No announcement yet.

WiFi - Compromising WPA

  • Time
  • Show
Clear All
new posts

  • WiFi - Compromising WPA

    Even though WPA and WPA2 are stronger and more secure than WEP, exhaustive attacks are still available to the determined attacker. Attacks against wireless networks can be passive or active in nature. An attack is considered passive if the wireless network s detected by sniffing information. An attack is considered active if the network is uncovered by injecting probe requests to elicit a response from the target.

    Offline attacks
    If an attacker is able to capture the handshake between the client and the AP an offline attack may be possible. This require for the attacker to be in close enough proximity to see the traffic but with a unidirectional antenna such as a Yagi or an parabolic antenna this is possible without having to be close enough to attract attention. The attacker will attempt to recover the keys from the handshake recorded from the captured traffic and then crack the keys offline. This attack works because the handshake occurs completely in the clear, making it possible to capture enough information to break the key.

    Deauthentication attack
    A deauthentication attack approaches the problem of observing the handshake between the client and the access point by tricking the client to reconnect. The attacker will, on behalf of the authenticated client, send a deauthentication packet to the access point which results in the client being disconnected. This usually results in the client attempting to reconnect without the end user being involved. When the client reconnects the authentication happens and the handshake will occur giving the attacker the ability to capture the key.

    Brute-Force WPA and WPA2 Keys
    This is an exhaustive brute force attack and can take a very long time and require a lot of computing power. For this to work, the attacker must already have the keys obtained by other means.

    Mitigation of WEP and WPA Cracking
    Needless to say, WPA2 should be used when ever possible and strong keys should be implemented. If a high level of security is a requirement the use of WPA2 Enterprise may be considered. No system will ever be completely secure but that should not be the goal. The goal is to make the wireless network so secure that the gain from penetrating it is less than the cost to penetrate it.

    Here are some mitigations to provide better security
    • Use a complex password or passphrase as the key. Using the same rules as when choosing any other secure password is acceptable.
    • Use server validation on the client side to allow the client to have a positive ID of the access point it is connected to.
    • Eliminate WEP and WPA and move to WPA2 where available.
    • Use encryption standards such as CCMP, AES and TKIP.
    • Change the shared keys on a fairly regular basis.

    Some threats can be classified as access control, integrity and confidentiality targeted attacks.
    Certified Security Geek