
Yes, you need the key to decrypt, but getting the key is not difficult for WEP [0], and only moderately difficult [1][2] for WPA PSK, if I understand correctly.

[0] http://www.cyberciti.biz/tips/howto-crack-wirless-wep-104.ht... "The actual computation takes about 3 seconds"

[1] http://www.renderlab.net/projects/WPA-tables/ "computed hash tables for the 1000 most common SSIDs against a million common passphrases"

[2] http://securityandthe.net/2008/10/12/russian-researchers-ach... "This means that a WPA or WPA2 key could be cracked in days or weeks instead of years."



On the contrary, it is moderately difficult for WEP and almost impossible for WPA, if the key is long, and very very hard otherwise.

For WEP, the actual cracking is the easiest part; it's gathering all the IVs that's a hassle.

For WPA, the rainbow tables only cover common SSIDs and passwords, which doesn't really give you a very high probability of cracking it. The research in the third link you posted hasn't been made practical yet, as far as I know.


If you have a WLAN NIC that supports traffic injection, gathering IVs can be done in a few minutes.

http://www.aircrack-ng.org/doku.php?id=simple_wep_crack


I know, I've been doing it for a while. It still isn't trivial, you need to get the handshake, do the replay attack, gather enough IVs, crack them, etc. It takes 5 minutes, but it's not plug and play.


It is more than "moderately difficult" to recover WPA keys; what you're looking at are tools and techniques used to crack passphrases for WPA.


Can you explain what makes it more than moderately difficult? Are you saying that getting the SSID and passphrase is not enough to get the key, or am I misunderstanding?


WEP can be broken given enough packets since it sends a portion of the key in each packet, enabling the user to simply collect packets and break the key. There's a lot an attacker can do, such as fake authentication with the server to force it to send more of the necessary packets, etc.

WPA on the other hand cannot be broken like this. WPA is broken by capturing the handshake between the router and a user. This handshake can then be brute forced with a dictionary. The reason it's so difficult to crack is because the encryption key is salted with the essid of the router making rainbow tables extremely difficult to pre-compute. However, if the user uses a standard essid that came with the router, then pre-computed rainbow tables can most likely be found for it. They can be computed though while capturing the handshake, and I find it's beneficial to create the rainbow tables if you have a large dictionary.

Take a look at aircrack-ng for a lot more detail. This is just a basic overview of it all.


When people talk about WEP insecurity, they are talking about fundamental flaws in the protocol that make the passphrase almost irrelevant.



