Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

WPA cracking.


stealth-'s Avatar
Ninja Extreme
0 0

Hey guys,

Forms have been quiet so I figured I'd pose a (stupid?) question. I recently cracked into a WPA encrypted network the standard way (Force deauth, capture handshake, crack..), and was actually very surprised at the speed it took to run through my dictionary list. The 10 character passphrase was cracked within about 40 seconds at a speed averaging about 500/kps.

If my calculations are right, then a fifteen character passphrase should pan out like this:

2^15 = 32768 possible values 32768/500kps = 65.536 seconds to try all possible values.

Did I do something wrong there? I don't know a whole lot about bit entropy, but the idea that it takes just over a minute to genuinely bruteforce a fifteen character password is shocking. I have serious doubts that many users use a passphrase longer than 10, much less 15, so wouldn't this effectively make WPA encryption unsecure for the typical user (who has no clue what's going on)?


fuser's Avatar
Member
0 -1

stealth- wrote: Hey guys,

Forms have been quiet so I figured I'd pose a (stupid?) question. I recently cracked into a WPA encrypted network the standard way (Force deauth, capture handshake, crack..), and was actually very surprised at the speed it took to run through my dictionary list. The 10 character passphrase was cracked within about 40 seconds at a speed averaging about 500/kps.

If my calculations are right, then a fifteen character passphrase should pan out like this:

2^15 = 32768 possible values 32768/500kps = 65.536 seconds to try all possible values.

Did I do something wrong there? I don't know a whole lot about bit entropy, but the idea that it takes just over a minute to genuinely bruteforce a fifteen character password is shocking. I have serious doubts that many users use a passphrase longer than 10, much less 15, so wouldn't this effectively make WPA encryption unsecure for the typical user (who has no clue what's going on)?

I have to admit that was the fastest I've seen a WPA password got cracked.

I think in your case, you probably got lucky, or that you have a very good dictionary to back you up in cracking the wpa password. And it's can be as secure as how the user sets it up: if the passphrase is long and hard to guess, the longer it'll take for the cracker to bruteforce (or for you to guess it)

check this link for those interested in figuring out how to do it: http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks


stranac's Avatar
Member
0 0

stealth- wrote:

If my calculations are right, then a fifteen character passphrase should pan out like this:

2^15 = 32768 possible values 32768/500kps = 65.536 seconds to try all possible values.

Did I do something wrong there?

You did something wrong. Your calculations are fine, except for one small detail: there are more than 2 characters possible.

For lowercase letters only there would be 26^15 = 1677259342285725925376 values possible.


stealth-'s Avatar
Ninja Extreme
0 0

stranac wrote: [quote]stealth- wrote:

If my calculations are right, then a fifteen character passphrase should pan out like this:

2^15 = 32768 possible values 32768/500kps = 65.536 seconds to try all possible values.

Did I do something wrong there?

You did something wrong. Your calculations are fine, except for one small detail: there are more than 2 characters possible.

For lowercase letters only there would be 26^15 = 1677259342285725925376 values possible.[/quote]

Ah, that's right! Like I said, I'm not exactly skilled with bit entropy. Thanks for the correction :)

62^15 = 768909704948766668552634368 768909704948766668552634368/500/60/60/24/30/12 = 49441210451952589

49441210451952589 years sounds much better, but signifigantly higher than I imagined. Is that right?


ghost's Avatar
0 0

sorry if this sounds retarded but how could you crack into WEP or WPA protected network. I know i am a noob at hacking and stuff but everyone has a starting point. Thanks.


stealth-'s Avatar
Ninja Extreme
0 0

haky2g wrote: sorry if this sounds retarded but how could you crack into WEP or WPA protected network. I know i am a noob at hacking and stuff but everyone has a starting point. Thanks.

There are a plethora of articles all over the web that explain this, and I believe one was actually linked to in an above post. Look into tools like aircrack, google it, and you'll do fine.


ghost's Avatar
0 0

Well, didn't you change your tone to a friendlier one in a big hurry? :P Anyhow, you're still generous with your numbers, 62 would only account for upper case, lower case and numbers; no other symbols accounted for. Even if we just take the standard ascii table minus the first bunch of special values, we'd still end up with ((2^7)-32)^15 combinations. And that's just for the set 15 character length, it still leaves out the 1, 2, 3 … 13, 14 lengths you'd try before reaching 15. Why you are surprised about the dictionary being quick eludes me. A dictionary contains far, far less instances to try, just to begin with. A long time to bruteforce is pretty much how these things are designed. The thought is generally that you shouldn't be able to reverse it and so, the option you are left with (trying combinations) should realistically take too long to manage within a reasonable amount of time since there really is no other way to defend against it.


stealth-'s Avatar
Ninja Extreme
0 0

COM wrote: Well, didn't you change your tone to a friendlier one in a big hurry? :P

Heh, so you noticed that? I reread his question and realized I was being a bit harsh.

Anyhow, you're still generous with your numbers, 62 would only account for upper case, lower case and numbers; no other symbols accounted for. Even if we just take the standard ascii table minus the first bunch of special values, we'd still end up with ((2^7)-32)^15 combinations. And that's just for the set 15 character length, it still leaves out the 1, 2, 3 … 13, 14 lengths you'd try before reaching 15.

I know, I figured the number I was left for 62 characters was still large enough to get what I was asking across, however.

Why you are surprised about the dictionary being quick eludes me. A dictionary contains far, far less instances to try, just to begin with. A long time to bruteforce is pretty much how these things are designed.

I was surprised at the dictionary attacks speed because I was imagining something along the lines of an hour, likely more. I suppose after cracking WEP in about 5 minutes, I was expecting WPA to take at the very least longer than WEP did, regardless of the method.

The thought is generally that you shouldn't be able to reverse it and so, the option you are left with (trying combinations) should realistically take too long to manage within a reasonable amount of time since there really is no other way to defend against it.

Yeah, I understand the idea behind it, it's just a few trillion years seems ridiculous and I figured my math must've been off.

Thanks for the response, COM.


ghost's Avatar
0 0

Yall are missing one MINOR detail. If for example the password is aardvark, and your all encompassing dictionary is 30MB, it will find aardvard in about 2 seconds. However if your password is the much shorter xray, it will take about 10-15 minutes (or longer). It has more to do with where in the dictionary the correct password is found than how long or complex the password is. Just my $.02


ghost's Avatar
0 0

yeah you do must have a good dictionary cuz all my network connections are wpa and backtracks wordlists are all outdated. i downloaded the 14mb wordlist collection and even those didnt crack the passphrase. i know there is a 30Gb wordlist but it would take a very long time even if your speed is 4000 keys/s.


stealth-'s Avatar
Ninja Extreme
0 0

txwooley wrote: Yall are missing one MINOR detail. If for example the password is aardvark, and your all encompassing dictionary is 30MB, it will find aardvard in about 2 seconds. However if your password is the much shorter xray, it will take about 10-15 minutes (or longer). It has more to do with where in the dictionary the correct password is found than how long or complex the password is. Just my $.02

We didn't "miss" that, we didn't talk about it because it was obvious enough already. The password I was referencing in this text was far down the alphabet, not to worry.

Also, for future references please remember to check the date of threads before you dig them up from the grave.