Distributed WPA Cracking CSCI5673 - Distributed Systems Spring 2011 University of Colorado



  1. Distributed WPA Cracking
  CSCI5673 - Distributed Systems
  Spring 2011, University of Colorado
  Rodney Beede, Ryan Kroiss, Arpit Sud
  2011-05-02

  2. Topics
  • The Team
  • Introduction
  • WPA 1/2
  • Architecture
  • Master Node
  • Worker Node
  • Test Methodology
  • Results & Conclusions
  • Future Work
  • Questions

  3. Introduction
  • Cracking WiFi
    • WEP - easy
    • WPA - hard
  • Brute force
    • Not practical
    • 8 character minimum
  • Dictionary
    • Common passwords
  • coWPAtty by Joshua Wright
    • Generate rainbow table
    • Search rainbow table

  4. Introduction - Our Idea
  • Distributed key generation
    • Already done
  • Distributed table lookup
    • Not done
  • Web service
    • Fast lookup
    • Modify existing code

  5. WPA a.k.a. WPA1
  • WPA stands for WiFi Protected Access
  • Meant to replace WEP
    • WEP failed to meet its security goals
  • Comes in two flavours
    • WPA-PSK* (Pre-Shared Key), which uses TKIP
    • WPA-Enterprise: more secure, but requires a RADIUS authentication server
  * also known as WPA-Personal

  6. WPA2
  • Successor to WPA
  • Makes PSK more secure as it uses CCMP instead of TKIP
  • Both WPA-PSK and WPA2-PSK are susceptible to password cracking attacks
  • No known attacks against Enterprise flavors
  • The lesson is....

  7. Attacking WPA-PSK
  • Authentication handshake required for cracking WPA-PSK
  • Authentication handshake happens when a client connects to the AP (and also when the client "thinks" it is no longer authenticated)
  • Packet capture is a 3-step process
    • Place wireless card in monitor mode ("listen all")
    • Start packet capture
    • Send a deauthentication packet to wireless client to induce authentication handshake
  • A script is provided that performs the above 3 steps

  8. Architecture

  9. Master Node
  • Java web application
  • Accepts jobs
    • Upload .cap file
    • SSID name
  • Queues job
    • Runs 1 at a time
  • Tracks worker status
    • NOT LOADED
    • LOADED
    • RUNNING
    • FINISHED
    • ERROR

  10. Master Node (cont)
  • Start / kill worker clients
    • Remote ssh
  • Hand out table offsets
  • Records web app log
  • Job run
    • User submits job
    • Master saves to NFS share
    • Master tells workers
      • When ready
      • TCP packet
      • Location of files and output destination
    • Master checks SOLUTION file

  11. Worker Node
  • Started by master
  • Loads rainbow table into memory
    • 1000 files x 40MB = 40GB (5GB per worker)
    • Giant byte array with pointers per SSID
  • Creates socket to listen for messages from master
  • Possible message types
    • START
    • STATUS
    • KILL

  12. Worker Node (cont)
  • STATUS - returns worker status
  • KILL - kills current job (if applicable)
  • START command creates new thread
    • Looks up SSID
    • Finds corresponding portion of rainbow table
    • Leverages coWPAtty for password lookup
    • If password is found
      • Worker outputs solution to file
      • Master tells other workers to stop
    • Otherwise, workers report FINISHED after reading through table
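The master/worker control protocol of slides 9 to 12 (START / STATUS / KILL, worker states NOT LOADED through ERROR, one job at a time, offsets handed out by the master, KILL sent to the rest once a worker reports a solution), as an added example that is not the project's code. It runs in-process with threads on constructed data; the real system exchanges these messages over TCP and reads the SOLUTION file from an NFS share, and coWPAtty's MIC comparison against the .cap file is abstracted here into a `verifier` callable, which is an assumption of this example.

```python
"""Added example, not the project's code: the START / STATUS / KILL protocol and
worker states of slides 9 to 12, run in-process with threads and constructed data.
The real system sends these messages over TCP and reads the SOLUTION file from an
NFS share; coWPAtty's MIC check against the .cap file is abstracted into a
'verifier' callable (an assumption of this example)."""
import threading
import time


class Worker:
    """Keeps its table in memory; START scans an offset range on a new thread."""

    def __init__(self, name, table, verifier):
        self.name, self.table, self.verifier = name, table, verifier
        self.state = "LOADED"          # table already in memory (NOT LOADED before that)
        self.solution = None
        self._stop = threading.Event()
        self._thread = None
        self._lock = threading.Lock()

    def handle(self, msg: dict) -> dict:
        kind = msg.get("type")
        if kind == "STATUS":
            with self._lock:
                return {"worker": self.name, "state": self.state, "solution": self.solution}
        if kind == "KILL":
            self._stop.set()
            if self._thread is not None:
                self._thread.join()
            with self._lock:
                if self.state == "RUNNING":      # job aborted, table still loaded
                    self.state = "LOADED"
                return {"worker": self.name, "state": self.state}
        if kind == "START":
            ssid = msg["ssid"]
            if ssid not in self.table:
                with self._lock:
                    self.state = "ERROR"
                    return {"worker": self.name, "state": self.state, "error": "no table for SSID"}
            self._stop.clear()
            with self._lock:
                self.solution, self.state = None, "RUNNING"
            self._thread = threading.Thread(target=self._scan,
                                            args=(ssid, msg["offset"], msg["count"]))
            self._thread.start()
            return {"worker": self.name, "state": "RUNNING"}
        with self._lock:
            self.state = "ERROR"
            return {"worker": self.name, "state": self.state, "error": f"unknown message {kind!r}"}

    def _scan(self, ssid, offset, count):
        for candidate in self.table[ssid][offset:offset + count]:
            if self._stop.is_set():
                return                           # KILL arrived; handle() resets the state
            if self.verifier(candidate):
                with self._lock:
                    self.solution = candidate    # the real worker writes the SOLUTION file here
                break
        with self._lock:
            if not self._stop.is_set():
                self.state = "FINISHED"


class Master:
    """Runs one job at a time: hands out offsets, polls STATUS, KILLs the rest on a hit."""

    def __init__(self, workers):
        self.workers, self.queue, self.log = workers, [], []

    def submit(self, ssid: str) -> None:
        self.queue.append(ssid)

    def run_next(self, table_size: int, poll: float = 0.005):
        ssid = self.queue.pop(0)
        chunk = -(-table_size // len(self.workers))   # ceiling division: one range per worker
        for i, w in enumerate(self.workers):
            self.log.append(w.handle({"type": "START", "ssid": ssid,
                                      "offset": i * chunk, "count": chunk}))
        deadline = time.monotonic() + 5.0             # guard against a worker that never answers
        while time.monotonic() < deadline:
            replies = [w.handle({"type": "STATUS"}) for w in self.workers]
            self.log.extend(replies)
            solved = [r for r in replies if r["solution"] is not None]
            if solved:
                for w in self.workers:               # master tells the other workers to stop
                    self.log.append(w.handle({"type": "KILL"}))
                return solved[0]["solution"]
            if all(r["state"] in ("FINISHED", "ERROR") for r in replies):
                return None                          # whole table read, no hit
            time.sleep(poll)
        return None


# Constructed table for the SSID the slides tested with, split 4/4/4 across 3 workers.
TABLE = {"linksys": ["aaaaaaaa", "!8zj39le", "bbbbbbbb", "cccccccc", "}ttringe", "dddddddd",
                     "eeeeeeee", "ffffffff", "gggggggg", "korrelie", "hhhhhhhh", "iiiiiiii"]}


def demo(target: str = "korrelie"):
    """Returns (solution or None, final worker states)."""
    workers = [Worker(f"worker{i}", TABLE, lambda c: c == target) for i in range(3)]
    master = Master(workers)
    master.submit("linksys")
    solution = master.run_next(table_size=len(TABLE["linksys"]))
    return solution, [w.handle({"type": "STATUS"})["state"] for w in workers]
```

`demo()` returns the solution found by the third worker's range and a state list with no worker still RUNNING; `demo("zzzzzzzz")` returns `None` with every worker FINISHED, the "read through the whole table" outcome of slide 12. A START for an SSID the worker never loaded puts it in ERROR, which the master treats as terminal for that job.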

  13. Original coWPAtty
  • Read records in rainbow table
    • Records contain length, passphrase, and PMK
  • PMK -> PTK (requires capture data)
  • PTK -> MAC
  • Grab key MIC
  • Compare with MIC found in capture data

  14. Serial versus Distributed

  Serial                               Distributed
  Run once and done                    Runs as a service
  Reads data from disk                 Loads data into memory
  Runs on one machine                  Runs on N machines
  Quick start-up time                  Slow start-up time
  Less opportunity for optimizations   More opportunity for optimizations

  15. Test Methodology
  • 996,358 word rainbow table
    • 1,000 SSIDs
    • 40MB / SSID
    • 40GB total size
  • 8 worker nodes
  • 1 master node
  • Cisco C210 M1 (on loan from Cisco)
    • Two Intel Xeon E5540 (2.5GHz)
    • 8 logical CPUs
    • 72GB RAM
    • Sixteen 10K RPM SAS 6.0 Gbps 146GB drives
    • RAID5

  16. Test Methodology (cont)
  • Packet capture data with SSID linksys available in SVN
  • Test data created with the following keys:
    • First in dictionary: !8zj39le
    • Middle in dictionary: }ttringe
    • Last in dictionary: korrelie
  • Gathered data for time taken to find solution from master and worker logs
  • Compared to original coWPAtty running on a single node
  • Results shown on next slide are the average of times recorded by the 3 of us

  17. Results & Conclusions
  • First in dictionary
    • Serial = 8 milliseconds
    • Distributed = 5 milliseconds
  • Middle in dictionary
    • Serial = 3056 milliseconds
    • Distributed = 742 milliseconds
  • Last in dictionary
    • Serial = 6014 milliseconds
    • Distributed = 767 milliseconds
  • Seemingly small
  • Scalable
  • Ideal for web service

  18. Future Work
  • GUI client for data capture
  • Distribute table generation
  • Hybrid disk/memory approach
  • Thousands of heterogeneous clients
    • Like SETI@HOME
  • Rewrite in Java or C++
    • Simpler code
    • Improved data structures

  19. Questions?
  http://code.google.com/p/distributed-wpa-cracking/
  Tips for a secure PSK wireless network:
  • Use a unique SSID (not linksys or home)
  • Have a long* & unique key; use special characters
  * max. 63 characters
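The per-SSID table of slides 11 and 13 (one in-memory byte array with a pointer per SSID, records of length + passphrase + PMK) and the reason behind slide 19's first tip, as an added example that is neither the project's nor coWPAtty's code. The PMK derivation is the one every WPA-PSK client performs (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes); the byte layout of a record is an assumption of this example, not genpmk's actual file format, and the SSID `beede-lab-7f3a` and word list are constructed. The lookup is keyed on a known PMK only to make the point visible: a table precomputed for `linksys` or `home` yields nothing for a unique SSID, so each candidate has to be recomputed at full PBKDF2 cost.

```python
"""Added example, not code from the project: a per-SSID precomputed PMK table
laid out the way slides 11 and 13 describe (one byte array, a pointer per SSID,
records of length + passphrase + PMK). The exact byte layout is an assumption,
not coWPAtty's genpmk format. The lookup is by PMK only to show that a table
built for one SSID says nothing about another SSID (slide 19's first tip)."""
import hashlib
import struct

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32               # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes), as every WPA-PSK
    client derives it. The SSID is the salt, which is what ties a table to one SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def encode_records(ssid: str, passphrases) -> bytes:
    """Serialise one SSID's table as [u8 record length][passphrase][PMK] per word
    (assumed layout; the longest record is 1 + 63 + 32 = 96 bytes, so one length byte suffices)."""
    out = bytearray()
    for pw in passphrases:
        body = pw.encode("utf-8") + derive_pmk(pw, ssid)
        out += struct.pack("B", len(body) + 1) + body
    return bytes(out)


def iter_records(blob, start: int, end: int):
    """Walk the records in blob[start:end], yielding (passphrase, pmk)."""
    off = start
    while off < end:
        rec_len = blob[off]
        body = blob[off + 1:off + rec_len]
        yield bytes(body[:-PMK_LEN]).decode("utf-8"), bytes(body[-PMK_LEN:])
        off += rec_len


class TableStore:
    """Worker-style in-memory store: one byte array plus (start, end) pointers per SSID."""

    def __init__(self):
        self.blob = bytearray()
        self.index = {}

    def load(self, ssid: str, passphrases) -> None:
        start = len(self.blob)
        self.blob += encode_records(ssid, passphrases)
        self.index[ssid] = (start, len(self.blob))

    def lookup(self, ssid: str, pmk: bytes):
        """Passphrase whose precomputed PMK matches, or None when there is no
        table for this SSID or no record matches."""
        if ssid not in self.index:
            return None
        start, end = self.index[ssid]
        for pw, candidate in iter_records(self.blob, start, end):
            if candidate == pmk:
                return pw
        return None


# Constructed word list; the first three are the test keys named on slide 16.
WORDS = ["!8zj39le", "}ttringe", "korrelie", "password"]


def demo():
    """Tables for two default SSIDs find a weak key under 'linksys'; the same key under
    a unique SSID gets no hit, because its PMK was never precomputed."""
    store = TableStore()
    for ssid in ("linksys", "home"):        # the default SSIDs slide 19 warns against
        store.load(ssid, WORDS)
    hit = store.lookup("linksys", derive_pmk("korrelie", "linksys"))
    unique_ssid = "beede-lab-7f3a"          # constructed, not a default SSID
    miss = store.lookup(unique_ssid, derive_pmk("korrelie", unique_ssid))
    return hit, miss


if __name__ == "__main__":
    print(demo())  # ('korrelie', None)
```

`derive_pmk` can be checked against the IEEE 802.11i Annex test vector (passphrase `password`, SSID `IEEE`), and a table entry for `}ttringe` under `linksys` does not match the PMK of the same word under `home`, which is why the deck needed 1,000 per-SSID tables rather than one.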
