WPA PSK Crackers: Loose Lips Sink Ships

By Lisa Phifer

March 23, 2007

Think Wi-Fi Protected Access makes your home or small business network impenetrable? Think again -- and learn how to protect yourself.

Wi-Fi Protected Access (WPA) protects wireless data by applying encryption, integrity checks, and sequencing. The first version of WPA patched around mistakes in the old, broken Wired Equivalent Privacy (WEP), while WPA2 started from a clean slate to deliver more robust, efficient security.

Either version of WPA can stop wireless eavesdropping -- with one big caveat. The encryption keys upon which they depend must never be disclosed to outsiders. That's where PSK crackers come in.

Can You Keep a Secret?

WPA and WPA2 are best when used with 802.1X Port Access Control for per-user authentication and per-session key delivery. Known as WPA-Enterprise or WPA2-Enterprise, this approach was designed for business networks with the staff and resources required to support RADIUS-based authentication. Every new session gets its own fresh random key, used for a relatively short time. While that doesn't make key cracking completely impossible, it substantially reduces that risk.

Since home networks don't generally have RADIUS servers, a simpler option also exists: Pre-Shared Keys (PSKs). Known as WPA-PSK, WPA-Personal or WPA2 Personal, this approach authenticates everyone using the WLAN with the same secret passphrase, configured into the Access Point (AP). But, unlike those old WEP keys, PSKs are not encryption keys -- they are the starting point for deriving per-station (client) encryption keys. (For how to set up WPA at home, see WPA-PSK: Step-by-Step.)

Unfortunately, the way in which WPA/WPA2 encryption keys are generated and delivered makes it easy for an attacker to try to guess your WLAN's PSK. Once an outsider has the PSK, he can steal service or decrypt data sent by legitimate users on your network.

Let's Shake on It

A PSK is a 256-bit value, known to every device in the WLAN. That PSK is usually generated by combining the WLAN's name (Service Set Identifier, SSID) with a passphrase (an ASCII string, 8-63 characters.) If you have ever used Windows XP to connect to a WPA-Personal WLAN, you have been prompted to enter a WPA passphrase.

When using WPA or WPA2, every station is permitted to associate with the AP. The AP or station has the option to start 802.1X authentication, exchanging Extensible Authentication Protocol (EAP) messages to verify user/server identities. After authentication (if any), the AP kicks off a four-way handshake (see figure below) to derive the keys for this session. The handshake must be completed before any encrypted data can actually be exchanged between this station and AP.

Four-way key handshake

What is actually happening during this handshake?

  • The AP and each station need an individual Pairwise Transient Key (PTK) to protect unicast communication between them. To derive a different PTK for each AP/station combo, a Pairwise Master Key (PMK) is fed into an algorithm, along with MAC address and two values, ANonce and SNonce. Messages #1 and #2  in the figure above show how the AP and station manage to derive the same PTK without ever sending it over the air.
  • The AP also generates a Group Transient Key (GTK) to protect all broadcast and multicast communication. Because every station on the WLAN needs that same GTK to decrypt broadcast/multicast frames, the AP sends the current GTK in message #3 of the handshake. To prevent eavesdropping, the GTK is encrypted with the PTK.
  • To stop these handshake messages from being forged, messages #2 through #4 carry a Message Integrity Code (MIC). Each MIC is generated by hashing a specified part of the message, then encrypting that hash with the PTK.

This four-way handshake occurs whenever you connect to a WLAN using WPA or WPA2. It also occurs periodically thereafter, whenever the AP decides to refresh transient keys. End users may not be aware of this handshake -- and administrators may not really care about all of these gory details.

But WPA PSK crackers do.

What if Someone Hears You?

In WLANs that use WPA-Enterprise or WPA2-Enterprise, every session starts from a different PMK, delivered during 802.1X authentication. However, in WLANs using WPA-Personal or WPA2-Personal, there's no 802.1X, so the station and AP must use a value they both already know. What value do they both know? The PSK, of course.

WPA-PSK crackers like aircrack, KisMAC, and coWPAtty try to guess the PSK by capturing and analyzing the four-way handshake messages spelled out above. For example, the following output was generated by coWPAtty:

$ cowpatty -r capturefile -s soho-psk -f dictionaryfile
cowpatty 2.0 - WPA-PSK dictionary attack. 
Collected all necessary data to mount crack against passphrase.
Starting dictionary attack.  Please be patient.
key no. 1000: apportion
key no. 2000: cantabile
key no. 3000: contract
key no. 4000: divisive
The PSK is "secretsecret".
4089 passphrases tested in 112.55 seconds:  36.33 passphrases/second

Here, coWPAtty uses a supplied dictionary file to analyze a packet capture file containing (at least) the four-way handshake exchanged during someone else's successful connection to the "soho-psk" WLAN. Recording handshake messages from an active WLAN is easily accomplished with a wireless capture program like Wireshark or Kismet. Those who get impatient can use a frame injector like Airjack to force legitimate users to reconnect.

CoWPAtty searches the capture file and extracts a four-way handshake for the named WLAN. It then extracts all of the values of interest from that handshake: AP and station MAC addresses, those SNonce and ANonce values, and message #4's payload and MIC.

Pages: 1 2
Originally published on .

Comment and Contribute
(Maximum characters: 1200). You have
characters left.