HN Gopher Feed (2017-07-24)
Crack WPA/WPA2 Wi-Fi Routers with Aircrack-Ng and Hashcat
227 points by braxxox
https://github.com/brannondorsey/wifi-cracking
bobsgame - 2 hours ago
I had the idea a long time ago to make a dd-wrt image which would
automatically crack the vulnerable routers within distance, detect
the model, and install a compatible version of itself in order to
spread virally and create a mesh network. I'm not going to pursue
it because it probably breaks a lot of laws, but I'm still curious
if it would have been possible. Does anyone know if this is
actually feasible? Maybe the radios can't handle that sort of
thing?
pletnes - 2 hours ago
Did you mean this? http://gizmodo.com/264050/slurpr-wi-fi-box-sucks-up-six-sign...
[deleted]
[deleted]
crummy - 2 hours ago
Probably cracking passwords would be very slow on router hardware
- cool idea though.
goda90 - 2 hours ago
The load could be distributed between nodes, or the original
node could be backed by a more powerful machine to do the
cracking.
rootsudo - 1 hours ago
Honestly, why reinvent the wheel. Use Wifite2 with a proper
password list and done.
thinkxl - 1 hours ago
There are two kinds of people, the ones that want to learn how to
do it "manually" and the script kiddies.
yedpodtrzitko - 4 hours ago
Is there anything novel in there? On a first sight it seems just
like a guide done hundred times before...
IncRnd - 3 hours ago
Nope. This is an ancient attack.
polpo - 4 hours ago
4,733,979 out of the 14,344,391 passwords (33%) in the rockyou.txt
dictionary file used for cracking in this guide are too short to be
WPA2 passwords, which have a minimum length of 8 characters. Are
aircrack and/or hashcat smart enough to not bother hashing those
short passwords?
polpo - 4 hours ago
(looks like the case for aircrack-ng, at least:
https://github.com/aircrack-ng/aircrack-ng/blob/master/src/a...)
domenukk - 4 hours ago
5 million hashes only take a few seconds for wpa2 anyway... Less
than two for this system:
https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a27...
stusmall - 3 hours ago
They don't touch it in this tutorial but typically you don't
check just what's in your dictionary. You also use a set of
rules to manipulate your dictionary that massively increases
the number of hashes to perform. Those 5 million entries
quickly pass tens of billions of hashes that need to be run.
These initial entries might be too short like OP pointed out,
but after the rules are applied it might generate many entries
that will be long enough to spend time hashing. The keyspace for
WPA is huge and the hash speed is still relatively slow; even
with an extremely high-end system like the one you linked to, the
quality of the initial dictionary is really important.
weinzierl - 1 hours ago
hashcat is smart enough in a subtle way. It will not bother with
candidates that are unsuitable for a certain hash type. It checks
this after the rules have been applied. (stusmall's comment
explains the influence of rules better than I could). Hashcat
shows these candidates as "Rejected". The interesting part is that
you can't configure the minimum or maximum length anymore[1], the
restrictions are hard coded for every hash type. This is because
for fast hashes the branch introduced by the check would be
slower than just hashing away[2].
[1] It was possible with the old CPU-based hashcat (--pw-min and --pw-max)
[2] https://hashcat.net/forum/thread-3444.html?highlight=branch
webaholic - 3 hours ago
To the script kiddies out there who read this: Do not try this on
others' wifi. It is a crime in the USA to crack network routers.
Although the chance of you getting caught is low, better be safe
than sorry.
jaimex2 - 16 minutes ago
What's the punishment in the US?
nextstep - 3 hours ago
Does this only crack single word passwords? If my password was two
common dictionary words or a common word plus a single number,
would this try that possibility?
[deleted]
baalimago - 3 hours ago
Most people don't change the password on their routers anymore.
thinkxl - 1 hours ago
wifite2[1] is a wrapper tool that does all this automatically. Not
trying to say that easier is better, in this case. Just wanted to
show this tool for those who don't know it.
[1] - https://github.com/derv82/wifite2
edit: added wifite initially, replaced it with wifite2
infamousjoeg - 5 hours ago
How long does the cracking process take? I remember WEP only
taking 10 minutes using aircrack-ng in BackTrace... I imagine this
takes substantially longer.
jaclaz - 4 hours ago
>Naive-hashcat uses various dictionary, rule, combination, and
mask attacks and it can take days or even months to run against
strong passwords. The cracked password will be saved to
hackme.pot, so check this file periodically.
legojoey17 - 4 hours ago
So I don't have experience with WPA cracking, but if the access
point has WPS (the click to connect button) you can sniff
handshakes on the network and crack the WPA password in
relatively no time. In my experience this has usually been under
10 minutes.
ty_a - 4 hours ago
On most recent firmware, there is an exponential backoff on WPS
connection attempts.
rexicus - 4 hours ago
It's not viable for those random 12-ish digit passwords most ISPs
will use.
Qub3d - 4 hours ago
Yeah, which is why it is sometimes weirdly safer to not change
your SSID - a cracker can assume that someone who figured out
how to change the broadcast name could've also changed the WiFi
password... often to something much less secure.
tFXR89qo - 3 hours ago
SSID is used for password hashing, so better change it from
default to avoid rainbow tables.
[deleted]
mkagenius - 48 minutes ago
If it is as slow as SHA512 then it will take 20 days on AWS g2 x8
large for 8 characters (made of alphanumeric or some 10 other
symbols).
arprocter - 3 hours ago
Time taken to crack WEP depended on if it was a 64 or 128 bit
key. I did a study using an Atom netbook - a 64 bit key (10 digits
long) took 8 mins to find, 128 (26 digits) took 30 mins.
aerovistae - 4 hours ago
I attempted to do this once and it turned out to be monumentally
difficult. I got as far as setting up a bootable kali thumb drive
before getting stopped in my tracks by hardware incompatibilities
and unexpected behaviors and errors. These articles make it sound
a LOT easier than it is. I was very disappointed because I was
really excited about it.
borne0 - 4 hours ago
And to make matters worse the compatible hardware has been
counterfeited a thousand times over and you never know which one
you're going to get purchasing online.
The_Sponge - 4 hours ago
It's not for the faint of heart or faint of technical skill -
different drivers have different behaviors and ways to enter the
various capture and raw packet modes needed to do this.
Personally, as long as I stick to supported chipsets, I've
almost never had an issue.
wil421 - 4 hours ago
Have you found a wifi card that will work on any laptop or
desktop?
bebopfunk - 4 hours ago
I've had great luck with this wireless card. Works out of the
box on any linux distro I've used it with. I bought it
specifically for its aircrack compatibility (packet injection
and monitor mode).
https://www.amazon.com/Alfa-AWUSO36NH-Wireless-Long-Rang-Net...
although some of the reviews seem to indicate there may have
been a change in chipset/drivers. I wish you luck!
rhinoceraptor - 4 hours ago
Not all Alfa products are OOB compatible, you definitely
need to be careful. I have the AWUS036AC which requires
compiling a DKMS module. It was a pain to get working on my
Raspberry Pi, I had to try several different drivers and
edit a Makefile to get it to compile. But I did eventually
get it working as an AP, there's a script called create_ap
which is very nice to painlessly run an AP on Linux.
wil421 - 3 hours ago
Thanks I was looking for something that could work on
Mac, Linux, Pi and Windows.
madez - 3 hours ago
The stuff from https://tehnoetic.com (EU) and
https://www.thinkpenguin.com (USA) just works.
proctor - 2 hours ago
I tested some of the most popular Kali Linux compatible cards
against each other here[0]. Note that there is a version 2 of
the popular and cheap TP-Link TL-WN722N which DOES NOT work
like the version 1 and should be avoided. All of these cards
are "known to just work" on linux at least.
[0] http://rooftopbazaar.com/wirelesscards/
wil421 - 4 hours ago
When I was in school and taking some network security classes I
attempted to crack my own wifi. Even after buying a wifi card
that could do what I needed I faced hardware issues. It was a
major PIA. It was almost easier to automate a brute force, sit
back and wait.
rxhernandez - 2 hours ago
I beg to differ. I was doing this at 15 or 16 years old in 2006
when it was still called backtrack. So long as you had a
mainstream laptop, the most difficult part was buying a
compatible wireless card. To note, the extent of my technical
abilities at that time wasn't much beyond being able to install a
mainstream linux distribution or write a simple program in C.
maxerickson - 1 hours ago
Yeah, I used Backtrack to show my brother that his big complex
password didn't mean anything if he was using WEP (this was
quite a while ago). On a pretty standard laptop (intel
chipset/CPU/GPU/Wireless) it booted right up with no effort.
aerovistae - 41 minutes ago
Regrettably it didn't work out that way for me. I had a brand
new macbook air at the time I tried this. When I booted into
Kali, I was unable to access the network settings at all[1],
period, let alone get any packet sniffing going. I couldn't
even connect to the internet.
[1] https://unix.stackexchange.com/questions/273941/missing-netw...
throwasehasdwi - 4 hours ago
I'm not sure why this is amazing enough to make the first page but
W/E it's HN :). Just so less informed are aware, this has been
feasible for maybe 7 years (since GPU calculation became
possible). Just so nobody freaks out, this is cracking weak
passwords, not broken WPA. I have myself cracked countless WiFi
passwords when security testing. It's easy if the passwords are
bad, which is maybe 90% of the time for home networks and 60% for
businesses. The attack is completely passive if you don't want to
be noticed, and with a cheap dish you can pick up both ends of the
handshakes from up to around a quarter mile away (line of sight).
amluto - 4 hours ago
> Just so nobody freaks out, this is cracking weak passwords, not
> broken WPA.
I beg to differ. The fact that WPA is subject to a
passive attack at all is a defect. It should use a PAKE, which
would entirely avoid this type of attack. There are simple
balanced PAKE protocols that would do the trick. DH-EKE, SPAKE2,
J-PAKE, and even the venerable SRP would all work. I believe
that several are old enough that no patents are possible, and,
even when WPA was standardized, something should have been
available.
throwasehasdwi - 3 hours ago
Yes, this is still a major problem with WPA. Also the fact that
certain control packets aren't authenticated is nearly
unforgivable. If correctly designed the only reasonable attack
on wifi would be channel jamming, sadly after many years this
still is not the case.
d33 - 3 hours ago
This is probably a good occasion for a call for WPA3:
https://github.com/d33tah/call-for-wpa3
kees99 - 40 minutes ago
WEP, WPA, WPA2... why keep reinventing the same wheel? Each
new iteration inevitably turns out to be less-than-perfect
and keeps adding more and more complexity and overhead - for
one, join/leave times keep increasing, up to a point where
we have a separate standard (802.11r) just to get back pre-
WPA roaming speeds (at the cost of even more protocol
complexity overhead). Here's a crazy idea: Why not run an open
network + IPSEC, or heck, even OpenVPN? Obviously, drop all
non-VPN traffic right on the AP (or first router after it)
to nip freeloaders in the bud.
MadSax - 3 hours ago
For those that don't know, like me, how would PAKE etc protect
against cracking of weak passwords used during client authentication?
mrb - 2 hours ago
PAKE is awesome, yet not very well-known :-( In a nutshell a
PAKE scheme guarantees that (1) a passive attacker has no way
to brute force passwords at all, and (2) that an active
attacker can at most test one candidate password per
authentication attempt.
PAKE is used by Thread (IOT protocol built on top of IEEE
802.15.4: https://threadgroup.org/ and it's precisely its use of
PAKE that makes it one of the most secure wireless protocols
IMHO. Disclosure: I helped security-review it during its design.)
Various PAKE schemes exist but a simple one based on
Diffie-Hellman works like this (called DH-EKE):
1. Client selects random priv, pub key pair: a, g^a
2. Server selects random priv, pub key pair: b, g^b
3. Client sends its pub key encrypted with client's password:
E(g^a, passwd)
4. Server sends its pub key encrypted with client's password:
E(g^b, passwd)
5. Client and server each decrypt the packets (with the password
that they both know) and get each other's pub keys: g^a, g^b
6. Client and server proceed with standard Diffie-Hellman: they
compute g^ab and use this value as an encryption key
7. Client and server do a message exchange encrypted with g^ab,
to verify they both derived the same key.
Note: I demonstrate the scheme DH-EKE because it's simple. But
please know this scheme is flawed when naively implemented. In
theory it should be safe when used with an elliptic curve variant
using Elligator https://elligator.cr.yp.to/ but I haven't seen
much research and peer reviews of Elligator... Other PAKE schemes
are considered perfectly secure (but their complexity makes them
unsuitable to be explained in an HN comment, eg: J-PAKE.)
What can an "offline" attacker do? He can passively sniff the
packets and get E(g^a, passwd) and E(g^b, passwd) but there
is no way for him to bruteforce the password. He can try to
decrypt the packet with candidate passwords, but he does not
know when he guesses the right one, because a successful
decryption will reveal g^a or g^b; however these values are
indistinguishable from random data (when using Elligator,
because that's exactly what it guarantees: that a pub key is
indistinguishable from random data.) And even if he guessed
right, he would obtain g^a and g^b, but would not be able to
decrypt any further communications as the use of Diffie-
Hellman makes it impossible to calculate the encryption key
g^ab.
What can an "online" attacker do? If he actively MiTMs
the connection and pretends to be the legitimate server, he
can send his own E(g^b, passwd) to the client using one
guessed candidate password. If he guessed wrong, then the
client will decrypt to an incorrect g^b, will not calculate
the right g^ab, and step 7 will fail. Good. At least the
client can detect a (failed) password guess attempt. And
that's all the attacker can do. Each authentication attempt
gives him only 1 chance to test 1 password. If, out of
frustration, the client tries to retype the password and re-
auth 3 times, then the attacker can at most try to guess 3
candidate passwords. He can't bruteforce many passwords.
An effort is ongoing to standardize one of the PAKE schemes,
called J-PAKE, in TLS:
https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01....
TLS with J-PAKE is what Thread uses.
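A toy run of the seven DH-EKE steps in the comment above, added here as an example; it is not mrb's code nor any real PAKE implementation. It assumes a constructed toy group (the Mersenne prime 2^127-1 with base 3, not a standardized DH group) and XOR with a password-derived pad as E(), and it shows the property the comment describes: an impersonating server gets to test exactly one candidate password per authentication attempt, because the step-7 key confirmation fails on every wrong guess.

```python
"""Toy DH-EKE (steps 1-7 of the comment above). Constructed example:
the group parameters and the password encryption are illustrative only,
and plain DH-EKE stays flawed unless public keys are indistinguishable
from random (the comment's Elligator caveat), which this toy does not fix."""
import hashlib
import hmac
import secrets

P = 2 ** 127 - 1   # toy modulus (a Mersenne prime), not a standardized DH group
G = 3              # toy base; assumed to have large order, not verified here
KEY_BYTES = 16     # fixed-width encoding of group elements (P fits in 127 bits)


def _pad(password: bytes) -> bytes:
    """Password-derived one-time pad; a real scheme would use a proper KDF."""
    return hashlib.sha256(b"DH-EKE|" + password).digest()[:KEY_BYTES]


def pw_encrypt(value: int, password: bytes) -> bytes:
    """E(value, passwd): XOR the encoded public key with the pad (steps 3 and 4)."""
    return bytes(x ^ y for x, y in zip(value.to_bytes(KEY_BYTES, "big"), _pad(password)))


def pw_decrypt(blob: bytes, password: bytes) -> int:
    """Inverse of pw_encrypt; a wrong password yields an arbitrary number (step 5)."""
    return int.from_bytes(bytes(x ^ y for x, y in zip(blob, _pad(password))), "big")


class Party:
    def __init__(self, password: bytes):
        self.password = password
        self.priv = secrets.randbelow(P - 2) + 1   # steps 1 and 2: random exponent a or b
        self.pub = pow(G, self.priv, P)             # g^a or g^b

    def encrypted_pub(self) -> bytes:
        return pw_encrypt(self.pub, self.password)

    def derive_key(self, peer_blob: bytes) -> bytes:
        """Steps 5 and 6: decrypt the peer's public key and compute g^ab."""
        peer_pub = pw_decrypt(peer_blob, self.password)
        shared = pow(peer_pub, self.priv, P)        # equals g^ab only if both passwords match
        return hashlib.sha256(b"key|" + shared.to_bytes(KEY_BYTES, "big")).digest()

    def confirm(self, key: bytes, label: bytes) -> bytes:
        """Step 7: key-confirmation MAC that the peer recomputes with its own key."""
        return hmac.new(key, label, hashlib.sha256).digest()


def run_exchange(client_password: bytes, server_password: bytes) -> bool:
    """One authentication attempt; True only when both sides derived the same key."""
    client, server = Party(client_password), Party(server_password)
    c_blob, s_blob = client.encrypted_pub(), server.encrypted_pub()   # the two sniffable packets
    k_client, k_server = client.derive_key(s_blob), server.derive_key(c_blob)
    server_ok = hmac.compare_digest(client.confirm(k_client, b"client"), server.confirm(k_server, b"client"))
    client_ok = hmac.compare_digest(server.confirm(k_server, b"server"), client.confirm(k_client, b"server"))
    return client_ok and server_ok


def online_guesses(real_password: bytes, candidates: list) -> list:
    """An impersonating server gets one candidate per authentication attempt: the
    client's step-7 check fails for each wrong guess, so N guesses cost N visible attempts."""
    return [run_exchange(real_password, guess) for guess in candidates]


if __name__ == "__main__":
    print(run_exchange(b"correct horse", b"correct horse"))                            # True
    print(online_guesses(b"correct horse", [b"password", b"123456", b"correct horse"]))  # [False, False, True]
```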
throwasehasdwi - 3 hours ago
It doesn't give you a hash to crack. It reduces your speed of
guessing passwords from "how quick can you hash X", which is
millions of times per second, to "how many times can I
attempt to get in before the access point blocks me". The
major issue with WPA password cracking today is that it can
be done "offline". You can pull the handshake out of the air
and bang on it as long as you want. It's pretty much the same
thing as trying to guess a password from some leaked hashes
vs trying to guess a password using the gmail interface.
MadSax - 3 hours ago
Thanks. I also hope that deauth frames are encrypted in the
next version of WPA.
throwasehasdwi - 2 hours ago
They are a current feature but not the baseline which
means in practice implementations are buggy or non
existent. I've had a few nicer routers where I could turn
the options on but most clients are not able to connect
:( . It needs to be in the baseline standard to get
qualified or nobody will implement it.
xori - 3 hours ago
I'm not sure how PAKE works, but how would an AP block you?
MAC addresses are forgeable. And any nonce an AP sends down
as a one-time salt would be visible to you and you could
still just brute force it offline.
EDIT: After reading up on SPAKE2, it's basically just a
Diffie-Hellman exchange. You can still totally do a brute
force because you know what the first encrypted payload
should look like and you can listen in for that encrypted
message and use that as your "test that you got it right".
I think that at the end of the day, no matter what key
stretching techniques you use, a bad starting key results in
a bad end key.
stickfigure - 2 hours ago
Blocking isn't really necessary. How many attempts could
an AP process per second? Not enough to try a large
dictionary with variations.
phinnaeus - 38 minutes ago
Wouldn't that effectively be jamming the AP at that
point?
JetSpiegel - 23 minutes ago
At which point you call security, or just look around the
room and check who is jamming the WiFi.
throwasehasdwi - 2 hours ago
You can't brute force a nonce offline when you don't know
if your answer is right unless you ask the AP. Different
protocols than sending hashes where you can tell if your
hash is correct just by looking at it. You are right that
the AP couldn't block you without blocking everyone, but
since you need to check your answer with the AP for each
guess your attack becomes extremely visible. I guess you
could still DDOS the AP by sending auth requests faster
than it allows but that doesn't hurt the channel any more
than barrage jamming which is un-blockable.
xori - 2 hours ago
But you can capture the first encrypted packet from the
router, and you know what the protocol is to test if your
decoded version is correct. I still don't see how this
helps.
throwasehasdwi - 2 hours ago
I'm not a crypto expert and I'm sure even if I was it
would be difficult to explain. Wiki page on SRP has a
good description though:
> Like all PAKE protocols, an eavesdropper or man in the
> middle cannot obtain enough information to be able to
> brute force guess a password without further interactions
> with the parties for each guess. In layman's terms, given
> two parties who both know a password, SRP (or any other
> PAKE protocol) is a way for one party (the "client" or
> "user") to demonstrate to another party (the "server") that
> they know the password, without sending the password itself,
> nor any other information from which the password can be
> broken. Further, it is not possible to conduct an offline
> brute force search for the password.
https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...
[deleted]
throwaway91111 - 23 minutes ago
Agreed. However, WPA has been obviously broken for years; just
use WPA2 instead. It's also way easier to set up on your
grandmother's random router.
mdeeks - 4 hours ago
Can someone define what is considered a weak vs strong password
now for WiFi? The only guides I found online are years old. Is 10
characters considered weak for mixed case letters, numbers, plus
punctuation now?
fhood - 4 hours ago
Weak = is in rainbow table that hashcat is using
throwasehasdwi - 4 hours ago
Wifi password cracking is only around 1000X slower than a
SHA256 brute-force if I remember right. So your password needs
to be secure enough that if a hash of it was leaked it would
never be cracked.... So very strong. WPA enterprise using
certificates is usually much harder to crack since you need to
interrogate the server, you can't just brute force the hash. This
method only really applies to PSK mode (home networks and small
businesses usually).
domenukk - 4 hours ago
If you consider your random keyspace with 26 * 2 chars + 10
numbers + 20ish special chars then to crack 10 letters you'll
have to try an average of ((26 * 2 + 10 + 20) ^ 10) / 2 =
6.8724016e+18 keys. If you then assume around 3 million hashes
per second it still takes around 72641 days to crack your
password.
Edit: As another comment said, just make sure it's not
easy to guess based on rainbow tables and whatnot
1wd - 3 hours ago
Did you mean 72641 days or years? (And could / should we
include somehow that "hashes/second" increases by a factor of
~2(?) each year?)
rocqua - 3 hours ago
To do this formally, you need to consider information entropy.
This is all about how you generated your password. 10
characters of totally random mixed case, numbers and
punctuation gives about 60 bits of entropy which is strong
enough.
HOWEVER, that calculation only works if all 10
characters were generated uniformly and randomly. Humans are
terrible at this. Now, maybe your trick for turning words into
safe passwords is great, but there is no way to be sure. Sadly,
remembering 10 random characters is hard.
Luckily, easy to remember and strong passwords are possible. The
system I would recommend is diceware: www.diceware.com
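An added worked model (not from any commenter) that carries domenukk's keyspace figure through, answers 1wd's question about a hash rate that doubles every year, and computes the entropy figure rocqua cites. The 82-symbol alphabet, 10-character length, 3 million hashes/second and annual doubling are the commenters' assumptions, reused here as constructed inputs.

```python
"""Brute-force cost model for the keyspace discussed above. Constructed
example: 82-symbol alphabet, 10 characters, 3 million hashes/second."""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Average guesses to hit a uniformly random password: half the keyspace."""
    return alphabet_size ** length // 2


def years_at_constant_rate(guesses: int, hashes_per_second: float) -> float:
    """Estimate with a fixed hash rate (the 72641 figure above comes out in years)."""
    return guesses / hashes_per_second / SECONDS_PER_YEAR


def years_with_doubling_rate(guesses: int, hashes_per_second: float,
                             doubling_years: float = 1.0) -> float:
    """Rate grows as r0 * 2^(t/T) with t in years. Guesses completed by time t
    are r0 * T * (2^(t/T) - 1) / ln 2; solving that for t gives the value below."""
    r0 = hashes_per_second * SECONDS_PER_YEAR          # guesses per year at today's rate
    return doubling_years * math.log2(1 + guesses * math.log(2) / (r0 * doubling_years))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password (rocqua's 'about 60 bits')."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    n = expected_guesses(26 * 2 + 10 + 20, 10)
    print(n)                                   # 6872401566798029312
    print(years_at_constant_rate(n, 3e6))      # about 72641 (years)
    print(years_with_doubling_rate(n, 3e6))    # about 15.6 years if the rate doubles yearly
    print(entropy_bits(82, 10))                # about 63.6 bits
```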
joshjje - 14 minutes ago
There was a nice comic/picture of this. I tend to follow it.
Basically using 3-4 short words as a phrase instead of random
characters. You can toss special characters
inbetween/before/after. They are also much easier to
remember. Password "FoolMeOnce!ShameOnMe" for example.
samstave - 1 hours ago
I would love to see a comparison between where physically and
which modifiers are used for each character are, and the
strength of a password. Is a password which is very
easy/comfortable to type out physically any more/less strong
than another of the same length? I ask this because I often
use a visual pattern on the keyboard for a password and I
don't recall which characters they may be, but I recall the
pattern I need to type out on a qwerty kb.
Laforet - 1 minutes ago
Depends on how good the pattern is, however entropy is in
all likelihood lower because the layout of the qwerty keyboard
is standardised. Most password cracking dictionaries already
include common keyboard patterns such as "qwerfdsazxcv" or
variations of it.
thomastjeffery - 1 hours ago
> but W/E it's HN
Would you please simply type "whatever", instead
of this "W/E" nonsense? Considering the amount of 8+ character
adjectives you used, you clearly aren't trying to be less
verbose.
hyperdunc - 3 minutes ago
In the same spirit of improving grammar and readability - I
think you meant to type 'number' of 8+ character adjectives.
hartator - 1 hours ago
I am okay with abbreviations, but I had to think twice for this
one.
lqdc13 - 4 hours ago
Nowadays most routers I've seen come with a pre-shared key that's
something like 20 chars long. It's been the case with Comcast +
Verizon for a while now. Not sure about AT&T. Still might work 10%
of the time though.
paulgerhardt - 3 hours ago
Some regional bias here. Most of Asia (so most of the world) uses
digits only for their wifi password. Lack of fluency with Latin
characters was not a big concern in the original
implementation. That should be fixed with WPA3.