
Tuesday, December 8, 2009

WPA Cracker

There was an interesting article on the Register this morning about a new cloud-based service that allows you to brute-force crack wireless WPA passwords. The service, run by Moxie Marlinspike of null byte prefix fame, claims it can compare your key against a 135 million word dictionary, optimised for WPA passwords, in around 20 minutes. It achieves that speed by spreading the load over a 400 CPU cloud cluster.

Although the figures are impressive, the service falls well short of guaranteeing that it can crack your WPA password (note that it doesn't claim it can). For an 8 character key that uses upper case, lower case and numbers, there are 2.18 × 10^14 possible combinations. This rises to 4.77 × 10^28 for a 16 character password. Hence the chance of the service successfully finding your password depends on how closely it resembles a dictionary word.
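To make those figures concrete, here is an added Python example (not code from the post or the service) that computes the key space, its entropy in bits, the fraction of it a 135 million word dictionary can cover, and how long an exhaustive search would take at the throughput implied by "135 million words in 20 minutes". The 62 symbol alphabet (A-Z, a-z, 0-9) and the 95 symbol printable ASCII alphabet, as well as the guesses-per-second rate derived from the post, are assumptions made for the example.

```python
import math

# Figures quoted in the post, used here as constructed assumptions about
# the service's throughput: a 135 million word dictionary run in ~20 minutes.
DICTIONARY_WORDS = 135_000_000
DICTIONARY_SECONDS = 20 * 60
GUESSES_PER_SECOND = DICTIONARY_WORDS / DICTIONARY_SECONDS  # 112,500 guesses/s

# Alphabet assumed for the post's two key-space figures: A-Z, a-z, 0-9.
MIXED_ALNUM = 26 + 26 + 10  # 62 symbols
# For comparison: the full printable ASCII set a WPA passphrase may use (95 symbols).
PRINTABLE_ASCII = 95


def key_space(alphabet_size, length):
    """Number of distinct keys of exactly `length` symbols drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random key: log2 of the key space."""
    return length * math.log2(alphabet_size)


def dictionary_coverage(alphabet_size, length, words=DICTIONARY_WORDS):
    """Fraction of the key space a wordlist of `words` entries covers.

    Against a uniformly random key this is the attacker's success probability;
    against a human-chosen key it is only a floor, because the wordlist is built
    from the patterns people actually pick (which is the post's point).
    """
    return min(1.0, words / key_space(alphabet_size, length))


def exhaustive_search_years(alphabet_size, length, guesses_per_second=GUESSES_PER_SECOND):
    """Years needed to try every key at the throughput implied by the post."""
    seconds = key_space(alphabet_size, length) / guesses_per_second
    return seconds / (365 * 24 * 60 * 60)


if __name__ == "__main__":
    print(f"{'alphabet':>8} {'len':>3} {'key space':>10} {'bits':>6} "
          f"{'dict cover':>12} {'exhaust (yrs)':>14}")
    for alphabet, name in ((MIXED_ALNUM, "62"), (PRINTABLE_ASCII, "95")):
        for length in (8, 12, 16):
            print(f"{name:>8} {length:>3} {key_space(alphabet, length):10.2e} "
                  f"{entropy_bits(alphabet, length):6.1f} "
                  f"{dictionary_coverage(alphabet, length):12.2e} "
                  f"{exhaustive_search_years(alphabet, length):14.2e}")
```

The table makes the post's argument visible: an 8 character mixed alphanumeric key already needs about 60 years of the service's throughput to exhaust, and the dictionary covers less than a millionth of that space, so the only keys the service realistically finds are the ones that were in its wordlist to begin with.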

Of course, in reality your WPA key almost certainly does resemble a dictionary word. If you want to make it safer while still keeping it memorable, increase its length, as discussed here.

If you want to test the strength of your WPA password, you need to capture the WPA handshake using something like Aircrack-ng, then submit it to the site and hand over $17.

Wednesday, September 16, 2009

Cracking WEP

We all know that using WEP to protect wireless network communication is considered insecure, and many people also know that this is because of the way the deprecated RC4 stream cipher is used in its implementation. In real terms, the implementation weakness allows anyone who can capture enough WEP-encrypted packets from a particular wireless access point to use statistical analysis to recover the encryption key. This is much quicker and easier than a brute-force dictionary attack.

If you are not a mathematician with some handy wireless packet capture equipment, cracking WEP still seems quite tricky. However, a quick search of the internet shows that there are plenty of tools out there to do the job for you. Most links point in the direction of aircrack-ng, a suite of tools that allows you to discover weak access points, capture wireless packets, inject extra packets to generate more traffic and finally extract the encryption key. There are even plenty of YouTube videos telling you how to use it, but I found the documentation on the aircrack-ng site easier to follow.

The most difficult part of the process is getting your wireless network card to work with the software, as not all chipsets are supported. Refer to the hardware compatibility list. Aircrack-ng works better with Linux, but if you only have Windows you can use a Live CD such as BackTrack.

My own experimentation showed that once you have your attack system up and running, it typically took less than 10 minutes to break into a WEP-protected wireless network. Although it is possible to complicate the process by hiding the SSID and restricting MAC addresses, these measures only delay the WEP network's compromise.

To conclude, WEP shouldn't be used to secure a wireless network. Given that I can pick up four WEP networks just from my house (I do live near a business centre), it's possible it is still in widespread use. Even those networks that are WPA protected are not necessarily safe. The aircrack-ng software also includes a brute-force attack method that works against the four-way handshake part of the initial WPA negotiation, although it's only really successful if common dictionary words are used for the key. There are also reports of new techniques, similar to the WEP attack, that can be used against WPA TKIP, so it is surely only a matter of time before tools are available to crack this as well. So my advice is to use WPA2 (AES) with strong keys, and upgrade as new technology becomes available.
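As an added example of putting that advice into practice (this is not code from the post or from aircrack-ng), the Python below audits a wireless scan listing and flags every network that is still on WEP, still permits TKIP, or has no WPA2 at all. The input is a constructed sample in the shape of NetworkManager's terse, colon-separated `nmcli -t -f SSID,SECURITY,WPA-FLAGS,RSN-FLAGS device wifi list` output; the SSIDs and flag values are made up for the example, and the exact field spellings are an assumption about that tool's output.

```python
import re

# Constructed sample in the shape of the terse, colon-separated output of
#   nmcli -t -f SSID,SECURITY,WPA-FLAGS,RSN-FLAGS device wifi list
# The SSIDs and flag values are made up for this example; real adapters and
# NetworkManager versions may print the fields slightly differently.
SAMPLE_LISTING = """\
CoffeeShop:WEP:(none):(none)
OldOffice:WPA1:pair_tkip group_tkip key_mgmt_psk:(none)
HomeMixed:WPA1 WPA2:pair_tkip group_tkip key_mgmt_psk:pair_ccmp pair_tkip group_tkip key_mgmt_psk
HomeGood:WPA2:(none):pair_ccmp group_ccmp key_mgmt_psk
GuestOpen::(none):(none)
"""

# Most to least urgent; used to order the report.
VERDICT_ORDER = ("critical", "high", "medium", "info", "ok")


def parse_listing(text):
    """Split terse nmcli lines into (ssid, security, wpa_flags, rsn_flags).

    nmcli escapes a literal ':' inside a field as a backslash-colon in terse
    mode, so the split only happens on unescaped colons.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        fields += [""] * (4 - len(fields))  # tolerate short lines
        rows.append(tuple(fields[:4]))
    return rows


def classify(security, wpa_flags, rsn_flags):
    """Return (verdict, reason) for one network, following the post's advice:
    WEP is broken, TKIP is on its way out, WPA2 with CCMP (AES) is the target."""
    protocols = security.split()
    ciphers = f"{wpa_flags} {rsn_flags}".lower()
    if "WEP" in protocols:
        return "critical", "WEP: key recoverable by statistical attack; replace the network"
    if not protocols:
        return "info", "open network: no confidentiality at all"
    if "tkip" in ciphers:
        return "high", "TKIP allowed: restrict to WPA2 with CCMP (AES) only"
    if "WPA2" not in protocols:
        return "high", "WPA (pre-WPA2) only: move to WPA2 with CCMP (AES)"
    if "ccmp" in ciphers:
        return "ok", "WPA2 with CCMP (AES): key strength is now the deciding factor"
    return "medium", "WPA2 but cipher not reported: verify CCMP is enforced"


def audit(text):
    """Audit a scan listing; returns report rows sorted most urgent first."""
    report = []
    for ssid, security, wpa_flags, rsn_flags in parse_listing(text):
        verdict, reason = classify(security, wpa_flags, rsn_flags)
        report.append({"ssid": ssid, "security": security or "open",
                       "verdict": verdict, "reason": reason})
    return sorted(report, key=lambda r: (VERDICT_ORDER.index(r["verdict"]), r["ssid"]))


if __name__ == "__main__":
    for row in audit(SAMPLE_LISTING):
        print(f"{row['verdict']:>8}  {row['ssid']:<12} {row['security']:<10} {row['reason']}")
```

Note that a network advertising both WPA and WPA2 is still flagged: as long as the access point accepts TKIP for any client, the TKIP weaknesses the post mentions apply to it, so the fix is to disable the WPA/TKIP mode entirely rather than merely to add WPA2 alongside it.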