Faster WPA hash cracking

[windhawk]

Well, I'm not that expert, but I think here is the best place where I can discuss about this.

So, basically to crack a WPA network, you capture the handshake packets in order to obtain the key hash right? After that the only way to retrieve the plain text key is to perform a brute force attack on this hash, wait and pray.

The brute force attack provided by the aircrack suite usually tests 400 - 600 keys per second.

Recently I was looking for hash cracking when I found a technique called Time-Memory Tradeoff. They say its cappable of testing up to 100.000 keys per second (WTF?).

A benchmark is shown in the picture bellow:



This is from the Raibow Crack project, really worth take a look at it... Rainbow Project.

I was wondering if that wouldn't be usefull for also cracking WPA hash.

If I said anything stupid please let me know, I'm just trying to help anyway.

[Archangel-Amael]

wpa and wpa2 are basically the same thing.
WPA vs WPA2 (802.11i): How your Choice Affects your Wireless Network Security | Openxtra

Keep reading and learning though you are trying and that's a good thing.

[purehate]

I think what windhawk is missing is that those graphs and charts do not take into account the time it takes to actually make the "rainbow" table. I may be able to crack at 100,000 keys per second but if it took me a few days to make the table, thats not very accurate.

The other major difference is that once a ntlm hash table is created it will work with any hash, this is not the case with wpa because the essid is salted into the hash. This means that every time you have a different essid you would have to create a new hash table which is once again , time consuming.

[windhawk]

I think what windhawk is missing is that those graphs and charts do not take into account the time it takes to actually make the "rainbow" table. I may be able to crack at 100,000 keys per second but if it took me a few days to make the table, thats not very accurate.

The other major difference is that once a ntlm hash table is created it will work with any hash, this is not the case with wpa because the essid is salted into the hash. This means that every time you have a different essid you would have to create a new hash table which is once again , time consuming.

I see your point. I hadn't realized that WPA used salted hashes, this makes the method mentioned above useless.

Well, one more question before this topic dies. I don't see many people talking about aircrack-ng + CUDA yet.

Is there any obvious reason that I'm missing?

[CKing]

I see your point. I hadn't realized that WPA used salted hashes, this makes the method mentioned above useless.

Well, one more question before this topic dies. I don't see many people talking about aircrack-ng + CUDA yet.

Is there any obvious reason that I'm missing?

look into pyrit

[windhawk]

look into pyrit

Yeah, there is an obvious reason.

Talking about that and the previous message.... I saw this guy running pyrit in a PS3.

He was doing some tweaking but as far as I saw, it was around 30.000 PMK/s.

Pretty interesting huh?

[CiE101]

To create the rainbow tables fast you would need to use a computer that has an nvidia video card that use's the CUDA technology. The CUDA technology allows you to harness the power of the GPU to create the tables as mentioned above look into Pyrit. Let me know if you need anything else.

[lnuxxunl]

Fake Ap (same essid,Bssid) with stronger Signal than victim original WLAN

+

That's force the victim to connect to the fake AP ?why? because the original WLAN is just disappeared like charm!

+

Fake DNS Replies !!! direct the victim to fake page

+

Bingooo!!! you just comprised the victim box
Steal WPA from Registry


Repeat After Me:

"Steal WPA Don't Crack it"

[ertye]

I see your point. I hadn't realized that WPA used salted hashes, this makes the method mentioned above useless.

Well, one more question before this topic dies. I don't see many people talking about aircrack-ng + CUDA yet.

Is there any obvious reason that I'm missing?

Also, keep in mind that people do post rainbow tables for popular essid's for keys with reasonable numbers of chars... So the method is not entirely useless

[TheDarkTangent]

im not an expert either but , im working in a project ,im trying to set up my ps3 to crack hash file password because i heard from some source that the power of the ps3 processor is awesome , have you ever heard about it ?