dalepearson wrote:Question to those who do regular Wireless Pen Tests, when do you decide to throw in the towel when it comes to WPA based attacks, and is this predefined contractually with the client?
The reason I ask is that, obviously you have the dictionary and brute force attacks, and as you can sniff the handshake and then work offline you really do have forever to test various rainbow tables, keyword lists and other techniques, but when do you decide enough is enough, and you will happily tell your client based on the techniques used the choice of passphrase in use is acceptable.
Of course you could simply review the passphrase if they offered it to you and make a judgement call on how likely it would appear in someones lists when attacking, but that would kinda defeat the Wireless Pen Test.
This is a good question.
As the password approaches true randomness, the statistical possiblities become
overwhelming, even for an eight-character password. For example, if one considers
that all of the keys on the keyboard can be used to construct the password, then
there are 95-raised-to-the-8th-power possibilities. This is 6,634,204,312,890,625
possible passwords. (I don't even know what the number is? A quadrillion?) Aircrack-ng,
which is the best cracker I've found so far, tests about 220 keys per second on a
1.9GHz cpu. At that rate, it would take 956,223 years ,... or about the time for
another Ice Age to come and go ... to crack it.
Adding just one character increases that time exponentially.
But, of course, most humans don't choose passwords randomly. In fact, humans really
don't anything randomly. They opt for patterns which loom in their memories. Thus,
the development of brute force dictionaries.
I have a dictionary of wpa 8-char passcodes which is 1.2 million entries and have yet
to crack an interesting WPA-TKIP-PSK access point with it. So obviously people
with valuable data do not use crap passwords.
If anyone has any ideas on this, I'd be interested in hearing them.