Slashdot Mirror
WPA Weak Key Cracker Posted
Glenn Fleishman writes "The folks at TinyPEAP released a cracking tool to break Wi-Fi Protected Access (WPA) keys. WPA is the replacement for weak WEP keys in the original 802.11b specification. Robert Moskowitz of ICSA Labs released a paper almost exactly a year ago documenting how WPA keys that were short and lacked randomnness could be subject to cracks. This tool automates the process. Moskowitz advised choosing passphrases of more than 20 characters or generating random keys of at least 96 bits, but preferably 128 bits. Some tools exist to produce better keys, including chipmaker Broadcom's SecureEZSetup (in selected hardware) and Buffalo Technologies' hardware-based AOSS for automatic key generation and propagation. Enterprise-based WPA with 802.1X doesn't have this weakness: each user gets a long WPA key that's randomly generated and uniquely assigned--and can be frequently changed during a session."
When you really think about it, by nature wireless networking can never be too secure. I mean, your data is being broadcasted across the air to another point. Think about it.
Call me and my voicemail! 914-713-6795. (wow, I have the balls to post my voip number on
Is there any opensource project for HOST AP that does changing WPA keys?
Is there an opensource project that even does WPA?
(First Post)
l37 734 4ax0ring k0mm3nc3!!!
http://shit.slashdot.org/article.pl?sid=04/11/05/2 143226
I don't under stand why anyone would want to use WEP or WPA seeing as their just a simple single layer encryption method. Using MAC-Filtering is NOT that hard! Compared to WEP and WPA, Mac-Filtering based WLAN security is uncrackable.
... and in the DRM, bind them.
The odds of Joe sixpack going the extra step of making a 20 character key is not good. WiFi setups are all the rage and now can all be broken into even after you spend an hour telling someone that they have to use WEP.
Stay tuned for new sig...
What's the big deal? Kismac has had this feature for a while. I hope i'm missing something.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
Now that D-link and others sell routers with wireless and VPNs all in one box, just VPN with IPSec to your own network and that way you have everything running as securely as you can with a normal VPN. Sure, it's easier to sniff the traffic in the air, but it can still be sniffed on a wire too.
Leaving my WAP wide open all the time allows experienced crackers to access all the best pr0n sites with ease via my connection. All I then have to do is check the logs and Voila! There they are! Saves me looking for them and having to wade thru the pop-ups and bogus sites!
there's not really any good excuse for a weak wpa key. My router will generate a random 128bit key.
Kind of funny. I have our wireless router locked down with a 128bit key and only accepting connections from mine and my roommates' MAC addresses. But one of my neighbors has a wide open access point that I can connect to whenever I wan't.
I don't really want to, but I could.
No real point to this post except that you should attempt even minimal security (Unlike my neighbor).
I would have liked to see a tool that will verify if your chosen key is 'secure' or not.
Would have made the crack software look a little less black-hat, to the uninitiated.
Just an idea.
This is why I setup a stand alone wifi network that when ever war-drivers discover my "wireless network" everything they visit gets redirected to goatse. The result, I've observed is usually a loud exclamation followed by the sound of screeching tires and burnt rubber.
Next i'll observe when I secretly host a wifi network near starbucks and replace everything with a small mirror of www.khaaan.com.
There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
I'm sorry, but here we read from left to right; not top to bottom.
Weakness in Passphrase Choice in WPA Interface
By Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of TruSecure Corp
Use of PSK as the key establishment method
WPA and 802.11i provide for a Pre-Shared Key (PSK) as an alternative to 802.1X based key establishment. A PSK is a 256 bit number or a passphrase 8 to 63 bytes long. Each station MAY have its own PSK, tied to its MAC address. To date, vendors are only providing for one PSK for an ESS, just as they do for WEP keying.
When a PSK is used instead of 802.1X, the PSK is the Pairwise Master Key (PMK) that is used to drive the 4-way handshake and the whole Pairwise Transient Key (PTK) keying hierarchy. There is a straightforward formula for converting a passphrase PSK to the 256-bit value needed for the PMK.
This paper will look into the risks of using a PSK and particularly the risk associated with a passphrase-based PSK.
