CRACKING WPA2-PSK IN THE CLOUD
A Cost Effective Solution For Brute Force Attacks
By Fotios Lindiakos and Ed Rowland
WPA2-PSK
Wi-Fi Protected Access II – Pre-shared Key
• Replaced WPA in 2004 as 802.11i standard
• Added security replacing TKIP with CCMP (AES)
• Required for devices with Wi-Fi trademark
• Two modes
    • Enterprise – requires a Radius Server (802.1x)
    • Personal – 256 bit key created from a string of 64 digits or 8-63 character passphrase
• Key calculation
    • Passphrase PBKDF2(f) salted w/SSID
    • 4096 iterations of HMAC-SHA1
WPA2-PSK/802-11i 4 Way Handshake
• Goal - derive Passphrase from PMK
• Correct Passphrase “guessed” if tool can calculate the same Message Integrity Code (MIC)
Hacking Exposed - Stuart McClure, Joel Scambray, George Kurtz
Tools Used
• Amazon’s EC2 cloud
• Multiple types of instances running 64 bit Ubuntu 10.04 LTS
• Aircrack-ng v1.1
• Custom web front end
• Custom code to parallelize processing
• Laptop/mobile device running aircrack-ng to capture and send capture file to cloud
About The EC2 Cloud
• One of many proprietary web services Amazon offers providing PAAS, IAAS & SAAS
• Elastic Compute Cloud (EC2) virtualizes compute cycles into EC2 compute units (ECU)
• One ECU provides the equivalent CPU capacity of a 1.0-1.2 GHz 2007 Opteron or Xeon processor
• Access to an EC2 instance is via SSH leveraging PKI to encrypt a session key
To the cloud!
Cracking Statistics
[Chart: Key Rate (k/s), Cost ($/hr) and Cost Per Million Keys by Instance Type (Number of ECU's): Micro (~2), Small (1), Large (4), Medium (5), X-Large (20). Data labels: $0.0888, $0.0944, $0.0833, $0.0455, $0.0585]
But what about cracking… One Hundred MILLION keys!
Time to Crack 100,000,000
[Chart: X-Large Time, Medium Time, Medium Cost and X-Large Cost by Number of Instances (1, 5, 10, 100)]
Optimized for “Bang for your buck”
[Chart: X-Large Instances, Medium Instances, Medium Cost and X-Large Cost by Target Cracking Time (0:50:00, 1:50:00)]
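
Added example, not code from the talk or its custom tool: the key calculation from the WPA2-PSK slide in Ruby, plus a worst-case cost estimate for exhausting a passphrase space that a defender can use to size a passphrase. It assumes the lowest data label on the Cracking Statistics chart ($0.0455) is a cost per million keys and ignores hourly billing; the SSID `HomeNet-7F3A` is constructed, and the function names are this example's own.

```ruby
require 'openssl'

# WPA2-Personal key calculation as stated on the slide:
# PMK = PBKDF2(HMAC-SHA1, passphrase, salt = SSID, 4096 iterations, 256 bits).
# Only the 8-63 character passphrase form is handled here, not the 64-digit key.
def wpa2_pmk(passphrase, ssid)
  unless passphrase.bytesize.between?(8, 63)
    raise ArgumentError, 'passphrase must be 8-63 characters'
  end
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(passphrase, ssid, 4096, 32).unpack1('H*')
end

# Assumption: lowest data label on the Cracking Statistics chart, read as
# USD per million keys tested.
COST_PER_MILLION_KEYS = 0.0455

# Worst-case cost in USD to try every candidate in a keyspace at that rate.
def exhaust_cost_usd(keyspace_size)
  keyspace_size / 1_000_000.0 * COST_PER_MILLION_KEYS
end

# Number of uniformly random passphrases of a given length over an alphabet.
def random_keyspace(alphabet_size, length)
  alphabet_size**length
end

if __FILE__ == $PROGRAM_NAME
  # Same passphrase, different SSIDs: the salt gives unrelated PMKs, so work
  # done against one network name does not carry over to another.
  puts wpa2_pmk('password', 'IEEE')          # test vector from IEEE 802.11i
  puts wpa2_pmk('password', 'HomeNet-7F3A')  # constructed SSID

  # The talk's 100,000,000-key dictionary versus randomly chosen passphrases.
  puts format('100M-word dictionary:      $%.2f', exhaust_cost_usd(100_000_000))
  puts format('8 random lowercase chars:  $%.2f',
              exhaust_cost_usd(random_keyspace(26, 8)))
  puts format('12 random [A-Za-z0-9]:     $%.3e',
              exhaust_cost_usd(random_keyspace(62, 12)))
end
```

The estimate only applies to passphrases that are actually random; a passphrase that appears in a dictionary costs no more than the dictionary run, whatever its length.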
About Custom Code
• Written in Ruby
• Front end is a Sinatra web application
• Back end is a wrapper around aircrack-ng
• Library handles communicating with EC2
• Only 234 lines of code
Front End
• Accepts PCAP from the user
• Also gets SSID and how many instances to run
• Creates a “message” for each instance
• This message is put on a queue waiting for client to come online
• It contains all the information the client needs
• Starts cracking instances
• Waits for results and reports them to the user
• After a key is found, terminates all clients
Back End
• Pops a message off the queue at boot time
• Gets the PCAP and full dictionary file
• Creates smaller wordlists
    • First, makes a list based on “chunk” assigned
    • Breaks that into smaller chunks for reporting purposes
• Runs aircrack-ng against each chunk
• Reports progress or the key after every iteration
Demo
Future Work
• Utilize other EC2 Instance types
    • High End Cluster with GPU
    • 33.5 ECU and 2 x NVIDIA Tesla “Fermi” M2050 GPUs
• Optimize cracking client for architecture
    • Fully utilize multiple CPU/core
    • Fully utilize 64 bit capabilities
    • Fully utilize GPU acceleration
• Look at other cracking tools
    • coWPAtty, Hydra, custom code
Conclusion
• It’s certainly inexpensive and easy to leverage cloud computing to hack WPA2-PSK efficiently
    • As long as you have an adequate dictionary
• The attack can be prioritized based on
    • Cost
        • Use cheaper instances, regardless of time
    • Time
        • Use most powerful instances, regardless of cost