WPA WPA2 Cracking no longer a problem

    • #6239
      Anonymous
      Participant

      Hi All,

      Many of us know that cracking WPA and WPA2 keys was never 100% secure. However, as long as the key used was complex and long enough it was not an easy process to brute force the key, as it would take days, weeks, months even.

      Introducing the cloud

      Nowadays it's very cheap to hire supercomputers that run a lot faster and can run an English dictionary of 284 million words in around 55 min for around $40, so how secure is WPA and WPA2 now?

      http://www.wpacracker.com/index.html

    • #38993
      hayabusa
      Participant

      Nice!  Sure saves time, if they truly have the setup to handle it, as they claim.  (Wouldn’t surprise me, and was bound to show up, sooner or later.)

      Then again, there’s no guarantee, still, that it’ll be in a dictionary (the smart ones WON’T use dictionary words, or even easy permutations…)

    • #38994
      hayabusa
      Participant

      @Jamie.R wrote:

      …so how secure is WPA and WPA2 now?

      So I’d say, still VERY secure, if on WPA2, assuming the person BEHIND the password / passphrase puts their thought into it.  Advances will come, over time, but the reality is, if the person / people implementing do it right, it’s still pretty solid.

    • #38995
      Anonymous
      Participant

      That is true, hayabusa.

    • #38996
      hayabusa
      Participant

      Actually, I’ll go one step further on this, just to clarify my thoughts…

      Certainly, for the low value, it’s worth using in a pentest, to TRY to crack the protection, and get in.  I think, even more, that the value of this lies more for security auditors, to ensure that a company DID do the smart thing, and took proper care / precaution in selecting their passphrases / keys, etc. 

      So not saying there’s no value in this service.  Just that, if you’re a pentester, you’ve got to know that IF you’re going against a network where the admins had half a clue, you’re liable to hit a dead end (albeit much more quickly  :P)

    • #38997
      WCNA
      Participant

      That brings up one of the ironic things about pentesting. Failing to break in is a good thing. Unfortunately, companies don’t know whether the failure to break in was due to good security or a poor pentest. Luckily, standards are being adopted.

    • #38998
      jsm725
      Participant

      So this brings up an interesting question. Yes we could do this to speed up the process of cracking WPA/WPA2, but should we do this?

      What are the implications of giving client information to a third party that doesn’t have a contractual obligation to the client? What type of agreement are you making with WPACrack before you hand over a .pcap of client data?

    • #38999
      hayabusa
      Participant

      @jsm725 – Personally, I’d strip the pcap down to only the auth packets needed to crack the WPA.  Additionally, one would HOPE, anyway, that any IPs in the pcap are internal, and that there’s nothing publicly identifiable in there.  This is all assuming I use their service, to begin with.

      That’s my take, anyway…

      @WCNA – agreed, and good that folks are working towards some standards.  Either way, though, if I were to hire someone to pentest me, I’d want a detail of their methods and attacks they attempted, so I could decide, for myself, about the ‘quality’ of the services they performed.  A GOOD pentest report WILL include the technical details and steps, for the technical folks to review, afterwards.

    • #39000
      hell_razor
      Participant

      @WCNA wrote:

      That brings up one of the ironic things about pentesting. Failing to break in is a good thing. Unfortunately, companies don’t know whether the failure to break in was due to good security or a poor pentest. Luckily, standards are being adopted.

      This is why setting up a honeynet with some “open” doors might be a good thing.  If they find it, and get in and identify it as such, then they may know their stuff.  If they either do not find it or cannot get in and effectively identify it, then I would question their ability.

    • #39001
      Anonymous
      Participant

      I agree with all comments so far, and yes, as long as you have a good team in place your wifi should be fine.

      So should companies invest in or configure better security for their wifi? Or should they still think WPA/WPA2 is fine to keep them safe?

      I know a lot of companies that have their wifi set up with WPA2 and that is about as far as it goes.

    • #39002
      hayabusa
      Participant

      To me, it all depends on the purpose of the wifi, etc.  If it’s mission critical stuff, many customers I deal with STILL require a forced VPN login, after authenticating to the wifi, to reach internal systems.  This is sensible, and adds just one more layer to break through, should an attacker get past the original wireless authentication.

      IMHO, you can NEVER be TOO safe, however, you also have to weigh usability / support costs against ‘security’, and come up with the best mix for your organization.

    • #39003
      n4zty
      Participant

      Hey guys, this topic truly interests me since I'm from howardforums.com and we are discussing ways of bypassing the WPA2 key for wifi tethering on the Samsung Galaxy Indulge, and it seems no one has been able to get around it. I don't suppose any of you might know a way to get around this? If not, then I suppose we will have to keep looking around.


Copyright ©2021 Caendra, Inc.
