Distributed WPA Cracking CSCI5673 - Distributed Systems Spring 2011 University of Colorado Rodney Beede Ryan Kroiss Arpit Sud 2011-05-02.


1 Distributed WPA Cracking CSCI5673 - Distributed Systems Spring 2011 University of Colorado Rodney Beede Ryan Kroiss Arpit Sud 2011-05-02

2 Topics
- The Team
- Introduction
- WPA 1/2
- Architecture
- Master Node
- Worker Node
- Test Methodology
- Results & Conclusions
- Future Work
- Questions

3 Introduction
- Cracking WiFi
  o WEP - easy
  o WPA - hard
- Brute Force
  o Not practical
  o 8 character minimum
- Dictionary
  o Common passwords
- coWPAtty by Joshua Wright
  o Generate rainbow table
  o Search rainbow table

4 Introduction - Our Idea
- Distributed key generation
  o Already done
- Distributed table lookup
  o Not done
- Web service
- Fast lookup
- Modify existing code

5 WPA a.k.a. WPA1
- WPA stands for WiFi Protected Access
- Meant to replace WEP
  o WEP failed to meet its security goals
- Comes in two flavours
  o WPA-PSK* (Pre-Shared Key) which uses TKIP
  o WPA-Enterprise more secure but requires RADIUS authentication server
* also known as WPA-Personal

6 WPA2
- Successor to WPA
- Makes PSK more secure as it uses CCMP instead of TKIP
- Both WPA-PSK and WPA2-PSK are susceptible to password cracking attacks
- No known attacks against Enterprise flavors
  o The Lesson is....

7 Attacking WPA-PSK
- Authentication handshake required for cracking WPA-PSK
- Authentication handshake happens when a client connects to AP (and also when the client "thinks" it is no longer authenticated)
- Packet capture is 3-step process
  o Place wireless card in monitor mode ("listen all")
  o Start packet capture
  o Send a deauthentication packet to wireless client to induce authentication handshake
- A script is provided that performs the above 3 steps
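From the monitoring side, the deauthentication-then-handshake sequence on this slide is a pattern a wireless sensor can flag. The following is an added example, not part of the original presentation; the log format, field names and the 10-second window are assumptions made for illustration.

```python
# Constructed sensor log (hypothetical format): time in seconds, frame kind, AP, station.
SAMPLE_LOG = """\
100.0 EAPOL ap=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:01
250.2 DEAUTH ap=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:02
251.9 EAPOL ap=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:02
400.0 DEAUTH ap=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:03
900.0 EAPOL ap=00:11:22:33:44:55 sta=aa:bb:cc:dd:ee:03
"""


def parse_line(line):
    """Split one log line into (timestamp, kind, ap, sta)."""
    ts, kind, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return float(ts), kind, kv["ap"], kv["sta"]


def forced_handshakes(log_text, window_s=10.0):
    """Return (ap, sta, deauth_time, handshake_time) for every handshake
    that follows a deauthentication of the same station within window_s."""
    last_deauth = {}  # (ap, sta) -> time of most recent deauth frame
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, ap, sta = parse_line(line)
        if kind == "DEAUTH":
            last_deauth[(ap, sta)] = ts
        elif kind == "EAPOL":
            t0 = last_deauth.pop((ap, sta), None)
            # A handshake with no recent deauth is an ordinary join.
            if t0 is not None and ts - t0 <= window_s:
                alerts.append((ap, sta, t0, ts))
    return alerts


if __name__ == "__main__":
    for alert in forced_handshakes(SAMPLE_LOG):
        print("deauth followed by handshake:", alert)
```

Legitimate deauthentications also occur, so a hit is a triage signal rather than proof; 802.11w protected management frames address the unauthenticated deauthentication frame itself.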

8 Architecture

9 Master Node
- Java web application
- Accepts jobs
  o Upload .cap file
  o SSID name
- Queues job
  o Runs 1 at a time
- Tracks worker status
  o NOT LOADED
  o LOADED
  o RUNNING
  o FINISHED
  o ERROR

10 Master Node (cont)
- Start / Kill worker clients
  o Remote ssh
  o Hand out table offsets
- Records web app log
- Job Run
  1. User submits job
  2. Master saves to NFS share
  3. Master tells workers
     1. When ready
     2. TCP packet
     3. Location of files and output destination
  4. Master checks SOLUTION file

11 Worker Node
- Started by master
- Loads rainbow table into memory
  o 1000 files x 40MB = 40GB (5GB per worker)
- Giant byte array with pointers per SSID
- Creates socket to listen for messages from master
- Possible message types
  o START
  o STATUS
  o KILL

12 Worker Node (cont)
- STATUS - returns worker status
- KILL - kills current job (if applicable)
- START command creates new thread
  o Looks up SSID
  o Finds corresponding portion of rainbow table
  o Leverages coWPAtty for password look up
  o If password is found
      - Worker outputs solution to file
      - Master tells other workers to stop
  o Otherwise, workers report FINISHED after reading through table

13 Original coWPAtty
- Read records in rainbow table
- Records contain length, passphrase, and PMK
- PMK -> PTK (requires capture data)
- PTK -> MAC
- Grab key MIC
- Compare with MIC found in capture data

14 Serial versus Distributed
- Serial
  o Run once and done
  o Reads data from disk
  o Runs on one machine
  o Quick start-up time
  o Less opportunity for optimizations
- Distributed
  o Runs as a service
  o Loads data into memory
  o Runs on N machines
  o Slow start-up time
  o More opportunity for optimizations

15 Test Methodology
- 996,358 word rainbow table
  o 1,000 SSIDs
  o 40MB / SSID
  o 40GB total size
- 8 worker nodes
- 1 master node
- Cisco C210 M1 (on loan from Cisco)
  o Two Intel Xeon E5540 (2.5GHz)
      - 8 logical CPUs
  o 72GB RAM
  o Sixteen 10K RPM SAS 6.0 gbps 146GB drives
      - RAID5

16 Test Methodology (cont)
- Packet capture data with SSID linksys available in SVN
- Test data created with the following keys:
  o First in Dictionary: !8zj39le
  o Middle in Dictionary: }ttringe
  o Last in Dictionary: korrelie
- Gathered data for time taken to find solution from Master and worker logs
- Compared to original coWPAtty running on a single node
- Results shown on next slide are average of times recorded by the 3 of us

17 Results & Conclusions
- First in dictionary
  o Serial = 8 milliseconds
  o Distributed = 5 milliseconds
- Middle in dictionary
  o Serial = 3056 milliseconds
  o Distributed = 742 milliseconds
- Last in dictionary
  o Serial = 6014 milliseconds
  o Distributed = 767 milliseconds
- Seemingly small
  o Scalable
  o Ideal for web service

18 Future Work
- GUI client for data capture
- Distribute table generation
- Hybrid disk/memory approach
- Thousands of heterogeneous clients
  o Like SETI@HOME
- Rewrite in Java or C++
  o Simpler code
- Improved data structures

19 Questions?
http://code.google.com/p/distributed-wpa-cracking/
Tips for a secure PSK wireless network:
- Use a unique SSID (not linksys or home)
- Have a long* & unique key; use special characters
*max. 63 characters
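Why the unique-SSID tip works: the PMK stored in the table records of slide 13 is derived with the SSID as salt, so a table precomputed for one SSID does not carry over to another. The following is an added example, not code from the presentation or from coWPAtty; the SSID sample set, the 16-character policy threshold and the function names are assumptions.

```python
import hashlib

# Constructed sample of common SSIDs (assumption); the slides' table covers 1,000 SSIDs.
COMMON_SSIDS = {"linksys", "home", "default", "netgear", "dlink"}
MIN_LEN_POLICY = 16  # assumed local policy value, not taken from the slides


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def table_reusable(passphrase, ssid_a, ssid_b):
    """True only if a PMK precomputed for ssid_a would also be valid on ssid_b."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


def audit_psk(ssid, passphrase):
    """Check a network's SSID and passphrase against the tips on the last slide."""
    findings = []
    if ssid.lower() in COMMON_SSIDS:
        findings.append("common SSID: a precomputed PMK table may already exist for it")
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid length: WPA passphrases are 8 to 63 characters")
    elif len(passphrase) < MIN_LEN_POLICY:
        findings.append(f"short passphrase: under {MIN_LEN_POLICY} characters")
    if passphrase.isalnum():
        findings.append("no special characters")
    return findings


if __name__ == "__main__":
    # Same passphrase, two SSIDs: the salt changes every byte of the PMK.
    print(derive_pmk("korrelie", "linksys").hex())
    print(derive_pmk("korrelie", "linksys-7f3a").hex())
    print(audit_psk("linksys", "korrelie"))
```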

