Advanced WPA(2) attack methods?
I'm somewhat obsessively auditing all the Wi-Fi networks I administer (around 5), trying to crack into them with the methods available. They all run WPA2/CCMP.
I've run all the handshakes through the usual wordlists successfully (darkc0de, Church of Wifi, numeric, etc.)
WPS is disabled, but the passphrases certainly aren't as complex as they could be. They're not dictionary words or common variations of them, but they're not random symbols 20 characters long either.
How would you continue the attack when the easy methods have failed? Does WPA cracking really just boil down to the quality of the wordlist?
Re: Advanced WPA(2) attack methods?
There is a new method on how to crack WPA/WPA2, and that's WPS cracking :D
Backtrack5 R2 already has the required tools installed; their names are "wash" and "reaver".
With the wash tool you scan for all the routers that have WPS enabled,
and with the reaver tool you crack the PIN of the WPS-enabled router.
It's about brute forcing the router's PIN and takes about 10 hours to complete :D
Re: Advanced WPA(2) attack methods?
It's nice to hear that, but it's better if you can provide us tutorials too. :D
Re: Advanced WPA(2) attack methods?
@ternarybit,
WPA/WPA2 can be brute forced using suitable hardware and software. The limitation is time only.
Samiux
Re: Advanced WPA(2) attack methods?
Quote: Originally Posted by codekiddy
There is a new method on how to crack WPA/WPA2, and that's WPS cracking :D
Backtrack5 R2 already has the required tools installed; their names are "wash" and "reaver".
With the wash tool you scan for all the routers that have WPS enabled,
and with the reaver tool you crack the PIN of the WPS-enabled router.
It's about brute forcing the router's PIN and takes about 10 hours to complete :D
+1 for this...
Re: Advanced WPA(2) attack methods?
Quote: Originally Posted by codekiddy
There is a new method on how to crack WPA/WPA2, and that's WPS cracking :D
:D
All nice but ternarybit mentioned that he got WPS disabled.
As samiux mentioned, to crack WPA/WPA2 the limitation is time only. However, if the passphrase is a good one you are in pretty good shape.
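To put numbers on "the limitation is time only", here is an added example (not from any poster in this thread) showing how WPA/WPA2-Personal turns a passphrase into the PMK and how the passphrase policy, not the wordlist, bounds the work an attacker must do. The guess rate passed to the table is an assumed, illustrative figure; the PMK test vector is the one published in IEEE 802.11i Annex H.4.

```python
import hashlib
import math

# WPA/WPA2-Personal derives the 256-bit PMK from the passphrase with
# PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID (IEEE 802.11i).
# Every candidate checked against a captured handshake pays this cost,
# so the attack is bounded by guess rate and by passphrase keyspace.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for an ASCII passphrase (8-63 chars) and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates for a passphrase chosen uniformly at random."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a random passphrase under the given policy, in bits."""
    return length * math.log2(charset_size)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit a random passphrase: half the keyspace on average."""
    return space / 2 / guesses_per_second


def crack_time_table(guesses_per_second: float) -> dict:
    """Expected seconds per policy at the given (assumed) PMK guess rate."""
    policies = {
        "8 lowercase letters": (8, 26),
        "10 mixed-case alphanumerics": (10, 62),
        "20 random printable ASCII": (20, 95),
    }
    return {name: expected_crack_seconds(keyspace(n, c), guesses_per_second)
            for name, (n, c) in policies.items()}


if __name__ == "__main__":
    # IEEE 802.11i Annex H.4 test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # 100,000 PMK/s is an assumed figure; measure it on your own hardware.
    for name, secs in crack_time_table(100_000).items():
        print(f"{name}: {secs / 86400 / 365:.1e} years")
```

Because the SSID is the salt, a common SSID lets precomputed tables be reused across networks, which is one more reason to pick a distinctive SSID alongside a long random passphrase.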
Re: Advanced WPA(2) attack methods?
I have some wordlist hosted on ThePirateBay :-)
http://thepiratebay.se/user/stepking2
Re: Advanced WPA(2) attack methods?
Quote: Originally Posted by codekiddy
There is a new method on how to crack WPA/WPA2, and that's WPS cracking :D
It's right, WPS is now the only way for a strong WPA.
Re: Advanced WPA(2) attack methods?
@everyone Thanks for the info. Keep WPS disabled and use strong PSKs == mostly secure, at least from a purely cryptographic standpoint.
Does anyone have information about some techniques that exploit the human element? Is there a way, perhaps, to set up a rogue AP with identical settings as the target AP, except that whatever PSK a client enters it accepts and logs?
Re: Advanced WPA(2) attack methods?
You can create a rogue AP with the same SSID (and MAC) as the target AP and capture the handshake for WPA or the data for WEP (Caffe-Latte attack). You can simulate the AP and share your internet connection. You can simulate the AP and exploit the victim to find the password or configuration. But you can't simply log the password: that is the 4-way handshake's security.