Testing WPA PassPhrase Strength, how long is long enough.

    • #2780
      dalepearson
      Participant

      Question to those who do regular Wireless Pen Tests, when do you decide to throw in the towel when it comes to WPA based attacks, and is this predefined contractually with the client?

      The reason I ask is that, obviously you have the dictionary and brute force attacks, and as you can sniff the handshake and then work offline you really do have forever to test various rainbow tables, keyword lists and other techniques, but when do you decide enough is enough, and you will happily tell your client based on the techniques used the choice of passphrase in use is acceptable.

      Of course you could simply review the passphrase if they offered it to you and make a judgement call on how likely it would appear in someone's lists when attacking, but that would kinda defeat the Wireless Pen Test.

    • #19481
      joswr1ght
      Participant

      @dalepearson wrote:

      Question to those who do regular Wireless Pen Tests, when do you decide to throw in the towel when it comes to WPA based attacks, and is this predefined contractually with the client?

      Certainly, this depends on the negotiated terms and goals of the engagement with the customer.  I have a few dictionaries I'll try and have pre-established mechanisms to accelerate the testing process (using nVidia GPUs, available hosts and FPGAs), and I'll run that to completion for a test.

      @dalepearson wrote:

      The reason I ask is that, obviously you have the dictionary and brute force attacks, and as you can sniff the handshake and then work offline you really do have forever to test various rainbow tables, keyword lists and other techniques, but when do you decide enough is enough, and you will happily tell your client based on the techniques used the choice of passphrase in use is acceptable.

      Determining if the passphrase choice is acceptable requires more evaluation than just what you can determine from a penetration test.  I try to work out with the client what the resources would be of a potential adversary ($1,000? $10,000? $1,000,000?) and then use math to figure out how long it would take to figure out the selected passphrase (usually, this is by ignoring the entropy of the selected passphrase, and just using the character selection and length of the passphrase, factoring in probability).

      @dalepearson wrote:

      Of course you could simply review the passphrase if they offered it to you and make a judgement call on how likely it would appear in someone's lists when attacking, but that would kinda defeat the Wireless Pen Test.

      For me, PSKs aren't acceptable in anything but the environments of least risk (perhaps a guest network, or a home network with little to no valuable resources).  It's less about being able to brute-force the PSK, and more about how the PSK (or derived PMK) is stored on each and every workstation.  I can use a combined pen-test approach to leverage physical security with wireless attacks and a tool like Aircrack-ng's WZCOOK to extract a PMK which is shared by all the other users on the network, all without having to resort to dictionary attacks.

      Good post.

      -Josh

    • #19482
      dalepearson
      Participant

      Josh,

      thanks for your response.
      I was just trying to get an insight into how Pen Testers like yourself approach these sorts of situations.

      Thanks for taking the time to respond.

    • #19483
      sturm
      Participant

      @dalepearson wrote:

      Question to those who do regular Wireless Pen Tests, when do you decide to throw in the towel when it comes to WPA based attacks, and is this predefined contractually with the client?

      The reason I ask is that, obviously you have the dictionary and brute force attacks, and as you can sniff the handshake and then work offline you really do have forever to test various rainbow tables, keyword lists and other techniques, but when do you decide enough is enough, and you will happily tell your client based on the techniques used the choice of passphrase in use is acceptable.

      Of course you could simply review the passphrase if they offered it to you and make a judgement call on how likely it would appear in someone's lists when attacking, but that would kinda defeat the Wireless Pen Test.

      This is a good question.

      As the password approaches true randomness, the statistical possibilities become overwhelming, even for an eight-character password.  For example, if one considers that all of the keys on the keyboard can be used to construct the password, then there are 95-raised-to-the-8th-power possibilities.  This is 6,634,204,312,890,625 possible passwords.  (I don't even know what the number is?  A quadrillion?)  Aircrack-ng, which is the best cracker I've found so far, tests about 220 keys per second on a 1.9GHz cpu.  At that rate, it would take 956,223 years, or about the time for another Ice Age to come and go, to crack it.

      Adding just one character increases that time exponentially. 

      But, of course, most humans don't choose passwords randomly.  In fact, humans really don't do anything randomly.  They opt for patterns which loom in their memories.  Thus, the development of brute force dictionaries.

      I have a dictionary of wpa 8-char passcodes which is 1.2 million entries and have yet
      to crack an interesting WPA-TKIP-PSK access point with it.  So obviously people
      with valuable data do not use crap passwords.

      If anyone has any ideas on this, I’d be interested in hearing them.
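The keyspace arithmetic sturm's post walks through, and the budget-driven estimate joswr1ght describes, as an added worked example (not code from either poster or from Aircrack-ng). The 95-character set, 8-character length and 220 guesses/s are the thread's figures; the guesses-per-dollar rate in `attacker_years` is an assumption the tester must supply from their own benchmarks.

```python
"""Estimate how long an offline WPA-PSK search takes from keyspace and guess rate.

Reproduces the thread's figures: 95 printable keyboard characters, 8 characters,
220 guesses/s on a 1.9 GHz CPU gives about 956,223 years to exhaust the space.
"""
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000 s; the 365-day year the post used


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passphrases when every character is chosen uniformly."""
    return charset_size ** length


def crack_years(charset_size: int, length: int, guesses_per_second: int,
                average_case: bool = False) -> Fraction:
    """Years to search the keyspace at a fixed offline rate (exact rational).

    average_case=False is the worst case (whole space must be tried);
    average_case=True halves it, the expected cost for a uniformly random choice.
    """
    fraction = Fraction(1, 2) if average_case else Fraction(1)
    seconds = Fraction(keyspace(charset_size, length)) * fraction / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def dictionary_hours(entries: int, guesses_per_second: int) -> Fraction:
    """Hours to run an entire wordlist, e.g. the 1.2M-entry list from the thread."""
    return Fraction(entries, guesses_per_second) / 3600


def attacker_years(charset_size: int, length: int, budget_usd: int,
                   guesses_per_second_per_usd: int) -> Fraction:
    """Budget-based estimate: rate scales linearly with what the adversary spends.

    guesses_per_second_per_usd is a hypothetical benchmark figure, not a value
    from the thread; it stands in for the GPU/FPGA acceleration joswr1ght mentions.
    """
    return crack_years(charset_size, length, budget_usd * guesses_per_second_per_usd)


if __name__ == "__main__":
    print(f"95^8 = {keyspace(95, 8):,}")
    print(f"worst case at 220/s: {float(crack_years(95, 8, 220)):,.0f} years")
    print(f"average case at 220/s: {float(crack_years(95, 8, 220, True)):,.0f} years")
    # each extra character multiplies the search by the charset size (95 here)
    print(f"9 chars / 8 chars = {crack_years(95, 9, 220) / crack_years(95, 8, 220)}")
    print(f"1.2M-word list at 220/s: {float(dictionary_hours(1_200_000, 220)):.1f} hours")
```

The same functions show why a dictionary of any realistic size is exhausted in hours while a random 8-character passphrase is not, which is the gap between the two posters' reasoning.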
