Is WPA/WPA2 Vulnerable to Brute Force?
Just for fun, I attempted to bruteforce my own WPA2 (“Wi-Fi Protected Access”) network using Elcomsoft Distributed Password Recovery. Since I had rather awful results in the past with *.PDFs, I thought, perhaps I would have better luck with WPA cracking. The PDF algorithm doesn’t work with GPUs, but it does work with WPA, so I thought that maybe I’d be in luck!
In order to bruteforce WPA/2, you have to capture a 4-way “handshake” (tutorial below). You can do this using BackTrack, or WireShark to listen and capture the packets to a file, specifically a *.CAP file. If you don’t capture it correctly, you won’t be able to even try cracking it. Not that this makes much of a difference…
So, is it possible to bruteforce a WPA/2 network? As it turns out, the answer to that is a resounding no. Shocked? The algorithm is so strong that the passwords-per-second that you can achieve in bruteforce are incredibly low. For example, I loaded the distributed agent on my Quad-Core (Q9450) system w/ just one NVIDIA GTX280, at full power it average just ~10,000 passwords per second. Even if I could double that to ~20,000 passwords per second, it wouldn’t even amount to a drop in the bucket. This would be more like a drop into the Hoover Dam.
Have a look at a tiny cluster of just7 systems (excluding the above-referenced rig), mostly CPUs (one GPU rig) w/ 11 cores going at it. All those systems combined produced a whopping 2,556 pw/s.
WPA/2 has a minimum password length of 8 characters, and for good reason. This length is just enough to make things impossible without serious power.
So, at 2,556 pw/s, you’re looking at ~1.1 million days to recover an 8-character password. Hey, that’s only ~3,013 years! But wait, there’s more. I only have uppercase and lowercase letters and numbers. What if they use a symbol or a space? Then it’s even worse! Or, what if it’s a 9, 10, or 20 character password? Forget about it. Moreover, if someone has an irregular SSID. you won’t be able to run a rainbow table attack on it.
If, however, you somehow get control of all the current GPU power of Bitcoin… then maybe you could successfully bruteforce my WPA/2 network, anything short of that, you’re out of luck.
Forgive my sarcasm, I just cannot wrap my mind around why this is even offered as an option in this software. Under what circumstances would it ever be possible? OK, I suppose if you knew some of the characters of the password, you could mask off the known characters and bruteforce the rest. In that instance, it could be a useful tool.
But hey, if you really don’t believe me, and want to give it a try yourself, here’s what you need to do:
- Download a BackTrack ISO (“BT”) and burn it to a disc (or use a VM if you know what you’re doing). (Note: different versions behave…differently. I found that, for example, BackTrack 3 worked with a certain wireless card of mine while BT4 did not recognize the same card. So, if you find that you have trouble with one version of BT, try out another before giving up. It is a really tremendously valuable distribution.)
- Boot up BT and open a terminal (command-line prompt).
-Type iwconfig to determine your wireless card interface name. (For example, “eth1″ or “wlan0″). If nothing shows up, then BT did not detect it, and you’ll have to do a lot of Googling to figure it out, or try another version of BT.
- Type airmon-ng start wlan0
- This will enable monitor mode on your wireless interface.
- It should be called mon0. So, go ahead and type: airodump-ng mon0
- From the list of wireless APs (Access Points), take note of the channel, ESSID and BSSID.
- Type airodump-ng -c [channel] -w [ESSID] –output-format ivs mon0
- The [ESSID] will be the filename. Note: don’t type the [brackets] themselves, just enter the data directly in. (As an example: airodump-ng -c 6 -w VGHzNetwork…)
- Open a new console.
- Type aireplay-ng -0 1 -e [BSSID] mon0
- This performs a deauthentication (“deauth”) — in order to acquire a 4-way handshake, someone needs to connect to the network. Since most computers automatically reconnect when the connection is interrupted, we use this command to kick them off. Note: You may need to do this several times, at different intervals. Depending on the router and devices connected, it can be tough to get the handshake. So, be patient. If no one is home, and no devices are connected… you can’t get the handshake no matter what you do. Someone must connect successfully.
- So, keep an eye on the previous console window and look for the words “WPA Handshake” to appear in the upper right corner. Once you see it, you can stop the console window (with Ctrl+C). The aireplay-ng window can then be closed as well since the handshake has been acquired.
- Type aircrack-ng -w list.lst [ESSID]
- Note: Remember the filename you specified earlier on. It will be a *.ivs file. Example: ESSID-01.ivs; type ls to locate it if you don’t know the name.
- You can use this file with ESDPR, or you can use the built-in dictionary attacker w/ aircrack-ng. You’ll want to use a pretty beefy dictionary — and it will likely fail, unless someone has a weak password consisting of something matching your dictionary. If you go this route, you’ll likely need a much largerĀ dictionary than the one provided with BT.
Samuel…U are out of date…………Japanese hv done it in less than 60 seconds…Way back in 2009….Where the fuck are you then………(Fucking around, I guess…lol).
Thanks Zed — I didn’t know that. Though, WPA w/ AES, and WPA2 are still secure and thus my article still holds ground given those parameters. But yes, perhaps I am !@#$ing around.