Wi-Fu - Attacking WPA-PSK - Part 2

5/21/2018 Wi-Fu - Attacking WPA-PSK - Part 2

1/3

You are here: Home // Wi-Fi // WPA Attacks // Attacking WPA-PSK - Part 2 AAA

Home Intelligence Gathering Wi-Fi Vulnerable by Design Misc Contact

Search...

MostRead in Wi-Fi

Attacking WPA-PSK

Without Wireless

Clients

WPA2-PSK Evil Twin

Attack

WPA2-PSK Rainbow

Table Attack

Wi-Fi Protected Setup

KoreK's ChopChop

Attack - Part 1

Attacking WPA-PSK - Part 2

Details

Category: WPA/2

Published on Saturday, 18 January 2014 19:30

Recap

The image below s hows a basic flow of the information required to derive the

PSK and PTK for a WPA network.

There is a lot of information that goes between the wireless client and access

point. But when you think about it, you will realise that all of these parameters,

bar one, is sent in plaintext. An attacker silently sniffing the network traffic will

learn of all these values, except the original passphrase entered by the user.

Bruteforce

Due to the high-computational tasks to be carried out, the process of

bruteforcing the passphrase is rather slow.

1. The attacker makes a guess at the passphrase (from a dictionary

or other wordlist source)

2. This passphrase is used with the SSID and put through the

PBKDF2 function, producing a PSK (which may or may not be

correct)

3. This PSK is used with the captured information from the 4-way

handshake and put through the PBKDF2 function again. This

produces a PTK.

4. The attacker uses this information to calculate a MIC - which is

then checked against the MIC in the captured packets.

5. If the MIC matches, the original passphrase was correct; if not the

entire process is repeated with the next passphrase.
http://wi-fu.co.uk/wi-fi/wpa-attacks/106-wpa2-psk-rainbow-table-attackhttp://wi-fu.co.uk/wi-fi/wpa-attacks/109-attacking-wpa-psk-without-wireless-clientshttp://wi-fu.co.uk/wi-fi/wpa-attacks/95-attacking-wpa-psk-part-2http://wi-fu.co.uk/wi-fi/wep-attacks/87-korek-s-chopchop-attack-part-1http://wi-fu.co.uk/wi-fi/wpa-attacks/107-wi-fi-protected-setuphttp://wi-fu.co.uk/wi-fi/wpa-attacks/106-wpa2-psk-rainbow-table-attackhttp://wi-fu.co.uk/wi-fi/wpa-attacks/108-wpa2-psk-evil-twin-attackhttp://wi-fu.co.uk/wi-fi/wpa-attacks/109-attacking-wpa-psk-without-wireless-clientshttp://wi-fu.co.uk/contacthttp://wi-fu.co.uk/mischttp://wi-fu.co.uk/vulnerable-by-designhttp://wi-fu.co.uk/wifihttp://wi-fu.co.uk/intelligence-gatheringhttp://wi-fu.co.uk/http://wi-fu.co.uk/wi-fi/wpa-attackshttp://wi-fu.co.uk/wifihttp://wi-fu.co.uk/


2/3

Copyright 2014 - Material is f or educational purposes only

JC omments

< Prev Next >

A Word on WPA2-PSK

Even though WPA2 us es different encryption schemes and functions;

because what we are really attacking is a weak pass phrase, the attack

process for WPA2 is identical to WPA.

Add comment
http://wi-fu.co.uk/wi-fi/wpa-attacks/96-wpa2-psk-dictionary-attackhttp://wi-fu.co.uk/wi-fi/wpa-attacks/94-attacking-wpa-psk-part-1http://www.joomlatune.com/


3/3

Wi-Fu - Attacking WPA-PSK - Part 2

Documents

Transcript of Wi-Fu - Attacking WPA-PSK - Part 2