
Using this as an example for WPA key calculation (link):

Network SSID:   linksys54gh
WPA passphrase: radiustest
Hexadecimal key:    9e9988bde2cba74395c0289ffda07bc41ffa889a3309237a2240c934bcdc7ddb

I get a hexadecimal key.

I would like to know if there is a possibility to obtain the WPA passphrase by knowing the hexadecimal key and SSID only.

So let's assume I have this:

Network SSID:       tomato
Hexadecimal key:    e3c60cdcb07f9b73c5998f02746510b9065be13765a24ca66b5b0f379aba2b08

How can I obtain the WPA passphrase by knowing the hex Key / SSID? Is it even possible?

S.L. Barth
PeeS

1 Answer


The details of the calculation for obtaining the key are described in the link you mentioned:

For WPA-PSK encryption, the binary key is derived from the passphrase according to the following formula:

Key = PBKDF2(passphrase, ssid, 4096, 256)

The function PBKDF2 is a standardized method to derive a key from a passphrase. It is specified in RFC2898 with a clear explanation on how to compute it. The function needs an underlying pseudorandom function. In the case of WPA, the underlying function is HMAC-SHA1.

PBKDF2 is a key derivation function that uses a hashing algorithm that serves two purposes. One is to make the process of obtaining the inputs of the function very difficult, and the second is to slow down the brute-forcing process.

To my knowledge, there is no published research that would recover the passphrase from the PBKDF2 output in a reasonable time. Your only option is to brute-force it, that is, trying every possible passphrase, applying the process you mentioned and seeing if the output matches your key. There is special hardware, software and even services to make this process faster.

oclHashcat and Pyrit will brute-force WPA and will use GPUs to make the process faster.

CloudCracker service will try 300 million words in 20 minutes for $17 on your keys.

Cristian Dobre
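As an added example (not part of the question or the answer above), the following Python script implements the derivation the answer describes, PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), and the only viable "reverse" direction: a dictionary attack that derives the PSK for each candidate passphrase and compares it to the target. The wordlist is constructed for the demonstration; the `"password"` / `"IEEE"` pair is the test vector from the IEEE 802.11 standard's PSK annex, and the `linksys54gh` / `radiustest` pair is taken from the question so the reader can compare the output with the hex key posted there.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Parameters fixed by IEEE 802.11i for WPA/WPA2-Personal (WPA-PSK).
WPA_ITERATIONS = 4096
WPA_KEY_BYTES = 32          # 256-bit PSK, i.e. 64 hex characters
MIN_PASSPHRASE, MAX_PASSPHRASE = 8, 63   # printable ASCII, per the standard


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 256 bits)."""
    if not MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    # The SSID is the salt; it is the raw SSID bytes as seen in beacons.
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        WPA_ITERATIONS,
        WPA_KEY_BYTES,
    )


def crack_psk(target_hex: str, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: derive the PSK for every candidate passphrase and
    return the first one whose PSK matches the target, or None.

    Each candidate costs 4096 HMAC-SHA1 iterations (PBKDF2 produces the 256-bit
    output in two blocks, so roughly 8192 HMAC-SHA1 calls); that per-guess
    cost is exactly why brute force is slow and why GPUs/services are used."""
    target = bytes.fromhex(target_hex)
    if len(target) != WPA_KEY_BYTES:
        raise ValueError("WPA PSK must be 32 bytes (64 hex characters)")
    for candidate in candidates:
        # Skip guesses that could never be a valid WPA passphrase.
        if not MIN_PASSPHRASE <= len(candidate) <= MAX_PASSPHRASE:
            continue
        if hmac.compare_digest(derive_psk(candidate, ssid), target):
            return candidate
    return None


# Constructed wordlist for the demonstration (not a real dictionary).
WORDLIST = ["letmein1", "tomato123", "radiustest", "password", "linksys54gh"]

# Test vector from the IEEE 802.11 standard (passphrase "password", SSID "IEEE").
IEEE_VECTOR_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


if __name__ == "__main__":
    # Forward direction: the calculation from the question.
    print("linksys54gh / radiustest ->", derive_psk("radiustest", "linksys54gh").hex())
    # Known-answer check against the standard's vector.
    print("IEEE / password          ->", derive_psk("password", "IEEE").hex())
    # "Reverse" direction: only by guessing.
    print("recovered:", crack_psk(IEEE_VECTOR_PSK, "IEEE", WORDLIST))
```

Run it and compare the first line with the hex key in the question; the `crack_psk` call only succeeds because the real passphrase happens to be in the constructed list, which is the whole point of the answer: nothing is inverted, each guess is just re-derived and compared.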