WPA Weak Key Cracker Posted
Glenn Fleishman writes "The folks at TinyPEAP released a cracking tool to break Wi-Fi Protected Access (WPA) keys. WPA is the replacement for weak WEP keys in the original 802.11b specification. Robert Moskowitz of ICSA Labs released a paper almost exactly a year ago documenting how WPA keys that were short and lacked randomness could be subject to cracks. This tool automates the process. Moskowitz advised choosing passphrases of more than 20 characters or generating random keys of at least 96 bits, but preferably 128 bits. Some tools exist to produce better keys, including chipmaker Broadcom's SecureEZSetup (in selected hardware) and Buffalo Technologies' hardware-based AOSS for automatic key generation and propagation. Enterprise-based WPA with 802.1X doesn't have this weakness: each user gets a long WPA key that's randomly generated and uniquely assigned--and can be frequently changed during a session."
When you really think about it, by nature wireless networking can never be too secure. I mean, your data is being broadcasted across the air to another point. Think about it.
The odds of Joe Sixpack going the extra step of making a 20-character key are not good. WiFi setups are all the rage and now can all be broken into even after you spend an hour telling someone that they have to use WEP.
What's the big deal? KisMAC has had this feature for a while. I hope I'm missing something.
It does not have to be cracked. MAC filtering does not prevent others from listening to the network.
Um, do you know how easy it is to spoof MAC addresses? Very easy.
Leaving my WAP wide open all the time allows experienced crackers to access all the best pr0n sites with ease via my connection. All I then have to do is check the logs and Voila! There they are! Saves me looking for them and having to wade thru the pop-ups and bogus sites!
There's not really any good excuse for a weak WPA key. My router will generate a random 128-bit key.
Kind of funny. I have our wireless router locked down with a 128-bit key and only accepting connections from mine and my roommates' MAC addresses. But one of my neighbors has a wide open access point that I can connect to whenever I want.
I don't really want to, but I could.
No real point to this post except that you should attempt even minimal security (Unlike my neighbor).
I would have liked to see a tool that will verify if your chosen key is 'secure' or not.
Would have made the crack software look a little less black-hat, to the uninitiated.
Just an idea.
Jesus Christ, I hope you don't have a job in security. If all your packets are unencrypted, anybody can sniff them, see what MAC addresses are receiving traffic, and thus are on the whitelist. From there, it's a simple matter to spoof the MAC in software. This feature is built into Linux, Windows and OS X. The myth that MAC addresses are a universally unique identifier is dangerous and has to be dispelled.
This is why I set up a stand-alone wifi network so that whenever war-drivers discover my "wireless network" everything they visit gets redirected to goatse. The result, I've observed, is usually a loud exclamation followed by the sound of screeching tires and burnt rubber.
Next I'll observe when I secretly host a wifi network near Starbucks and replace everything with a small mirror of www.khaaan.com.
Umm simple. I would just change the MAC address on my laptop to match the address in the WAP and reconnect. Many cards allow you to change the MAC address in software.
Now, where do I pick up my monkey?
"ifconfig wlan0 hw ether [mac address]" sets your wlan card's mac address under Linux. There is probably a way to do so under Windows as well.
You need to brute-force check each MAC address. There are ways to make this harder in the router.
...if your key is asdf - the attack is based on a dictionary. This weakness relies on human nature after all.
Btw: the Tips and Tricks section of this newsletter is a good resource if you want to create passes which are harder to guess.
NOT really a good idea to start a thread about morons, and then act like one.
_YOUR_ wlan card may have the MAC address burned into it. Once ALL NICs did. I think it was more than 10 years ago that I saw my first NIC that DID NOT HAVE a MAC address (it was all zeroes, and expected to be set in software).
_MY_ wlan card will _CERTAINLY_ let me change the MAC address - under Linux _or_ Windows.
Guess it's not time to abandon treating all wireless hosts as bastions and using SSH to tunnel/authenticate just yet then.
Treat wireless just like you do a student network and everything will be fine.
Once again I draw your attention to the problems with making conclusions about the entire world based on your one example.
This is a *trivial* exercise, and certainly does not require any hard-wiring.
Do your homework. Look up Supplicant, XSupplication, HostAP, 802.11i for Linux, 802.1x for Linux, etc, etc, etc... Lots of things going on.
ITMT... This crack is only for weak keys with WPA-PSK. Not applicable to WPA enterprise or WPA2.
My Linksys card allows me to change the MAC on Windows... it's trivial to do.
The other poster showed how easy it is to do this in Linux.
I love when idiots like you post on nerd sites and make an ass of yourself. You should have posted anonymously; your nerd creds have been lost, you can never show your face here again as StarWreck. Time to make a new username or never come back, you ruined it.
And while yes this is a troll, it's not a pure troll. Had you posted only your first post then replied to the replies with something like "oh I wasn't aware of that, sorry, I guess I was wrong", then you'd be fine. But you keep replying saying you are right and everyone else is wrong, when everyone else is right and you're wrong. You're probably not stupid, you made a simple mistake, but then you acted like an ass about it and now you ruined your Slashdot name.
No, you don't have to do this. Once the WEP key is broken (or if there is no WEP key, just MAC filtering), you simply listen to the traffic to get a MAC address that's allowed, and use that.
So, I know it's not foolproof, but does anyone have suggestions on how to increase wireless security?
1. Regularly change WEP keys?
2. Use a proxy server to access internet, and disable direct access via access point?
3. Turn off router and computers when you're not using them?
Any others?
How many home networks really need to allow random MAC addresses access?
This issue is a bit more complicated than you think.
Sure you can change your MAC address, but then you have to change the MAC address to one that is valid. If no one is on the network, but you can hear it by simply wardriving, it's not going to do anybody any good.
How about technologies of the future that you can just wait around for? I am sure in 5 years the hardware then will be able to crack stuff now in a matter of seconds. So why not record now, be patient (5-year wait), and then crack.
As an aside to the above point, the original "WEP" stood for "Wired Equivalency Protocol." They chose that because it acknowledged that wires weren't inherently secure either. Its name didn't claim security at all... just that it was equivalent to a wire. The inside joke was that that didn't mean anything from a security standpoint either.
Correction: 64 4-bit hexadecimal keys, for 256 bits total. According to the article, not breakable.
I know traffic has been declining to this site but please have a little dignity left. Posting cracks on slashdot? What next, hosting the latest music, movies and software. I would hope the moderators would do a better job sifting through stories. Lots of good stories are getting rejected while dupes and stuff like this gets posted all the time. It's just a shame to see this site suffering from the same problems big media conglomerates have.
Anything confidential needs to be encrypted with VPN, SSL, or something similar. Period.
Sure you can turn WEP or WAP on...but don't stake all your data on it. Use what's tested and trusted by the rest.
For those who are interested in checking out your own security (I'm just about to do this!) the WPA Cracker that has been released is available here: WPA Cracker.
I wonder if 13 characters is short
Until people start securing their wireless networks with SOMETHING, wireless will always have a bad reputation. As nice as it would be, we aren't allowed to use wireless in the office... period. BTW, I'm surfing /. from my neighbor's unsecured WAP.
*Sigh*
Point taken - I won't put anything important on my wireless access, but then again, I am about as likely to have someone out here care about spoofing me as I am to have some gang-bangers drive the 50 miles to my "hood" and rough me up.
Computers are becoming more like regular life - assume someone will someday see what is on your computer, just like you are probably being watched by security/traffic cameras all the time.
heh, "play nice", even when you think no one is watching and you will be ok.
Could someone explain to me what that has to do with WPA? or D-Link keys?
MAC addresses are universally unique identifiers, except for a few duplicate runs in cheap-ass brand NICs.
It's just that they cannot be authenticated in any way. It's like allowing only people who claim to be you on your network, rather than people who can prove it in some way.
- He writes: "WPA is the replacement for weak WEP keys in the original 802.11b specification". This is wrong. "Weak key" is a cryptographic term for - wonder - weak keys, like 128 bits consisting of 1's only (1111111111111...). For like 30 years, even WEP has taken measures to prevent this kind of key during use. WEP's problem in fact is the deterministic generation of IVs of the keystream, not weak keys.
- "Moskowitz advised choosing passphrases of more than 20 characters or generating random keys of at least 96 bits, but preferably 128 bits." That's also misunderstood. The PSK (pre-shared key), even when not using 802.1X, is always 256-bit. It's generated -from- a passphrase that you type in. A passphrase like "abc", e.g., contains less than 16 bits of security. So a WPA key generated from the passphrase "abc", although still being 256-bit, can be cracked within the time of a 16-bit brute force attack. This is done by simply generating WPA keys from all passphrases between "aaa" and "zzz". So you always use 256-bit keys (PSKs), but they can be generated from much smaller passphrases.
- "each user gets a long WPA key". See above. The keys are always the same size of 256 bits. When using 802.1X there is only maximum "randomness". That's the difference. I think the poster still thinks that WPA works like WEP where you actually use different key lengths.
One could think that I'm very picky about his words. I think not. Especially in cryptography it is important to know exactly what part of a cryptographic chain you're talking about when talking about weaknesses. TinyPEAP seems to be just a tool for people like the original poster and script kiddies, who are in fact NOT knowing what they are talking about. It's just a brute-force tool to try out WPA passphrases. This is supposedly faster for people using short passphrases than brute-forcing keys directly.
I was under the impression that all NICs had a hard-coded MAC address.
You can change the MAC address via software in the NIC driver, but that doesn't physically change the hardware MAC, it simply changes what the driver reports the MAC address as being.
Am I wrong here?
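The point made a couple of posts up, that the WPA-PSK is always 256 bits but is only as strong as the passphrase it is derived from, worked through as an added Python example (not code from the thread or from TinyPEAP). The derivation is the one IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output, as wpa_passphrase does); the strength estimate is my own simplification (length times log2 of the character classes used), and EXAMPLE_SSID is a constructed value.

```python
import hashlib
import math
import string

# Constructed SSID for the stand-alone run below; not from the thread.
EXAMPLE_SSID = "homenet"


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA/WPA2-Personal PSK from passphrase and SSID.

    IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
    32-byte (256-bit) output. Passphrases are 8 to 63 ASCII characters.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough upper bound on passphrase strength: length * log2(alphabet size),
    where the alphabet is the union of character classes actually present.
    Assumes the passphrase is random; dictionary words score far lower."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def effective_key_bits(passphrase: str) -> float:
    """The PSK is always 256 bits, but guessing it never costs more than
    guessing the passphrase, so effective strength is the smaller of the two."""
    return min(256.0, passphrase_entropy_bits(passphrase))


if __name__ == "__main__":
    # "abc" is the thread's example: 3 lowercase letters, about 14 bits.
    for pp in ("abc", "password", "correct horse battery staple"):
        print(f"{pp!r}: ~{effective_key_bits(pp):.1f} effective bits")
    psk = wpa_psk("password", EXAMPLE_SSID)
    print("PSK:", psk.hex(), f"({len(psk) * 8} bits, always)")
```

The test vector from IEEE 802.11i Annex H (passphrase "password", SSID "IEEE") can be used to confirm the derivation matches what wpa_passphrase produces.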
The frame control that contains the MAC header in an 802.11 packet is always unencrypted. So the list of MAC addresses is available at once, before key cracking.
You are correct. You are wrong. Even if some cards have immutable "burned-in MAC addresses" (I'm not aware of any), the fact remains that most of them allow you to set the MAC address. The bad guy merely has to buy the card that lets him do what he wants to do. Even if you only buy fixed-address cards, he's not so restricted. So, even if only one model of one brand allowed this technique, you would still be screwed. And, AFAIK, it's the majority of cards which allow it, not even a minority. And, yes, it really does change the address on the air.
ifconfig wlan0 hw ether [mac address]
In Windows, there is a nice program called Mac Makeup to do it for you.
Both of these methods do work for wireless cards. I tested it fairly extensively when I set up my own wifi network.
KisMAC has had this function for a long time. Someone used it at Hope 2004 to their wifi key. In addition, Josh Wright has had a working copy available for linux for some time. The LiveCD from Remote-exploit.org (Auditor) has included this tool for about a month now. This is not new...
Do you know what a sig (AKA "signature") is? I want to make fun of my school in my sig, and many sigs are offtopic, since you want to make that point.
You are just ignorant.
You're kidding right? MAC filtering provides absolutely no added security. Once the encryption is broken, spoofing a MAC address is trivial.
You're assuming your adversary is a determined attacker, not your neighbor who's too lazy/clueless to choose his access point in his laptop's configuration utility. MAC filtering works perfectly well in this case.