How to Prevent Brute-Force Cracking?

[radioraiders]

What is the best way to prevent brute-force attacks on WPA/WPA2? (In home and centralized systems)

Can routers be programmed to detect multiple failed login attempts and block the user? (Say after 5 failed login attempts, the MAC address can be blocked for 1 hour?) Can an alert be sent to the owner of the Access Point or system administrator that a brute-force attack is in progress?

I suppose it would vary greatly depending on the firmware capabilities of the Access Point, and/or the system. Anyway, it's just a general question, any feedback is apreciated. Thanks..

[M1ck3y]

Brute force (in fact, it's more likely "dictionary attacks") against a WPA key is done offline. The principle is not to attempt many connexions with differents passphrases until you find the right one, but to capure a handshake and run a dictionary attack against it, locally. The handshake can be captured without sending any data in the air, just listening passively to your wifi network.

The best thing you can do to protect yourself against this kind of attack is to set up a strong passphrase, and that's all.

[Barry]

Brute force (in fact, it's more likely "dictionary attacks") against a WPA key is done offline. The principle is not to attempt many connexions with differents passphrases until you find the right one, but to capure a handshake and run a dictionary attack against it, locally. The handshake can be captured without sending any data in the air, just listening passively to your wifi network.

The best thing you can do to protect yourself against this kind of attack is to set up a strong passphrase, and that's all.

Changing it often helps a lot as well.

[Thorn]

What is the best way to prevent brute-force attacks on WPA/WPA2? (In home and centralized systems)

Use a strong passphrase. Brute force attacks on WPA/WPA2 are dictionary attacks.

Can routers be programmed to detect multiple failed login attempts and block the user? (Say after 5 failed login attempts, the MAC address can be blocked for 1 hour?) Can an alert be sent to the owner of the Access Point or system administrator that a brute-force attack is in progress?

Most SOHO routers do not have that capability. However, you can turn off any remote capability. That way an attack can't come from the Internet side.

If an attack is coming from the WLAN side, you've already had your encryption compromised, or a regular user is abusing the system and needs to be dealt with quickly.

You can set up a Snort box to look for attacks.

[streaker69]

You can set up a Snort box to look for attacks.

A properly setup Snortbox can look for attacks on both sides of the network, just to clarify, not that you didn't know that Thorn, but others might not have.

[radioraiders]

Brute force (in fact, it's more likely "dictionary attacks") against a WPA key is done offline.

Thanks for the info, I didn't realize brute-force attacks were done off-line

Use a strong passphrase. Brute force attacks on WPA/WPA2 are dictionary attacks..

Since brute-force are "dictionary" attacks, then a string of random characters would be the strongest password? (ie: f1TjH&mC9) How could someone bruteforce a password like that? I guess there are some random-character generators that can just keep trying different series of characters and hope by luck it hits something?

...and adding a VPN on top of that would make any transmissions extremely hard to crack then?

[Thorn]

Since brute-force are "dictionary" attacks, then a string of random characters would be the strongest password? (ie: f1TjH&mC9)

Yes, in essence.

Since brute-force are "dictionary" attacks, then a string of random characters would be the strongest password? (ie: f1TjH&mC9) How could someone bruteforce a password like that?

It can still be done. There are password lists that contains random characters. If you use anything below 12 characters, you're being foolish. Password lists containing from one to eight random characters are easy to find.

WPA allows for up to 63 characters.

I guess there are some random-character generators that can just keep trying different series of characters and hope by luck it hits something?

There are password generators that use random characters.

...and adding a VPN on top of that would make any transmissions extremely hard to crack then?

Yes.

[radioraiders]

Thanks for the replies Thorn!
One last question: approximately how long does a "password cracking program" take to run through say the english dictionary (using a modern computer, ie: 2Ghz CPU or similar)? ...and what is the most popular program used?

[Barry]

Thanks for the replies Thorn!
One last question: approximately how long does a "password cracking program" take to run through say the english dictionary (using a modern computer, ie: 2Ghz CPU or similar)? ...and what is the most popular program used?

Look up cowpatty, and aircrack.

[Thorn]

Thanks for the replies Thorn!
One last question: approximately how long does a "password cracking program" take to run through say the english dictionary (using a modern computer, ie: 2Ghz CPU or similar)? ...and what is the most popular program used?

That is highly dependent on the program, the password file*, the manner in which it works, the computer, and the RAM.

CoWPAtty can take several hours to run in the real-time mode. It will run on the order of 40-50 passphrases/second.

On the other hand, if you are using coWPAtty with pre-hashed WPA keys with a known SSID, it will run up to about 64,000 words per second. I've personally seen it break a WPA plain English passphrase in less than 10 seconds. That is NOT counting the time it takes you to prehash the keys and SSID.

Theprez98 ran a time trade-off test detailed in this thread, which I'd suggest reading.

In it, he ran coWPAtty in the standard mode, and it took over over and hour for a 172,000 word list.

He then pre-computed the hashes using genpmk, which took about 30 minutes, and then ran coWPAtty with the hashes. It took about 2.5 seconds to run through all 172,000 passphases.

*You seem confused about what constitutes a dictionary file, since you mention using "the english (sic) dictionary". You don't use a standard dictionary like Merriam's or Webster's. Rather in means that the words can be looked up in a dictionary; ie, the are real words, as opposed to random letters. So-called dictionary files are composed of real words, that are commonly used as passwords.