
Cracking WPA networks with MacRuby - knoopx
http://knoopx.net/2011/12/14/cracking-wpa-networks-with-macruby
======
inconditus
Correct me if I'm wrong, but this isn't a brute force attack, it's a dictionary
attack. A brute force attack would go through every iteration, like 00001,
00002...

~~~
hmottestad
true, it's a dictionary attack.

    keys = File.read("./dictionary.txt").lines.to_a.reverse

------
trotsky
As a followup we will demonstrate that technically advanced attacks on the ssh
protocol are unnecessary when we are breaking in to a predetermined account
with the password 'aardvark'.

------
borski
How is this news? Connecting to a WPA protected AP to brute force a single
character (256 times) isn't particularly impressive or useful. The speed at
which the connects happen still makes this impractical for large-scale attacks
(or attacks on an entire keyphrase).

------
macrael
What are the 256 keys the author cycled through? Does WPA only have 256
possible keys?

~~~
willscott
WPA does not only have 256 keys.

The author decided to show that if he knew all but one character of his
network password, he could brute-force the missing character. To that end, he
took all 256 possibilities for that character and computed the resulting
keys. Then he tried connecting with those keys.

This shows a connection rate of 30 attempts/2 minutes which is 0.25/second.
That is not practical for most attacks.

~~~
macrael
Is there any reason the attacker would know all but one character? This seems
pretty silly.

~~~
daeken
The way my cable modem is set up, there are only 16 bits of the WPA key that
aren't shared with the MAC address in an obvious way. Because of the
configuration, it's impossible for me to change this. So anyone with this
knowledge can break into my network by changing two characters -- pretty
trivial.

~~~
notphilatall
Who on earth do you have service with that doesn't let you set your own Wi-Fi
password?

~~~
daeken
Time Warner Wideband. I work around it by having a router behind the modem
which firewalls off the rest of the network -- I treat the modem's side as
completely untrusted. Not perfect, but it works.

------
DasIch
I've been wondering why no one has written an application yet that breaks
into a WLAN network as an alternative to typing in a password.

Obviously there are some legal considerations in certain countries regarding
development, possession and usage of such an application, but the risk seems to
be rather small if you restrict network services, change the MAC and use
end-to-end encryption. Besides, you might even get away with calling it a tool
for penetration tests.

------
mef
Great demo of a new MacRuby API, not so great demo of cracking a wireless
network.

