March 17, 2015

We often hear from customers: "We use WPA2-PSK, so you won't be able to crack it in your Pentest. We don't use WEP." Well, 8 out of 10 Wi-Fi Pentests we perform result in a full crack of the so-called secure WPA2-PSK.

Now why is that? Capturing the WPA handshake is really a piece of cake. The biggest challenge Pentesters and the bad guys face alike is cracking the WPA2 key: you usually need a lot of processing power, large rainbow tables with pre-computed hashes, or both, and dictionary and permuted-dictionary files can easily run to hundreds of gigabytes.

But hang on, why is it still so easy? Well, there are numerous cloud cracking services out there: upload the WPA handshake, wait a day and get the result delivered by email.
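Why every guess is expensive, and why the pre-computed tables mentioned above are only useful for the exact network name they were built for: WPA2-Personal derives the pairwise master key (PMK) from the passphrase with PBKDF2-HMAC-SHA1, 4096 rounds, using the SSID as the salt. The script below is an added illustration written for this post, not a tool from the original article; it reproduces the derivation with Python's standard library, checks it against the published IEEE 802.11i test vector ("password" / "IEEE"), and measures single-core throughput so you can see how long a given wordlist would keep a single CPU busy. The network names and candidate strings in it are constructed for the example.

```python
import hashlib
import time


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK exactly as WPA2-Personal does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


# Published IEEE 802.11i test vector (Annex H.4.1): passphrase, SSID, expected PMK
IEEE_VECTOR = (
    "password",
    "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)


def matches_test_vector() -> bool:
    """Sanity check: our derivation must reproduce the standard's own test vector."""
    passphrase, ssid, expected_hex = IEEE_VECTOR
    return wpa2_pmk(passphrase, ssid).hex() == expected_hex


def table_is_ssid_specific(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase, different SSID -> different PMK. A table of pre-computed
    PMKs therefore only covers networks that kept exactly the SSID it was built for,
    which is why default names like the ISP's product name are the ones worth tabulating."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)


def derivations_per_second(ssid: str, samples: int = 200) -> float:
    """Measure how many PBKDF2 derivations one CPU core manages per second.
    Every single passphrase guess costs one full derivation, so this number
    (rather than the hash rate of plain SHA1) is what bounds an attacker per core."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate-{i}", ssid)  # constructed throw-away candidates
    return samples / (time.perf_counter() - start)


def seconds_for_wordlist(entries: int, rate: float) -> float:
    """Wall-clock time to try a wordlist of the given size at the measured rate."""
    return entries / rate


if __name__ == "__main__":
    print("test vector OK:", matches_test_vector())
    print("PMK depends on SSID:", table_is_ssid_specific("correct horse battery", "HomeNet", "linksys"))
    rate = derivations_per_second("HomeNet")
    print(f"{rate:,.0f} derivations/s on one core")
    for size in (10**6, 10**8, 10**10):
        print(f"{size:>12,} entries -> {seconds_for_wordlist(size, rate) / 3600:,.1f} hours")
```

The numbers this prints for one core are the reason the post talks about "a lot of processing power": the work per guess is fixed by the standard, so the only lever the defender controls is how many guesses a passphrase survives, which is what the list of recommendations further down is about.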

What can users and companies do to secure their WPA-PSK?

  • Don’t leave it at the ISP factory default. It’s usually set to a numeric value, or at best a mix of numeric and alphanumeric values
  • Choose a wise PSK which can’t be found in a dictionary or a permuted dictionary
  • Adding a number or a special character at the end is NOT the solution
  • Change the PSK every 3 to 6 months
  • Move away from PSK and use EAP-TTLS or EAP-TLS
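The first three recommendations in the list can be turned into an automated check. The script below is an added example written for this post (not a tool from the original article): it flags digits-only keys, keys built from a dictionary word with digits or special characters tacked on the end or with leetspeak substitutions, and keys whose estimated guess space is below a threshold, and it generates a replacement from a cryptographic random source. The tiny word list, the 60-bit threshold and the sample keys are constructed assumptions; a real check would load a full dictionary such as the permuted lists cracking services use.

```python
import math
import re
import secrets
import string

# Constructed mini word list standing in for a real dictionary (e.g. /usr/share/dict/words)
WORDLIST = {
    "password", "welcome", "summer", "winter", "company", "wireless",
    "office", "london", "dragon", "monkey", "secret", "letmein",
}
# Common leetspeak substitutions that every cracking rule set undoes
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s", "7": "t"})
SYMBOLS = string.punctuation
MIN_BITS = 60.0  # assumed policy threshold for this example, not a figure from the post


def _strip_ends(s: str) -> str:
    """Drop leading/trailing digits and symbols: 'welcome2015!' -> 'welcome'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def dictionary_words(psk: str) -> list:
    """Return the dictionary word(s) a PSK is built from, or [] if none is found.
    Tries the lowercase form with ends stripped, the same with leetspeak decoded,
    and one-split concatenations of two words ('summerwinter')."""
    low = psk.lower()
    candidates = {_strip_ends(low), _strip_ends(low).translate(LEET), _strip_ends(low.translate(LEET))}
    for core in candidates:
        if core in WORDLIST:
            return [core]
        for i in range(1, len(core)):
            if core[:i] in WORDLIST and core[i:] in WORDLIST:
                return [core[:i], core[i:]]
    return []


def estimated_bits(psk: str, words: list) -> float:
    """Rough guess-space estimate. A dictionary-based key is worth the size of the
    word list per word plus a few bits per appended digit/symbol; a random key is
    worth log2(charset) per character."""
    if words:
        appended = len(psk) - sum(len(w) for w in words)
        return len(words) * math.log2(len(WORDLIST)) + appended * math.log2(10 + len(SYMBOLS))
    charset = 0
    if any(c.islower() for c in psk):
        charset += 26
    if any(c.isupper() for c in psk):
        charset += 26
    if any(c.isdigit() for c in psk):
        charset += 10
    if any(c in SYMBOLS for c in psk):
        charset += len(SYMBOLS)
    return len(psk) * math.log2(charset or 26)


def evaluate_psk(psk: str) -> dict:
    """Apply the post's advice: no factory-default style numeric keys, nothing a
    (permuted) dictionary would find, and a trailing digit or symbol is not a fix."""
    if not 8 <= len(psk) <= 63:
        return {"ok": False, "bits": 0.0, "reasons": ["WPA2-Personal passphrases must be 8 to 63 characters"]}
    reasons = []
    if psk.isdigit():
        reasons.append("digits only (typical ISP factory default)")
    words = dictionary_words(psk)
    if words:
        reasons.append("built from dictionary word(s) %s plus appended digits/symbols" % "+".join(words))
    bits = estimated_bits(psk, words)
    if bits < MIN_BITS:
        reasons.append(f"estimated {bits:.0f} bits is below the {MIN_BITS:.0f}-bit target")
    return {"ok": not reasons, "bits": round(bits, 1), "reasons": reasons}


def generate_psk(length: int = 20) -> str:
    """Replacement key from the OS CSPRNG: 20 alphanumeric characters is about 119 bits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for sample in ("12345678", "Welcome2015!", "P@ssw0rd", "summerwinter", "R7k#pL2vQ9xT!mW4zB8n"):
        print(f"{sample!r}: {evaluate_psk(sample)}")
    print("suggested replacement:", generate_psk())
```

The dictionary test deliberately strips the trailing "2015!" and decodes "P@ssw0rd" before looking the word up, because that is exactly what a permuted-dictionary attack does: those variations add almost nothing to the guess count, which is the point of the third bullet.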

For those interested in trying a cloud cracker:

As always, use at your own risk and only against your own network or with the customer authorization as part of a Pentest.