Faster WPA hash cracking

Well, I'm not that expert, but I think here is the best place where I can discuss about this.

So, basically to crack a WPA network, you capture the handshake packets in order to obtain the key hash right? After that the only way to retrieve the plain text key is to perform a brute force attack on this hash, wait and pray.

The brute force attack provided by the aircrack suite usually tests 400 - 600 keys per second.

Recently I was looking for hash cracking when I found a technique called Time-Memory Tradeoff. They say its cappable of testing up to 100.000 keys per second (WTF?).

A benchmark is shown in the picture bellow:

http://project-rainbowcrack.com/fig_performance.png

This is from the Raibow Crack project, really worth take a look at it... Rainbow Project.

I was wondering if that wouldn't be usefull for also cracking WPA hash.

If I said anything stupid please let me know, I'm just trying to help anyway.

wpa and wpa2 are basically the same thing.
WPA vs WPA2 (802.11i): How your Choice Affects your Wireless Network Security | Openxtra

Keep reading and learning though you are trying and that's a good thing.

I think what windhawk is missing is that those graphs and charts do not take into account the time it takes to actually make the "rainbow" table. I may be able to crack at 100,000 keys per second but if it took me a few days to make the table, thats not very accurate.

The other major difference is that once a ntlm hash table is created it will work with any hash, this is not the case with wpa because the essid is salted into the hash. This means that every time you have a different essid you would have to create a new hash table which is once again , time consuming.

Quote:

---

Originally Posted by purehate

I think what windhawk is missing is that those graphs and charts do not take into account the time it takes to actually make the "rainbow" table. I may be able to crack at 100,000 keys per second but if it took me a few days to make the table, thats not very accurate.

The other major difference is that once a ntlm hash table is created it will work with any hash, this is not the case with wpa because the essid is salted into the hash. This means that every time you have a different essid you would have to create a new hash table which is once again , time consuming.

---

I see your point. I hadn't realized that WPA used salted hashes, this makes the method mentioned above useless.

Well, one more question before this topic dies. I don't see many people talking about aircrack-ng + CUDA yet.

Is there any obvious reason that I'm missing?

im not an expert either but , im working in a project ,im trying to set up my ps3 to crack hash file password because i heard from some source that the power of the ps3 processor is awesome , have you ever heard about it ?

Quote:

---

Originally Posted by TheDarkTangent

im not an expert either but , im working in a project ,im trying to set up my ps3 to crack hash file password because i heard from some source that the power of the ps3 processor is awesome , have you ever heard about it ?

---

Sounds really good. How far have you gone?

Actually WPA and no AES variants of WPA2 are vulnerable to differential cryptanalysis methods as well. If you knew enough plain text you could derive the key just by looking at the traffic.

Quote:

---

Originally Posted by windhawk

I see your point. I hadn't realized that WPA used salted hashes, this makes the method mentioned above useless.

Well, one more question before this topic dies. I don't see many people talking about aircrack-ng + CUDA yet.

Is there any obvious reason that I'm missing?

---

look into pyrit

Quote:

---

Originally Posted by CKing

look into pyrit

---

Yeah, there is an obvious reason.

Talking about that and the previous message.... I saw this guy running pyrit in a PS3.

He was doing some tweaking but as far as I saw, it was around 30.000 PMK/s.

Pretty interesting huh?

pyrit with its cal based core is even more interesting. dealing with ati drivers is a nightmare though.