Here attached is a PowerPoint lecture slide written by Fotios Lindiakos and Ed Rowland. This is also available to view on LiveShare.

Slide Contents & Summary

1. Cracking WPA2-PSK in the cloud
   - A Cost Effective Solution For Brute Force Attacks
   - By Fotios Lindiakos and Ed Rowland

2. WPA2-PSK
   - Wi-Fi Protected Access II – Pre-shared Key
   - Replaced WPA in 2004 as 802.11i standard
   - Added security replacing TKIP with CCMP (AES)
   - Required for devices with Wi-Fi trademark
   - Two modes
     - Enterprise – requires a Radius Server (802.1x)
     - Personal – 256 bit key created from a string of 64 digits or 8-63 character passphrase
   - Key calculation
     - Passphrase → PBKDF2 (f) salted w/SSID → 4096 iterations of HMAC-SHA1

3. WPA2-PSK/802-11i 4 Way Handshake
   - Goal - derive Passphrase from PMK
   - Correct Passphrase “guessed” if tool can calculate the same Message Integrity Code (MIC)
   - Hacking Exposed - Stuart McClure, Joel Scambray, George Kurtz

4. Tools Used
   - Amazon’s EC2 cloud
   - Multiple types of instances running 64 bit Ubuntu 10.04 LTS
   - Aircrack-ng v1.1
   - Custom web front end
   - Custom code to parallelize processing
   - Laptop/mobile device running aircrack-ng to capture and send capture file to cloud

5. About The EC2 Cloud
   - One of many proprietary web services Amazon offers providing PAAS, IAAS & SAAS
   - Elastic Compute Cloud (EC2) virtualizes compute cycles into EC2 compute units (ECU)
   - One ECU provides the equivalent CPU capacity of a 1.0-1.2 GHz 2007 Opteron or Xeon processor
   - Access to an EC2 instance is via SSH leveraging PKI to encrypt a session key

6. To the cloud!

7. Cracking Statistics

8. But what about cracking…One Hundred MILLION keys!

9. Time to Crack 100,000,000

10. Optimized for “Bang for your buck”

11. About Custom Code
   - Written in Ruby
   - Front end is a Sinatra web application
   - Back end is a wrapper around aircrack-ng
   - Library handles communicating with EC2
   - Only 234 lines of code

12. Front End
   - Accepts PCAP from the user
   - Also gets SSID and how many instances to run
   - Creates a “message” for each instance
     - This message is put on a queue waiting for client to come online
     - It contains all the information the client needs
   - Starts cracking instances
   - Waits for results and reports them to the user
   - After a key is found, terminates all clients

13. Back End
   - Pops a message off the queue at boot time
   - Gets the PCAP and full dictionary file
   - Creates smaller wordlists
     - First, makes a list based on “chunk” assigned
     - Breaks that into smaller chunks for reporting purposes
   - Runs aircrack-ng against each chunk
   - Reports progress or the key after every iteration

14. Tested Instance Types and Cost

15. Demo

16. Results – Single Instances

17. Results – Parallel Instances

18. Future Work
   - Utilize other EC2 Instance types
     - High End Cluster with GPU
     - 33.5 ECU and 2 x NVIDIA Tesla “Fermi” M2050 GPUs
   - Optimize cracking client for architecture
     - Fully utilize multiple CPU/core
     - Fully utilize 64 bit capabilities
     - Fully utilize GPU acceleration
   - Look at other cracking tools
     - coWPAtty, Hydra, custom code

19. Conclusion
   - It’s certainly inexpensive and easy to leverage cloud computing to hack WPA2-PSK efficiently
     - As long as you have an adequate dictionary
   - The attack can be prioritized based on
     - Cost: Use cheaper instances, regardless of time
     - Time: Use most powerful instances, regardless of cost
:) thanks
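The key calculation on slide 2 (passphrase, salted with the SSID, through 4096 iterations of HMAC-SHA1) can be checked against the published IEEE 802.11i test vector; the sketch below is an added example, not code from the slides or the authors' Ruby tool. The function names and the guess rate passed to `years_to_exhaust` are assumptions made here, so that an administrator can compare passphrase policies against a chosen rate.

```python
import hashlib
import string

PMK_LEN = 32        # the 256 bit key from slide 2
ITERATIONS = 4096   # iteration count from slide 2


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256 bit key for a WPA2-Personal network."""
    # A string of 64 hex digits is used directly as the key.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters or 64 hex digits")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # PBKDF2 with HMAC-SHA1; the SSID is the salt, so the same passphrase
    # yields a different key on every differently named network.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def years_to_exhaust(alphabet_size: int, length: int,
                     keys_per_second: float) -> float:
    """Years needed to try every passphrase of the given shape.

    keys_per_second is an assumed rate supplied by the caller; the slides'
    measured figures are not reproduced on this page.
    """
    seconds = alphabet_size ** length / keys_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Constructed comparison at an assumed 100,000 guesses per second.
    for label, alphabet, length in [("8 digits", 10, 8),
                                    ("8 lowercase", 26, 8),
                                    ("16 printable ASCII", 95, 16)]:
        print(f"{label:>20}: {years_to_exhaust(alphabet, length, 1e5):.3g} years")
```

Because the SSID is the salt, a default or common network name lets one dictionary computation be reused across many networks, which is a reason to change the SSID as well as the passphrase.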