WPA Cracking: It Starts With Sniffing
There are three steps to penetrating a WPA-protected network.
- Sniffing: Intercepting packets in order to get the data necessary to perform an attack.
- Parsing: Inspect the harvested packets to see if there's a valid handshake. This is the critical step. The information you're trying to capture consumes less than 1 MB, but it's important that it includes packets that contain PTK authentication information. This means that someone needs to log on to the network while you're sniffing.
- Attacking: Employ brute-force password cracking.
The entire process of sniffing, parsing, and attacking tends to be modular, but the exact procedure is a little different, depending on the operating system. At the moment, Linux is the preferred route for many networking ninjas, but there are tools in Windows that streamline the process too.
No matter what software route you take, making this happen isn't as easy as typing in the right commands. Getting past the sniffing step is perhaps the most difficult part because it requires a particular type of wireless card. Specifically, you need one that has drivers able to provide access to low-level 802.11 protocol information. The majority of wireless cards don't cut it because they use a driver that filters the RAW 802.11 packets and hides them from the upper layers of the operating system.
But the right equipment doesn't cost an arm and a leg. Many compatible wireless cards cost less than $50. Ultimately, skill is what separates the beginners from hackers. Without giving you the blow-by-blow, these screenshots give you an idea of how easy it can get. In all, I spent about 10 minutes getting the information needed to set up the password attack, which is step three.
There is one caveat worth mentioning. Capturing the authentication information (four-way handshake) requires you to monitor for the packets transmitted when a client attempts to connect with an access point (AP). The act of connecting is what generates the packets that hackers are interested in exploiting. If there are no wireless clients connected, a hacker must wait for someone to establish a connection. Checking your morning email just got a little more real, didn't it?
If a client is already connected, it is still possible to capture the requisite information by forcing a reconnection attempt. How, you ask? By targeting a specific user and booting them off the network with one simple command-line instruction.
After we're done sniffing, we have to use a cracker to brute-force every master key against the PTK. Between Linux and Windows, there are fewer than 10 programs that actually perform the brute-force attack. The majority of them, such as Aircrack-ng and coWPAtty, rely on a dictionary attack. That means you need to provide a discrete database of words to check against. In the end, there are really only two programs that perform truly random brute-force attacks: Pyrit (combined with John the Ripper in Linux) and Elcomsoft's Wireless Security Auditor (Windows).
It should come as no surprise that coordinating an attack in Linux is more involved than Windows. Aircrack-ng is used to sniff and parse. Then you switch to Pyrit in pass-through mode via coWPAtty (PMK-PTK conversion) for the brute-force attack. In comparison, Elcomsoft offers a much more fluid experience with its Wireless Security Auditor. Admittedly, that app is so easy to use, a caveman could do it. It sniffs (provided you have an AirPcap adapter), parses, and attacks a WPA-protected network in no more than 10 mouse clicks.
Although cracking is slightly more complicated to pull off in Linux, it's also less expensive. The fully-automated version of WSA runs $1199, but it lets you use up to 32 CPU cores and eight GPUs, it adds sniffer support, and it features support for dedicated cracking hardware like Tableau's TACC1441 (the serious FPGA-based stuff). The standard version is more limited. It's restricted to two CPU cores and one GPU and only costs $399. You do need a third-party app for the sniffing step, though.
| OS | Linux | Windows | Windows (fully automated) |
|---|---|---|---|
| Sniffing | Aircrack-ng | Aircrack-ng | Wireless Security Auditor Pro Edition |
| Parsing | Aircrack-ng | Wireless Security Auditor Std. Edition | Wireless Security Auditor Pro Edition |
| Cracking | Pyrit via CoWAPtty | Wireless Security Auditor Std. Edition | Wireless Security Auditor Pro Edition |
| Software Cost | Free | $399 | $1199 |
Brute-Force Cracking
If you want more information on how brute-force attacks work, we suggest that you read page four of Harden Up: Can We Break Your Password With Our GPUs?. In a nutshell, brute-force attacks involve "guessing and checking" on a much larger and faster scale in an attempt to defeat passwords.
Unlike online banking passwords, WPA doesn't have any authentication restriction. If you're persistent enough, you can keep guessing passwords until hell freezes over.
| Available Characters Using The English Language | Possible Passwords, Two Characters | Possible Passwords, Four Characters | Possible Passwords, Six Characters |
|---|---|---|---|
| Lower-case | 676 | 456 976 | 308 915 776 |
| Lower- and Upper-case | 2704 | 7 311 616 | 19 770 609 664 |
| Lower-case, Upper-case, and Numbers | 3844 | 14 776 336 | 56 800 235 584 |
| All (Printable) ASCII Characters | 8836 | 78 074 896 | 689 869 781 056 |
Brute-force attacks are only effective when they can check passwords at a high speed, as the number of potential passwords grows exponentially with a larger character set and longer password length (possible passwords =n[password length] , where n is the number of possible characters).
Most of the time, hackers don't know the length of your password, though. That's why they have to perform an exhaustive search of all possible combinations, starting from a list of single-character options.
