Cracking WPA PSKs in the Cloud

Posted by Jake Reynolds on April 03, 2012 Link 

ve our own wireless security assessment methodology for various WiFi authentication and encryption schemes commonly observed. I thought I'd write a bit about how we handle WPA/WPA2 personal (pre-shared keys). Unlike cracking WEP, which is a crypto-attack, cracking a WPA PSK involves a dictionary attack against a captured WPA handshake. The exception to this is PIN-based WiFi Protected Setup (WPS), which can be brute-forced in 11,000 max attempts with tools like Reaver. It goes without saying that a dictionary attack is only as good as the dictionary in use. I like to perform these tests using two dictionaries: One giant, stupid, dictionary, and one small targeted dictionary.
My big dictionary is a 1.1+ billion word monster. It contains only words between 8 and 63 characters just like the WPA standards for ASCII passphrases. It is an amalgamation of many known, good password dictionaries and can be found in this excellent blog entry about dictionaries by G0tmi1k. You need a lot of horsepower to test this many words against a captured handshake but that's where the "cloud" comes in and we'll get to that later.

My custom dictionary is always a list of words that pertain to the client and network I am attempting to crack. I often use tools to help streamline this process. For example, CeWL (Custom Word List Generator) by Robin Wood is a tool that will spider a given target site and dump words it encounters into a custom dictionary. Another tool useful for this purpose is the CUPP (Common User Passwords Profiler) by Muris Kurgas. This tool takes input terms and can add numbers, special chars, and l33t 5p34k to the values.

This gets us to the cloud. A dictionary attack against a WPA PSK requires a captured 4-way handshake, the target network's ESSID, and of course the dictionary itself. Testing 10,000 PSK values is equivalent to hashing 9.8GB of data through SHA1. Extrapolate that out to my dictionary of 1.1B+ words and that's like SHA1 hashing 1,078TB or 1.078PB. That takes quite a few cycles, cycles I don't have readily available.

Never fear, CloudCracker is here. For $17.00, they'll test your WPA handshake against a 300,000,000 word dictionary in around 20 minutes. That's a pretty solid value prop. I'd bet they have a higher quality dictionary than me. This is a great service for home users who want to test their WPA security. However, it became obvious that we could never use this service for our clients after reading their Privacy Policy. I'd be selling CloudCracker short if I didn't mention that their service will also crack NTLM hashes and encrypted PDF files.

I need a solution that gives me more control. Enter Pyrit and Amazon EC2. Pyrit lets you use CPU cores and GPU cores together, in parallel, to crack WPA PSKs. It turns out that the job of computing WPA PMKs is better handled by massive numbers of cores operating concurrently than a handful of very powerful cores. The chart below shows the performance of common GPUs in PMKs (pairwise master key, a salted PSK) per second.

EC2 just so happens to have an instance they call "Cluster GPU Quadruple Extra Large Instance" which has two NVIDIA M2050 GPUs. These aren't the best GPUs for this type of work by a long shot but they do have 448 cores apiece and will certainly outshine anything I happen to have laying around. The price is also right at $2.10 an hour. I launched an instance and installed Pyrit from source. A quick benchmark gets me above 46,000 PMKs per second.

During an actual attack this setup gets me well north of 50,000 PMKs/s. At this rate Pyrit will run through my huge dictionary in just under 6 hours and will cost about $12.00. That's OK for me right now but adding more power is as simple as setting up more of these instances and running Pyrit in parallel. Tom's Hardware reports gaining an additional 18,000 - 20,000 PMKs/s for each additional EC2 instance without code optimization. The suboptimal scaling is a result of network and other bottlenecks.

If you want to avoid this type of attack without changing from WPA personal mode, just make sure your PSK is long, and not anything that would ever be in a dictionary. The passphrase, "Th3rE'sn0Way_You'dGueS5#tH!s" is a good example. Oh, and disable WPS on your access point.

Security threats are all around us. Are you prepared?
Not sure? Lets Talk.