Forum

A very useful 10-page security analysis on WPA/WPA2 PSKs - very useful for study purposes. Not only does it demonstrate a WPA2 PSK being cracked using the OG150, it discusses the mechanics behind the PSK cracking process and more....

http://www.og150.com/tutorials.php
Go to: Wireless Pre-Shared Key Cracking (WPA, WPA2)

Thanks for posting this.

Excellent Article! Tried it out on my limited setup using 2 Linux boxes (First one as AP, another operating in Monitor/Attacker Mode) and one STA(using WZC / XP). Few interesting observations as under:
1. The only thing noteworthy here is that the crack works for so long as the PSK is a dictionary word. Tried using the default linux dictionary (w/o any mods) for that matter.
 
2. In the event of an uncommon(aka non-dictionary) word/string being set as PSK, then it requires the same to be added into the dictionary file.

3. The 4-way handshake may not get captured always and so trick around by forcing fake De-Auth (from the attacking machine) and chances are high to get the 4-way handshake captured

4. May not work in a MIMO setup that uses spatial streaming. (At least not working for me currently)
   Hope this helps. Once again thank you Darren.
Regards

Hi there, glad you found it useful! My comments below: 1) This is correct, you must have the PSK in a dictionary (or alternatively try and brute force). 2) As per the above, this is correct. You could try and brute force or pre-compute raindow-tables to try and 'find' the PSK. 3) You will also find that you don't actually need all 4 packets in the WPA 4-way handshake. From memory, you can crack with 2 packets - feel free to test. 4) I wasn't aware of this limitation??? Thanks Darren