Barry Manilow Highlights 'Three Strikes' Law Stupidity > Fine unsecured APs

reply to fAcEtIOUs

Re: Fine unsecured APs

Just google WPA2 crack and you will see tons of howtos. The basics method has been around for at least a couple of years.

It does, indeed, take time to brute-force the WPA/2 keys. However, the whole "GPU-based cracking" approach speeds things up dramatically.

Now imagine someone with an SLI, quad-core laptop. That's two GPUs and four 'CPUs'.

Now imagine someone with an SLI, I7 laptop. That's two GPUs and eight "CPUs" crunching the data at an incredible rate.

reply to DataRiker

Pride goeth before destruction, and a haughty spirit before a fall.

reply to Ian
Ian

The thing you are leaving out of the equation is the human element. The vast majority of users will only use common phrases, which (generally) narrows down the choices to a few hundred thousand variations(which is where GPUs can really shine). Since one can passively grab the encrypted phrase and brute force it off line, it drops the attackers risk to almost zero. Add this to the fact that the vast majority of people seldom change their pass phrase more than once a year, and it becomes obvious how easy access can be obtained.

»dookie.dkearns.ca/?p=49

Above is an example of breaking a probably above average password. The tools used to break it are all open source (no cost). It probably took less than 15 minutes from start to finish.

You can change my original question to how(and who) decides if a pass phrase is strong enough? Remember one can add any pass phrase one wishes to one's attack dictionary. You can even link it to things like john the ripper, that will generate even your example password. It is just a matter of time. With the use of rainbow tables and simple parallel processors(GPUs), the time required is dramatically reduces.

Firstly, there are no rainbow tables ( technically precomputed hash tables) large enough to store anything but "worded" dictionaries. Even good dictionaries contain several languages and are enormous, hundred's and thousands of gigabytes.

Secondly, a good password, say 21+ characters when chosen properly is secure against any GPU or CPU attack ( assuming WPA or WPA2 ).

To reiterate, even the fastest GPU on the market is just a drop in the bucket when it comes to brute forcing anything but the lamest passwords.

reply to Ian
1st. In reality that is a relatively secure password as compared to what is commonly used. Yes, much stronger(and longer) passwords can (and probably should be) used, but the fact is that they are not.

The other thing you are missing (again) is that people do not (generally) use the vast majority of words in the (regular) dictionary. The vast majority of passwords(actually used) use a very small subset of those words. First names, god, and other key words, are still used in the vast majority of passwords. Even the selection of "random" characters chosen in a password is subject to human limitations. People will generally only use characters that they can easily type (in other words, ones that they commonly use).

Edit: After auditing a lot of small business over the last few years, VERY few had even a 15 character pass phrase much less a 21 character.

I agree 100%. Bad passwords are to blame, not a falsely accused "cracked" cipher like WPA and WPA2.

Also I would like to note that anything above 8-9 characters is a formidable password ( assuming its not in the dictionary )

My issue is with the fact that people assume a rainbow table is helpful. I have found most passwords contain a NAME + some simple number like "Austin21" for example.

You can kiss that rainbow table goodbye.

You can include anything in the table that you like (and most do include digits).

Here is a popular table and its discussion.

»www.renderlab.net/projects/WPA-tables/

Some highlights would include: checking 18,000password/sec on a 700Mhz PIII(using a paralell GPU would increase this by a factor of the number of streaming processors in the GPU), the current large list is 33GB and includes the top 1000 SSID list from wigle.net. There is current hardware available (for adding to the list) that can calculate 9000 pass phrases/sec.

Yes you could, but its pointless. (most do NOT include digits, nor special characters - almost all include dictionaries)

That is why experts completely dismiss rainbow table's that include digits(they become too large and self defeating - it starts taking more time to index than to "use"). You will never see a rainbow table include "Austin21" for example. In fact your table attack will fail on my simple password.

Why? because it would require an almost infinite amount of memory and time to pre-compute.

Even adding 1-3 characters permutations on a simple dictionary is impossible given todays memory constraints.

The point I've been beating to death is raindow tables are only good for dictionary attacks. That will be true for a long long time.

Given this and the fact that an AP "salts" its password hash with this, your on an impossible uphill battle. Your never going to win without some fundamental flaw in the Cipher, which thus far nobody has shown.

Also, I am very familiar with the PreComputed Hash table on the internet, including the one you posted. What they don't tell you is that it will fail well over 99% of the time. ( actually, I've never heard of successful cases in the wild of success )

33 GB is extremely small for a hash table. Professional tables range from 1 - 50 Terabytes and are still very unlikely to find keys on all but the easiest passwords.

Also, your assumptions about common passwords has never been proven. Its such a common misconception that has been debunked numerous times.

From my own observations, the vast vast majority of passwords are a person's last name + a digit, or a street number+name. (again such passwords make tables useless)

Also, a valid counter point is that, again taken from my own area and experience, most people rename their AP's to some unique name. The iconic "linksys" is becoming all to rare these days.

This stops Precomputed tables dead. You have to recompute the table for each AP name ( and thus defeating its purpose entirely).

Yes, SSID is salted(which I and the links referred to). Keep in mind one(at least) of the major ISPs that installs wireless uses a standard format (2WIREXXX, XXX is three digits). Here is a link to a "salt" table(short one) that lists many of these and other common ones:

»mirror.fpux.com/Rainbow_Tables/w···SSID.txt

Within range of my place I have over twenty APS using SSID off of this list. In some cases there are multiple APs using the same SSID.