3.7 - Speeding attacks against WPA/WPA2 encryption
- So far so good, but trouble could arise if the dictionary contains hundred of thousands of entries, because in that case the resources taken by CPU in terms of time and processing could be huge.
- The function PBKDF2 hashes the passphrase and the SSID over 4096 times, before outputting the 256 Pre Shared Key. Then, this obtained key is verified against the MIC used in the four-way WPA handshake. To speed up the whole process, it is possible to precalculate the Pre Shared Key for the passphrase.
- For that purpose, the tool genpmk (generator of PMK, Pairwise Master Key) can be used:
- The option -f takes the used dictionary, -s is about the SSID, and the -d option indicates the name of the output file, for instance "archivoPMK":
- It is important to notice that both the passphrase and the SSID are used to calculate the PMK. The process can take a lot of time, depending on the size of the dictionary. A message is periodically output every 1000 passphrases:
- So on ... until more than 789000 entries of diccionario.txt, the generation of PMK file is ended up:
- The command ls shows the new created file "archivoPMK":
- Now, there are a number of tools designed to take profit of "archivoPMK", for instance airolib-ng and Pyrit:
- The command "airolib_ng" creates the database "archivoAircrackPMK" based on former database "archivoPMK":
- The command ls shows the new created file "archivoAircrackPMK":
- Feeding aircrack-ng with database "archivoAircrackPMK" and "archivoWPA-01.cap", the key is found in just 8 seconds !!
- So, the difference in time is huge, from 18 minutes to 8 seconds. Although the creation of "archivoPMK" takes a lot of time, depending of the dictionary size, it could be calculated just once for each specific dictionary and SSID. So, whenever the passphrase is changed by the network administrator, the precalculated database could be apply to speed up the cracking of the key.
- Even faster, just in 3 seconds, the tool Pyrit offers the same results: