Cracking WPA - exploiting poor design techniques

networking
socialengineering

(Monkey Wrench) #1

So, you need an uplink. You fire up your WiFi scanning and see only WPAs around…

There are multiple attack vectors available, but you know that a proper passphrase can take years to bruteforce, even with a GPU farm, and that the ISPs have started issuing routers with WPS protections. Dictionary attack…? Well, yeah, maybe, but let’s say you ended up in a region which uses specific language patterns, and just for that reason, you smirk at your terabytes of compressed dicts, thinking how useless they are at this moment…

You start thinking how dishing out a few bucks for a disposable data plan isn’t such a bad thing, and then you smirk again, 'cause you know your relationship with data; in the words of Billy Idol: “… more, more, mooooreee! …”

You close your eyes and remember the words of your teachers: “Everything is a system. And every system created by man is inherently fallible, young one. Remember that, and you will find a way.”

You take a closer look at your scan output. Hmmm, some of those SSIDs look like the APs have default configurations. For instance: [VendorName-somestring] and [ISPName-somestring].
You make a quick search on your backup link (always have a backup link) with queries that go on the lines of:

  • [Vendor] + SOHO AP + [Year range guesstimate] + user manual
  • [ISP] + support + ‘How to set up…’
  • ‘Help’ + ‘I forgot my wifi password’ + [ISP] OR [Vendor]
And you end up with a few manuals to scan through for any useful info…

Skimming through them, the first thing you notice is the bullets on pictures depicting passphrase entry.
You count them.
Eight is the prevailing length of the default passphrase (WPA minimum). You discard the rest for now, because you remember the ‘mantra of the low hanging fruit’ and you concentrate on the APs which in their SSID have the name of the vendors / ISPs in whose manuals you saw len == 8.
You give their manuals a closer look and at the same time search for usual / default passes of those vendors / ISPs.

You find out that two of them use numeric only passphrases. “Really…?”, you think…
“Numeric only, len 8”. Worth a shot =)

Monitor, deauth (God bless wireless TV sets and smartphones, always a client), WPA handshake is yours.
crunch > pipe > aircrack (or one volume from a set of num dicts, always handy) and you go to have a beer / light a spliff / watch a game / play a game / sleep / work on world domination plans…
You come back and the screen shows … key found. A simple eight long numeric code.
You punch it in … and it works. You have the uplink. Congratz =)


Moral of the story:

Today we really have algorithms which are ‘unbreakable’ (economically unfeasible to bruteforce / crack).
And they do get implemented by default.
But they are worth crap if the design / implementation engineer was too lazy to ‘spice up’ the default settings.

Remember that every human design is fallible and always try to think ‘where is the human factor in the implementation’.
And learn from other people’s mistakes.
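
The moral of the post above, seen from the side of whoever provisions the routers (an added example, not part of the original post): an audit that sizes the search space of a factory-default passphrase format and flags weak ones. The guess rate, the one-year threshold, the model names and the sample passphrases are all assumptions or constructed data.

```python
import math
import string

# Assumption: offline guess rate against a captured handshake, in guesses per
# second. Illustrative figure for risk estimation, not a number from the post.
ASSUMED_GUESSES_PER_SEC = 100_000
# Hypothetical policy: a default is "weak" if its whole space falls within a year.
WEAK_IF_UNDER_HOURS = 24 * 365

CLASSES = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "symbols": string.punctuation + " ",
}

def audit_passphrase(passphrase, rate=ASSUMED_GUESSES_PER_SEC):
    """Size the search space for someone who knows the length and character classes."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if any(not any(c in chars for chars in CLASSES.values()) for c in passphrase):
        raise ValueError("WPA passphrases are printable ASCII")
    used = [n for n, chars in CLASSES.items() if any(c in chars for c in passphrase)]
    alphabet = sum(len(CLASSES[n]) for n in used)
    keyspace = alphabet ** len(passphrase)
    hours = keyspace / rate / 3600  # worst case: every candidate tried
    return {
        "classes": used,
        "keyspace": keyspace,
        "bits": round(math.log2(keyspace), 1),
        "worst_case_hours": round(hours, 2),
        "weak": hours < WEAK_IF_UNDER_HOURS,
    }

def weak_defaults(defaults, rate=ASSUMED_GUESSES_PER_SEC):
    """Return the models whose factory passphrase format is weak."""
    return sorted(m for m, p in defaults.items() if audit_passphrase(p, rate)["weak"])

# Constructed sample data: model names and passphrases are made up.
SAMPLE_DEFAULTS = {
    "ExampleISP-A": "48213907",              # numeric only, length 8
    "ExampleVendor-B": "k7Rq2mXw",           # mixed case plus digits, length 8
    "ExampleVendor-C": "hT4#vq9L!zPw2mXe",   # 16 chars, all classes
}

if __name__ == "__main__":
    for model, pw in SAMPLE_DEFAULTS.items():
        print(model, audit_passphrase(pw))
```

At the assumed rate the numeric-only default is exhausted in well under an hour, while the same length with mixed case and digits holds for decades; raising the assumed rate shrinks that margin quickly, which is why length matters more than the character set alone.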


#2

Nice hahaa, this shows how something that is thought of as “totally random and unbreakable” can be broken just like that.


(Command-Line Ninja) #3

Dude. Seriously? This. Was. AWESOMEEE! This is a lot like the Hacking John Doe article by @Ninja243. I am a really big fan of this style of explaining things in a story-like style. It really draws you in and makes it easy to read.

This article in itself made me rethink that bruteforcing WPA2 isn’t completely unfeasible, especially with a big badass GPU :wink:


#4

Would be nice to have some sort of hacking fanfiction subcategory under an Entertainment section.


#5

I’ve been looking around for something like that.


#6

Great job mate! Really loved the story and how true the moral is! No matter how good something is, how it is implemented can really have a big effect on how secure it is as well.


#7

@ivlb Classical but priceless! Good job mate!


(Command-Line Ninja) #8

Very very true. Brilliant point!