.

WPA WPA2 Cracking no longer a problem

<<

millwalll

Post Mon Mar 28, 2011 8:13 am

WPA WPA2 Cracking no longer a problem

Hi All,

Many of us know that cracking WPA and WPA2 keys was never 100% secure. However as long as the Key used was complex and long enought it was not a easy process to brutt force the key, as it would take days,week,monts even.

Introduing the cloud

Nowdays its very cheap to hire super computers that run a lot faster and can run a English dictionary of 284 million words in around 55 min for around $40 so how secure is WPA and WPA2 now?

http://www.wpacracker.com/index.html
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Mar 28, 2011 9:04 am

Re: WPA WPA2 Cracking no longer a problem

Nice!  Sure saves time, if they truly have the setup to handle it, as they claim.  (Wouldn't surprise me, and was bound to show up, sooner or later.)

Then again, there's no guarantee, still, that it'll be in a dictionary (the smart ones WON'T use dictionary words, or even easy permutations...)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Mar 28, 2011 9:12 am

Re: WPA WPA2 Cracking no longer a problem

Jamie.R wrote:...so how secure is WPA and WPA2 now?


So I'd say, still VERY secure, if on WPA2, assuming the person BEHIND the password / passphrase puts their thought into it.  Advances will come, over time, but the reality is, if the person / people implementing do it right, it's still pretty solid.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

millwalll

Post Mon Mar 28, 2011 9:17 am

Re: WPA WPA2 Cracking no longer a problem

That is ture hayabusa.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Mar 28, 2011 9:24 am

Re: WPA WPA2 Cracking no longer a problem

Actually, I'll go one step further on this, just to clarify my thoughts...

Certainly, for the low value, it's worth using in a pentest, to TRY to crack the protection, and get in.  I think, even more, that the value of this lies more for security auditors, to ensure that a company DID do the smart thing, and took proper care / precaution in selecting their passphrases / keys, etc. 

So not saying there's no value in this service.  Just that, if you're a pentester, you've got to know that IF you're going against a network where the admins had half a clue, you're liable to hit a dead end (albeit much more quickly  :P)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

WCNA

User avatar

Full Member
Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Mon Mar 28, 2011 11:53 am

Re: WPA WPA2 Cracking no longer a problem

That brings up one the ironic things about pentesting. Failing to break in is a good thing. Unfortunately, companies don't know whether the failure to break in was due to good security or a poor pentest. Luckily, standards are being adopted.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
<<

jsm725

User avatar

Newbie
Newbie

Posts: 36

Joined: Mon Mar 22, 2010 5:13 pm

Post Mon Mar 28, 2011 12:15 pm

Re: WPA WPA2 Cracking no longer a problem

So this brings up an interesting question. Yes we could do this to speed up the process of cracking WPA/WPA2, but should we do this?

What are the implications of giving client information to a third party that doesn't have a contractual obligation to the client? What type of agreement are you making with WPACrack before you hand over a .pcap of client data?
CISSP, PCI-QSA, OSWP
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Mar 28, 2011 12:27 pm

Re: WPA WPA2 Cracking no longer a problem

@jsm725 - Personally, I'd strip the pcap down to only the auth packets needed to crack the WPA.  Additionally, one would HOPE, anyway, that any IP's in the pcap are internal, and that there's nothing publicly indentifiable in there.  This is all assuming I use their service, to begin with.

That's my take, anyway...

@WCNA - agreed, and good that folks are working towards some standards.  Either way, though, if I were to hire someone to pentest me, I'd want a detail of their methods and attacks they attempted, so I could decide, for myself, about the 'quality' of the services they performed.  A GOOD pentest report WILL include the technical details and steps, for the technical folks to review, afterwards.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

hell_razor

User avatar

Jr. Member
Jr. Member

Posts: 90

Joined: Wed Jul 14, 2010 10:44 am

Post Mon Mar 28, 2011 12:36 pm

Re: WPA WPA2 Cracking no longer a problem

WCNA wrote:That brings up one the ironic things about pentesting. Failing to break in is a good thing. Unfortunately, companies don't know whether the failure to break in was due to good security or a poor pentest. Luckily, standards are being adopted.


This is why setting up a honeynet with some "open" doors might be a good thing.  If they find it, and get in and identify it as such, then they may know their stuff.  If they either do not find it or cannot get in and effectively identify it, then I would question their ability.
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
<<

millwalll

Post Mon Mar 28, 2011 12:55 pm

Re: WPA WPA2 Cracking no longer a problem

I agree with all comments so far. and yes as long you have a good team in place your wifi should be fine.

So should companies invest in or configuare better security for there wifi ? or should they still think WPA/WPA2 is fine to keep them safe.

I know a lot of companies that have there wifi setup with WPA2 and that is about as far as it goes.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Mar 28, 2011 2:56 pm

Re: WPA WPA2 Cracking no longer a problem

To me, it all depends on the purpose of the wifi, etc.  If it's mission critical stuff, many customers I deal with STILL require a forced VPN login, after authenticating to the wifi, to reach internal systems.  This is sensible, and adds just one more layer to break through, should an attacker get past the original wireless authentication.

IMHO, you can NEVER be TOO safe, however, you also have to weigh usability / support costs against 'security', and come up with the best mix for your organization.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

n4zty

Newbie
Newbie

Posts: 1

Joined: Sun Apr 03, 2011 7:35 pm

Post Sun Apr 03, 2011 7:40 pm

Re: WPA WPA2 Cracking no longer a problem

Hey guys this topic truly interest me since im from the howardforums.com and we are discussing ways of bypassing the wpa2 key for wifi tethering on the samsung galaxy indulge and seems no one has been able to get around it i dont suppose any of ya might know a way to get around this if not then i suppose we will have to keep looking around.

Return to Wireless

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software