Wpa2 Psk Hack Cracker Password Free Windows
Marisol Stgermain
Passwords that are long, random and unique are the most difficult to crack. But humans tend to use weak passwords made up of familiar phrases and numbers. Mike Meyers demonstrates just how easy it is to hack a weak Wi-Fi password in this episode of Cyber Work Applied.
(0:00- 0:24) WPA and WPA2 are very good encryptions. If you're using WPA, you're using RC4, but you're using TKIP with that. If you're using WPA2 while you're using AES with CCMP, then you are not going to be able to crack these passwords, except for one little problem.
Wpa2 Psk Hack Cracker Password Free Windows
(0:25- 1:35) The problem is that the initial connection between a wireless WPA or WPA2 client to an access point has what we call a four-way handshake. Not that many years ago, there was a small weakness discovered in this four-way handshake that allows us to do something very interesting.
With WPA and WPA2, think more instead that you've got this guy who's really good at turning the numbers on a bicycle lock and then pulling on it. So you can go up to this guy and say, "Hey, try 0000," and he could do that real quick and pull on it.
If you wanted to, you could tell this guy, start with all zeros and then just keep going and go to 9999. Now, if there were only 10,000 different permutations that would work great. But with WPA or WPA2, take that same bike lock analogy and turn it from four digits to like 128 digits. So it would take that guy, even if he was fast, a very, very long time to go through all these.
(1:36- 2:15) Luckily for us, we know that human beings don't use good, randomized, long passwords. We know that most human beings are going to use a phrase and then a number. Or their pet's name and then the date they were born, or the number of kids they have and their wife's name and the date that they got married. Little, simple, things like that.
And if we know that, we can tell the guy who's spinning on that bicycle lock, "No, no, no. Don't start at the zeros, just try all of these first." So we've got to give this WPA, WPA2 cracker what we call a dictionary file.
(2:16- 3:07) Now, a dictionary file is nothing more than a big text file full of tens of millions of different types of permutations of well-known words, numbers and all kinds of different things. Now you think, "Whoa, tens of millions." Well, compared to 128th power stuff, at 10 million even my laptop, give it a day, could knock all that stuff out. So it makes a big difference.
We'll put a really weak password on here, then we're going to go back over to the Kali box and in this case, what we're going to do is we're still going to monitor the traffic, but we're just going to wait for somebody to authenticate, and we got them. We'll run the cracker, and with luck, since it's a weak password, we're going to be able to get it pretty easily.
The next thing I'm going to do is go over to Wireless Security, and we're going to take off WEP, and let's go to WPA Personal. This type of attack will work with a WPA or WPA2 personal shared key. So I've already got a password here, and I want to keep it.
Now, what I've got here is I've got airodump still running on my screen. If you take a look right here at the top, you're going to see there's NOTSECUREWPA. You can even see that it's WPA and it's running TKIP. No great surprise there, and there's the MAC address for it.
The right answer is simple. Use long, complex private shared keys when you're dealing with WPA and WPA2. A lot of people recommend that you don't use any human words and make sure you use at least 20 characters, which can sometimes be long to remember, but boy, does it make it secure.
Bianca Gonzalez is a writer, researcher and queer Latina brain cancer survivor who specializes in inclusive B2B insights and multicultural marketing. She completed over 400 hours of community service as a college student.
Last week's feature explaining why passwords are under assault like never before touched a nerve with many Ars readers, and with good reason. After all, passwords are the keys that secure Web-based bank accounts, sensitive e-mail services, and virtually every other facet of our online life. Lose control of the wrong password and it may only be a matter of time until the rest of our digital assets fall, too.
Take, for example, the hundreds of millions of WiFi networks in use all over the world. If they're like the ones within range of my office, most of them are protected by the WiFi Protected Access or WiFi Protected Access 2 security protocols. In theory, these protections prevent hackers and other unauthorized people from accessing wireless networks or even viewing traffic sent over them, but only when end users choose strong passwords. I was curious how easy it would be to crack these passcodes using the advanced hardware menus and techniques that have become readily available over the past five years. What I found wasn't encouraging.
