Thread: Is WPA2 broken?

  1. #1
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    11

    Is WPA2 broken?

    Hello all,
    My friend recently asked me to check out her network due to suspicions of other people stealing their bandwidth. Lo and behold, with a WPA password of "letmeinnow", the neighbors were indeed showing up in the router clients list. From a hard line, I upgraded her to WPA2 with AES, and her password is now 16 seemingly random (non-dictionary, at least) upper and lowercase letters with digits interspersed. I figured this would be enough, but a few days later the same computers came up on the clients list, and the bandwidth is once again drained.

    Unfortunately, this is where my knowledge runs out. My largest wordlist (purehate's 3 GB list) contains nothing like their password, and using a generator starting at 8 characters and working up to 16 would take years even on a decent computer running pyrit.

    My question to you is this: Did someone finally break WPA2 and AES and I just missed it? Is there some possible exploit that I've not come across for this? I've heard of spoofing the AP to get a client to send you the authentication key but I've never run across an implementation of it.

    Thanks

  2. #2
    Senior Member MikeCa
    Join Date
    Jan 2010
    Location
    DC
    Posts
    129

    You are right in your instinct that the password should be secure enough; I highly doubt someone brute forced that. It is possible that they set up an "evil twin" (google it): scan the area for multiple APs on your friend's SSID.
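    Added example, not from this thread: a small Python script that does the check MikeCa describes from the defender's side. It parses scan output in the layout printed by `iw dev <iface> scan` (the text below is a constructed sample, not a real capture), groups BSSIDs by SSID, and flags any access point advertising the home SSID whose BSSID is not the router's own. The SSID "HomeNet" and all MAC addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `iw dev <iface> scan`
# (a "BSS <mac>" line followed by indented attribute lines). Not real data.
SCAN_OUTPUT = """\
BSS 00:11:22:33:44:55(on wlan0) -- associated
\tfreq: 2437
\tsignal: -48.00 dBm
\tSSID: HomeNet
BSS 66:77:88:99:aa:bb(on wlan0)
\tfreq: 2412
\tsignal: -39.00 dBm
\tSSID: HomeNet
BSS cc:dd:ee:ff:00:11(on wlan0)
\tfreq: 2462
\tsignal: -70.00 dBm
\tSSID: Neighbour
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)


def parse_iw_scan(text):
    """Return a list of {bssid, ssid, freq, signal} dicts from iw-style scan output."""
    records, current = [], None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": None, "freq": None, "signal": None}
            records.append(current)
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("SSID: "):
            current["ssid"] = stripped[len("SSID: "):]
        elif stripped.startswith("freq: "):
            current["freq"] = int(stripped.split()[1])
        elif stripped.startswith("signal: "):
            current["signal"] = float(stripped.split()[1])
    return records


def ssid_bssid_map(records):
    """SSID -> list of BSSIDs seen advertising it (more than one is worth a look)."""
    groups = defaultdict(list)
    for r in records:
        if r["ssid"]:
            groups[r["ssid"]].append(r["bssid"])
    return dict(groups)


def find_evil_twins(records, ssid, known_bssids):
    """Records advertising `ssid` whose BSSID is not one of the owner's own radios."""
    known = {b.lower() for b in known_bssids}
    return [r for r in records if r["ssid"] == ssid and r["bssid"] not in known]


if __name__ == "__main__":
    recs = parse_iw_scan(SCAN_OUTPUT)
    # The router's real BSSID would normally be read off its admin page or label.
    for r in find_evil_twins(recs, "HomeNet", ["00:11:22:33:44:55"]):
        print(f"unexpected AP for HomeNet: {r['bssid']} freq={r['freq']} MHz "
              f"signal={r['signal']} dBm")
```

    A stronger signal than the real router on a different channel, as in the sample, is the typical tell; repeat the scan from a couple of spots in the house, since a rogue AP that only appears near one wall is usually a neighbour's box rather than a clone.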

  3. #3
    Senior Member Thorn
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    See if they are actually on the network by monitoring some traffic. They may be showing up on the client list if they've tried to connect using the SSID, but were still locked out at the association phase.
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #4
    scottsee
    Guest

    Sounds like she may have a reasonably informed person on her hands.

    I would personally send them a "net send" message to the device telling them if they don't stop trying to authenticate to her AP you'll take your own actions to make it stop (legally)

    First step is enabling MAC filtering on your girl's AP. Fire up Wireshark, create a deauthenticate packet filter and see if they try grabbing a handshake from her connected clients.
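    Added example, not from this thread: a Python triage script that covers both Thorn's suggestion (see whether a MAC in the client list actually passed data or only got as far as authentication/association) and scottsee's (watch for deauthentication frames, which in Wireshark is the display filter `wlan.fc.type_subtype == 0x0c`). It decodes the 802.11 MAC header (Frame Control, the three addresses, and the reason code of deauth/disassoc frames) from raw frames with the radiotap header and FCS already stripped. The frames below are constructed with the helper `build_frame`, and every MAC address is made up; on a real capture you would feed it the frames from a monitor-mode pcap instead.

```python
import struct
from collections import defaultdict

FRAME_TYPE = {0: "mgmt", 1: "ctrl", 2: "data"}
MGMT_SUBTYPE = {0x0: "assoc-req", 0x1: "assoc-resp", 0xA: "disassoc",
                0xB: "auth", 0xC: "deauth"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"", to_ds=False):
    """Constructed 802.11 MAC header (no radiotap, no FCS), used only to build the
    sample capture below. Frame Control byte 0 = version(2) | type(2) | subtype(4)."""
    fc0 = (ftype << 2) | (subtype << 4)
    fc1 = 0x01 if to_ds else 0x00               # bit 0 of FC byte 1 = To DS
    return (bytes([fc0, fc1]) + b"\x00\x00"      # duration/ID
            + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
            + b"\x00\x00" + body)                 # sequence control, then frame body


def parse_frame(raw):
    """Decode type/subtype, the three addresses and (deauth/disassoc) the reason code."""
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    f = {"type": FRAME_TYPE.get(ftype, "reserved"), "subtype": subtype,
         "addr1": mac_str(raw[4:10]), "addr2": mac_str(raw[10:16]),
         "addr3": mac_str(raw[16:22]),
         "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02)}
    f["kind"] = MGMT_SUBTYPE.get(subtype, f"mgmt-{subtype:#x}") if ftype == 0 else f["type"]
    if f["kind"] in ("deauth", "disassoc") and len(raw) >= 26:
        f["reason"] = struct.unpack_from("<H", raw, 24)[0]   # little-endian reason code
    return f


def frame_bssid(f):
    """Which address carries the BSSID depends on the To DS / From DS bits."""
    if f["type"] == "data":
        return f["addr1"] if f["to_ds"] else (f["addr2"] if f["from_ds"] else f["addr3"])
    return f["addr3"]


def station_of(f, bssid):
    """The non-AP side of the exchange."""
    if f["type"] == "data":
        return f["addr2"] if f["to_ds"] else f["addr1"]
    return f["addr2"] if f["addr2"] != bssid else f["addr1"]


def triage(frames, bssid):
    """Per station MAC, count join attempts (auth/assoc) versus real data frames and
    say whether it only knocked on the door or actually passed traffic."""
    stats = defaultdict(lambda: {"auth_assoc": 0, "data": 0})
    for raw in frames:
        f = parse_frame(raw)
        if frame_bssid(f) != bssid or f["kind"] in ("deauth", "disassoc"):
            continue                                  # other networks; deauths handled below
        s = stats[station_of(f, bssid)]
        if f["kind"] in ("auth", "assoc-req", "assoc-resp"):
            s["auth_assoc"] += 1
        elif f["kind"] == "data":
            s["data"] += 1
    verdict = {mac: ("on network (data seen)" if s["data"] else "attempted join only")
               for mac, s in stats.items()}
    return dict(stats), verdict


def deauth_sources(frames, threshold):
    """Source addresses that sent at least `threshold` deauth frames. A burst that
    appears to come from the AP itself, often to broadcast, is the thing to look for."""
    counts = defaultdict(int)
    for raw in frames:
        f = parse_frame(raw)
        if f["kind"] == "deauth":
            counts[f["addr2"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample capture; all MAC addresses are made up.
AP, LAPTOP, NEIGHBOUR = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = (
    [build_frame(0, 0xB, AP, NEIGHBOUR, AP)] * 2                              # two auth attempts
    + [build_frame(0, 0x0, AP, NEIGHBOUR, AP)]                                # one assoc request
    + [build_frame(2, 0x0, AP, LAPTOP, BCAST, b"\xaa\xaa", to_ds=True)] * 3   # laptop data to AP
    + [build_frame(0, 0xC, BCAST, AP, AP, struct.pack("<H", 7))] * 5          # deauths "from" AP
)

if __name__ == "__main__":
    stats, verdict = triage(SAMPLE_FRAMES, AP)
    for mac in verdict:
        print(mac, stats[mac], "->", verdict[mac])
    print("deauth bursts:", deauth_sources(SAMPLE_FRAMES, 3))
```

    The neighbour's MAC ends up as "attempted join only" because it never gets past authentication, which is exactly the case Thorn describes where a router still lists the device as a client. The deauth count is keyed on the source address, so a forged burst looks like the access point deauthing its own clients; a real AP does this rarely, not dozens of times a minute.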

  5. #5
    Member
    Join Date
    May 2009
    Posts
    102

    Quote Originally Posted by vityav
    Hello all,
    My friend recently asked me to check out her network due to suspicions of other people stealing their bandwidth. Lo and behold, with a WPA password of "letmeinnow", the neighbors were indeed showing up in the router clients list. From a hard line, I upgraded her to WPA2 with AES, and her password is now 16 seemingly random (non-dictionary, at least) upper and lowercase letters with digits interspersed. I figured this would be enough, but a few days later the same computers came up on the clients list, and the bandwidth is once again drained.

    Unfortunately, this is where my knowledge runs out. My largest wordlist (purehate's 3 GB list) contains nothing like their password, and using a generator starting at 8 characters and working up to 16 would take years even on a decent computer running pyrit.

    My question to you is this: Did someone finally break WPA2 and AES and I just missed it? Is there some possible exploit that I've not come across for this? I've heard of spoofing the AP to get a client to send you the authentication key but I've never run across an implementation of it.

    Thanks
    Once AES gets broken, you won't miss it. There would be chaos everywhere. But who knows? Perhaps somebody has already been using the SSL stripping attack long before SSLstrip came out.

    Other than that, WPA-PSK cracking is just like the traditional password cracking. The bad news is, the minimum usable length is quite long enough to make full brute force infeasible. What's worse, there is no limit to which character sets will be used. Unlike an Italian auction website, a random wifi cracker also won't have an idea of what native language his target is using, making letter frequency analysis and Markov chains ineffective other than knowing that the SSID sounds like a Spanish word.

    Although most likely they would, users are not even required to create memorable WPA PSKs since they only have to enter it once in their laptop and Windows will memorize it for them.
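    Added example, not from this thread: the arithmetic behind the last two posts, worked in Python. WPA/WPA2-Personal derives the 256-bit PMK from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID and run for 4096 rounds, which is what makes each guess expensive and why pyrit's precomputed tables are built per ESSID. The script derives a PMK (checked against the published test vector for passphrase "password" and SSID "IEEE"), measures how many derivations one CPU thread manages here, and then sizes the search the original poster describes: every length from 8 to 16 over a 62-character mixed alphanumeric set. The 1,000,000,000 guesses per second figure used for comparison is an assumed round number, not a measurement.

```python
import hashlib
import time


def wpa_psk(passphrase, ssid, iterations=4096):
    """PMK used by WPA/WPA2-Personal: PBKDF2-HMAC-SHA1 over the passphrase, salted with
    the SSID, 4096 rounds, 32-byte output. The SSID salt is why a precomputed table
    (pyrit batch mode) only ever applies to one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), iterations, 32)


def keyspace(charset_size, min_len, max_len):
    """Number of candidates when every length from min_len to max_len is tried in full."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates, rate_per_second):
    """Wall-clock years to try every candidate at a fixed guess rate."""
    return candidates / rate_per_second / (365.25 * 24 * 3600)


def measure_rate(ssid="IEEE", samples=20):
    """Constructed micro-benchmark: one PBKDF2 derivation per candidate, one CPU thread."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate{i:08d}", ssid)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    # Published WPA2 test vector: passphrase "password", SSID "IEEE" ->
    # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print("PMK:", wpa_psk("password", "IEEE").hex())
    rate = measure_rate()
    print(f"this machine: {rate:,.0f} PMKs/s on one thread")
    mixed = 62  # a-z, A-Z, 0-9, as in the 16-character passphrase from post #1
    space = keyspace(mixed, 8, 16)
    print(f"candidates, lengths 8..16 over {mixed} symbols: {space:.3g}")
    for label, r in (("one CPU thread here", rate), ("assumed 1e9 guesses/s", 1e9)):
        print(f"{label}: {years_to_exhaust(space, r):.3g} years to exhaust")
```

    Even at the assumed billion guesses a second, well beyond what a GPU rig managed at the time of this thread, the 62-symbol space for lengths 8 to 16 works out to more than a hundred billion years; the full-keyspace estimate is dominated by the longest length, so the gain from trimming the short lengths is negligible. The practical lesson for the original poster is the same as the posts above: the passphrase is not the weak point, so look at the access point and the clients instead.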

  6. #6
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    11

    Thank you all for your replies, they've given me a lot to look into. I'm also glad to know I'm not crazy.

    @scottsee, she didn't want MAC filtering because they use enough different computers and have people over often enough that it would just be easier to buy a couple of really long cables and a hub. And I thought net send was disabled by default on newer versions of Windows, and doesn't exist at all on Linux, but I could be wrong.

    @mikec I'll check on the evil twin thing. It certainly looks interesting and I'm surprised I haven't heard more about it before now.

    @Thorn The reason they thought the person had gotten on their network again was because of a sudden loss of bandwidth that had shown up the first time someone else was on their network, and was there again. I'll certainly have to check the traffic now.

  7. #7
    Senior Member Thorn
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Quote Originally Posted by vityav
    @Thorn The reason they thought the person had gotten on their network again was because of a sudden loss of bandwidth that had shown up the first time someone else was on their network, and was there again. I'll certainly have to check the traffic now.
    One thing to keep in mind: Was it loss of bandwidth, or did the WLAN merely shift from 'g' speed (54 Mbps) to 'b' speed (11 Mbps)? Users tend to confuse the two issues.

    Unless the AP is set to ignore 'b' devices (i.e. it's preset to "g only" mode), any time a 'b' device attempts to join a 'g' network, the speed automatically drops down to 11 Mbps or slower to accommodate the slower device.
    Thorn
    Stop the TSA now! Boycott the airlines.