WPA / WPA2 Cloud Cracking

Author: Martin Voelk
February 17, 2016

In a recent Pentesting engagement for a client we came across across a large WPA2 PSK deployment with 6 different SSIDs. As the customer used generic SSID names such as VOIP-5GHz and INTERNAL-STAFF, which do not allow to trace the customer back, we decided to try one of those numerous Cloud cracking services.

The results were stunningly good. Out of 6 WPA2 handshakes 4 were cracked (incl. the most important ones). Funnily enough the secured GUEST Network wasn’t crackable with a rainbow attack.


This highlights the danger of WPA/WPA2 PSK once again. The key is only as secure as the complexity. We advice Enterprise RADIUS multi factor authentication with client site certificates and preferably RSA tokens instead.



March 17, 2015

We often get to hear from customers: We use WPA2-PSK, so you will not be able to crack it in your Pentest. We don’t use WEP. Well, 8 of 10 Wifi Pentests we perform result in a full crack of the so-called secure WPA2-PSK.

Now why is that? Performing an action to capture the WPA handshake is a piece of cake really. The biggest challenge Pentesters and the bad guys face alike, is to crack the WPA2 key. You usually need a lot of processing power, large rainbow tables with pro-computed hashes or both. Having dictionary and permutation dictionary files can easily result in hundred of Gig.

But hang on, why is it yet so easy? Well there are numerous cloud cracking services out there. Upload the WPA handshake, wait a day and get the result delivered by email.

What can users and companies do to secure their WPA-PSK?

  • Don’t leave it to the ISP factory default. It’s usually set to numeric and at best numeric and alphanumeric values
  • Choose a wise PSK with can’t be found in a dictionary or permuted dictionary
  • Adding a number or a special character at the end is NOT the solution
  • Change the PSK every 3 to 6 months
  • Move away from PSK and use EAP-TTLS or EAP-TLS

For those interested in trying a cloud cracker:


As always, use at your own risk and only against your own network or with the customer authorization as part of a Pentest.


Cracking WPA/WPA2 PSK

Author: Martin Voelk
November 30, 2014