Cracking WPA Protected WiFi in Six Minutes

Tuesday, January 18, 2011

Dan Dieterle


Using WPA/WPA2 to protect your wireless network has been stressed for quite a while now. But, just how long would it take to crack a WPA-PSK protected wireless network?

Well, according to recent reports, security researcher Thomas Roth says with his brute force program he was able to break into a WPA-PSK protected network in about 20 minutes. And with recent updates to the program, the same password would take about 6 minutes!

“People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so. But it is easy to brute force them,” Roth said.

How is this possible, you ask? Roth’s program uses the power of the Cloud, Amazon’s cloud, using EC2 computers to be exact.

And what kind of power is available? I am not sure exactly which Amazon cloud package Roth used with his program.

But a quick glance at the Amazon EC2 website shows that a Cluster GPU Quadruple Extra Large Instance provides access to 22 GB of memory, 33.5 EC2 Compute Units, 2 x NVIDIA Tesla “Fermi” M2050 GPUs, 1690 GB of local instance storage, 64-bit platform, and 10 Gigabit Ethernet.

And it looks like you can access up to eight of these systems before you need to fill out a special request form for additional servers.

Amazon charges 28 cents per minute for the service Roth used. And with his program checking 400,000 possible passwords per second, cracking WPA just became pretty cost effective.

But using the cloud to brute force is nothing new to Roth, according to The Register:

Roth is the same researcher who in November used Amazon’s cloud to brute force SHA-1 hashes. Roth said he cracked 14 hashes from a 160-bit SHA-1 hash with a password of between one and six characters in about 49 minutes. He told The Register at the time he’d be able to significantly reduce that time with minor tweaks to his software, which made use of “Cluster GPU Instances” of the EC2 service.

Amazon is not too keen on Roth using the cloud for cracking passwords. According to an Amazon spokesman, using the cloud service to create a tool to show how security can be increased is okay. But don’t use it to actually crack passwords:

“Testing is an excellent use of AWS, however, it is a violation of our acceptable use policy to use our services to compromise the security of a network without authorization.”

Using a long, complex password would prolong the time to brute force the password, but the Cloud-based cracker program sounds impressive indeed.
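To size a passphrase against the figures quoted above, here is an added example (not from the original post and not Roth's software) that estimates exhaustive-search time and cost at the article's 400,000 guesses per second and 28 cents per minute. The character-set sizes and function names are assumptions, and it assumes a constant rate and a passphrase of randomly chosen characters.

```python
RATE_PER_SEC = 400_000        # guesses per second, as stated in the article
COST_PER_MIN = 0.28           # USD per minute, as stated in the article
SECONDS_PER_YEAR = 365 * 24 * 3600
WPA_MIN_LEN = 8               # WPA-PSK passphrases are 8 to 63 characters

# Assumed character-set sizes (illustrative, not from the article).
CHARSETS = {"digits": 10, "lower": 26, "alnum": 62, "printable": 95}


def keyspace(charset_size, length):
    """Number of candidate passphrases of exactly `length` characters."""
    return charset_size ** length


def guesses_in(minutes, rate=RATE_PER_SEC):
    """How many candidates can be tested in `minutes` at `rate`."""
    return int(minutes * 60 * rate)


def average_seconds(charset_size, length, rate=RATE_PER_SEC):
    """Expected search time: on average half the keyspace is tried."""
    return keyspace(charset_size, length) / 2 / rate


def average_cost_usd(charset_size, length, rate=RATE_PER_SEC,
                     cost_per_min=COST_PER_MIN):
    """Expected bill for the search at the article's per-minute price."""
    return average_seconds(charset_size, length, rate) / 60 * cost_per_min


def rate_needed(charset_size, length, minutes):
    """Guesses per second required to finish, on average, in `minutes`."""
    return keyspace(charset_size, length) / 2 / (minutes * 60)


def min_length(charset_size, years, rate=RATE_PER_SEC):
    """Shortest random passphrase whose average search time is >= `years`."""
    target = years * SECONDS_PER_YEAR * rate * 2
    length = WPA_MIN_LEN
    while keyspace(charset_size, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    print("candidates tested in 6 minutes:", guesses_in(6))
    for name, size in CHARSETS.items():
        years = average_seconds(size, 8) / SECONDS_PER_YEAR
        print(f"{name:9s} 8 chars: {years:12.3f} years avg, "
              f"${average_cost_usd(size, 8):,.0f}; "
              f"length for 1000 years: {min_length(size, 1000)}")
```

These numbers only bound a search over random characters; a passphrase built from dictionary words falls within the candidates a wordlist covers, regardless of its length.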

Want to know more? Roth is scheduled to speak on this topic at the BlackHat 2011 DC seminar later this month and plans on making the software publicly available.

Cross-posted from Cyber Arms

Taz Wake Interesting article and it is a shame I can't make Black Hat as I would like to find out more.

I do have a question though - is this system really only able to try 400,000 passwords per minute?

If we accept that a password consisting of 8 alpha numerics has 53 trillion combinations (source: http://www.lockdown.co.uk/?pg=combi) then it would take this system about 252 years to brute force it.

Is there a decimal place error somewhere here?
Dan Dieterle Taz, sorry, it is 400,000 passwords per second. My bad.

Taz Wake Nice one - thanks for the clarification!

Great article.
Dan Dieterle Thanks Taz, appreciate it! I can't believe I didn't catch that! :)
Ben Keeley Nice article, yeah there were blogs last year about this. Need one of their clusters with decent GPUs and something like this http://hashcat.net/oclhashcat/
Liam McKay 400,000 passwords per second doesn't cut it either.

To brute force an 8 char alphanumeric (62 possible chars) string in an average time of 6 minutes would require something in the order of 300 billion passwords per sec.

Further reading confirms he is in fact talking about a dictionary attack, not brute force (which by definition is systematically checking all possible keys until the correct key is found)

Nothing has changed, WPA is as strong as the chosen pass phrase.
George Papandreou hi! nice blog about cracking a wpa wireless network...but i have a question for you ... my wpa2-psk (aes) is:

!Fo96T%#__()ITk?NbV:>?"434G

I wrote it on my own ...is it complex and a 63 length password....

IS IT CRACKABLE ..?? can you crack it ?
CAN ONE OF THE BEST HACKERS CRACK THIS ??
do hackers use a dictionary attack or bruteforce attack to crack a wpa password ...or they have other ways ?? (exploit vulnerabilities) ??

please explain ..

thank you !
George Papandreou sorry my password is !Fo96T%#__()ITk?NbV:>?"434G
George Papandreou .....i can't paste the whole password ...i don't know why.....
my password is 63 length key ....that look like the above about complexity ...