Advanced WPA(2) attack methods?

[ternarybit]

I'm somewhat obsessively auditing all the Wi-Fi networks I administer (around 5), trying to crack into them with the methods available. They all run WPA2/CCMP.

I've run all the handshakes through the usual wordlists successfully (darkc0de, Church of Wifi, numeric, etc.)

WPS is disabled, but the passphrases certainly aren't as complex as they could be. They're not dictionary words or common variations of them, but they're not random symbols 20 characters long either.

How would you continue the attack when the easy methods have failed? Does WPA cracking really just boil down to the quality of the wordlist?

[codekiddy]

There is a new method on how to crack WPA/WPA2, and that's WPS cracking

Backtrack5 R2 already has required tools installed, their names are "wash" and "reaver".
with wash tool you scan all the routers that have WPS enabled.
and with reaver tool you crack the PIN of the WPS enabled router.

It's about brute forcing router's PIN and takes about 10 hours to complete

[Magnet0]

it nice to here that, but its better if you can provide us tutorials too.

[samiux]

@ternarybit,

WPA/WP2 can be brute forcing using suitable hardware and software. The limitation is time only.

Samiux

[sostentado]

There is a new method on how to crack WPA/WPA2, and that's WPS cracking

Backtrack5 R2 already has required tools installed, their names are "wash" and "reaver".
with wash tool you scan all the routers that have WPS enabled.
and with reaver tool you crack the PIN of the WPS enabled router.

It's about brute forcing router's PIN and takes about 10 hours to complete

+1 for this...

[hannah]

There is a new method on how to crack WPA/WPA2, and that's WPS cracking

All nice but ternarybit mentioned that he got WPS disabled.

As samiux mentioned to crack WPA/WPA2, limitation is time only. However if the pass phrase is good one you are in pretty good shape.

[stepking2]

I have some wordlist hosted on ThePirateBay :-)

http://thepiratebay.se/user/stepking2

[SilicaG]

There is a new method on how to crack WPA/WPA2, and that's WPS cracking

It's Right, the WPS, now, is the only way for a strong WPA.

[ternarybit]

@everyone Thanks for the info. Keep WPS disabled and use strong PSKs == mostly secure, at least from a purely cryptographic standpoint.

Does anyone have information about some techniques that exploit the human element? Is there a way, perhaps, to set up a rogue AP with identical settings as the target AP, except that whatever PSK a client enters it accepts and logs?

[SilicaG]

You can create a rougue AP with same ssid (and mac) of the target AP and capture the handshake for the WPA or the data for the WEP (caffe-latte attack). You can simulate the AP and share your internet connection. You can simulate the AP and exploit the victim to find password or configuration. But you can't simply log the password: is the 4 way handshake security.