Hacking & Solutions: Cracking WEP and WPA2-PSK
By CWNP On 03/20/2008
This article is presented as part of the hacking + solution track for Wireless Security Expo 2008. Before reading the solutions article, make sure you have watched the hacking video. Videos are available by registering here.
Cracking WEP is old hat, but the newer WPA/WPA2-Personal can be cracked too. See how it's done and see how to secure against it.
Cracking WEP is fast and easy with commonly available Windows- or Linux-based tools. The length of the WEP key, 40- or 104-bit, is practically irrelevant, and with the software tools currently available, any novice can crack WEP in minutes given enough captured data. With users being added to the WLAN every day in most enterprises and the amount of data going over the WLAN growing exponentially, capturing enough data to crack WEP is often simple.
The moral of the story with WEP is simply that it should never be used when stronger authentication and encryption mechanisms are available.
Cracking WPA/WPA2-Personal (which uses a passphrase) is a much more difficult task than cracking WEP, but it still isn't an overwhelming task. Given the right dictionary file(s) and the latest versions of WPA cracking tools, cracking WPA/WPA2-Personal can happen in a short time if a very strong passphrase isn't used by the network administrator. The Wi-Fi Alliance suggests at least 20 characters with lower case, upper case, numbers, and special characters and use of WPA2 over WPA whenever possible.
Tools such as Aircrack-ng can be easily used both for cracking WEP and WPA/WPA2-Personal. Because Aircrack-ng runs on Windows as well as Linux, it puts sophisticated attacks within reach of a novice. Use of WPA/WPA2-Personal should be limited to small installations such as SOHO - hence the name "Personal" - or very specific scenarios in SMB installations (like VoWLAN phones). When WPA/WPA2-Personal is used, it is best for only the network administrator to have the passphrase. He/she would enter it into every laptop, VoWLAN phone, handheld PC, or other wireless device manually without giving it to the user. Of course this is not scalable, but it's more secure than having 5-50 users knowing the passphrase.
More secure alternatives to static WPA/WPA2-Personal passphrases have been developed, such as Ruckus Wireless's Dynamic PSK solution. More information on this solution can be found here: http://www.ruckuswireless.com/pdf/fs-dynamic-psk.pdf
If you just can't bring yourself to make a strong passphrase, there are tools just for this purpose, such as Juniper's PassAmp utility (a free download) and the website:
Having tools like these will help you get past the mental block of creating such strong passphrases.
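As an added example (not code from the article or from any of the tools it names), the script below turns the Wi-Fi Alliance guideline quoted above (20 or more characters mixing lower case, upper case, digits and specials) into a checker, and pairs it with a generator of the kind of passphrase the tools in the last paragraph produce. It assumes the 802.11i rule that a passphrase is 8 to 63 printable ASCII characters, which the article does not state.

```python
import secrets
import string

# Wi-Fi Alliance guidance quoted in the article: at least 20 characters drawn
# from lower case, upper case, digits and special characters.
MIN_LEN = 20
# Assumption (from 802.11i, not the article): a WPA/WPA2-Personal passphrase
# is 8 to 63 printable ASCII characters.
WPA_MIN, WPA_MAX = 8, 63
SPECIALS = string.punctuation


def check_passphrase(passphrase: str) -> list:
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    if not (WPA_MIN <= len(passphrase) <= WPA_MAX):
        problems.append(f"length must be {WPA_MIN}-{WPA_MAX} characters")
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than the recommended {MIN_LEN} characters")
    classes = {
        "lower case": string.ascii_lowercase,
        "upper case": string.ascii_uppercase,
        "digit": string.digits,
        "special": SPECIALS,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in passphrase):
            problems.append(f"no {name} character")
    return problems


def generate_passphrase(length: int = 24) -> str:
    """Generate a random passphrase that satisfies check_passphrase()."""
    if not (MIN_LEN <= length <= WPA_MAX):
        raise ValueError(f"length must be {MIN_LEN}-{WPA_MAX}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:  # retry until every character class is present
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_passphrase(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one weak, one meeting the guideline.
    for p in ["password", "CorrectHorseBatteryStaple2008!"]:
        print(p, "->", check_passphrase(p) or "OK")
    print("generated:", generate_passphrase())
```

Enforcing a check like this at the point where the administrator sets the passphrase removes the weak-dictionary-word case that makes WPA/WPA2-Personal crackable in the first place.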