7

I use WPA2 encryption. But I know even that can be cracked with the aircrack suite. And a lot of users may not use strong passwords. I've read that while cracking WIFI keys the only noticeable difference is the rate of traffic. So is there a way to detect whether my network is under attack from such tools ?

P.S: A solution without the use of IDS will be appreciated. Also, are most IDS' able to detect these attacks ?

Grim Reaper
  • 518
  • 1
  • 4
  • 14

3 Answers3

6

Yes, if they are trying to break into your network in a particularly obvious way, but no for the general method of attacking WPA2 with a weak pre-shared key.

If they are trying to brute force into your network by repeated attempted logins (e.g., exploit the flaws of WPS - Wifi "Protected" Setup ), you can listen in on the network traffic, you would see the large fraction of unsuccessful login attempts. (Or even easier your wireless AP logs failed wifi login attempts).

This would require setting up wireshark on a computer that has a wifi card that can listen in promiscuous mode to the traffic. I've heard that this cannot be done in windows (not a windows user so I am not sure of this), so you may have to use linux or a Mac.

Granted most attacks on WPA2 do not work like this (excluding those on WPS). Most attacks work by observing someone else's successful WPA2 handshake (listening in promiscuous mode) to a given access point (knowing the BSSID). Then locally run take that handshake through a password cracking program until they find a match. This cracking is done entirely by eavesdropping and offline cracking, so would not be detectable.

However, these attacks are computationally expensive and will only work in practice against weak passwords or slightly stronger passwords with a common SSID (like NETGEAR / linksys / default / dlink / wireless / Home). This is because the actual password used is a combination of the SSID + preshared key. Rainbow tables (precomputed tables) are generated for common SSID's, and when used, increase the speed of recovering your password. It is advised to change your networks SSID to something unique.

If you have a passphrase that is high entropy (not likely to be in any dictionary attack) and a unique ssid, these offline attacks against your network will be unsuccessful.

Community
  • 1
dr jimbob
  • 38,768
  • 8
  • 92
  • 161
  • 2
    "Weak" is really relative. While I typically use pretty long passphrases, when we start talking about wireless there is a very strong tendency toward "weak" passphrases just because of how we use them. If you are just going to use it with laptops and workstations, no problem. If, however, you plan to join your phone to it, your wife, kids and guests will hate you when you tell them the password/phrase is j(I@l*$l"!ajjJiJWDOWAJ8(%. For this reason, even in business, we tend to do a bad job. The real "right" solution to this is WPA2 with EAPOL/802.1X and certificates. – David Hoelzer Jul 14 '13 at 02:10
  • 1
    @DavidHoelzer. Yup, a preshared password is weird. My passphrase for an private key/cert or encrypted file? 80+ bit high entropy random passphrase. My WPA2 password? Meaningful short (~8 words) English sentence based on an inside joke containing rare/fake words (like 'fisticuff' or 'nanopenis'), not based on a quote (complex enough that I'm comfortable; easy enough my wife will use it). This is easier than maintaining an authentication server when I just don't want neighbors on my home network (not concerned about eavesdropping unencrypted traffic) as HTTPS should be used for secrets. – dr jimbob Jul 14 '13 at 02:41
  • 1
    The bigger threat is that my passphrase is not secret. Devices will store WiFi passwords in clear-text, or at least reversible encryption; anyone get access to your computer for a few seconds can extract the passphrase. Furthermore, some devices (android phones, chrome OS for example) will *by default* sync these wifi passwords to the cloud for you. So if you share your wifi password with anyone who uses one of these devices, its likely they have those share settings on their phone, so your password isn't really secret anymore. Granted setup is easier (as it syncs to all devices). – dr jimbob Jul 14 '13 at 02:43
3

Unfortunately, if someone is attacking your key it can all be done very passively. As an attacker all that I need to observe is the five way handshake used to perform the initial authentication when joining the network, thereby obtaining the current group key. Here's a video that discusses/demonstrates: http://www.youtube.com/watch?v=u-dqi23oaS8&feature=c4-overview&playnext=1&list=TLrF5jHoe-gO8

If I'm patient I can just sit with my sniffer waiting for you to reboot a computer or wait for a computer to join. At that point I really have everything necessary to break the key.

If I'm less patient I can speed this process up. At the same time, however, I am making myself more visible. If I begin to fire deauthentication packets at hosts then they will temporarily lose connectivity. When they automatically reconnect I once again can obtain the handshake. However, this does allow you to have an indicator that someone is at a minimum messing with you or possibly even trying to break your key; several disconnects despite no change in signal strength.

Ultimately, breaking the key is all done offline. This means that there are very few indications. If after breaking the key the attacker is passive, simply gathering data, there is no way to detect him since he is not radiating any RF.

David Hoelzer
  • 615
  • 4
  • 9
  • WRONG! It takes 1 deauth management packet to deauth the entire router. He won't notice 1 packet. The answer to this question is simple... Prevention is always better than detection. Spend the money on a Enterprise level Router so deauth packets are ignored from outside the network. And always have a 10+ alphanumeric password that is not a real word. Rainbow tables are dead... GPU WPA2 Password Cracking is the norm now. The average 100 dollar video card can check 250k passwords a sec. –  Jun 03 '14 at 08:38
  • 1
    Jeff - at risk of sounding argumentative, 250k a sec is still not a patch on a rainbow table. I still prefer the 'instant crack' a rainbow table gives you, especially as it is effectively free for most users. – Rory Alsop Jun 03 '14 at 13:50
  • 1
    I am in agreement with Rory here, utilizing a GPU on a WPA2 handshake seems like a waste of time. I'd much rather be using it for cracking salted hashes or gaming than sitting around doing something that can be done more easily by utilizing some network bandwidth one time (to download the table). – DeepS1X Mar 31 '17 at 19:21
2

It may also be prudent to examine your connected devices log periodically to check if any unknown MAC addresses have joined to your network (not entirely viable in large networks).

user47526
  • 39
  • 1