhat, but the question basically boils down to "assuming a strong password, are there any known attacks against WPA2" which will either get an answer straight away or be a no (until there is one) – Rory Alsop Sep 04 '13 at 11:23
  • @Rory Alsop, exactly what I am expecting! Though - 2 dictionary words are a strong password? – Vorac Sep 04 '13 at 11:30
  • Dictionary words together can be very strong: http://security.stackexchange.com/q/6095/485 – Rory Alsop Sep 04 '13 at 12:27

1 Answers1

9

WPA2 uses PBKDF2 for password hashing; it is configured with HMAC/SHA-1 and 4096 iterations. The result is a 256-bit string. Since SHA-1 offers only a 160-bit output, PBKDF2 needs to apply the iterated HMAC/SHA-1 twice, to get all 256 bits of output, so this means 8192 invocations of HMAC/SHA-1. Each invocation implies two elementary calls to SHA-1 ("elementary call" means "processing of one 512-bit block with the SHA-1 compression function"), so that's 16384 hash function invocations. Once the 256-bit password-dependent key is obtained, a few extra computations are still needed to check that key against what was observed, but that's lightweight so we ignore that cost here (that's about as expensive as a couple more SHA-1 invocations). The whole 256-bit key must be available for that check, so no shortcut here: an attacker running a dictionary attack must pay the cost of computing 16384 SHA-1 instances (plus a few extra code) per password.

An attacker with a good GPU may hope for a billion SHA-1 instances per seconds, so he might "try" 60 thousands of passwords per second -- but that's assuming that he has a good, programmable GPU, and that the software he uses is up to it. Common cracking software like Aircrack-ng will usually be CPU-only, yielding the kind of performance that you observe (1500 passwords per second). Assuming that you can find an appropriate dictionary (which may be difficult, as you notice, when the target uses Bulgarian words), and know the construction method (as you explain: two words, with capitalization), then you can compute the number of possible passwords (with a dictionary of N words, that's N2 possible passwords) and a simple division will give you the time needed to "try them all".

Without any further information on probability distributions of password components, there is little more that you can do. This also shows that the 4096 iterations of PBKDF2 are effective at making life hard for attackers.


Now, are there any possible shortcuts ? There is a potential shortcut, which is that PBKDF2 uses a salt; it is as if there was not one PBKDF2 function, but billions of billions of distinct functions, one per salt value. IF several access points use the same salt, then attackers who try to break any of these access points may collude and share the effort, because "tried passwords" for one access point will also (somehow) apply to other access points. In WPA2, the salt for PBKDF2 is the network SSID. Thus, if several access points use the same SSID, then they transform the same password into the same key.

However, the actual messages and actual encryption key will be derived not only from the hashed password, but also nonce values which the access points and the connecting client send as part of the initial steps of the handshake (see this answer for pointers). This actually prevents precomputations from being effective. There is a generic advice about not using a "common SSID" but, in the case of WPA2, using the same SSID as many other access points does not seem to induce any extra weakness.


All of the above is about trying to find the access point password, in order to either decrypt traffic, or connect to the access point and benefit from its services (namely, "free" Internet access). No weakness in WPA2 is currently known, making password guessing the only practical break-in path.

However, if the true target is not the access point but another machine which connects to that access point, then other methods may be applicable. For instance, the attacker may setup a fake access point, advertising the same SSID, but requiring no authentication at all; it is possible (depending on the victim's operating system and configuration, and the human user's ability to "click through" warning popups) that the target machine will connect to the fake access point. At that point, the attacker must provide the "Internet access" service, but he also has a direct access to the victim's machine, allowing him to try out any remote exploit relevant to that machine. Also, this puts the attacker in ideal place to try Man-in-the-Middle attacks.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • A couple more questions. [reaver-wps](http://code.google.com/p/reaver-wps/) claims to brute-force WPA2 in under 10 hours. But they rely on using a PIN, while I just entered a passphare. This is not applicable to me, right? And second, can I still target the AP's firmware with my wireless card or through the public ip in internet? What topics should I study in that direction? – Vorac Sep 04 '13 at 12:23
  • 2
    reaver-wps is about WPS, which is an additional system which may or may not be enabled on a particular access point. WPS is a PIN-protected system which allows for _recovering_ the WPA2 password for the access point; if you know the PIN you can talk to the access point to have it send back the password itself... and, unfortunately, WPS was poorly designed, so the 8-digit PIN can be brute-forced efficiently (in particular, both PIN halves can be guessed independently of each other, and one digit is a "checksum", so the attack effort is at most 11000 tries). – Thomas Pornin Sep 04 '13 at 12:29
  • 3
    Attacks against WPS _are_ very effective, but they are _online_ (attacker must talk to the access point repeatedly) and they are not, per se, attacks against WPA2. Entropy of the WPA2 password has no relevance to the resistance against brute-forceing WPS. – Thomas Pornin Sep 04 '13 at 12:31