WPA / WPA2 Cloud Cracking

Author: Martin Voelk
February 17, 2016

In a recent Pentesting engagement for a client we came across a large WPA2 PSK deployment with 6 different SSIDs. As the customer used generic SSID names such as VOIP-5GHz and INTERNAL-STAFF, which cannot be traced back to the customer, we decided to try one of those numerous Cloud cracking services.

The results were stunningly good. Out of 6 WPA2 handshakes, 4 were cracked (including the most important ones). Funnily enough, the secured GUEST network wasn’t crackable with a rainbow attack.


This highlights the danger of WPA/WPA2 PSK once again. The key is only as secure as its complexity. We advise Enterprise RADIUS multi-factor authentication with client-side certificates and preferably RSA tokens instead.



April 14, 2015

Wireless Penetration Tests are one of my favourite subjects. They allow a Penetration Tester to dismantle so-called security 90% of the time whilst sitting in the car park outside the company being tested. Attack vectors against Wireless Networks are plentiful and, unlike with Web App Pentesting or large-scale Network Pentesting, no expensive tools are needed. When it comes to software, Kali Linux once again is the choice. However, whilst Kali has a lot of good Wifi Pentesting tools, it doesn’t come with a very cool script called PwnSTAR. This script is basically all a Wifi Pentester needs to launch Cracking, Evil Twin and other MITM attacks against the tested network. Due to its open source code, it’s very customizable and adaptable.

Some features:

  • Honeypot
  • WPA handshake capture and cracking
  • Sniffing
  • web server with dnsspoof
  • Karmetasploit
  • Browser_autopwn

As always, only use this script against your own Wifi Network or if you have the written permission of the customer undergoing a Pentest engagement with you.



March 17, 2015

We often get to hear from customers: We use WPA2-PSK, so you will not be able to crack it in your Pentest. We don’t use WEP. Well, 8 of 10 Wifi Pentests we perform result in a full crack of the so-called secure WPA2-PSK.

Now why is that? Capturing the WPA handshake is a piece of cake, really. The biggest challenge Pentesters and the bad guys alike face is cracking the WPA2 key. You usually need a lot of processing power, large rainbow tables with pre-computed hashes, or both. Dictionary and permuted dictionary files can easily run to hundreds of gigabytes.

But hang on, why is it yet so easy? Well there are numerous cloud cracking services out there. Upload the WPA handshake, wait a day and get the result delivered by email.

What can users and companies do to secure their WPA-PSK?

  • Don’t leave it at the ISP factory default. It’s usually numeric, or at best alphanumeric
  • Choose a wise PSK which can’t be found in a dictionary or a permuted dictionary
  • Adding a number or a special character at the end is NOT the solution
  • Change the PSK every 3 to 6 months
  • Move away from PSK and use EAP-TTLS or EAP-TLS
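An added example, not part of the original post, tying the rainbow-table remark above to the PSK advice: the PMK derivation is the one IEEE 802.11i specifies (the SSID is the salt, which is why pre-computed tables are built per SSID and generic SSID names are the exposed ones), while the tiny wordlist, the 16-character minimum and the policy checker are my own assumptions.

```python
import hashlib
import re

# Constructed stand-in for a cracking wordlist; real ones run to hundreds of GB.
WORDLIST = {"password", "welcome", "internet", "company", "summer", "staff"}
MIN_LENGTH = 16                              # assumed house threshold; the post sets no number
LEET = str.maketrans("@$013!", "asolei")     # undo p@ssw0rd -> password
SUFFIX = re.compile(r"[\d!@#$%^&*._-]{1,4}$")  # trailing "1!", "2015", "#" and the like


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key as 802.11i defines it for WPA/WPA2-PSK:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits).
    The iteration count is fixed by the standard, so the only cost a defender
    controls is the size of the space an attacker has to search."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def base_words(passphrase: str) -> set:
    """Candidate dictionary words hidden behind the cheap permutations crackers
    try: leetspeak substitutions and a short trailing run of digits/symbols."""
    lower = passphrase.lower()
    stripped = SUFFIX.sub("", lower)
    return {lower.translate(LEET), stripped.translate(LEET)}


def psk_policy_problems(passphrase: str) -> list:
    """Check a candidate PSK against the advice in the post; [] means it passes."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("not a valid WPA passphrase length (8-63 characters)")
    elif len(passphrase) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if passphrase.isdigit():
        problems.append("all-numeric, the usual ISP factory default")
    if passphrase.lower() in WORDLIST:
        problems.append("dictionary word")
    elif WORDLIST & base_words(passphrase):
        problems.append("dictionary word with leetspeak or a trailing number/symbol")
    return problems


if __name__ == "__main__":
    # Same passphrase, two SSIDs: a table built for one is useless against the other.
    for ssid in ("VOIP-5GHz", "INTERNAL-STAFF"):
        print(ssid, wpa2_pmk("Welcome1!", ssid).hex())
    for candidate in ("12345678", "Welcome1!", "p@ssw0rd", "correct-horse-battery-staple-29"):
        print(candidate, psk_policy_problems(candidate) or "OK")
```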

For those interested in trying a cloud cracker:


As always, use at your own risk and only against your own network or with the customer authorization as part of a Pentest.


Cracking WPA/WPA2 PSK

Author: Martin Voelk
November 30, 2014