First, the good news. WPA and WPA2 use an extremely robust password-storage regimen that significantly slows the speed of automated cracking programs. By using the PBKDF2 key derivation function along with 4,096 iterations of SHA1 cryptographic hashing algorithm, attacks that took minutes to run against the recent LinkedIn and eHarmony password dumps of June would require days or even weeks or months to complete against the WiFi encryption scheme.
What's more, WPA and WPA2 passwords require a minimum of eight characters, eliminating the possibility that users will pick shorter passphrases that could be brute forced in more manageable timeframes. WPA and WPA2 also use a network's SSID as salt, ensuring that hackers can't effectively use precomputed tables to crack the code.
I started this project by setting up two networks with hopelessly insecure passphrases. The first step was capturing what is known as the four-way handshake, which is the cryptographic process a computer uses to validate itself to a wireless access point and vice versa. This handshake takes place behind a cryptographic veil that can't be pierced. But there's nothing stopping a hacker from capturing the packets that are transmitted during the process and then seeing if a given password will complete the transaction. With less than two hours practice, I was able to do just that and crack the dummy passwords "secretpassword" and "tobeornottobe" I had chosen to protect my test networks.
To capture a valid handshake, a targeted network must be monitored while an authorized device is validating itself to the access point. This requirement may sound like a steep hurdle, since people often stay connected to some wireless networks around the clock. It's easy to get around, however, by transmitting what's known as a deauth frame, which is a series of deauthorization packets an AP sends to client devices prior to it rebooting or shutting down. Devices that encounter a deauth frame will promptly rejoin an affected network.
Using the Silica wireless hacking tool sold by penetration-testing software provider Immunity for $2,500 a year, I had no trouble capturing a handshake established between a Netgear WGR617 wireless router and my MacBook Pro. Indeed, using freely available programs like Aircrack-ng to send deauth frames and capture the handshake isn't difficult. The nice thing about Silica is that it allowed me to pull off the hack with a single click of my mouse. In less than 90 seconds I had possession of the handshakes for the two networks in a "pcap" (that's short for packet capture) file. My Mac never showed any sign it had lost connectivity with the access points.
I then uploaded the pcap files to CloudCracker, a software-as-a-service website that charges $17 to check a WiFi password against about 604 million possible words. Within seconds both "secretpassword" and "tobeornottobe" were cracked. A special WPA mode built-in to the freely available oclHashcat Plus password cracker retrieved the passcodes with similar ease.
Cracking such passcodes I had set up in advance to be guessed was great for demonstration purposes, but it didn't provide much satisfaction. What I really wanted to know was how much luck I'd have cracking a password that was actually being used to secure one of the networks in the vicinity of my office.
So I got the permission of one of my office neighbors to crack his WiFi password. To his chagrin, it took CloudCracker just 89 minutes to crack the 10-character, all-numerical password he used, although because the passcode wasn't contained in the entry-level, 604 million-word list, I relied on a premium, 1.2 billion-word dictionary that costs $34 to use.
My fourth hack target presented itself when another one of my neighbors was selling the above-mentioned Netgear router during a recent sidewalk sale. When I plugged it in, I discovered that he had left the eight-character WiFi password intact in the firmware. Remarkably, neither CloudCracker nor 12 hours of heavy-duty crunching by Hashcat were able to crack the passphrase. The secret: a lower-case letter, followed two numbers, followed by five more lower-case letters. There was no discernible pattern to this password. It didn't spell any word either forwards or backwards. I asked the neighbor where he came up with the password. He said it was chosen years ago using an automatic generation feature offered by EarthLink, his ISP at the time. The e-mail address is long gone, the neighbor told me, but the password lives on.
No doubt, this neighbor should have changed his password long ago, but there is a lot to admire about his security hygiene nonetheless. By resisting the temptation to use a human-readable word, he evaded a fair amount of cutting-edge resources devoted to discovering his passcode. Since the code isn't likely to be included in any password cracking word lists, the only way to crack it would be to attempt every eight-character combination of letters and numbers. Such brute-force attacks are possible, but in the best of worlds they require at least six days to exhaust all the possibilities when using Amazon's EC2 cloud computing service. WPA's use of a highly iterated implementation of the PBKDF2 function makes such cracks even harder.
7fc3f7cf58