The truth about high-speed cracking of WPA/WPA2 encryption - Vulnerability Warning - Black Bar Security Net

ID MYHACK58:62200922564
Type myhack58
Reporter Anonymous
Modified 2009-03-19T00:00:00


In a WPA-encrypted wireless environment, once the attacker has captured the WPA handshake authentication packets, the attacker will try to crack the WPA password by brute force, or will build a targeted dictionary in advance and then run a dictionary attack. For most wireless access points (APs) this is an effective method, for one simple reason: the security awareness of the vast majority of administrators, maintenance staff and home users is not as high as they themselves believe. Over the past year alone, the author has encountered numerous cases in which a birthday or a simple word was set as the WPA-PSK password.

So can we say that, as long as there is a large enough and well-thought-out dictionary, cracking WPA is really just a matter of time? Is that so? Whether or not you have paid close attention, on today's mainstream single-machine configurations the WPA cracking rate stays at around 100~300 k/s (k/s here means the number of keys tried per second). At such a cracking rate, how long does it take to break a 5-character WPA password made up of lowercase letters and digits? Let us estimate it with basic probability theory:

(26+10)^5 = 60466176;

The time spent to crack the whole space will be:

60466176/(3600×300) ~ 60466176/(3600×100), that is, 55.987~167.962 hours. Converted into days, it needs roughly 2~7 days. And that is only a 5-character WPA password. If the WPA password consists of plain lowercase letters and is 10 characters or longer, the fastest time required is 5446261 days, i.e. 14921 years!! That really is an astronomical figure!!! If the password uses a combination of uppercase and lowercase letters + digits + special characters, then I am afraid that as soon as you see it you would say: why even consider cracking it?

So the method described earlier, capturing the WPA handshake and then cracking it, is in fact only applicable when the other side uses a simple password. Because the cracking rate is so slow, as soon as the other side uses a slightly more complex password this conventional method has little practical power, or loses its meaning entirely.

If you are a little short on probability knowledge, or find it troublesome to calculate the cracking time, you can take a look at the following site, which offers an online password-crack-time estimation service, very convenient. URL: (missing from the original). On the page you can see an obvious Password Calculator title; that is the password estimator.

In the sections that follow you can enter the possible length of the password, the cracking rate of the computer, the number of computers used for cracking, and the possible character combinations of the password (uppercase and lowercase letters, digits, wildcards, or all of them). Once complete, click Calculate below, and at the bottom it gives an estimate of the brute-force time. As figure 2 below shows, the estimate for a 5-character password of lowercase letters and digits, cracked on a single machine at a rate of 30k/s, is 24 days!!


Figure 2: Settings of the password estimation service

Reading this far, some readers may think: you can upgrade the hardware, such as the CPU, memory and the like. Well, upgrading hardware can indeed improve cracking to a certain extent, but that is also very limited: in current terms an ordinary stand-alone computer can raise its memory to at most 4G, and the CPU is nothing more than the latest high-cache quad-core processor. With such a configuration, for the 10-character WPA password in our example the cracking time is still measured in years!! So how do the advanced hackers do it? Surely not by simply upgrading hardware? Before we unveil high-speed cracking, let us first cover a few concepts:


Cryptography has been studied for a long time, and very few people are unaware of it. Many years ago, foreign hackers found that simply importing a dictionary and cracking with the same algorithm as the target was actually very slow, and in terms of efficiency could not meet practical needs. After much trial and summarizing, hackers found that if a data file could be built in advance that recorded the hash values computed with the same algorithm the target uses, and this file were consulted directly for comparison when cracking was needed, cracking efficiency could be greatly increased, even by hundreds, nearly a thousand, or nearly ten thousand times. Such a pre-built data file of hashes is called a Table in security circles.

Rainbow Tables

The most famous Tables are the Rainbow Tables, which the security community often refers to simply as rainbow tables, and whose cracking target is the LM/NTLM hashes of Windows user accounts. To explain simply, in Windows 2000/XP/2003 the account password is not stored in plaintext; it is stored, via an algorithm defined by Microsoft, in a file that cannot be read directly, the so-called SAM file. Because this file is in use by the system, it cannot be cracked directly. But we can extract the hashes from it so that they can be imported into professional cracking tools. An extracted password hash looks like the following:

Administrator:500:96e95ed6bad37454aad3b435b51404ee:64e2d1e9b06cb8c8b05e42f0e6605c74:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user1:1001:732b2c9a2934e481cd0a8808b19097ef:778620d5d5de064154e689fa4790129f:::
user2:1002:a042f67a99758fd727b99b2375d829f9:6127ee12a83da34fc19953e538e4d580:::

With traditional cracking methods, whether local or online over the network, the efficiency is not very high. In actual tests on a single machine, cracking a 14-character irregular password containing upper- and lowercase letters and digits usually takes 3~9 hours, and that figure rises to days or even months with greater password complexity or weaker computer performance. Although most people will not use such complex passwords, many current passwords that are complex enough and longer than 10 characters, such as "Y1a9n7g9z0h7e", will still give hackers an endless headache.

In July 2003, Philippe Oechslin of the Swiss Federal Institute of Technology in Lausanne published the results of experiments in which he and the Security and Cryptography Laboratory (LASEC) used a time-memory trade-off method to greatly improve password cracking efficiency. As an example, they raised the speed of cracking a common operating system password from 1 minute 41 seconds to 13.6 seconds. This approach uses a large look-up table of encrypted passwords, matched against the text entered by the user, thereby accelerating the computation needed for the key. This so-called "memory-time balance" method means using memory to reduce the time needed to crack a password.

Thus, some inspired hackers prepared in advance a dictionary containing almost all possible passwords, and then converted all of it into a file of NTLM hashes. In this way, during an actual crack there is no need to convert between passwords and hashes; a Windows account password can be cracked directly by comparing against the hashes in the file, saving a lot of system resources and greatly improving efficiency. Of course, this is just a simple description. Internationally this method is called Time-Memory Trade-Off, the "memory-time balance" method just mentioned, sometimes also translated as the "time-memory alternation law". Its principle can be understood as trading memory for time, as shown in figure 3 below:


Figure 3: Operating principle of the famous "memory-time balance" method

The specifics of the algorithm are not covered here. Readers who want a more advanced investigation can carefully refer to the detailed 2003 paper Making a Faster Cryptanalytic Time-Memory Trade-Off and the 2005 paper Time-Memory Trade-Offs: False Alarm Detection Using Checkpoints; links will be given later in this section.

It is because Rainbow Tables exist that an ordinary computer can crack a sufficiently complex 14-character Windows account password in 5 minutes.


Figure 4: Cracking Windows accounts with Rainbow Tables

As seen in Figure 4, Windows account passwords such as c78j33c6hnws, yemawangluo178 and 38911770 were almost all broken within 180 seconds, i.e. 3 minutes; the shortest took only 5 seconds, and even the individual slightly longer passwords were cracked in no more than 3 minutes.

Since what we are discussing here is the wireless security section, Windows Tables techniques are not covered in further depth. Interested readers can find more related information on the websites listed later in the article.

WPA-PSK Hash Tables

Now that we understand the "memory-time balance" method and the significance of Tables, let us return to the wireless field, where cracking WPA-PSK works the same way. At the RECON 2006 security conference held in 2006, a security researcher named David Hulton from the Openciphers organization presented in detail the technique of cracking with WPA-PSK Hash Tables, giving attendees a great shock.

Shown below is the conceptual diagram referenced at that conference of how WPA encryption and master-key matching work, which is what building WPA Tables requires. In it, MK is the original password; the PMK is the value obtained from it by the PBKDF2 computation; and the PTK is the WPA hash generated by pre-computation on the basis of the PMK. This hash is compared with the value in the WPA handshake; if it matches, the password is found.


Figure 5: Schematic of cracking WPA encryption with Tables

This uses a principle similar to Rainbow Tables: by Pre-Compute, i.e. pre-computation, the WPA-PSK encryption hashes are generated in advance and assembled into WPA-PSK Hash Tables, which, as envisaged above, effectively and greatly improves cracking efficiency. In general, the previous ordinary single-machine cracking rate of 100~300 key/s can be raised to 30,000~100,000 key/s, an improvement of nearly 300~1000 times!!! This is the cracking technique currently used in domestic and international wireless cracking. Some underground organizations, and even individuals who uphold the dedicated, essence-seeking spirit of hacking, have pushed the cracking rate past 150,000 K/s through improved and optimized code and other means, and there is still room for improvement. What does this speed mean once the latest hardware configuration is swapped in? Clever readers will understand.
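As an added example (not part of the original article), the following Python derives the WPA/WPA2 PMK exactly as the diagram describes, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, and shows why a precomputed Table is bound to one SSID: the same passphrase under a different SSID gives a different PMK, so a Table built for a common SSID misses a network that uses a unique one. The candidate list and the second SSID are constructed values; the reference PMK is the published IEEE 802.11i test vector.

```python
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 Pairwise Master Key (PMK) from a passphrase.

    IEEE 802.11i defines PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    The SSID is the salt, which is why a Table of precomputed PMKs is only
    valid for the SSID it was generated against, and why the 4096 iterations
    make each candidate expensive enough that precomputing it is attractive.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Published IEEE 802.11i (Annex H) test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)


def build_pmk_table(candidates, ssid: str) -> dict:
    """Toy-scale version of the Table the article describes: PMK -> passphrase for ONE SSID."""
    return {wpa_pmk(p, ssid): p for p in candidates}


def lookup(table: dict, pmk: bytes):
    """The time-memory trade-off at work: matching is a dictionary lookup, not a PBKDF2 run."""
    return table.get(pmk)


def demo():
    candidates = ["password", "12345678", "letmein1"]  # constructed sample list
    table = build_pmk_table(candidates, "IEEE")
    # Same SSID: the PMK is found with a single lookup.
    hit = lookup(table, wpa_pmk("password", "IEEE"))
    # Different (non-default) SSID: identical passphrase, different PMK, the Table misses.
    miss = lookup(table, wpa_pmk("password", "MyUniqueSSID-7f3a"))  # constructed SSID
    return hit, miss


if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex() == IEEE_VECTOR_PMK.hex())
    print(demo())
```

For a defender the takeaway is that a non-default SSID forces a Table to be rebuilt per network, and a long passphrase keeps even that rebuild out of reach.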

Figure 6 below shows the interface of cowpatty cracking a captured WPA handshake packet with a WPA Table; you can see that after importing the Table the cracking rate reached 65,228 pass/second.


Figure 6: The interface of Cowpatty cracking with WPA Tables

I think that, for many wireless users, this is the real nightmare. The ancient Greek philosopher Socrates once said: "know thyself." But in fact, much of the time hacking runs rampant because many network and security managers either know only the surface of the attacker's techniques, or know nothing about them at all, and do not even know what risks their network architecture actually faces after the so-called security configuration.

Although making some techniques public may draw the attention of individual malicious people, for popularizing and deepening the understanding of wireless security, and for helping the many government agencies, large and medium-sized enterprises and specific sectors that have completed or are planning wireless networks to recognize the risks of Wi-Fi more clearly, so as to remedy their deficiencies and avoid unnecessary losses, it is the choice this book has made.

Of course, it should be noted that building Tables is not as easy as imagined. Building them is itself very inefficient, and in addition the SSID of the AP to be attacked must be specified in advance. To build a set of WPA-PSK Hash Tables covering all common access points and simple passwords, the generated file occupies at least 1~3G of hard disk space. Readers who want a deeper understanding of WPA Tables can learn more from the wireless hacking organization called The Church of Wifi, whose official site is http://www.churchofwifi.org. In the past two years this organization has successfully built a huge WPA Table library, and offers a simplified version of the WPA-PSK Hash Table for free download. For many wireless hackers this is indeed a gospel, but unfortunately even the simplified version is more than 30G in size.

Interested readers can download the seed file of this simplified Table; the full Table is 33.54GB once downloaded. Note that the dictionary the Table was generated from, even after screening by the hacker organization, may contain content unsuitable for domestic use because of differing national conditions. For example, although someone may use a name as a password, abroad it might be an English name like BruceLee, whereas domestically it might be Pinyin like Lilianjie.


Figure 7: The download page for the 30G WPA Hash tables

However, a wireless network administrator cannot breathe a sigh of relief because of this; the real nightmare has only just begun, because this method also applies to cracking WPA2 encryption. Moreover, some foreign underground advanced hacker organizations have already built detailed WPA/WPA2 attack Table libraries of up to 500G, and some fairly complete WPA-PSK Hash Tables have already gone on public sale on hacking websites: for only about 120 dollars, 8 DVDs containing WPA-PSK Hash Tables are delivered directly to your hand via Fedex.