WPA-PSK Security Myths
Although not strictly related to WPA-PSK cracking, there are two security myths that deserve debunking.
Myth 1: Disabling the SSID Broadcast Secures your WLAN
"Cloaking" your SSID might sound good on the surface. But programs like Kismet that are capable of monitoring wireless network traffic are also able to "decloak" access points by listening to traffic between the clients and the access point.
For Kismet, this process takes only a few minutes of relatively light network traffic. Disabling the SSID broadcast really makes it only slightly harder for potential attackers to connect to your AP (they now have to type the SSID instead of clicking on it).
Myth 2: Filtering MAC Addresses Secures Your WLAN
This idea again sounds good on the surface: limit the computers that can connect by their MAC addresses. There are two problems with this technique.
1) Physically maintaining the table of acceptable MAC addresses becomes more burdensome as your network grows.
2) MAC addresses can be easily spoofed.
Chances are that anyone with the know-how to get past WPA will spoof their MAC address when they connect anyway, if only to avoid leaving a failed MAC-filter entry in your router's logs.
Kismet, in particular, excels at this with its AP "clients" view which lists, among other things, client MAC addresses, which we see in Figure 14 below.
Figure 14: Kismet Client List with MAC Addresses
Spoofing your MAC address (in Linux) is as simple as this:
bt ~ # ifconfig ath0 hw ether AA:BB:CC:DD:EE:FF
bt ~ # ifconfig ath0 up
bt ~ # ifconfig ath0
ath0      Link encap:Ethernet  HWaddr AA:BB:CC:DD:EE:FF
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1092 (1.0 KiB)  TX bytes:590 (590.0 b)
In Windows, the majority of network drivers also let you change the MAC address easily.
Figure 15: Windows MAC Address Configuration
WPA-PSK Security Tips
You now know how to break weak WPA-PSK keys. Now make sure that it doesn't happen to you by using two simple techniques.
Tip #1: Use strong passphrases!
Conventional wisdom says that the longer and more random the password, the better. But do you really need a 64-character randomly-generated passphrase to be safe from being hacked?
Dan Goodin's article has a few figures that are helpful to keep in mind as you decide how long and how random your password should be. Assuming an attack checks all combinations of the 95 letters, numbers, and symbols available on a standard English-language keyboard and uses a desktop computer with an Intel Core i7 980x processor:
- Cracking a five character passphrase takes a few hours
- Six characters takes about a day
- Seven characters takes more than 10 days
This Ethical Recruiting Alliance article provides another data point, this one assuming the use of a Radeon HD 7970 graphics processor ($400 - $500 typically) to speed up cracking:
- A five-character password can be cracked in five seconds.
- A six-character password can be cracked in seven seconds.
- A seven-character password may take 13 hours to crack.
- An eight-character password may take 57 days to crack.
- A nine-character password may take 15 years to crack.
So now you know why more sites and services are requiring passwords of at least 8 characters using a mix of upper and lower case letters and numbers!
It should be noted that those times are for a brute-force scenario. As we showed in our examples, simple words can be cracked fairly quickly if they are in the dictionary or are a mutation of a dictionary word. Our nine-character password gilbert28 fell to our Nvidia 9800GT in less than an hour because of the dictionary attack. Using the word Password as your password would fall in seconds to most attackers. The key is combining words and padding your own combination of special characters onto the end.
Steve Gibson's GRC has two tools to help you with passwords. His Perfect Passwords "Ultra High Security Password Generator" will generate totally random 63/64 character passwords. Really safe, but impossible to remember.
Perhaps more useful is Steve's Interactive Brute Force Password Search Space Calculator. This tool takes the opposite approach to the Generator, taking passwords you create and spitting back information about their complexity. If you use this tool, however, be sure to read the background information on the page so that you know what your test results mean!
As for that "simple" classymoon359 password that stumped CloudCracker: Steve's tool reported that it would take 2.9 weeks to crack in the "Massive Cracking Array Scenario" running at 100 trillion guesses a second. But since CloudCracker runs at best at only 671 guesses/second, the "Online Attack Scenario" (1,000 guesses/second) result of 55.79 million centuries is a better indication of how long an attacker would need, unless he/she had a very well-optimized dictionary.
It might seem counter-intuitive, but an easy-to-remember password like TimRouterHouseFatCat17### would take 7.66 hundred million trillion centuries to crack in the massive cracking array scenario, whereas something seemingly complex like G8sloves$ could be cracked in just under 2 hours. In the quest for more secure passwords, it's easy to end up with ones that are harder to remember and yet less secure. Using these tips and tools will hopefully make the opposite true for you.
After spending some time with the Calculator, you just might decide to update a few of your passwords! I know I did.
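To make the search-space arithmetic behind those figures concrete, here is an added example (not code from the original article or from GRC) that does what the Calculator does for the passwords discussed above: it sizes the alphabet from the character classes a password actually uses (26 lower, 26 upper, 10 digits, 33 symbols, 95 in total), counts every candidate up to the password's length, and divides by the three guess rates quoted on this page. The up-to-length counting convention and the class sizes are assumptions of this example; the scenario rates are the ones the text gives.

```python
import string

# Character classes and their sizes; together they make up the 95 printable
# characters on a standard US keyboard that the brute-force figures assume
# (26 lower + 26 upper + 10 digits + 33 symbols, counting the space).
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The three attack rates the article quotes: CloudCracker's measured best case,
# GRC's "Online Attack" scenario and GRC's "Massive Cracking Array" scenario.
SCENARIOS = {
    "CloudCracker (671/s)": 671,
    "Online attack (1,000/s)": 1_000,
    "Massive cracking array (100 trillion/s)": 100_000_000_000_000,
}


def alphabet_size(passphrase: str) -> int:
    """Size of the smallest class-based alphabet an attacker has to search.

    A brute-forcer that knows the password uses only lowercase letters and
    digits tries 36 symbols per position; one that must allow symbols too
    tries all 95. Characters outside the four classes are ignored.
    """
    chars = set(passphrase)
    size = sum(len(cls) for cls in CLASSES.values() if chars & cls)
    if size == 0:
        raise ValueError("passphrase contains no printable ASCII characters")
    return size


def search_space(passphrase: str) -> int:
    """Candidates an exhaustive search must try: every string over the alphabet
    of length 1 up to and including the passphrase's length (assumed convention)."""
    a = alphabet_size(passphrase)
    return sum(a ** k for k in range(1, len(passphrase) + 1))


def time_to_crack(passphrase: str, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the search space at the given guess rate."""
    return search_space(passphrase) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit (centuries for the big ones)."""
    units = [
        ("centuries", 100 * SECONDS_PER_YEAR),
        ("years", SECONDS_PER_YEAR),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def report(passphrase: str) -> dict:
    """Alphabet, search space and worst-case time under each scenario."""
    return {
        "alphabet": alphabet_size(passphrase),
        "search_space": search_space(passphrase),
        "times": {
            name: human_duration(time_to_crack(passphrase, rate))
            for name, rate in SCENARIOS.items()
        },
    }


if __name__ == "__main__":
    # The passwords discussed in the text; the brute-force figures say nothing
    # about dictionary attacks, which is how gilbert28 actually fell.
    for pw in ["gilbert28", "G8sloves$", "classymoon359", "TimRouterHouseFatCat17###"]:
        r = report(pw)
        print(f"{pw}: alphabet {r['alphabet']}, search space {r['search_space']:.3e}")
        for name, t in r["times"].items():
            print(f"    {name}: {t}")
```

Run it and G8sloves$ comes out at roughly 6,370 seconds under the 100-trillion-per-second scenario, the "just under 2 hours" the text mentions, while the much longer lowercase-plus-digits classymoon359 lands in the 2.9-week range. Note that the calculation is blind to dictionary structure: it would rate "Password1!" highly even though any cracker with a wordlist will try it almost immediately.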
Tip #2: Change your SSID from its default
Since the WPA key is derived from the passphrase using the SSID as a salt, it makes sense to change your AP's SSID to render precomputed hash tables useless (assuming you change it to something non-obvious). This forces the attacker to start from square one, either by generating a hash table for your SSID or by running a straight dictionary attack.
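The following added example (not code from the original article) shows why this works, using the actual WPA/WPA2-PSK key derivation from IEEE 802.11i: the Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations, 32 bytes out. A lookup table built for one SSID stores the result of that work for that SSID only, so the same passphrase under a different SSID produces a PMK the table has never seen. The SSID names and the four-word wordlist are constructed for the example; the "password"/"IEEE" vector in the check is the standard's own test vector.

```python
import hashlib
from typing import Dict, Iterable, Optional


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK Pairwise Master Key as defined in IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    WPA passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def precompute_table(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Build a PMK -> passphrase table for ONE SSID.

    This is what a precomputed hash table for a default SSID amounts to: the
    4096 PBKDF2 rounds per word are paid once, up front, and they are only
    valid for the SSID they were salted with.
    """
    return {wpa_pmk(word, ssid): word for word in wordlist}


def lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Return the passphrase behind a PMK if the table has it, else None."""
    return table.get(pmk)


# Constructed sample wordlist; real tables hold millions of entries.
SAMPLE_WORDLIST = ["password", "letmein1", "gilbert28", "classymoon359"]

# Constructed SSIDs: one standing in for a router's factory default, one
# non-obvious name an owner picked following Tip #2.
DEFAULT_SSID = "DefaultSSID"
CUSTOM_SSID = "MyCustomSSID-7f3a"


def demo() -> dict:
    """Same weak passphrase, two SSIDs: the table built for the default SSID
    finds it instantly, the custom SSID makes the table worthless."""
    table = precompute_table(DEFAULT_SSID, SAMPLE_WORDLIST)
    return {
        "default_ssid": lookup(table, wpa_pmk("gilbert28", DEFAULT_SSID)),
        "custom_ssid": lookup(table, wpa_pmk("gilbert28", CUSTOM_SSID)),
    }


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    print(demo())
```

The caveat is the last sentence of the tip above: a custom SSID only removes the precomputation shortcut. With a captured handshake an attacker can still run the same 4096-round derivation per guess against your SSID directly, so the passphrase strength from Tip #1 is what actually decides the outcome.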
So, now you know how crackers can attack wireless networks that use weak WPA / WPA2 PSK keys and the simple countermeasures that you can take to ensure that it doesn't happen to you.
With a strong key and good security practices, a wireless LAN secured by WPA / WPA2 is definitely not an easy target.