29 Nov
Author: admin | Categories: IT Management | Comments: 0

WEP is dead. Even your mother knows not to encrypt her Linksys wireless router with WEP. All of us who have played around with the aircrack-ng tool set (on our own networks, of course :-) ) know that by using aircrack in conjunction with packet injection/replay attacks, WEP keys can be cracked within a couple of minutes [EDIT: According to German researchers, WEP can now be cracked in an average of 20 seconds on an 802.11g network].

Well, we should use WPA/WPA2 PSK then, right? Yes, but with a couple of caveats. First of all, I need to get something out of the way. The recent media explosion that "WPA has been cracked" was blown way out of proportion. One, this only affects WPA/WPA2 networks protected with Temporal Key Integrity Protocol (TKIP), as opposed to the more secure Advanced Encryption Standard (AES). Two, this attack does not result in disclosure of the secret key; it simply allows re-injection of short packets. Unless there are some unknown 0-day exploits that can compromise a system using a hijacked eight-byte message, I think it's relatively safe to say nobody should panic YET.

Now, let me explain the real threat against WPA/WPA2 keys: brute-force attacks. Yes, ever since the development of rainbow tables (pre-computed password lookup tables for cracking Windows hashes that exploit the time-memory trade-off; lookups can literally be completed in seconds), brute forcing has taken a back seat in the hacker's arsenal. You may wonder whether the rainbow-table method can be applied to cracking WPA. The answer to that question is yes and no. Unfortunately (or fortunately for the unsuspecting user?), a WPA hash is based on a combination of the WPA SSID AND the secret key hashed together 4096 times. What does this mean? It means that even if you can capture a 4-way handshake and extract the pre-shared key (PSK), you would still have to generate lookup tables specific to a single SSID. Fortunately, if the target SSID is one of the top 1000 most common, then you're lucky, because the folks over at Render Lab have already done this for you (see the 33 GB set).

What if your target's SSID isn't in the top 1000 SSID list? Well, you're not completely out of luck. Grab your favorite word list, combine it with John the Ripper's word-mangling functionality, and you can perform a dictionary attack against the captured PSK. This attack can still be completed in a relatively reasonable amount of time (depending upon the size of your word list).
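To make the "SSID AND the secret key hashed together 4096 times" point concrete, and to show why a precomputed table only helps for the one network name it was built for, here is an added example (not from the original post) that derives the WPA/WPA2-Personal Pairwise Master Key exactly as the standard does: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output. The SSIDs, the four-word list and the function names are constructed for the demonstration.

```python
import hashlib

# WPA/WPA2-Personal derives the 256-bit Pairwise Master Key (PMK) from the
# passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096
# iterations (IEEE 802.11i, Annex H). This is the "hashed together 4096
# times" step: every candidate passphrase costs 4096 HMAC-SHA1 rounds, and
# the result is different for every SSID.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """Return the PMK for an SSID/passphrase pair (passphrase is 8..63 ASCII chars)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def build_pmk_table(ssid: str, wordlist) -> dict:
    """Precompute a PMK -> passphrase lookup table for ONE SSID.

    The salt (SSID) is baked into every entry, which is why a WPA lookup
    table has to be generated per network name and cannot be reused."""
    return {derive_pmk(ssid, word): word for word in wordlist}


def lookup_pmk(table: dict, pmk: bytes):
    """Return the passphrase whose PMK matches, or None when the table misses."""
    return table.get(pmk)


def demo():
    # Constructed sample word list (hypothetical, not from any real leak).
    wordlist = ["password", "letmein1", "linksys1", "sunshine"]
    table_for_linksys = build_pmk_table("linksys", wordlist)

    # Same passphrase, different SSID: the PMK changes completely.
    pmk_linksys = derive_pmk("linksys", "sunshine")
    pmk_netgear = derive_pmk("NETGEAR", "sunshine")
    assert pmk_linksys != pmk_netgear

    hit = lookup_pmk(table_for_linksys, pmk_linksys)   # table built for this SSID
    miss = lookup_pmk(table_for_linksys, pmk_netgear)  # same word, other SSID
    return hit, miss


if __name__ == "__main__":
    hit, miss = demo()
    print("linksys table, SSID linksys:", hit)   # sunshine
    print("linksys table, SSID NETGEAR:", miss)  # None
    # Known-answer check from the IEEE 802.11i Annex H test vectors.
    print("PMK(IEEE, password):", derive_pmk("IEEE", "password").hex())
```

The final print line reproduces the published 802.11i test vector, which is a quick way to confirm the derivation matches what real supplicants compute.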

Moral of this story: Use WPA/WPA2 with AES, and use a sufficiently long and complex secret key that is NOT based on a dictionary word.

