by drinkyouroj 4178 days ago
Your method sounds to me like a pretty standard PSK crack: deauth client, collect auth handshake, repeat until you have enough packets to crack the passphrase. But collecting enough packets to crack the PSK becomes more difficult as the number of clients disconnecting/reconnecting goes down and the complexity of the PSK goes up. If you're trying to connect to a home AP with a halfway-decent passphrase, it can take days (or weeks) to collect enough auth packets.

Man-in-the-middle, on the other hand, takes almost no time at all - just a gullible user with the passphrase. This method seems like it would be especially effective against most home APs, which is the same case that is less-than-ideal for the other method.


A bruteforce attack against the PSK handshake requires only a single handshake to be captured. There are no known techniques to speed up the attack if more handshakes are captured.

Man-in-the-middle attacks against WPA are not trivial at all. The client and access point perform mutual authentication. If you don't know the password, you can't put up an identical rogue access point. The passphrase is never explicitly included in the handshake, only in "protected" forms (in challenge/response messages).

Ah, you're right about only needing a single handshake. I don't make a habit of "security testing" wifi networks, but with WEP I seem to remember something about increasing the odds of your cracked key being correct based on the number of packets at your disposal. Anyway, I looked a little deeper and that's certainly not the case with WPA.

I didn't mean to imply that MitM is trivial, just that it's quicker than brute-force in many cases. And, I assumed the rogue AP was not doing true WPA encryption like the real AP, just enough to make it appear correct to get clients to connect so you can serve the fake control panel. If you need the passphrase to stand up the rogue AP, what is the point of this attack? You're not phishing for anything but the WPA key.

EDIT: just read your comment about how this actually works (that is, the "rogue" AP is just another unencrypted network.) That's actually really lame, and I withdraw my previous praise for this crack. ;)