Reply to Lazlow (Re: Fine unsecured APs):
I agree 100%. Bad passwords are to blame, not a falsely accused "cracked" cipher like WPA and WPA2.
Also I would like to note that anything above 8-9 characters is a formidable password (assuming it's not in the dictionary).
My issue is with the fact that people assume a rainbow table is helpful. I have found most passwords contain a NAME + some simple number like "Austin21" for example.
You can kiss that rainbow table goodbye.
Lazlow (join: 2006-08-07, Saint Louis, MO):
You can include anything in the table that you like (and most do include digits).
Here is a popular table and its discussion.
www.renderlab.net/projects/WPA-tables/
Some highlights would include: checking 18,000 passwords/sec on a 700 MHz PIII (using a parallel GPU would increase this by a factor of the number of streaming processors in the GPU), the current large list is 33GB and includes the top 1000 SSID list from wigle.net. There is current hardware available (for adding to the list) that can calculate 9000 pass phrases/sec.
Reply to Lazlow:
Yes you could, but it's pointless. (Most do NOT include digits, nor special characters; almost all include dictionaries.)
That is why experts completely dismiss rainbow tables that include digits (they become too large and self-defeating; it starts taking more time to index than to "use"). You will never see a rainbow table include "Austin21" for example. In fact your table attack will fail on my simple password.
Why? Because it would require an almost infinite amount of memory and time to pre-compute.
Even adding 1-3 character permutations on a simple dictionary is impossible given today's memory constraints.
The point I've been beating to death is rainbow tables are only good for dictionary attacks. That will be true for a long, long time.
Given this and the fact that an AP "salts" its password hash with this, you're on an impossible uphill battle. You're never going to win without some fundamental flaw in the cipher, which thus far nobody has shown.
Also, I am very familiar with the precomputed hash tables on the internet, including the one you posted. What they don't tell you is that it will fail well over 99% of the time. (Actually, I've never heard of successful cases in the wild.)
33 GB is extremely small for a hash table. Professional tables range from 1 - 50 Terabytes and are still very unlikely to find keys on all but the easiest passwords.
Also, your assumptions about common passwords have never been proven. It's such a common misconception that has been debunked numerous times.
From my own observations, the vast, vast majority of passwords are a person's last name + a digit, or a street number + name. (Again, such passwords make tables useless.)
Also, a valid counterpoint is that, again taken from my own area and experience, most people rename their APs to some unique name. The iconic "linksys" is becoming all too rare these days.
This stops precomputed tables dead. You have to recompute the table for each AP name (and thus defeat its purpose entirely).
Lazlow:
Yes, SSID is salted (which I and the links referred to). Keep in mind one (at least) of the major ISPs that installs wireless uses a standard format (2WIREXXX, XXX is three digits). Here is a link to a "salt" table (short one) that lists many of these and other common ones:
mirror.fpux.com/Rainbow_Tables/w···SSID.txt
Within range of my place I have over twenty APs using SSIDs off of this list. In some cases there are multiple APs using the same SSID.
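Both sides of the thread agree that the SSID acts as the salt; the following is an added example (not from the thread or from any of the linked table projects) that shows the actual WPA-Personal derivation, checks it against the known-answer vector from the IEEE 802.11i annex, and demonstrates why a PSK precomputed for one SSID says nothing about another. The "2WIRE123" and "myhomenet" SSIDs are constructed sample values in the format the thread describes.

```python
import hashlib

# WPA/WPA2-Personal (IEEE 802.11i) turns the passphrase into the 256-bit PSK
# with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID. That salt is
# what ties any precomputed table to one network name.
WPA_ITERATIONS = 4096
PSK_LEN = 32          # 256 bits
SHA1_LEN = 20


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK (the PMK) for a passphrase on the given SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, PSK_LEN)


def hmac_calls_per_candidate() -> int:
    """Work per guess: a 32-byte output needs two 20-byte SHA1 blocks, each
    iterated 4096 times, so 8192 HMAC-SHA1 calls for every candidate."""
    blocks = -(-PSK_LEN // SHA1_LEN)      # ceiling division
    return blocks * WPA_ITERATIONS


def table_is_bound_to_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PSKs on two SSIDs, i.e.
    a table computed for ssid_a has to be recomputed from scratch for ssid_b."""
    return derive_wpa_psk(passphrase, ssid_a) != derive_wpa_psk(passphrase, ssid_b)


if __name__ == "__main__":
    # Known-answer test from the IEEE 802.11i annex: "password" on SSID "IEEE".
    print(derive_wpa_psk("password", "IEEE").hex())
    # Constructed SSIDs: an ISP-default-style name versus a renamed AP.
    print(table_is_bound_to_ssid("password", "2WIRE123", "myhomenet"))
    print(hmac_calls_per_candidate())
```

The same derivation applies unchanged to WPA2-Personal, so the per-SSID binding (and the 8192 HMAC operations per candidate) is why a default-format SSID is the one thing a precomputed table can target.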
Reply to Lazlow:
I have found that most who leave an AP in its default state never even bother putting a password on.
Besides that, have you ever penetration tested with these tables? I promise a 0% success rate.
Also, many ISPs who set up wireless networks as part of installs set a password for the account owners; never heard of simple words being used as a pass phrase.
Again, the most common types of passwords of non tech-savvy people I have come across are always "Name+Number" combinations, rendering a hash table useless (even more useless, I should say).
Pretty soon, routers will start using a pseudo-random seed for the SSID salt, regardless of whether or not an SSID is chosen, but even that is just a formality. Nobody is cracking anything but so-called "lame" passwords for a very, very long time.
To make things even worse, most routers sold within the past few years default to WPA2, which, unless someone finds some major flaw, is immune to precomputed attacks.
Lazlow:
Yes, I have run those tests with the security audits I have done. Very few APs survived without penetration. Most of the companies removed wireless; running Cat6 is really not that difficult or expensive. The ones that required a wireless AP used various methods to limit the time it was in operation. A simple method is to put it on the same circuit that the lights are on. The current versions of attack software apply equally well to WPA2 as they do to earlier security measures (note the repost in GolfnSun's post as well as it being mentioned in several of my links).
GOLFnSun's post makes a lot of the points (not all) that I have been trying to make. In absolute terms a password with less than 20(?) characters is not out of reach of current hardware/software attack capability, but virtually no one is using passwords of that length. It also points out what I have been saying all along: people only use a small subset of the possible passwords out there. One does not need to run the entire (as in Webster's) dictionary, one only needs to run a very small subset. This also applies to one's table. You can (and many do) include such things as first name + 2 digits. These types of passwords are included in hash tables because (as you pointed out) it is a popular format that people use. Another similar common thing people use is to substitute "15" for "is", as in name15god (an amazingly popular password).
Reply to Lazlow:
said by Lazlow: (quotes Lazlow's previous post in full)
On second thought, I'm done arguing. Your first paragraph was nonsensical at best.
Brute force is what it is. One could literally use thousands of the newest 250+ shader core video cards in tandem; it wouldn't make a bit of difference.
This stems from a lack of scope.
You assume most use simple passwords (they do, but not the type favorable to hash tables).
A standard CPU like mine can fly through a dictionary in about 6 minutes. No video card needed. Video cards accelerate a problem that didn't need fixing.
So what happens now that I have exhausted my dictionary, or my table?
***I would also like to point out that your statement that very few APs survived penetration testing is a red flag. Even the most experienced auditors have "low" success rates. I would say anything above 2-3 out of 100 is unbelievable success (2-3%).
Lazlow:
As I pointed out earlier, this same software can be linked to software like John the Ripper (and others) to apply pure brute force (try absolutely every character if necessary).
If your CPU can generate all the hashes in a table in 6 minutes, I am sure there are a lot of people who would like to be your friend.
Going into meetings with clients having valid MACs, SSIDs, and pass phrases is why the vast majority of clients stopped using wireless. In the long term wireless cost more in exposure than wiring for Cat6.
Reply to Lazlow:
Any CPU on the market can RUN a simple dictionary in a few minutes. You're talking about computing the hashes from scratch (which takes my CPU overnight usually). Which tells me you have no idea about what you are saying.
And most corporate environments have password rules defined, such that they must contain special characters and what not (never seen corporate networks use SSIDs or MAC addys for any purpose).
Please, I will be willing to shut up if you can prove to us that you can break random WPA keys as easily as you say. Any type of verifiable evidence will do. Perhaps we can have a public challenge? There are lots of BBR members here from everywhere. I say 20 random APs secured by WPA; I will bet that not one will fail.
If you're really having that much trouble securing wireless APs, please send your business to me.