
Thread: Advanced WPA(2) attack methods?

  1. #11
    Member
    Join Date
    Feb 2010
    Location
    Somewhere in the hell
    Posts
    91

    Default Re: Advanced WPA(2) attack methods?

    @ternarybit,

    Rogue AP is one of the methods to get your strong passphrase.

    Samiux

  2. #12
    Junior Member
    Join Date
    Jun 2012
    Posts
    42

    Default Re: Advanced WPA(2) attack methods?

    @SilicaG Interesting. I think that besides the WPS vulnerability, rogue APs present the biggest threat to Wi-Fi security. It's very easy to code a rogue AP splash screen that requires the user to "re-authenticate" with the target AP's PSK, especially since the hardware vendor of the AP is known to an attacker. One could easily copy the HTML from the router's configuration screen to make it very convincing to all but the most savvy.

  3. #13
    Moderated Member
    Join Date
    Oct 2011
    Posts
    44

    Default Re: Advanced WPA(2) attack methods?

    Quote Originally Posted by samiux View Post
    @ternarybit,

    Rogue AP is one of the methods to get your strong passphrase.

    Samiux
    Or you could use random generator in HackPack... (bump for the toolkit )

    I am willing to possibly make some tables for WPA like an OPH if anyone is willing to work with me on it..... I mean after all it's just a mix and match game.

  4. #14
    Junior Member
    Join Date
    Jun 2012
    Posts
    42

    Default Re: Advanced WPA(2) attack methods?

    @Bl4cks4b3r Unfortunately generating such tables is infeasible with currently available processing power. Generating a mixed-case alphanumeric table for even the minimum-length PSK allowed in WPA would take a *long* time.

    Consider this:

    26 lowercase letters + 26 uppercase letters + 10 digits = 62 possibilities for one character, raised to the 8th power (for 8 characters) = 218340105584896 total PMKs.

    I saw a quad-Crossfire rig on YouTube with current-gen video cards that cranks out about 280,000 PMKs per second, probably the most power available to people like you and me right now.

    218340105584896 / 280000 ~= 779786091 seconds / 3600 ~= 216607 hours / 24 ~= 9025 days / 365 ~= 25 years to generate an 8-character table, for one SSID. Not to mention the gargantuan amount of disk space such a table would occupy, and the nontrivial amount of time it would take to look up the PMK in the table!

    Since WPA's implementation of PBKDF2 salts the passphrase with the ESSID, generating "master tables" (like OphCrack's LanMan hashes) is impossible.

    Although if you know something I don't, I'm most interested in any other attack vectors for WPA(2)
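
The arithmetic in the post above, carried through for longer passphrases and with the SSID salt made visible. This is an added example, not code posted in the thread; the SSIDs and passphrase are constructed, the 280,000 PMK/s rate is the figure quoted in the post, and the table size assumes one bare 32-byte PMK per entry.

```python
import hashlib

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passphrases of exactly `length` characters."""
    return alphabet ** length

def years_to_exhaust(alphabet: int, length: int, pmks_per_second: float) -> float:
    """Time to compute every PMK for ONE SSID at the given rate."""
    return keyspace(alphabet, length) / pmks_per_second / (3600 * 24 * 365)

def table_bytes(alphabet: int, length: int) -> int:
    """Lower bound on table size: one 32-byte PMK per entry, no index."""
    return keyspace(alphabet, length) * 32

def same_passphrase_differs(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the SSID salt makes a table built for ssid_a useless for ssid_b."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)

if __name__ == "__main__":
    RATE = 280_000  # PMKs per second, the figure quoted in the post
    for length in (8, 10, 12, 16):
        print(f"{length:2d} chars: {keyspace(62, length):.3e} PMKs, "
              f"{years_to_exhaust(62, length, RATE):.3e} years, "
              f"{table_bytes(62, length) / 1e15:.3e} PB per SSID")
    # Constructed SSIDs and passphrase, for illustration only.
    print(same_passphrase_differs("Example-Passphrase1", "HomeNet-A", "HomeNet-B"))
```

Each extra mixed-case alphanumeric character multiplies both the time and the storage by 62, which is why passphrase length and a non-default SSID are the settings that matter on the defending side.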

  5. #15
    Moderated Member
    Join Date
    Oct 2011
    Posts
    44

    Default Re: Advanced WPA(2) attack methods?

    Yeah it's not relevant for most people at the moment, but in time it will be. Also (and again this really isn't fair XD) I have access to something 99% of others do not :-p

  6. #16
    Junior Member
    Join Date
    Jun 2012
    Posts
    42

    Default Re: Advanced WPA(2) attack methods?

    Interesting. I know that any cryptographic system will ultimately fall prey to Moore's law. Also, wordlists compress very nicely, so disk space is much less of an issue. I'm very interested to see how long it takes before WPA2 becomes deprecated.

  7. #17
    Junior Member
    Join Date
    Jun 2012
    Location
    127.0.0.1
    Posts
    25

    Default Re: Advanced WPA(2) attack methods?

    Quote Originally Posted by ternarybit View Post
    @SilicaG Interesting. I think that besides the WPS vulnerability, rogue APs present the biggest threat to Wi-Fi security. It's very easy to code a rogue AP splash screen that requires the user to "re-authenticate" with the target AP's PSK, especially since the hardware vendor of the AP is known to an attacker. One could easily copy the HTML from the router's configuration screen to make it very convincing to all but the most savvy.
    That's very good. A rogue AP with an HTML password request page always gives good results. If I remember well there was a test in a university with a similar AP and the attacker collected a lot of passwords and usernames.

  8. #18
    Senior Member ShadowMaster's Avatar
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: Advanced WPA(2) attack methods?

    @SilicaG about the rogue AP not helping... Forgot to quote sorry...

    You're actually wrong on that. If you create a rogue AP with the same SSID and MAC, then deauth the client and have him connect to your AP, since you choose the nonce you can decrypt the key immediately. That is the accepted way to hack WPA via human element. Another way would be to use the PRGA stream along with TKIP (not necessary in this case of CCMP) and set up a captive portal with a fake page that asks for the wifi password again. There is a script somewhere out there in forumland that does this for you.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  9. #19
    Senior Member VulpiArgenti's Avatar
    Join Date
    Sep 2011
    Location
    lost
    Posts
    174

    Default Re: Advanced WPA(2) attack methods?

    since you choose the nonce you can decrypt the key immediately
    Can you explain further?
    My understanding is that whatever nonce you choose, it will not be hashed correctly (since you don't know the PMK), and the authentication sequence will not complete. Therefore a fake AP can be used to grab the handshake, or to phish the key, but not to read/decrypt the key.
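
The point made in the post above, that an AP which picks its own nonce but does not hold the PMK cannot complete the 4-way handshake, shown on the client's MIC check for message 3. This is an added example, not code from the thread; the MAC addresses, nonces, passphrases and the frame body are constructed placeholders, and the frame stands in for a real EAPOL-Key frame with its MIC field zeroed.

```python
import hashlib
import hmac

def pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 of 802.11i: keyed by the PMK, mixing both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20-byte HMAC-SHA1 outputs cover the 64-byte PTK
        msg = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(pmk_, msg, hashlib.sha1).digest()
    return out[:64]

def mic(ptk_: bytes, frame: bytes) -> bytes:
    """WPA2 (HMAC-SHA1) MIC, keyed with the KCK = first 16 bytes of the PTK."""
    return hmac.new(ptk_[:16], frame, hashlib.sha1).digest()[:16]

def client_accepts(client_pmk, aa, spa, anonce, snonce, frame, received_mic) -> bool:
    """Client recomputes the MIC from ITS OWN PMK and drops the frame on mismatch."""
    expected = mic(ptk(client_pmk, aa, spa, anonce, snonce), frame)
    return hmac.compare_digest(expected, received_mic)

# Constructed sample values, not captured traffic.
SSID = "ExampleNet"
AA = bytes.fromhex("020000000001")   # AP MAC (same value on the cloned AP)
SPA = bytes.fromhex("020000000002")  # client MAC
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
MSG3 = b"constructed EAPOL-Key message 3, MIC field zeroed"

def demo():
    real_pmk = pmk("Example-Passphrase1", SSID)
    # Legitimate AP: knows the PSK, so its message-3 MIC verifies.
    ok = client_accepts(real_pmk, AA, SPA, ANONCE, SNONCE, MSG3,
                        mic(ptk(real_pmk, AA, SPA, ANONCE, SNONCE), MSG3))
    # Cloned SSID and MAC, self-chosen ANonce, but no PSK: the MIC check fails.
    fake_pmk = pmk("not-the-passphrase", SSID)
    fake_anonce = bytes(32)
    bad = client_accepts(real_pmk, AA, SPA, fake_anonce, SNONCE, MSG3,
                         mic(ptk(fake_pmk, AA, SPA, fake_anonce, SNONCE), MSG3))
    return ok, bad

if __name__ == "__main__":
    print(demo())
```

Because the nonces only feed a PRF keyed by the PMK, control over the ANonce gives no control over the resulting KCK.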

  10. #20
    Junior Member
    Join Date
    Jun 2012
    Posts
    42

    Default Re: Advanced WPA(2) attack methods?

    Quote Originally Posted by VulpiArgenti View Post
    Can you explain further?
    My understanding is that whatever nonce you choose, it will not be hashed correctly (since you don't know the PMK), and the authentication sequence will not complete. Therefore a fake AP can be used to grab the handshake, or to phish the key, but not to read/decrypt the key.
    I am also very interested in understanding this attack method, with a practical explanation, if possible.
