
Thread: free online wpa cracker project idea

  1. #51
    Just burned his ISO jacko's Avatar
    Join Date
    Jan 2011
    Posts
    13

    Thumbs up Re: free online wpa cracker project idea

    yeah I've made a couple of cowpatty hashes for this already.. done one for linksys and one for NETGEAR

    with a billion words too.. thing is though- all you really need to do is run cal and have ati gpus.. one 5850 does 60k/s compared to an nvidia 460 running cuda which does 17.5k stock (nvidia pretty much fails in this field.. makes me wonder if they paid off stanford folding )

    you can attack wpa/wpa2 in like 5 hours with the billion.. or even crunch an 8 character attack (brute force) but that takes around a month if the dictionary fails- I went and created the hash already with pyrit so I can actually stop and resume as needed too.. it's all already done with the hardware out

  2. #52
    Member CKing's Avatar
    Join Date
    Mar 2010
    Location
    downtown, riverfront
    Posts
    83

    Default Re: free online wpa cracker project idea

    I've been very busy lately but I have had some time to work on the project so here's the latest.

    Website: http://code.google.com/p/wpacrack/
    Nothing on it yet. Give me your Google account name and I'll add you as a project member

    PCAP parser: I did dig up an existing parser online http://node5.blogspot.com/2009/02/ne...ap-parser.html haven't looked at it at all but it might be something to start with, if not, I'm leaning towards a python solution from scratch because I'm more familiar with it (yes, I'm aware of existing python parsers, I'm not a fan though)

    Domain name: I'm too cheap(for now)

    Offline cracking: Yup, already possible on my personal script.

    Users typing a password in a box: Is possible, could be checked by adding the submitted password/cap combo to someone's next workload, otherwise we need that parser which I keep putting down on my todo list

    Making the service "private": It's a question I ask myself on a regular basis; provide excellent cracking to a few, trusted people, or decent cracking to the masses? It's a tough call but getting to the roots of the project and why I wanted to do this in the first place I have to say the masses minus skiddies win.

    Me looking at cracking the wrong way: You're entitled to your opinion but the fact is dictionary attacks are by far the most successful against WPA. Beck & Tews attack doesn't crack the password and is rarely useful(when it works)(only works with tkip). In the end I'm just doing this for a hobby.

    Scrambling caps for anonymity: I've not seen this BSSID-MUNGE tool before and unfortunately don't have time to investigate at the moment but I would be very interested in seeing how we could change the essid since it's used to salt the wpa hash, bssid shouldn't be a problem.

    ATI vs NVIDIA: You are correct, ati is superior to nvidia when calpp is used, most of the performance gain is due to an instruction that openCL doesn't implement and the latest round of nvidia(shamefully) cards doesn't even have. They both have their merits though, nvidia's drivers are FAR superior, used more often in gpgpu computing and faster in many other applications.

    Pyrit: Yup, great stuff, I use it and my helper script for the public will probably at least have an option for it.

    Brute forcing 8 chars: Check your math dude.

    GingerP: I think we should be aiming to get our upload page cleaned up and capable of password profiling options etc. before we go on to fancy pcap parser stuff. Let me know what you're up to other than that sky router bruter (which looks good, but likely to take a while to crunch all those combos).
    A true gentleman, a good hearty guy.
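
The point in the post above that the ESSID salts the WPA hash, worked through as an added example (not code from the thread or the project): the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a table precomputed for one SSID says nothing about another, and rewriting the ESSID in a capture changes the key being verified. The function names, the constructed passphrase and the alphabet table are assumptions of this example; 60,000 PMK/s is the rate quoted earlier in the thread.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/WPA2-PSK passphrase-to-key mapping
PMK_LEN = 32               # 256-bit pairwise master key

# Alphabet sizes used for the passphrase-policy estimate (labels are this example's own).
ALPHABETS = {"lowercase": 26, "lower+digits": 36,
             "mixed case+digits": 62, "printable ASCII": 95}


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("network SSIDs are 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid,
                               PBKDF2_ITERATIONS, PMK_LEN)


def table_applies(table_ssid: bytes, network_ssid: bytes, passphrase: str) -> bool:
    """True only if a PMK precomputed for table_ssid equals the network's PMK."""
    return derive_pmk(passphrase, table_ssid) == derive_pmk(passphrase, network_ssid)


def exhaust_days(alphabet_size: int, length: int, pmk_per_second: float) -> float:
    """Days needed to try every passphrase of one length at a given PMK rate."""
    return alphabet_size ** length / pmk_per_second / 86400


def search_time_table(length: int, pmk_per_second: float) -> dict:
    """Exhaustive-search time in days for each alphabet, for policy decisions."""
    return {name: exhaust_days(size, length, pmk_per_second)
            for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    phrase = "constructed-passphrase"          # constructed sample value
    for ssid in (b"linksys", b"NETGEAR", b"renamed-network"):
        print(ssid.decode(), derive_pmk(phrase, ssid).hex()[:16], "...")
    print("linksys table usable on NETGEAR:",
          table_applies(b"linksys", b"NETGEAR", phrase))
    for name, days in search_time_table(8, 60_000).items():
        print(f"8 chars, {name:18s}: {days:14,.0f} days")
```

Renaming a network away from a vendor default SSID is what takes it out of reach of tables built for that default; the passphrase alphabet and length decide the rest.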

  3. #53
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default Re: free online wpa cracker project idea

    Quote Originally Posted by jacko View Post
    yeah I've made a couple of cowpatty hashes for this already.. done one for linksys and one for NETGEAR

    with a billion words too.. thing is though- all you really need to do is run cal and have ati gpus.. one 5850 does 60k/s compared to an nvidia 460 running cuda which does 17.5k stock (nvidia pretty much fails in this field.. makes me wonder if they paid off stanford folding )

    you can attack wpa/wpa2 in like 5 hours with the billion.. or even crunch an 8 character attack (brute force) but that takes around a month if the dictionary fails- I went and created the hash already with pyrit so I can actually stop and resume as needed too.. it's all already done with the hardware out
    These figures are completely wrong, you should probably get your facts straight before posting. In any case, it's true ATI is a little faster in benchmarks however, if you actually crack WPA rather than do benchmarks and read about it you would know that the stream code is crappy and buggy. My ATI cards miss passwords all the time, while my nvidia cards get them every time. CUDA is under full active development and IMHO is a much better route to take but as always YMMV.

    In any case an Nvidia 295 gtx can do 20,000 pmk/s
    480 GTX can do 28,000 pmk/s
    and the 580 is about 38,000 pmk/s

    root@classified:~# pyrit benchmark
    Pyrit 0.3.1-dev (svn r283) (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3+

    Running benchmark (77193.1 PMKs/s)... /

    Computed 77193.08 PMKs/s total.
    #1: 'CUDA-Device #1 'GeForce GTX 580'': 38326.2 PMKs/s (RTT 2.8)
    #2: 'CUDA-Device #2 'GeForce GTX 580'': 36141.2 PMKs/s (RTT 2.8)
    #3: 'CPU-Core (SSE2)': 732.7 PMKs/s (RTT 2.9)
    #4: 'CPU-Core (SSE2)': 682.5 PMKs/s (RTT 3.0)
    #5: 'CPU-Core (SSE2)': 732.8 PMKs/s (RTT 3.0)
    #6: 'CPU-Core (SSE2)': 732.4 PMKs/s (RTT 2.9)
    #7: 'CPU-Core (SSE2)': 729.9 PMKs/s (RTT 2.9)
    #8: 'CPU-Core (SSE2)': 731.1 PMKs/s (RTT 3.0)
    #9: 'CPU-Core (SSE2)': 702.0 PMKs/s (RTT 3.0)
    #10: 'CPU-Core (SSE2)': 712.9 PMKs/s (RTT 3.0)
    #11: 'CPU-Core (SSE2)': 731.8 PMKs/s (RTT 3.0)
    #12: 'CPU-Core (SSE2)': 738.0 PMKs/s (RTT 2.9)
    #13: 'Network-Clients': 0.0 PMKs/s (RTT 0.0)

  4. #54
    Just burned his ISO SecUpwN's Avatar
    Join Date
    May 2010
    Location
    PARADISE
    Posts
    21

    Default Re: free online wpa cracker project idea

    Great to see you've found the time to reply, CKing!

    Quote Originally Posted by CKing View Post
    Website: http://code.google.com/p/wpacrack/
    Nothing on it yet. give me your google account name and I'll add you as a project member
    Oh, man.. now we've got 2 websites. GingerP did already set one up HERE. To be honest, I prefer to stay anonymous as best as possible, especially while participating in such a project. Let me get something straight: I don't like google - at least not in terms of privacy and won't open an account there. So please forgive me if I say that I prefer a real website with some type of FORUM and its own coding section rather than stuff from Google. Would you please take a look at GingerP's website? Thanks ahead, CKing!

    Quote Originally Posted by CKing View Post
    Domain name: I'm too cheap(for now)
    If you've seen the website GingerP has set up so far, our project runs under a rather long domain name (runningbackwards). But that's a minor issue, we should straighten up where to reside first. As said, I prefer to ONLY use a website like GingerP has set up rather than a google code project. Would be great if we could put everything into one place...

    Quote Originally Posted by CKing View Post
    Making the service "private": It's a question I ask myself on a regular basis; provide excellent cracking to a few, trusted people, or decent cracking to the masses? It's a tough call but getting to the roots of the project and why I wanted to do this in the first place I have to say the masses minus skiddies win.
    I'm sure that's a point also purehate came across from the very start of his own project. The solution I see to this question is to offer some type of ranking - maybe within a private forum where people have to register first to get access. With more (and continuous) contribution, users could climb up the ladder and earn some type of "points". For every contribution (things like a completely new list of useful words we haven't incorporated yet or efforts to improve the overall quality of our service), contributors would earn these points - and thus increase their chance for running a much more powerful pentest on their own handshakes. Keep in mind: Forum posts shouldn't count (at least not ONLY forum posts).

    Quote Originally Posted by CKing View Post
    Scrambling caps for anonymity: I've not seen this BSSID-MUNGE tool before and unfortunately don't have time to investigate at the moment but I would be very interested in seeing how we could change the essid since it's used to salt the wpa hash, bssid shouldn't be a problem.
    I already contacted purehate via PM about BSSID-MUNGE. He wrote a message to the tool's developer Josh Wright, but obviously he didn't respond yet. Seems like the tool is completely offline, I searched hours for it and didn't even find it within the internet archive. Hint for everybody reading this: Bring back the tool and earn some credit!

    SecUpwN
    Last edited by SecUpwN; 02-03-2011 at 12:08 PM.

  5. #55
    Member CKing's Avatar
    Join Date
    Mar 2010
    Location
    downtown, riverfront
    Posts
    83

    Default Re: free online wpa cracker project idea

    Oh, man.. now we've got 2 websites. GingerP did already set one up HERE. To be honest, I prefer to stay anonymous as best as possible, especially while participating in such a project. Let me get something straight: I don't like google - at least not in terms of privacy and won't open an account there. So please forgive me if I say that I prefer a real website with some type of FORUM and its own coding section rather than stuff from Google. Would you please take a look at GingerP's website? Thanks ahead, CKing!
    Your link sends me to a 404 for newipnow.
    hxxp://wpa.runningbackwards.co.uk/ isn't reachable
    A true gentleman, a good hearty guy.

  6. #56
    Just burned his ISO SecUpwN's Avatar
    Join Date
    May 2010
    Location
    PARADISE
    Posts
    21

    Default Re: free online wpa cracker project idea

    Quote Originally Posted by CKing View Post
    hxxp://wpa.runningbackwards.co.uk/ isn't reachable
    Sorry 'bout that. Links have been corrected properly.

    SecUpwN

  7. #57
    Junior Member
    Join Date
    Oct 2010
    Posts
    45

    Default Re: free online wpa cracker project idea

    Mate, you clearly didn't get the point. Please read the thread again, who's talking about brute forcing here? No one. A wordlist attack is NOT brute forcing at all. Think before you type.
    That's not what I mean...they're the same genre of attack. I'm just saying our best efforts should go toward ACTUAL vulnerabilities. Not guessing. People can ALWAYS make a longer password.

  8. #58
    Just burned his ISO
    Join Date
    Feb 2011
    Posts
    2

    Default Re: free online wpa cracker project idea

    I have followed this project's development with interest and just got registered to chip in this chain of thoughts about what I see as the end purpose of the project:

    Community-powered, free and efficient WPA password auditing

    That is, answering the question "Is this password a Good password for our WPA setup?"

    Sorry if I have misunderstood the underlying intentions, but I hope that this is in the same line of thought that you guys have... If not, just ignore the rest of my post, or advise me to make a new thread :P

    My point here is that we can build a large and powerful system that performs a large dictionary attack, and if the password is found, we could probably say "No, that password is not very secure" (for anyone with access to a fair share of computing power)

    Here we will probably catch the many passwords that are too short or "common" to be considered secure.

    However, with a lengthy enough password with different types of characters we can easily prevent this system from finding the password through cluster-driven general purpose dictionary attacks...

    But how do we tell someone "This is a Good password"?

    A password that is too complex has to be written down in some form by the people using it for authentication. The passwords are most often stored in users' keychains, on a post-it, an email, and/or in plain text. These types of passwords make setups vulnerable in many new ways, especially if passwords are changed often (changing complex passwords often means more people have written them in easily accessible locations)

    A password that is complex enough to get past attacks using general purpose, albeit large, dictionaries, while still being easy to remember is a harder task. They need to be stored in human memory, a memory that works best by the referencing to existing thoughts, facts and experiences.

    The most viable way of cracking such passwords ought to be to build custom contextual dictionaries, that incorporate references to the actual wifi users as well as the possible alterations/tricks that security-minded administrators are using when choosing passwords.

    For this part, the project ought to incorporate some sort of dictionary generator based on some context/keywords. This could be as simple as detecting valid words from the SSID, make a google+wikipedia search on those and come up with a contextual dictionary to use for that cracking attempt.

    From, say, the most common keywords/words found in those result listings, additional dictionary entries could be generated using different "tricks", like changing the last lowercase letter to uppercase, changing e,a and o to 3,4 and 0 respectively etc.

    In practice, this would imply an optional field beside the upload field "Context", where one could enter some general keywords or knowledge (like address where wifi signal was captured), and this would be used to higher the success rate of finding the correct key, still assuming that one has but basic knowledge about the WPA-secured net to begin with...

    In this way, the project could at least help answer the question about whether or not the password is a Good password or not.



    Also, as someone mentioned regarding the probability of some SSIDs having certain passwords (due to operator policies in choosing passwords), there is a project about that sort of dictionary generator here: hxxp://code.google.com/p/multi-dictionary-creator/

    It does, however, seem _very_ inactive, and quite frankly dead. :P
    Last edited by sickness; 02-05-2011 at 02:12 AM. Reason: Merged posts.
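
The "is this a Good password?" question from the post above, turned into a check an administrator can run on a passphrase before deploying it (an added example, not code from the thread or the project). It undoes the e/a/o to 3/4/0 substitutions the post names, plus `@` and `$` as further assumed substitutions, and flags passphrases that reduce to a common word or to a word taken from the SSID or supplied context; the word list, function names and sample values are constructed for illustration.

```python
import re

# Undo the substitutions the post names (3, 4, 0), plus "@" and "$" (assumed extras).
UNLEET = str.maketrans({"3": "e", "4": "a", "0": "o", "@": "a", "$": "s"})

# Constructed sample list; a real audit would load a much larger one.
COMMON_WORDS = {"password", "wireless", "internet", "linksys", "netgear"}

# Splits "SmithFamily_5G" into Smith / Family and keeps all-caps runs like NETGEAR whole.
WORD_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+")


def context_words(ssid: str, keywords=()) -> set:
    """Words of four or more letters found in the SSID and any context keywords."""
    words = set()
    for text in (ssid, *keywords):
        words.update(w.lower() for w in WORD_RE.findall(text) if len(w) >= 4)
    return words


def audit_passphrase(passphrase: str, ssid: str, keywords=()) -> list:
    """Return a list of findings; an empty list means no check here flagged it."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 character WPA passphrase range")
    # Normalise: lower-case, reverse the substitutions, keep letters only.
    letters = re.sub(r"[^a-z]", "", passphrase.lower().translate(UNLEET))
    for word in sorted(COMMON_WORDS):
        if word in letters:
            findings.append(f"built on common word '{word}'")
    for word in sorted(context_words(ssid, keywords)):
        if word in letters:
            findings.append(f"built on context word '{word}'")
    return findings


if __name__ == "__main__":
    # Constructed sample passphrases for a constructed SSID.
    for candidate in ("P@$$w0rd", "Sm1thFamily2011", "kT9#vq2LmZx8"):
        print(candidate, "->", audit_passphrase(candidate, "SmithFamily_5G") or "no findings")
```

An empty result only means the passphrase survived these particular checks, which matches the post's own caveat about how hard it is to call a password good.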

  9. #59
    Just burned his ISO SecUpwN's Avatar
    Join Date
    May 2010
    Location
    PARADISE
    Posts
    21

    Default Re: free online wpa cracker project idea

    Hi peterpancake, thanks for contributing to our project!

    Quote Originally Posted by peterpancake View Post
    Purpose of the project: Community-powered, free and efficient WPA password auditing
    Exactly. And with this thread we are currently collecting ideas, taking notes and getting people involved.

    Quote Originally Posted by peterpancake View Post
    That is, answering the question "Is this password a Good password for our WPA setup?"
    Either THAT, or even if a person/company has already set up their wifi protection and are unsure whether their pass could be too weak - they may test it with our service. Although there already exist some crackers out there, our service is aimed to stay free of charge. For now.

    Quote Originally Posted by peterpancake View Post
    My point here is that we can build a large and powerful system that performs a large dictionary attack, and if the password is found, we could probably say "No, that password is not very secure" (for anyone with access to a fair share of computing power)
    I get what you're trying to say. But our intention also was to reveal the password to the people who are pentesting their networks. Without doubt, there are many skiddies out there who try to crack their neighbors' wifi just to gain access to free internet - but you are right, maybe we could incorporate some mechanism that ensures that ONLY a small group of trusted members get to see the plain password. Like this:

    Code:
    ATTENTION! Your password is WEAK and has been CRACKED by our service! It contains these 3 characters: XYZ.
    While "XYZ" would be any 3 characters contained within the passphrase. We should make sure to always show the same digits (say the 6th, 7th and 8th) of the pass, thus preventing skiddies to be able to reveal the full passphrase through multiple usage of our cracker.

    Quote Originally Posted by peterpancake View Post
    But how do we tell someone "This is a Good password"?
    Well then, this could be done with just using the opposite...

    Code:
    CONGRATULATIONS! Your password is STRONG and hasn't been cracked by our service! Modify it slightly and use it.
    Quote Originally Posted by peterpancake View Post
    A password that is complex enough to get past attacks using general purpose, albeit large, dictionaries, while still being easy to remember is a harder task. They need to be stored in human memory, a memory that works best by the referencing to existing thoughts, facts and experiences. The most viable way of cracking such passwords ought to be to build custom contextual dictionaries, that incorporate references to the actual wifi users as well as the possible alterations/tricks that security-minded administrators are using when choosing passwords. For this part, the project ought to incorporate some sort of dictionary generator based on some context/keywords. This could be as simple as detecting valid words from the SSID, make a google+wikipedia search on those and come up with a contextual dictionary to use for that cracking attempt.
    Hm.. do you mean something like the Common User Passwords Profiler (CUPP)?

    SecUpwN
    Last edited by SecUpwN; 02-05-2011 at 06:23 AM.

  10. #60
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default Re: free online wpa cracker project idea

    It's fairly standard these days to see people turn "password" into "P@$$w0rd" with little or no complaints. They also don't, and even very rarely do, keep track of what the password is - the IT guys might, but they can write it down and secure it in a vault of some kind (be it software, wetware or hardware), so don't start speccing on an idea that is becoming more and more inaccurate - keep it flexible.

    While he was developing it pureh@te's kracker was open to those who knew where it was, but as soon as it went live he had to throw the paypal in front of it - a lot of money and effort goes into these (as you're all finding), but consider the "for now" comment SecUpwN just said - this cracker will probably go the same way as any of the others.

    So. What should you actually be aiming for guys?

    Welp it's pretty easy really - a standard cracker will accept the upload file of a certain file size or less, it will validate that it has received a PCAP file (there are a couple ways to do this) then perform its own stripping just to be sure. It cracks via pyrit or whatever, and emails out the results. pureh@te already rolls this, which is where the real power is because the two or three times I've needed to go that far, I'm not using standard "linksys" tables.

    So, how do you make a cracker I am likely to use (and thus one you are going to end up charging people for).

    Accept File
    If hash tables exist on disk use those
    If no hash tables exist on disk do in memory with standard dict
    If no password found so far use CUPP generated dict
    log ssid for generation - later if enough SSID have been submitted with the same name, generate tables instead.
    email response

    If you start downloading password files and such via CUPP or wyd or whatever, you shouldn't be doing it on the fly - log the variables to a database somewhere and manually review them for additional content generation later - properly sanitized of course, otherwise enough random SSID submissions is going to blow out your file system (albeit not quickly! It's like taking screenshots with a locked iPhone. You'll get bored before you fill it up, but you can get there..). But you don't want to not do that if you think it will help, so you generate a separate password file - that way all your hash files are generated with the same one, but you can still add to it if you need. You could also speed up the process by generating a list of found passwords and testing those before all else - so if it takes twenty minutes for the server to find my password in the hash table, but I later resubmit the same hash file, it'll take a couple of seconds.

    The possibilities are endless really, just try to remember that everyone has had this idea, and these things cost $$ when it comes down to it - so you'll probably end up having to pay for it anyway.

    Which to be fair is fine - you get paid more than $10 for a job anyway so if the Kracker can get you in, it's money well spent.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
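
The intake steps from the post above (size limit, confirming the upload really is a PCAP, sanitizing SSIDs before they are logged or used on disk), sketched as an added example that is not code from the thread or any of the services it mentions. The size cap, function names and sample headers are assumptions of this example; the magic numbers and link-type values are the standard libpcap ones.

```python
import struct

MAX_UPLOAD_BYTES = 5 * 1024 * 1024          # assumed cap; pick one that fits the service
PCAP_MAGICS = {0xA1B2C3D4: "microsecond", 0xA1B23C4D: "nanosecond"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
# libpcap link types that carry 802.11 frames
WIFI_LINKTYPES = {105: "IEEE802_11", 119: "PRISM", 127: "RADIOTAP",
                  163: "AVS", 192: "PPI"}


class UploadRejected(ValueError):
    """Raised for any upload that should not reach the processing queue."""


def check_capture_header(data: bytes) -> dict:
    """Validate size, magic, version and link type from the 24-byte pcap header."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file larger than the upload cap")
    if len(data) < 24:
        raise UploadRejected("too short for a pcap global header")
    if data[:4] == PCAPNG_MAGIC:
        raise UploadRejected("pcapng not accepted here; convert to classic pcap")
    for endian in ("<", ">"):                # the magic tells us the writer's byte order
        magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
            endian + "IHHiIII", data[:24])
        if magic in PCAP_MAGICS:
            break
    else:
        raise UploadRejected("bad magic: not a pcap file")
    if (major, minor) != (2, 4):
        raise UploadRejected(f"unexpected pcap version {major}.{minor}")
    if linktype not in WIFI_LINKTYPES:
        raise UploadRejected(f"link type {linktype} is not an 802.11 capture")
    return {"byte_order": "little" if endian == "<" else "big",
            "timestamps": PCAP_MAGICS[magic], "snaplen": snaplen,
            "linktype": WIFI_LINKTYPES[linktype]}


def ssid_for_log(raw: bytes) -> str:
    """Render an SSID (arbitrary bytes, max 32) as printable ASCII with \\xNN escapes."""
    if len(raw) > 32:
        raise UploadRejected("SSID longer than 32 bytes")
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\x%02x" % b
                   for b in raw)


def ssid_for_filename(raw: bytes) -> str:
    """Hex form for on-disk names, so '/', '..' or NUL in an SSID cannot steer a path."""
    if len(raw) > 32:
        raise UploadRejected("SSID longer than 32 bytes")
    return raw.hex()


if __name__ == "__main__":
    # Constructed sample: a little-endian pcap header for a radiotap capture.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    print(check_capture_header(header))
    print(ssid_for_log(b"home\nnet"), ssid_for_filename(b"../etc"))
```

The header check is only the gate; the post's advice to re-strip the capture server-side still applies, since a valid header says nothing about the packets behind it.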
