How does someone attack a WPA/WPA2 wireless network? I have read about the two main approaches: dictionary and rainbow tables. How do you use rainbow tables in conjunction with your tool of choice? I went over to Free Rainbow Tables (http://freerainbowtables.com) and the tables seemed to be listed in the order of the type of hash they use. What type of hash do WPA/WPA2 PSK use? Also, I had read about using WPS to get the router's PIN; is it possible to reset the WPA/WPA2 PSK using that access?

leni1

1 Answer

WPA-PSK iterates your SSID and pre-shared key through an HMAC-SHA1 hash function into a "raw" 256-bit key called the Pairwise Master Key (PMK). The PMK (which you are trying to brute-force) is presumably held by both the client and the router. When they are authenticating, they derive a key known as the Pairwise Transient Key (PTK) using the client and router MACs, the client and router nonce values, and of course the PMK. It is only when you capture the MACs and nonces as well as some cryptographic checksums (the so-called 4-way handshake) that you can attempt to brute force. Your software will attempt to generate its own PMK using a wordlist and see if the PTK generated with the candidate PMK and captured data matches the checksums you captured.

WPA cracking can only be done by dictionary attacks. In terms of wordlists versus rainbow tables, tables are basically precomputed hashes of words to improve cracking time at the expense of file size and preparation. If two words are in the wordlist, the tables generated from that wordlist will find both words in the same amount of time.

I have had the most success using aircrack-ng. If you don't use Linux, download and load up a live CD with Kali, which has it pre-installed, as well as other helpful tools for packet analysis. Aircrack also has a large amount of wiki documentation with beginner-friendly lingo.

Sam S
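As an added example (not part of the answer above or of any tool it names), here is the derivation the answer describes, in Python: the PMK is PBKDF2 built on HMAC-SHA1 (4096 rounds, salted with the SSID), the PTK comes from the 802.11i PRF over both MACs and both nonces, and the WPA2 EAPOL-Key MIC is the checksum a handshake check compares against. The SSID, MACs, nonces and frame bytes are constructed, not from a real capture; the point for a defender is that the SSID salt binds any precomputed table to one network name and every guess costs 4096 HMAC rounds, so passphrase length, not hash choice, is the control.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: 4096 rounds of PBKDF2-HMAC-SHA1, salted with the SSID, 256-bit PMK.
    The SSID salt is why a precomputed table only applies to networks with that exact SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: expand the PMK with both MAC addresses and both nonces, each pair sorted
    so that client and router compute the same input. Returns 64 bytes; the KCK is the first 16."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion\x00"
    return b"".join(hmac.new(pmk, label + data + bytes([i]), hashlib.sha1).digest() for i in range(4))[:64]

def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, first 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]

def candidate_matches(passphrase, ssid, aa, spa, anonce, snonce, eapol_zeroed, captured_mic) -> bool:
    """The per-guess check the answer describes: passphrase -> PMK -> PTK -> KCK -> MIC, then compare."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic)

# Constructed stand-in for a captured 4-way handshake (not a real capture).
SSID = "ExampleNet"
AA = bytes.fromhex("0011223344aa")       # authenticator (router) MAC
SPA = bytes.fromhex("66778899bbcc")      # supplicant (client) MAC
ANONCE = bytes(range(32))                # router nonce
SNONCE = bytes(range(32, 64))            # client nonce
EAPOL_ZEROED = bytes.fromhex("0103005f02010a00") + SNONCE + bytes(63)  # frame bytes, MIC field zeroed

def constructed_captured_mic(true_passphrase: str) -> bytes:
    """Derive the MIC the client would have sent, standing in for the checksum a capture would hold."""
    kck = ptk_from_pmk(pmk_from_passphrase(true_passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_ZEROED)

if __name__ == "__main__":
    mic = constructed_captured_mic("correct horse battery")
    print(candidate_matches("correct horse battery", SSID, AA, SPA, ANONCE, SNONCE, EAPOL_ZEROED, mic))  # True
    print(candidate_matches("correct horse batter", SSID, AA, SPA, ANONCE, SNONCE, EAPOL_ZEROED, mic))   # False
    # Same passphrase, different SSID: a different PMK, so a per-SSID table does not transfer.
    print(pmk_from_passphrase("password", "IEEE") == pmk_from_passphrase("password", "ExampleNet"))    # False
```

The "password"/"IEEE" pair is the PSK test vector from the IEEE 802.11i annex, so the PMK step can be checked against a published value.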