How the PSK is used in WPA and 802.11i
The PSK provides an easily implemented alternative for the PMK as compared to using 802.1X to generate a PMK. A 256bit PSK is used directly as the PMK. When the PSK is a passphrase, the PMK is derived from the passphrase as follows:
PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)
Where the PBKDF2 method is from PKCS #5 v2.0: Password-based Cryptography Standard. This means that the concatenated string of the passphrase, SSID, and the SSIDlength is hashed 4096 times to generate a value of 256 bits. The lengths of the passphrase and the SSID have little impact on the speed of this operation.
The PTK is a keyed-HMAC function using the PMK on the two MAC addresses and the two nonces from the first two packets of the 4-Way Handshake. This is why the whole keying hierarchy falls into the hands of anyone possessing the PSK, as all the other information is knowable.
The Intra-PSK attack
The normal practice is to have a single PSK within an ESS. To generate any PTK, a device only needs to learn the two MAC addresses and nonces (and the selected ciphersuite). All of this is available in the initial exchange, from the ASSOCIATE through the 4-Way Handshake. Any device can passively listen for these frames and then generate the PTK. If the device missed these frames, it can send a DISASSOCIATE against the STA and force the STA to perform the ASSOCIATE through the 4-Way Handshake again.
Thus even though each unicast pairing in the ESS has unique keys (PTK) there is nothing private about these keys to any other device in the ESS.
The offline PSK dictionary attack
A station that does not know a passphrase-based PSK can attack it with an offline attack. This is effective for an outsider where there is a single PSK in the ESS, or an insider where there are unique PSKs.
The 802.11i standard points out that:
A passphrase typically has about 2.5 bits of security per character, so the passphrase of n bytes equates to a key with about 2.5n + 12 bits of security. Hence, it provides a relatively low level of security, with keys generated from short passwords subject to dictionary attack. Use of the key hash is recommended only where it is impractical to make use of a stronger form of user authentication. A key generated from a passphrase of less than about 20 characters is unlikely to deter attacks.
The PTK is used in the 4-Way handshake to produce a hash of the frames. There is a long history of offline dictionary attacks against hashes. Any of these programs can be altered to use the information in the 4-Way Handshake as input to perform the offline attack. Just about any 8-character string a user may select will be in the dictionary. As the standard states, passphrases longer than 20 characters are needed to start deterring attacks. This is considerably longer than most people will be willing to use.
This offline attack should be easier to execute than the WEP attacks.
Using Ran
...if your key is asdf - the attack is based on a dictionary. This weakness relies on human nature after all.
Btw: The Tips and Tricks section of this newsletter is a good ressource if you want to create passes which are harder to guess.
I don't read replies by ACs.
Just rubbing it in.
Guess it's not time to abandon treating all wireless hosts as bastions and using SSH to tunnel/authenticate just yet then.
Treat wireless just like you do a student network and everything will be fine.
Beep beep.
Comment removed based on user account deletion
D-Link's install software for the AirPlusXtremeG WiFi adapters generates a 60 digit random hexadecimal number for use as a pre-shared key.
The Daily Mirror is one of the United Kingdom's largest newspapers. Here is their front page on the day after the election (PDF file): Daily Mirror Front Page: How could 59,054,087 people be so dumb?.
Dude, I would seriously lay off the 18 cup a day coffee diet.
So, I know it's not foolproof, but does anyone have suggestions on how to increase wireless security?
1. Regularly change WEP keys?
2. Use a proxy server to access internet, and disable direct access via access point?
3. Turn off router and computers when you're not using them?
Any others?
The friendliest digital photography forums on the net!
How many home networks really need to allow random MAC addresses access?
This issue is a bit more complicated than you think.
How about technologies of the future that you can just wait around for. I am sure in 5 years the hardware then will be able to crack stuff now in a matter of seconds. So why not record now... be patient(5 year wait).. and then crack.
------
insert sig here,here, and here
As an aside to the above point, the original "WEP" stood for "Wired Equivalency Protocol." They chose that because it acknowledged that wires weren't inherently secure either. It's name didn't claim security at all... just that it was equivalent to a wire. The inside joke was that that didn't mean anything from a security standpoint either.
Correction: 64 4-bit hexadecimal keys, for 256 bits total. According to the article, not breakable.
