3.7 - Speeding attacks against WPA/WPA2 encryption
- So far so good, but trouble could arise if the dictionary contains hundreds of thousands of entries, because in that case the CPU time and processing resources consumed could be huge.
- The function PBKDF2 hashes the passphrase and the SSID 4096 times before outputting the 256-bit Pre-Shared Key. This obtained key is then verified against the MIC used in the four-way WPA handshake. To speed up the whole process, it is possible to precalculate the Pre-Shared Key for each passphrase.
- For that purpose, the tool genpmk (generator of PMK, Pairwise Master Key) can be used:
- The option -f takes the dictionary to use, -s specifies the SSID, and the -d option indicates the name of the output file, for instance "archivoPMK":
- It is important to notice that both the passphrase and the SSID are used to calculate the PMK. The process can take a lot of time, depending on the size of the dictionary. A message is periodically output every 1000 passphrases:
- And so on, until all of the more than 789000 entries of diccionario.txt have been processed and the generation of the PMK file is finished:
- The command ls shows the newly created file "archivoPMK":
- Now, there are a number of tools designed to take advantage of "archivoPMK", for instance airolib-ng and Pyrit:
a) airolib-ng
- The command "airolib-ng" creates the database "archivoAircrackPMK" from the former database "archivoPMK":
- The command ls shows the newly created file "archivoAircrackPMK":
- Feeding aircrack-ng with the database "archivoAircrackPMK" and the capture "archivoWPA-01.cap", the key is found in just 8 seconds!
- So, the difference in time is huge, from 18 minutes to 8 seconds. Although the creation of "archivoPMK" takes a lot of time, depending on the dictionary size, it only needs to be calculated once for each specific dictionary and SSID. So, whenever the passphrase is changed by the network administrator, the precalculated database could be applied again to speed up the cracking of the key, as long as the SSID stays the same.
b) Pyrit
- Even faster, in just 3 seconds, the tool Pyrit offers the same results: