From: Josh Paetzel
To: freebsd-security@freebsd.org
Cc: "Mark D. Foster"
Date: Tue, 20 Nov 2007 07:56:38 -0600
Subject: Re: testing wireless security
In-Reply-To: <4742225B.6020107@foster.cc>
Message-Id: <200711200756.42344.josh@tcbug.org>

On Monday 19 November 2007 05:55:07 pm Mark D. Foster wrote:
> Josh Paetzel wrote:
> > When I looked into this it seemed that the current state of affairs is
> > that WPA can only be broken by brute-forcing the key. I don't recall if
> > that could be done 'off-line' or not. My memory is that the needed info
> > to attempt bruteforcing could be done by simply receiving....no need to
> > attempt to associate to the AP was needed. I'm not really interested in
> > disseminating links to tools that can be used to break wireless security,
> > but simple google searches will give you the info you need.....and the
> > tools are in the ports tree for the most part.
> >
> > Fortunately WPA allows keys that put even resource-rich attackers into
> > the decade range to bruteforce.
>
> That would not appear to be a limitation of aircrack-ng
> http://www.freshports.org/net-mgmt/aircrack-ng/
>
> aircrack is an 802.11 WEP and WPA-PSK keys cracking program that can
> recover these keys once enough encrypted packets have been captured.
> It implements the standard FMS attack along with some optimizations
> like KoreK attacks, thus making the attack much faster compared to
> other WEP cracking tools. In fact aircrack is a set of tools for
> auditing wireless networks.
>
> That said, I haven't (yet) tried it myself ;)

Well, if you were to read your own link for a bit you'd eventually find...

http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Quoting from the page....

WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.

There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2.
That is, because the key is not static, so collecting IVs like when cracking WEP encryption does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.

The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.

-- 
Thanks,

Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
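The quoted page's point, that a WPA/WPA2 pre-shared key can only be brute-forced guess by guess and that only a short or dictionary passphrase makes that feasible, as an added example that is not part of the thread or of aircrack-ng. It applies the standard 802.11i PSK derivation to show what each guess costs, checks a passphrase against the 8 to 63 character rule and a constructed toy wordlist, and generates the 63-character random passphrase the page recommends; the wordlist and the guess rate are assumptions.

```python
import hashlib
import math
import secrets
import string

MIN_LEN, MAX_LEN = 8, 63  # WPA/WPA2 passphrase length bounds quoted above
TOY_WORDLIST = {"password", "letmein", "freebsd1", "wireless"}  # constructed stand-in
ASSUMED_GUESSES_PER_SEC = 1_000_000  # assumption for the cost estimate, not a measurement


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA/WPA2 PSK derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1, SSID as
    salt, 4096 iterations, 256-bit output. Each guess pays all 4096 iterations and
    the SSID salt ties precomputation to one network, so unlike WEP's IV
    statistics there is no shortcut; only brute force applies."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def alphabet_size(passphrase: str) -> int:
    """Size of the smallest standard character set the passphrase draws from."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)
    return size


def assess_passphrase(passphrase: str, wordlist=TOY_WORDLIST) -> dict:
    """The page's two conditions (dictionary word, or short) plus a keyspace estimate."""
    n = len(passphrase)
    in_wordlist = passphrase.lower() in wordlist
    size = alphabet_size(passphrase)
    # A wordlist hit costs the attacker one guess regardless of length.
    bits = 0.0 if in_wordlist or size == 0 else n * math.log2(size)
    seconds = (2 ** bits) / ASSUMED_GUESSES_PER_SEC
    return {
        "length_ok": MIN_LEN <= n <= MAX_LEN,
        "in_wordlist": in_wordlist,
        "entropy_bits": round(bits, 1),
        "years_to_exhaust": seconds / (365 * 86400),
    }


def random_passphrase(length: int = MAX_LEN) -> str:
    """The 63-character random passphrase with special symbols the page recommends."""
    chars = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(chars) for _ in range(length))
```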