I know traffic has been declining to this site but please have a little dignity left. Posting cracks on slashdot? What next, hosting the latest music, movies and software. I would hope the moderators would do a better job sifting through stories. Lots of good stories are getting rejected while dupes and stuff like this gets posted all the time. It's just a shame to see this site suffering from the same problems big media conglomerates have.
Mine is qwerty
I had started on a dictionary cracker for WPA keys, but it was for a class project and once the class was over, the project pretty much was as well. Not being much experiened in POSIX I/O for network and wireless interfaces, I had no idea what to do to put in those parts and was kind of torn on whether to take time out to learn it. It's still on sourceforge if anyone wants to finish it, i.e. add in the bits for acquiring actual packets.
Maybe we can modify it for AES/CCMP keys. They still use passphrases, right?
Anything confidential needs to be encrypted with VPN, SSL, or something similar. Period.
Sure you can turn WEP or WAP on...but don't stake all your data on it. Use what's tested and trusted by the rest.
For those who are interested in checking out your own security (I'm just about to do this!) the WPA Cracker that has been released is available here: WPA Cracker.
:S
I wonder if 13 characters is short
Until people start securing their wireless networks with SOMETHING, wireless will always have a bad reputation. As nice as it would be, we aren't allowed to use wireless in office... period. BTW, I'm surfing /. from my neighbors unsecured WAP.
*Sigh*
Point taken - I won't put anything important on my wireless access, but then again, I am about as likely to have someone out here care about spoofing me as I am to have some gang-bangers drive the 50 miles to my "hood" and rough me up.
Computers are becoming more like regular life - assume someone will someday see what is on your computer, just like your are probably being watched by security/traffic cameras all the time.
heh, "play nice", even when you think no one is watching and you will be ok.
This issue is a bit more complicated than you think.
I am a part-time sysadmin for a small company. My most important duties are things other than administration. Yet, all the administration in the company is done by me.
This was an EXTREMELY important piece of information to me. I had been under the impression that "anything WPA has not been broken yet, and is inherently more secure than WEP".
Now I need to figure out how to reconfig those APs to talk 802.1x to a server, which is going to be so not fun, but a lot more fun than having discovered a fait accompli break-in.
Newsflash - Weak Keys Crackable !
uh, no shit...
- He writes: "WPA is the replacement for weak WEP keys in the original 802.11b specification". This is wrong. "weak key" ist a crypographic term for - wonder - weak keys, like 128 bit, consisting of 1's only (1111111111111...). For like 30 years, even WEP, has taken measures to prevent this kind of keys during use. WEP's problem in fact is the deterministic generation of IV's of the keystream, not weak keys.
-
"Moskowitz advised choosing passphrases of more than 20 characters or generating random keys of at least 96 bits, but preferably 128 bits." That's also misunderstood. The PSK (pre shared key) even when not using 802.1X is always 256-bit. It's generated -from- a passphrase that you type in. A passphrase like "abc" e.g. contains less than 16 bits of security. So a WPA key generated from the passphrase "abc", although still being 256-bit, can be cracked within the time of a 16 bit brute force attack. This is done by simply generating WPA keys from all passphrases between "aaa" and "zzz". So you always use 256 bit keys (PSK's), but they can be generated from much smaller passphrases.
- "each user gets a long WPA key". See above. The keys are always the same size of 256 bit. When using 802.1X there is only maximum "randomness". That's the difference. It think the poster still thinks that WPA works like WEP where you actually use different key lengths.
One could think that I'm very picky about his words. I think not. Especially in cryptography it is important to know exactly what part of a cryptographic chain you're talking about, when talking about weaknesses. TinyPEAP seems to be just a tool for people like the original poster and script kiddies, who are in fact NOT knowing what they are talking about. It's just a bruteforce tool to try out WPA passphrases. This is supposingly faster for people using short passphrases than bruteforcing keys directly.That's the inside joke.
KisMAC has had this function for a long time. Someone used it at Hope 2004 to their wifi key. In addition, Josh Wright has had a working copy available for linux for some time. The LiveCD from Remote-exploit.org (Auditor) has included this tool for about a month now. This is not new...
You're kidding right? MAC filtering provides absolutely no added security. Once the encryption is broken, spoofing a MAC address is trivial.
You're assuming your adversary is a determined attacker, not your neighbor who's too lazy/clueless to choose his access point in his laptop's configuration utility. MAC filtering works perfectly well in this case.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)