Re: Advanced WPA(2) attack methods?
@ternarybit,
Rogue AP is one of the methods to get your strong passpharse.
Samiux
Re: Advanced WPA(2) attack methods?
@SilicaG Interesting. I think that besides the WPS vulnerability, rogue APs present the biggest threat to Wi-Fi security. It's very easy to code a rogue AP splash screen that requires the user to "re-authenticate" with the target AP's PSK, especially since the hardware vendor of the AP is known to an attacker. One could easily copy the HTML from the router's configuration screen to make it very convincing to all but the most savvy.
Re: Advanced WPA(2) attack methods?
Or you could use random generator in HackPack... (bump for the toolkitOriginally Posted by samiux
)
I am willing to possibly make some tables for WPA like an OPH if anyone is willing to work with me on it..... I mean after all its just a mix and match game.
Re: Advanced WPA(2) attack methods?
@Bl4cks4b3r Unfortunately generating such tables is infeasible with currently available processing power. Generating a mixed-case alphanumeric table for even the minimum-length PSK allowed in WPA would take a *long* time.
Consider this:
26 lowercase letters + 26 uppercase letters + 10 digits = 62 possibilities for one character, raised to the 8th power (for 8 characters) = 218340105584896 total PMKs.
I saw a quad-Crossfire rig on YouTube with current-gen video cards that cranks out about 280,000 PMKs per second, probably the most power available to people like you and I right now.
218340105584896 / 280000 ~= 779786091 seconds / 3600 ~= 216607 hours / 24 ~= 9025 days / 365 ~= 25 years to generate an 8-character table, for one SSID.. Not to mention the gargantuan amount of disk space such a table would occupy, and the nontrivial amount of time it would take to look up the PMK in the table!
Since WPA's implementation of PBKDF2 salts the passphrase with the ESSID, generating "master tables" (like OphCrack's LanMan hashes) is impossible.
Although if you know something I don't, I'm most interested in any other attack vectors for WPA(2)
Re: Advanced WPA(2) attack methods?
Yeah its not relevant for most people at the moment, but in time it will be. Also (and again this really isnt fair XD) I have access to something 99% of others do not :-p
Re: Advanced WPA(2) attack methods?
Interesting. I know that any cryptographic system will ultimately fall prey to Moore's law. Also, wordlists compress very nicely, so disk space is much less of an issue. I'm very interested to see how long it takes before WPA2 becomes deprecated.
Re: Advanced WPA(2) attack methods?
That's very good. Rougue AP with a html request password page give always good results. If I remember well there was a test in a university with a similar AP and the attacker has collected a lot of password and username.
Re: Advanced WPA(2) attack methods?
@SilicaG about the rogue AP not helping... Forgot to quote sorry...
You actually wrong on that. If you create a rogue AP with the same SSID and MAC, then Deauth the client and have him connect to your AP, since you choose the nonce you can decrypt the key immediately. That is the accepted way to hack WPA via human element. Another way would be to use the PRGA stream along with TKIP (not necessary in this case of CCMP) and set up a captive portal with a fake page that asks for the wifi passwrd again.The is a script somewhere out there in forumland that does this for you.
World Domination is such an ugly phrase. I prefer the term World Optimization.
Re: Advanced WPA(2) attack methods?
Can you explain further?since you choose the nonce you can decrypt the key immediately
My understanding is that whatever nonce you choose, it will not be hashed correctly (since you don't know the PMK), and the authentication sequence will not complete. Therefore a fake AP can be used to grab the handshake, or to phish the key, but not to read/decrypt the key.
Re: Advanced WPA(2) attack methods?
I am also very interested in understanding this attack method, with a practical explanation, if possible.
Posting Permissions
