As I’ve been on my security kick lately, I’ve been learning lots of things. It turns out a lot of that stuff you see on CSI shows is real!!
Um.. ok, well not everything. 🙂 (and if you are not a programmer, the joke above is that code is not even approximately close to being valid in any way!)
Your Wi-Fi Password:
At your home at least, you likely have a wireless router which lets you get out on the internet. You named the “SSID” something like “Home” and the password something like “fido” because that is your dog’s name.
OK, simple enough – what’s the problem? The issue is that anyone within range of your wireless router can easily gain access. Once they are connected, they have access to anything on your private network. So, this password (a.k.a. pre-shared key) needs to be pretty solid.
An ethical hacker or nefarious person with Linux installed on a laptop or tablet can use this simple program to guess your password. Below is a summary of how it works.
First, the attacker uses their wireless card to monitor for wireless signals. Hopefully you didn’t name your SSID something like TheSmiths – if your name is Smith. Using airodump-ng, you can see all wireless access points (top) and all clients who are connected (bottom):
The ESSID is the SSID that you know, and the BSSID column has the MAC address for that device. The attacker can then use that to run aireplay-ng to broadcast a DeAuth announcement to the network. This will force all Wi-Fi devices to re-authenticate. However, just before that, the attacker ran airodump-ng and started dumping this traffic to a “capture” file.
So – the attacker is capturing all traffic between Wi-Fi devices and the access point, he/she forced everyone to re-authenticate – at which point he/she stops the monitoring. The attacker now has a capture file with encrypted connection information! They can now take it offline to crack it.
Within just a couple of minutes the attacker was able to capture all the details that are needed – including the Wi-Fi handshake, into a capture file. Offline, the attacker can now use aircrack-ng to start attempting passwords.
The Brute Force Attack – most people think this is how most attacks are done. That is, try every letter and number combination. In truth, this is extremely time-consuming and many times computationally infeasible. More on that in a minute. If the attacker is going to do a brute force attack, they can use something like “crunch” and feed it patterns of things to try (upper case, lower case, etc.). But again, this is usually only a last resort because it is so time-consuming. Even knowing something like the approximate length of that password, or a partial value of it, can make a world of difference. You want to do anything but a raw brute force, though.
The Dictionary Attack – a far more common attack is a dictionary attack. Most humans use language words in passwords. English speakers will use English phrases like “Fido601” for the name of their dog and their wedding anniversary. So, imagine that a computer can try every combination of English words and numbers in no time at all! Let’s look at some actual numbers on that.
On a very humble dual-core laptop, aircrack-ng could process/attempt about 750 passwords per second.
For password attempts, that is: 750/second… 45,000/minute… 2.7 million/hour… 64.8 million/day.
Remember once they have that capture file, they do this cracking part at their leisure, at their house, in their free time. So even if it takes a couple of days – that’s still very reasonable.
Now, there are about a million words in the English language. So, if you used just a single word and maybe a few numbers after – you could attempt every single combination within an hour.
More about cracking…
To figure out a solution, let’s use the computation time to our advantage. Here are some interesting numbers to consider – again, using my humble dual-core as a baseline:
- Number-and-lowercase-letter password (e.g. 12ed87be9aaa) vs. time to crack:
  - 2 characters = 1.7 seconds
  - 3 characters = 1.0 minute
  - 4 characters = 37.2 minutes
  - 5 characters = 22.3 hours
  - 6 characters = 33.5 days
  - 7 characters = 3.3 years
  - 8 characters = 118.8 years
  - 9 characters = 4,276 years
  - 12 characters (like: 12ed87be9aaa) = 199.5 million years
- Dictionary-word password (e.g. Aardvark12) vs. time to crack:
  - 1 word = 22.7 minutes
  - 2 words = 44.3 years
  - 3 words = 45.3 million years
But wait – this is a trick! The times above assume the process had to go through every combination, so these numbers are the absolute worst-case scenario. If the answer is found half-way through the search, then you can expect about half of that time!
For example, if you had a letters/numbers password of 000000000001 – then despite its length, it would take less than a second to crack – not 199.5 million years!
Likewise, if you used 2 English words that were found early, that too could be cracked in minutes. It would only take the 44.3 years if the two words were the very last 2-word combination attempted.
Also – in the case of aircrack-ng, one could split this work up amongst many computers, having each computer try a unique pattern. Again, this is an offline crack – it can be done at a different location using all sorts of computing equipment.
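To make the arithmetic behind the two lists above concrete, here is an added example (my own code, not anything from the original post or from the aircrack-ng project) that recomputes them from the post’s two stated inputs: 750 guesses per second and roughly one million English words. The 36-symbol digits-plus-lowercase alphabet, the 365.25-day year, the `machines` parameter for splitting work across computers, and the “found early” rank function that models the 000000000001 case are all my assumptions; the results land within rounding of the post’s figures.

```python
# Added example (not from the original post): reproduce the post's
# time-to-crack tables from its two stated inputs, 750 guesses/second on a
# dual-core laptop and roughly 1,000,000 English words. Everything else here
# (the 36-symbol alphabet, year length, the "found early" rank function) is
# an assumption made for illustration.
import string

GUESSES_PER_SECOND = 750           # the post's baseline rate
ENGLISH_WORDS = 1_000_000          # the post's estimate of the dictionary size
ALNUM_LOWER = string.digits + string.ascii_lowercase   # "0-9a-z", 36 symbols

SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 3_600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` symbols drawn from an alphabet.
    A dictionary attack is the same formula with words as the alphabet."""
    return alphabet_size ** length


def seconds_to_crack(candidates: int, rate: float = GUESSES_PER_SECOND,
                     machines: int = 1, worst_case: bool = True) -> float:
    """Seconds to exhaust the keyspace (worst case) or to hit the password on
    average (half the keyspace). `machines` splits the work across hosts, as
    the post notes is possible for an offline crack."""
    seconds = candidates / (rate * machines)
    return seconds if worst_case else seconds / 2


def fixed_length_rank(password: str, alphabet: str) -> int:
    """Zero-based position of `password` when every string of its exact length
    is tried in lexicographic order, first alphabet symbol lowest. This models
    the post's 000000000001 example: a long password that sits at the very
    start of the search."""
    rank = 0
    for ch in password:
        rank = rank * len(alphabet) + alphabet.index(ch)
    return rank


def seconds_to_find(password: str, alphabet: str,
                    rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds until the enumeration in fixed_length_rank reaches `password`."""
    return (fixed_length_rank(password, alphabet) + 1) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
                       ("hours", SECONDS_PER_HOUR), ("minutes", SECONDS_PER_MINUTE)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def crack_table() -> dict:
    """Worst-case seconds for the cases in the post's two lists."""
    return {
        "chars": {n: seconds_to_crack(keyspace(len(ALNUM_LOWER), n))
                  for n in (2, 3, 4, 5, 6, 7, 8, 9, 12)},
        "words": {n: seconds_to_crack(keyspace(ENGLISH_WORDS, n))
                  for n in (1, 2, 3)},
    }


if __name__ == "__main__":
    table = crack_table()
    print("Digits + lowercase letters, worst case at 750 guesses/s:")
    for n, secs in table["chars"].items():
        print(f"  {n:2d} characters: {human(secs):>22}  (expected: {human(secs / 2)})")
    print("Dictionary words, worst case:")
    for n, secs in table["words"].items():
        print(f"  {n} word(s):     {human(secs):>22}")
    print("Same 12-character length, but found early:",
          human(seconds_to_find("000000000001", ALNUM_LOWER)))
    print("Two-word worst case split across 100 machines:",
          human(seconds_to_crack(keyspace(ENGLISH_WORDS, 2), machines=100)))
```

The useful lesson is in `seconds_to_find`: the keyspace formula only protects you if the attacker has no reason to try your password early, which is exactly why a patterned value like 000000000001, or a word that sits near the front of a list, gets none of the benefit of its length.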
So what is the solution then? Do you really need to be worried about this? If you live in an apartment or condo, yes. If you live in a house where you can’t see your neighbors’ Wi-Fi, then probably not.
If it helps, here is a summary of what you are guarding against:
- Literally anyone with a laptop can run a program and glean all sorts of information about your Wi-Fi network names.
- The attacker turns on logging.
- The attacker forces all Wi-Fi users to re-authenticate (thereby capturing their connection information)
- The attacker takes his log offline and spends the next couple hours breaking the Wi-Fi password – unless it’s a strong password.
- The ONLY defense against this is having a complex, difficult-to-guess password.
The answer is simple and it’s such cheap insurance! The answer is to name your Wi-Fi network something innocuous that does not identify you. Next, set the password to a string of letters and numbers – make it at least 12 characters, but ideally 16 or even 20+ characters. Don’t use dictionary words.
If you did that, coupled with using WPA2 for security, you should be pretty well protected against this particular kind of attack. So what are you waiting for, go change your Wi-Fi password!
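As an added example of putting that advice into practice (my own code, not from the original post), the script below generates a pre-shared key of the recommended kind, random letters and digits with no dictionary words, using Python’s `secrets` module so the value is unpredictable rather than patterned, and reports how many bits of keyspace it has. The 62-symbol alphabet, the 8-to-63 character WPA2 ASCII passphrase limit, and the `meets_recommendation` rule of thumb are my assumptions, not wording from the post.

```python
# Added example (not from the original post): generate a Wi-Fi pre-shared key
# of the kind the post recommends and report its keyspace in bits. The
# alphabet, the WPA2 length limits and the rule-of-thumb check are assumptions
# made for this illustration.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # a-z, A-Z, 0-9: 62 symbols
MIN_WPA2, MAX_WPA2 = 8, 63                        # WPA2 ASCII passphrase limits


def psk_length_ok(length: int) -> bool:
    """True if a passphrase of this length is accepted by WPA2."""
    return MIN_WPA2 <= length <= MAX_WPA2


def has_letter_and_digit(psk: str) -> bool:
    return any(c.isalpha() for c in psk) and any(c.isdigit() for c in psk)


def generate_psk(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a passphrase drawn with the CSPRNG behind `secrets`, so no word
    list or pattern generator will reach it early. The rare draw that is all
    letters or all digits is rejected and redrawn."""
    if not psk_length_ok(length):
        raise ValueError(f"WPA2 passphrases must be {MIN_WPA2}-{MAX_WPA2} characters")
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_letter_and_digit(psk):
            return psk


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """log2 of the keyspace: each extra symbol adds log2(alphabet_size) bits,
    which is why going from 12 to 20 characters matters so much."""
    return length * math.log2(alphabet_size)


def meets_recommendation(psk: str, minimum: int = 12) -> bool:
    """The post's rule of thumb: at least 12 characters, letters and numbers."""
    return len(psk) >= minimum and has_letter_and_digit(psk)


if __name__ == "__main__":
    for n in (12, 16, 20):
        psk = generate_psk(n)
        print(f"{n} chars: {psk}  ~{entropy_bits(n):.0f} bits of keyspace")
```

Paste the generated value straight into the router’s WPA2 passphrase field; a 20-character key from this alphabet is around 119 bits of keyspace, far beyond the worst-case figures in the tables above.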
PLEASE NOTE: This blog post is for informational purposes – for ethical and lawful readers. Attempting to use these sorts of tools on a network you don’t own is almost definitely against the law, no matter where you live. If you are in the U.S., this would constitute committing one or more felonies. I strongly recommend you only use the tools above for education, lawful, and ethical purposes.