Aimed at pentesters and auditors

Dec 9, 2009 10:11 GMT

A new commercial cloud-based service dubbed "WPA Cracker" aims at cracking the pre-shared keys of WPA-protected wireless networks. The pentesting tool taps into a 400-CPU cluster and can go through a dictionary of 135 million words in 20 minutes.

Wi-Fi Protected Access (WPA) is a security standard for protecting data transfer over wireless networks, which replaced the now outdated and vulnerable Wired Equivalent Privacy (WEP). There are two versions of WPA, which employ different encryption algorithms.

WPA with Temporal Key Integrity Protocol (TKIP) was meant as a temporary solution to ease migration to WPA2. Weaknesses have since been discovered in WPA-TKIP and the protocol is now deemed vulnerable. WPA2 employs an AES-based encryption mode called CCMP, which is considered fully secure.

The most common WPA2 deployment uses an authentication mechanism called Pre-Shared Key (PSK) mode. The pre-shared key is usually a passphrase of eight or more ASCII characters, which the wireless client knows in advance. However, like any password-based approach, this mode is theoretically vulnerable to brute-force and dictionary attacks.

Moxie Marlinspike, an independent security researcher who earlier this year disclosed a high-profile SSL attack vector, was involved in the creation of "WPA Cracker." The service employs what is known as a dictionary attack, which leverages 135 million word combinations, phrases, numbers, symbols, and leetspeak variants commonly used in WPA pre-shared keys.

A single use of the service costs $34 and will go through the entire dictionary in a maximum of 20 minutes. There is also a half-mode option, which takes double the time, but costs half the price. Attempting the same task on a mainstream computer will take an average of five days to complete, not to mention that one would first need to create a similar dictionary on their own.

The service is aimed at penetration testers and network auditors, but there are no guarantees. "The job costs the same whether we find your password or not. You're paying for either the recovery (which is most often the case), or the knowledge that if you were to build an exhaustive 135 million word dictionary file and run your handshake against it for five days, you'd find nothing," the creators explain.

In order to use "WPA Cracker," a customer needs to provide the WPA four-way handshake packets exchanged between the access point and a client. These can be captured with Wireshark or another packet capture tool and need to be uploaded to the service.

The network's Extended Service Set Identifier (ESSID) is also required because it is used to "salt" the pre-shared key when the network's encryption key is derived from it. The result is sent back to the customer via e-mail when the test is done.
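The two points above, that the PSK is only "theoretically" safe from guessing and that the ESSID salts it, follow from how WPA/WPA2-PSK turns the passphrase into the Pairwise Master Key (PMK): PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, as specified in IEEE 802.11i. The following is an added example in Python, not code from the article or from the WPA Cracker service. It derives the PMK the standard way (checked against the published 802.11i test vector for passphrase "password" and SSID "IEEE"), shows that a unique SSID makes any PMK table precomputed for another network useless, and adds a hypothetical `looks_dictionary_derived` check that flags passphrases built the way the article's wordlist expects (a word, a word with digits or symbols appended, leetspeak, or two words glued together). The word list and the sample passphrases are constructed for the example.

```python
"""Added example (not from the article or the WPA Cracker service):
PMK derivation for WPA/WPA2-PSK and a defender-side passphrase check.
Standard library only."""
import hashlib
import string

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32               # 256-bit Pairwise Master Key

# Common leetspeak substitutions, undone before comparing against words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "hello", "welcome", "dragon", "sunshine",
                "letmein", "monkey", "football"}


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as a WPA/WPA2-PSK client or access point does.

    WPA passphrases are 8..63 printable ASCII characters; a 64-hex-character
    value would be a raw PMK and is deliberately not accepted here.
    """
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii() \
            or not passphrase.isprintable():
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               dklen=PMK_LEN)


def ssid_defeats_precomputation(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs under two SSIDs.

    This is the practical effect of the salt: PMKs precomputed for one
    network name (say a router's default SSID) do not apply to a network
    with a different SSID, so every guess has to pay the 4096-round cost.
    """
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


def looks_dictionary_derived(passphrase: str, wordlist=SAMPLE_WORDS) -> bool:
    """Hypothetical policy check: would a wordlist of words, words with
    digits/symbols appended, leetspeak and two-word combinations cover
    this passphrase?  Returns True if the passphrase should be rejected."""
    lowered = passphrase.lower()
    trim = string.digits + string.punctuation + " "
    # Try both orders: strip decorations then undo leet, and the reverse,
    # so "P@ssw0rd123" and "h3llo!" both normalise to a plain word.
    candidates = {
        lowered.strip(trim).translate(LEET),
        lowered.translate(LEET).strip(trim),
    }
    for base in candidates:
        if not base:
            continue
        if base in wordlist:
            return True
        # Two dictionary words concatenated, e.g. "sunshinedragon".
        for i in range(1, len(base)):
            if base[:i] in wordlist and base[i:] in wordlist:
                return True
    return False


if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())
    for p in ("P@ssw0rd123", "SunshineDragon!", "correct horse battery"):
        print(f"{p!r}: dictionary-derived = {looks_dictionary_derived(p)}")
```

The policy check is deliberately a heuristic; its value is in showing which passphrase shapes the 135-million-entry wordlist described above is built to cover, so that an auditor can reject them before a handshake is ever captured.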