# A cloud service to crack WPA/WPA2



## Hybrid_theory (Jul 26, 2010)

Thought this to be interesting. You can use it to test your wireless security. It probably won't work as easily if you use central auth for wireless.

Rest of the article: http://blogs.techrepublic.com.com/security/?p=4097&tag=results;CR1



> In 2008, I speculated about the future of distributed security cracking. That future has arrived, in the form of a $17 “cloud” based service provided through the efforts of a security researcher known as Moxie Marlinspike. It is effective against pre-shared key deployments of both WPA and WPA2 wireless networks.
> 
> The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more “premium” price of $35, you can get the job done in about half the time. Because it is a dictionary attack using a predefined 135-million-word list, there is no guarantee that you will crack the WPA key, but such an extensive dictionary attack should be sufficient for any but the most specialized penetration testing purposes.
> 
> ...


----------



## hat (Jul 26, 2010)

They just use a dictionary? Good luck getting into mine.


----------



## Easy Rhino (Jul 26, 2010)

Yeah, the idea of distributed cracking is intriguing, but their setup is a fail. No way anybody is getting into mine just by going through a dictionary.


----------



## slyfox2151 (Jul 27, 2010)

Yeah, this is not brute force as they claim :*( ... It's also not much faster than running your own crack on CUDA using your high-end video card instead of the CPU.




If you're using WPA, chances are you won't be using a dictionary word if you're smart enough... which pretty much confirms this service would only be useful to crackers out there who want to abuse it. It's worthless to anyone who would use it to test security.

Any WPA encryption is pretty much uncrackable over 10 characters long using all forms of characters (!fh24) etc. It would take months to years with multiple GPUs/CPUs trying to brute force it.



I toyed with cracking my own WiFi routers, trying all forms of WEP, WPA, WPA2, TKIP, AES...


----------



## VulkanBros (Jul 27, 2010)

Wait a second.... 2 months ago I had a network security firm hired to test my company's wireless networks.

The lowest encryption we use is WPA2 AES/TKIP with a 13 character encryption code.
The highest encryption we use is a mix of RADIUS servers, MAC filtering, static IPs and random keys.

WPA2 AES/TKIP: With various packet sniffing and other winky (Linux tools) it took them 13 hours to crack the key.

The high encryption network: They left the Linux laptop with all its fabulous tools for 7 days.
They did not succeed .......

And remember - this was a professional network security company.

So it sounds to me - that this "cloud" thing is no other than a money machine....


----------



## slyfox2151 (Jul 27, 2010)

VulkanBros said:


> Wait a second.... 2 months ago I had a network security firm hired to test my company's wireless networks.
> 
> The lowest encryption we use is WPA2 AES/TKIP with a 13 character encryption code.
> The highest encryption we use is a mix of RADIUS servers, MAC filtering, static IPs and random keys.
> ...



This cloud is not doing the same thing that your security company did. There are a few different ways to crack WPA2; this is just a simple large word list.
Your security company would not have tried to crack it via a password list if it was long and complex. There are simply too many variations... the word list would be MASSIVE.... over petabytes...... (50 million average words in a .txt file comes to 300-500 MB uncompressed)


The last time I checked, a GTX260 did about 120000 passwords per second... if you had a complex password just 8 characters long it would take over 1933 years to break.
Or if it was not so complex, just letters and numbers, 59 years.

If you clustered a lot of GPUs together then you may get the time to crack down to a reasonable scale.


----------



## Easy Rhino (Jul 27, 2010)

slyfox2151 said:


> this cloud is not doing the same thing that your security company did.



Yes. More than likely the firm ran a shit ton of programs both on and off your network. Some were brute force but others were packet sniffing high traffic areas and snooping out local machines that have lame passwords or weak encryption and trying man in the middle attacks on them.


----------



## RejZoR (Jul 27, 2010)

Good luck with my full ASCII 64 character password


----------



## slyfox2151 (Jul 27, 2010)

RejZoR said:


> Good luck with my full ASCII 64 character password



PFT, I could crack that.... gimme a 9mm handgun, job done in 5 minutes.

If that's not convincing.. take out the shotgun.


----------



## razaron (Jul 27, 2010)

There are 1.02*10^77 possibilities for my wireless security, and that's using hex. If it was ASCII the possible passwords would equal 4.09*10^151. Both of these are a lot bigger than the meager 370 million word dictionary.

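The back-of-the-envelope sums in the last few posts (keyspace for a given alphabet and length, years to exhaust it at a quoted GPU rate, and how little of that space a fixed word list can cover) are easy to get wrong by hand. The script below is an added worked example, not code from any poster or from the WPA Cracker service; the guess rates it uses are the ones quoted in the thread (120000/s for a GTX260, 6000/s for a 9600GSO) and are assumptions, not measurements. It generalises the posters' arithmetic to any alphabet size, length and rate, which is what you need when deciding how long a passphrase to set.

```python
"""Keyspace and exhaustive-search estimates for WPA/WPA2 passphrases.

Added example for this thread (not any poster's code). Guess rates are the
figures posters quoted and are assumptions; alphabet sizes are standard counts.
"""
import math
import string

# Alphabet sizes. 95 is the number of printable ASCII characters (space
# through '~'); WPA passphrases are 8 to 63 characters drawn from that set.
CHARSETS = {
    "digits": len(string.digits),                       # 10
    "lower": len(string.ascii_lowercase),               # 26
    "hex": 16,
    "alnum": len(string.ascii_letters + string.digits),  # 62
    "printable_ascii": 95,
}

# Rates quoted in the thread (assumed, not measured here).
QUOTED_RATES = {"GTX260": 120_000.0, "9600GSO": 6_000.0, "Phenom X4 1.8GHz": 1_200.0}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Equivalent key strength in bits for a uniformly random passphrase."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase at a fixed offline guess rate.
    Expected time for a random passphrase is half of this."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def dictionary_coverage(word_count: int, charset_size: int, length: int) -> float:
    """Upper bound on the fraction of the keyspace a word list of `word_count`
    entries can cover (assumes every entry is a distinct passphrase of that length)."""
    return word_count / keyspace(charset_size, length)


def min_length_for_years(charset_size: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose full keyspace takes at least `years` to exhaust."""
    length = 1
    while years_to_exhaust(charset_size, length, guesses_per_second) < years:
        length += 1
    return length


def report(charset_name: str, length: int, rate_name: str) -> str:
    """One human-readable line for a (alphabet, length, rate) combination."""
    size = CHARSETS[charset_name]
    rate = QUOTED_RATES[rate_name]
    return (f"{charset_name:>15} x{length:<3} {entropy_bits(size, length):6.1f} bits  "
            f"{years_to_exhaust(size, length, rate):14.3g} years @ {rate_name}")


if __name__ == "__main__":
    for name, length in [("alnum", 8), ("printable_ascii", 8), ("lower", 8), ("hex", 64)]:
        print(report(name, length, "GTX260"))
    # Coverage of a 135-million-word list against 8-char printable ASCII.
    print(f"135M-word list covers {dictionary_coverage(135_000_000, 95, 8):.2e} of 95^8")
    # Length needed so that even a 1000x faster cluster needs a century.
    print("min printable-ASCII length for 100 years at 1000 x GTX260:",
          min_length_for_years(95, 1000 * QUOTED_RATES["GTX260"], 100))
```

The numbers it prints are only as good as the rate you feed in; rates rise every hardware generation and scale linearly with cluster size, which is why the length calculation matters more than any one year figure. A fixed dictionary, by contrast, covers a fraction of the keyspace that does not change however fast the hardware gets.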

----------



## Dark_Webster (Jul 27, 2010)

Gosh, it's better to crack it yourself, keep the money even if it takes some days to decipher the password.


----------



## Hybrid_theory (Jul 28, 2010)

> Gosh, it's better to crack it yourself, keep the money even if it takes some days to decipher the password.


$17 is a lot cheaper than having company resources dedicated to cracking the network. It also takes technician time, which can be expensive.


----------



## Geofrancis (Jul 30, 2010)

I tried the GPU cracking on a 9600GSO and it did 6000 per second. With an 8 digit a-z password like the ones that come with ISPs' routers it would take a year.

I was thinking of building a GPU server with 4x 9800GX2s so I could do it in under a month, but lack of funds screwed that up.


----------



## Easy Rhino (Jul 30, 2010)

can't you just set your router to block requests from a mac address after it tried a bunch of times?


----------



## Hybrid_theory (Jul 30, 2010)

Maybe, depends on the flexibility of the firmware. But if that happened they could spoof their MAC every so often.


----------



## Easy Rhino (Jul 30, 2010)

Hybrid_theory said:


> Maybe, depends on the flexibility of the firmware. But if that happened they could spoof their MAC every so often.



True, but that would mean it would take a lot longer. It would not be worth it for the cracker and they would just move on to a different target. Unless of course you have government secrets on your network.


----------



## Hybrid_theory (Jul 30, 2010)

The thing to keep in mind with this service too, is that you capture traffic for X amount of hours and then send it to the cloud to analyze it and break the key. So preventative measures such as MAC filtering won't work in this situation.

But if an attacker is trying to brute force a wireless network and gets kicked off, well, they could probably integrate into the script to change MAC every so often. Or they would move to another target if financial gain is not enough.


----------



## Easy Rhino (Jul 30, 2010)

Hybrid_theory said:


> The thing to keep in mind with this service too, is that you capture traffic for X amount of hours and then send it to the cloud to analyze it and break the key. So preventative measures such as MAC filtering won't work in this situation.
> 
> But if an attacker is trying to brute force a wireless network and gets kicked off, well, they could probably integrate into the script to change MAC every so often. Or they would move to another target if financial gain is not enough.



Hrm, but to capture traffic you have to be on the network unless using a man in the middle attack. But in that case you already have to know a bunch of information about the network.


----------



## Hybrid_theory (Jul 30, 2010)

Wireless broadcasts beacons and other SSID information packets. So you can basically sniff that stuff for a long time and then analyze it. The service though is that you do this to your own network, and send the data to the cloud.

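The point of the last few posts is that the guessing happens offline against a recorded handshake, so nothing the access point does (MAC filtering, lockouts after N failures) slows it down. What does set the per-guess cost is the key derivation WPA-PSK uses, and the SSID is part of it. The following added example (not code from any poster) derives the Pairwise Master Key the way IEEE 802.11i specifies for pre-shared keys, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 32-byte output, which is the same computation the wpa_passphrase utility performs when writing a supplicant config. The test vector is the one published in the standard's Annex H; the timing function is a rough host-side measurement and its result will vary by machine.

```python
"""WPA/WPA2-PSK master key derivation and its fixed per-guess cost.

Added example for this thread (not any poster's code). Shows why an
offline guess cannot be throttled by the AP and why the SSID acts as a salt.
"""
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA-PSK
PMK_LEN = 32               # bytes
PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32) per 802.11i.

    Passphrases are 8 to 63 printable ASCII characters; anything else is
    rejected here rather than silently producing a key no real client would use.
    """
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, as written into a wpa_supplicant 'psk=' line."""
    return derive_pmk(passphrase, ssid).hex()


def ssid_changes_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs on two SSIDs.

    Because the SSID is the salt, a table of precomputed PMKs is only useful
    against networks with exactly that SSID; a unique SSID defeats table reuse.
    """
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def hmac_rounds_per_guess() -> int:
    """HMAC-SHA1 invocations a single offline guess costs (2 per PBKDF2 block)."""
    blocks = -(-PMK_LEN // hashlib.sha1().digest_size)   # ceil(32 / 20) = 2
    return blocks * PBKDF2_ITERATIONS


def measure_guesses_per_second(samples: int = 50) -> float:
    """Rough single-core rate on this host; rises with better hardware, never
    with anything the access point configures."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"constructed-{i:08d}", "ConstructedSSID")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print("PMK:", pmk_hex("password", "IEEE"))
    print("HMAC rounds per guess:", hmac_rounds_per_guess())
    print("same passphrase, different SSID ->",
          ssid_changes_pmk("password", "IEEE", "IEEE2"))
    print(f"this host, one core: ~{measure_guesses_per_second():.0f} guesses/s")
```

Two defender conclusions follow directly from the code: the 8192 HMAC rounds per guess are the only brake on an offline attack, so the passphrase's entropy has to do the work, and because the SSID salts the derivation, a non-default SSID forces any precomputed table to be rebuilt per network. Where no shared passphrase exists at all (802.1X/EAP with a RADIUS server, as an earlier post describes), there is no PMK to guess from a captured handshake in this way.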

----------



## Disparia (Jul 30, 2010)

I don't believe it wouldn't matter. One would only need to grab enough data and have the service (or their own tools) hack away at it. If successful, return and rape the network.

Like WEP, except that WEP fails so fast that you can find a WLAN, sit there, wait for the key to be figured out, then break in.



Edit, heh, a little late hitting the post button.


----------



## 3volvedcombat (Jul 30, 2010)

Just take fits mega reg.

Equip it with some 4 GTX 480s

Overclock them just a tad and have them on water cooling

You would have a lot of cores for a cluster of processing



But that is still not fast enough so.

But just a thought hmmm


----------



## Hybrid_theory (Jul 30, 2010)

Might be cheaper to buy a bunch of like 5 year old PCs for $200 each and cluster em or something.


----------



## blkhogan (Jul 30, 2010)

slyfox2151 said:


> PFT, I could crack that.... gimme a 9mm handgun, job done in 5 minutes.
> 
> If that's not convincing.. take out the shotgun.


That would work. Until you ran into someone (like me) that has bigger and badder guns waiting.
I had a friend, for shits and giggles, try and crack my network. He's cracked it before in about 3 days time. He had a dedicated GPU box with 3 or 4 260s working on it. He bet me $100 that he could crack it in under 7 days max. Hahahaha.... I won. Still haven't seen a dime from him though. I'm more than safe in the area I live in. It's a neighborhood of older retired folks.


----------



## Hybrid_theory (Jul 30, 2010)

> That would work. Until you ran into someone (like me) that has bigger and badder guns waiting.
> I had a friend, for shits and giggles, try and crack my network. He's cracked it before in about 3 days time. He had a dedicated GPU box with 3 or 4 260s working on it. He bet me $100 that he could crack it in under 7 days max. Hahahaha.... I won. Still haven't seen a dime from him though. I'm more than safe in the area I live in. It's a neighborhood of older retired folks.



Retired hackers that worked for crime lords in the 80s.


----------



## claylomax (Jul 30, 2010)

Just right now, from my room I can detect 10 WiFi connections: 4 use WPA, 4 use WEP and the other 2 use no security key at all. Most of the people don't know about this and they just set up the router and leave it on a shelf and that's it. By the way they all use the same channels: 1, 6 and 11.


----------



## Hybrid_theory (Jul 30, 2010)

Yeah, 1, 6 and 11 are the most common as those are the only 3 that don't overlap when in one area.


----------



## dr emulator (madmax) (Jul 30, 2010)

hat said:


> They just use a dictionary? Good luck getting into mine.



Yes, but I already know yours.


----------



## Geofrancis (Jul 30, 2010)

To sniff a WPA key you just need to leave a computer monitoring the wireless network until someone logs on so it can record the handshake; then you are free to use whatever software or hardware you want to break it.

The problem is you need a shit load of processing power to break it. My 1.8GHz Phenom X4 can do 1200/s compared to a 9600GSO with 96 shaders that does 6000. If you had a computer like the FASTRA II with 6 GTX 295s and a GTX 280 in it, I estimate you could do an 8 digit password in a week.


----------



## dr emulator (madmax) (Jul 30, 2010)

VulkanBros said:


> Wait a second.... 2 months ago I had a network security firm hired to test my company's wireless networks.
> 
> The lowest encryption we use is WPA2 AES/TKIP with a 13 character encryption code.
> The highest encryption we use is a mix of RADIUS servers, MAC filtering, static IPs and random keys.
> ...



Got to agree with ya there, as who is going to say "I want my money back" after they've tried to do something illegal?

I could just imagine some foo going, "Hey Mr. Policeman, they ripped me off."

Policeman says, "How?"

They say, "Well, I tried to steal my neighbour's WiFi key."

"Oh really," says Mr. Policeman, "let's talk about this down at the station."


----------



## Hybrid_theory (Jul 30, 2010)

> Got to agree with ya there, as who is going to say "I want my money back" after they've tried to do something illegal?



It's only illegal if you don't have permission. So in a case like this, there would be signed and agreed-to documents on both parties' side.


----------



## Geofrancis (Jul 31, 2010)

I take it no one has read this article about renting cloud computing to do a brute force attack using rented servers?

http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html


They use Elcomsoft Distributed Password Recovery to do it. I have tested this software to build my own distributed cluster, using my server to host it and all my friends' computers to break it.


----------

