Slashdot Mirror


WPA-PSK Cracking As a Service

An anonymous reader writes "Moxie Marlinspike, a security researcher well known for his SSL/TLS attacks, today launched a cloud-based WPA cracking service, where for $34 you can test the security of your WPA password. The WPA Cracker Web site states: 'WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400 CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.'"


  1. Build a dictionary! by Anonymous Coward · · Score: 5, Insightful

    So for $34 you can make sure your password is part of their dictionary?

    1. Re:Build a dictionary! by supernova_hq · · Score: 4, Funny

      No no no no, when you submit your password it will only appear as ***** to them.

    2. Re:Build a dictionary! by theTerribleRobbo · · Score: 2, Funny

      Holy shit. How did you get my password?

  2. Re:One problem by ctmurray · · Score: 3, Insightful

    I think the tool is not being sold to people wanting to crack into a WiFi network, rather selling to people so that they can test their WiFi network.

  3. "test your key", riiiiight by SuperBanana · · Score: 2, Interesting

    "While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes"

    Anyone interested in testing their own key would not care about it taking 5 days. During a weekday, you're not around most of the time anyway. I doubt anyone cares enough to spend $40 for something that can be done for free.

  4. Well at least you can say Moxie has Moxie. by al0ha · · Score: 4, Insightful

    $34 to see if your password can survive a dictionary attack? Hell pay me $20 and I'll gladly save you some money and provide you with a password guaranteed to be unbreakable by brute force. I'll even sign an NDA to ensure I don't disclose it to anyone but rest assured even I won't be able to remember it!

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ

    1. Re:Well at least you can say Moxie has Moxie. by chill · · Score: 5, Interesting

      I'll save 'em the full $34.

      Go here: https://www.grc.com/passwords.htm

      --
      Learning HOW to think is more important than learning WHAT to think.

    2. Re:Well at least you can say Moxie has Moxie. by Urd.Yggdrasil · · Score: 4, Informative

      Pfft, that's only pseudo random data, why settle when you can get true random data.

      https://www.fourmilab.ch/hotbits/secure_generate.html
      https://www.random.org/passwords/

    3. Re:Well at least you can say Moxie has Moxie. by wagnerrp · · Score: 2, Informative

      That's great if you have a compliant device. I spent two hours trying to figure out why my mom's Nokia wasn't working with such a passphrase. I finally got tired of typing in such a long phrase and truncated it to 15 or so characters only to find it instantly working. Turns out while it lets you type in long phrases, it will silently fail to use them in a completely undocumented deficiency.

    4. Re:Well at least you can say Moxie has Moxie. by Power_Pentode · · Score: 5, Funny

      "Pfft, that's only pseudo random data, why settle when you can get true random data"

      No "random" data that you get from the net should be trusted. I throw old 16-sided gaming dice to generate a transparent X-Y grid, which is then set over the top of my cat's litter box. The positions of the cat turds are normalized against a reference litter box and fed into a fancy matrix algorithm, the output of which is SHA4 hashed and truncated to make the WPA2 key.

    5. Re:Well at least you can say Moxie has Moxie. by VoidCrow · · Score: 2, Insightful

      But that's vulnerable to a statistical analysis of the preferred distribution of cat turds. Maybe you should randomise it by giving them catnip every time they take a dump?

    6. Re:Well at least you can say Moxie has Moxie. by blair1q · · Score: 2, Funny

      "I trained your cat to turd in predefined locations. I'm now 0wning your box."

      That string is my WPA-PSK password! How did you get it!

  5. From the Article... by BulletMagnet · · Score: 3, Interesting

    "Marlinspike declined to say who operates his compute cluster"

    I guess he can't come out and say he's using botted boxes, right?

  6. Re:One problem by Korbeau · · Score: 5, Funny

    "I think the tool is not being sold to people wanting to crack into a WiFi network, rather selling to people so that they can test their WiFi network."

    [x] Check this box if you are above the age of 18 and promise not to use this tool for malicious intends.

    [BUY NOW!!!]

  7. It's actually $17 for 40 min. by Anonymous Coward · · Score: 2, Informative

    ...$34 is the super-fast price.

  8. Re:One problem by vivian · · Score: 5, Insightful

    Alternatively you could actually not be an asshat, get on with your neighbour and negotiate with them (over a 6 pack of beer) to allow legal access in the event of an outage.

  9. who uses WPA anyways? by Gothmolly · · Score: 2, Funny

    Who uses WPA or WEP anyways? Either you leech your neighbor's unprotected WiFi, you live far enough away from other homes so that your signal doesn't leave your property, or you maintain a separate DMZ of wireless IPs that can't get into the good stuff, but can access the Internet.

    Next people will say that MAC address security is actually meaningful.

    --
    I want to delete my account but Slashdot doesn't allow it.

    1. Re:who uses WPA anyways? by mlts · · Score: 4, Interesting

      Believe it or not, there are some embedded devices which don't have the CPU juice for WPA2, so they were given a BIOS update so they can run something better than WEP as some form of security. WPA has its issues, but it sure beats WEP.

      The best wireless setup is to have two wireless SSIDs. Your internal one that runs off of WPA2-Enterprise, RADIUS server, and smart cards. Then an external one that has a stern packet filter and throttling mechanism. This way, people can log on your open wireless to check E-mail, but Limewire and other P2P apps will be stopped. Of course, someone can jump that, but if they do that, it's not your problem anymore.

      I do see one use for MAC address security, and it's more of a legal thing than computer protection. If a security breach criminal case winds up in court, and you can prove a potential intruder was bypassing your MAC security, it might land a conviction. Otherwise, someone can make up a story of you allowing people to have your WPA2 passwords, etc.

  10. Re:One problem by Gothmolly · · Score: 3, Insightful

    Isn't it cheaper, easier, and less douchebaggy to just get an aircard?

    --
    I want to delete my account but Slashdot doesn't allow it.

  11. Re:400 CPU cluster or 400 node botnet? by mzito · · Score: 5, Informative

    Actually, in this case, it's very straightforward. He's using Amazon EC2. EC2 charges by the hour, and all you have to do is spin up the number of servers you want. In fact, I happened to run the numbers on what the costs are for running 50 "8-core" servers, and it happens to be...$34/hour. So, what he did was say, "If I run two jobs an hour, I make a small amount of money. If I run 4-5 jobs per hour, I make more money"

    This is, of course, a textbook use case for EC2, and I'm surprised no one has done it sooner.

    --
    me@mzi.to

  12. Re:Cloud? (not a) by frosty_tsm · · Score: 4, Interesting

    They don't discuss it, but I wonder if they don't just fire up 400 Amazon instances, do the work, then shut them off. For $34 (an oddly specific number), they can't afford to have 400 CPUs around. However, if they allocate on a job-by-job basis, then their overhead is very low.

    This kind of work (high computation, high parallelization, infrequent request) might be the most brilliant and non-obvious use of cloud computing. Low overhead due to using someone else's hardware (rather than having 400 CPUs laying around). If this is truly what they are doing, I am very impressed.

  13. $34? I can undercut that. by smchris · · Score: 3, Funny

    For $30 I'll run the command-line random number generator I found on the web and send you a 60 digit number.

    If you act today, that's only 50 cents a number!

  14. Re:One problem by Anonymous Coward · · Score: 2, Funny

    If their password appears in a dictionary, even one of 135 million words, then you could probably impress that client with shadow puppets, or blowing bubbles.

  15. Re:One problem by cbiltcliffe · · Score: 2, Insightful

    Because I really find value in testing my OWN network.

    If you don't, then you don't really understand security.
    The point is, these dictionaries are already available to the people with their evil bit set.
    If you're going "nobody's going to figure out this password," especially if you're running a business, you really should be _making sure_ that nobody's going to figure it out, rather than going on faith.

    Unless you have a multi-tens-of-millions word dictionary yourself, so you can make sure that your WPA passphrase isn't in it, you're not properly protecting your network.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
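
Added example, not part of the original thread or of the WPA Cracker service: a local self-audit of a passphrase along the lines of the comment above, using the guess rate implied by the story's figures (135 million words in about 20 minutes). The function names, sample wordlist, SSID and candidate passphrases are constructed for illustration; the PBKDF2 parameters are the standard WPA/WPA2-PSK derivation, which the page itself does not spell out.

```python
import hashlib
import string

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")  # ASCII 32-126

def wpa_pmk(passphrase, ssid):
    """Standard WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output. Every guess costs an attacker this much."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# Guess rate implied by the story: 135 million words in about 20 minutes.
CLUSTER_RATE = 135_000_000 / (20 * 60)

def audit_passphrase(passphrase, wordlist):
    """Return reasons the passphrase is weak; an empty list means none found.
    The wordlist is assumed to hold lowercase entries (hypothetical format)."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 characters a WPA passphrase allows")
    if any(c not in PRINTABLE for c in passphrase):
        findings.append("contains characters outside printable ASCII")
    if passphrase.lower() in wordlist:
        findings.append("present in the wordlist")
    return findings

def years_to_search(length, alphabet_size, guesses_per_second):
    """Average years to hit a uniformly random passphrase (half the keyspace)."""
    seconds = alphabet_size ** length / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    wordlist = {"password", "letmein123", "slashdot2009"}  # constructed sample
    for candidate in ("Slashdot2009", "short", "k3Vq9zTw1LpXe7Rb"):
        print(candidate, audit_passphrase(candidate, wordlist) or "no findings")
    print("PMK for constructed SSID:", wpa_pmk("k3Vq9zTw1LpXe7Rb", "example-ssid").hex())
    print("8 lowercase letters: %.3f years" % years_to_search(8, 26, CLUSTER_RATE))
    print("63 alphanumerics:    %.3g years" % years_to_search(63, 62, CLUSTER_RATE))
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, and a passphrase that is absent from one wordlist may still be in a larger one.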

  16. Re:If it can be brute forced you're doing it wrong by Fnord666 · · Score: 2, Funny

    "Nobody is going to brute force my randomly generated 63 character alphanumeric key. Not before a vulnerability in the encryption appears or the hardware gets replaced with a new standard"

    I thought this was how you brute forced a password in less than 30 minutes.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  17. Re:One problem by Just+Some+Guy · · Score: 3, Interesting

    Living in fear must suck, huh? I have 4 open WiFi networks available to me at the moment (in a subdivision with 1/2-acre lots, not in a dense apartment complex). I've hopped onto a neighbor's network when my phone was out, and I have DHCP logs showing when they've been on mine. If I got hit with a subpoena, it'd be a piece of cake to show how many other people are using my router. That's a lot better approach for me and my neighbors than shutting each other out in a moral panic.

    --
    Dewey, what part of this looks like authorities should be involved?

  18. Re:Cloud? (not a) by wagnerrp · · Score: 4, Interesting

    A medium 'high-cpu' linux instance at Amazon is $0.17/hr.

    ($0.17/hr) x (20min) x (400 instances) = $22.66666... +50% = exactly $34

  19. Re:One problem by Jedi+Alec · · Score: 2, Funny

    "Any clued neighbor wouldn't be allowing others onto their wi-fi."

    Considering my neighbour is hot, blonde and single, if she wants to use my connection to download pr0n I'm sure we can come to some sort of arrangement...

    --

    People replying to my sig annoy me. That's why I change it all the time.

  20. Re:One problem by GameboyRMH · · Score: 2, Insightful

    Well then it sounds like you have enough users connecting for plausible deniability. If it's only you and your neighbor sharing a private AP, you have the downsides of both the single-house private AP (no plausible deniability) and open AP (can't be sure what's passing over your network) approaches. The blame will fall on the owner of the connection that handled the offending traffic. If he downloads loli or pop culture warez over your connection and the authorities / the MAFIAA take notice, you're fucked, and all he has to do (assuming router logs are nonexistent / have been rotated out) to get off the hook is delete your AP password from his machine (which he can do when he sees the cops bust down your door / your name in the media). Once it's your word against his, you'll just seem like a guilty pedo / pirate trying to blame it on the neighbor.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  21. Re:And Slashdot is promoting this by geekmux · · Score: 2, Insightful

    And this matters because..

    #1: It's IT-related

    #2: It's Security IT-related

    #3: Within IT, it has to do with one of the most prevalent technologies in use today.

    #4: And finally, it's here, because it sure as hell ain't gonna show up on CNN or the nightly news "tech" corner. Well, at least not for another 6 months or so, when it's "breaking news" to them.