CRACKING WPA2-PSK IN THE CLOUD A Cost Effective Solution For Brute Force Attacks By Fotios Lindiakos and Ed Rowland

Upload: fotios-lindiakos

Post on 25-May-2015


Page 1: Cracking wpa2 psk in the cloud

CRACKING WPA2-PSK IN THE CLOUD
A Cost Effective Solution For Brute Force Attacks
By Fotios Lindiakos and Ed Rowland

Page 2: Cracking wpa2 psk in the cloud

WPA2-PSK
Wi-Fi Protected Access II – Pre-shared Key

• Replaced WPA in 2004 as 802.11i standard
• Added security replacing TKIP with CCMP (AES)
• Required for devices with Wi-Fi trademark
• Two modes
  • Enterprise – requires a Radius Server (802.1x)
  • Personal – 256 bit key created from a string of 64 digits or 8-63 character passphrase
• Key calculation
  • Passphrase
  • PBKDF2(f) salted w/SSID
  • 4096 iterations of HMAC-SHA1
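The key calculation on this slide, written out as an added Ruby example (not the authors' code), together with a defender's estimate of what exhausting a passphrase space costs at a given price per million keys. The function names, the `HomeNet` SSID and the $0.05 rate are constructed for illustration; the `password`/`IEEE` pair is the published IEEE 802.11i passphrase test vector.

```ruby
require 'openssl'

# Personal-mode key (PMK) as summarized on the slide: a 256-bit value that is
# either given directly as 64 hex digits or derived from an 8-63 character
# passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations.
def wpa2_pmk(secret, ssid)
  return secret.downcase if secret.match?(/\A\h{64}\z/) # raw key, no derivation
  unless secret.bytesize.between?(8, 63)
    raise ArgumentError, 'passphrase must be 8-63 characters'
  end
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret, ssid, 4096, 32).unpack1('H*')
end

# Number of candidate passphrases of exactly `length` characters drawn from an
# alphabet of `alphabet_size` symbols (the space a brute-force must cover).
def keyspace(alphabet_size, length)
  alphabet_size**length
end

# Dollar cost to test every candidate at a given cost per million keys.
# The rate is a parameter; the value used below is a constructed sample.
def exhaustion_cost(alphabet_size, length, usd_per_million_keys)
  keyspace(alphabet_size, length) * usd_per_million_keys / 1_000_000.0
end

if __FILE__ == $PROGRAM_NAME
  # Published IEEE 802.11i passphrase test vector: "password" on SSID "IEEE".
  puts wpa2_pmk('password', 'IEEE')
  # Same passphrase, different SSID (constructed): the salt changes the whole
  # key, so a precomputed table only applies to the SSID it was built for.
  puts wpa2_pmk('password', 'HomeNet')
  # Defender's view of passphrase strength at a sample rate of $0.05/M keys.
  [[26, 8], [62, 8], [62, 12]].each do |alphabet, len|
    printf("%d^%d candidates: $%.2f to exhaust\n", alphabet, len,
           exhaustion_cost(alphabet, len, 0.05))
  end
end
```

The exhaustion figures are an upper bound for random passphrases only; a passphrase that appears in a dictionary falls at the cost of testing that dictionary, whatever its length.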

Page 3: Cracking wpa2 psk in the cloud

WPA2-PSK/802-11i 4 Way Handshake

• Goal - derive Passphrase from PMK
• Correct Passphrase “guessed” if tool can calculate the same Message Integrity Code (MIC)

Hacking Exposed - Stuart McClure, Joel Scambray, George Kurtz

Page 4: Cracking wpa2 psk in the cloud

Tools Used

• Amazon’s EC2 cloud
• Multiple types of instances running 64 bit Ubuntu 10.04 LTS
• Aircrack-ng v1.1
• Custom web front end
• Custom code to parallelize processing
• Laptop/mobile device running aircrack-ng to capture and send capture file to cloud

Page 5: Cracking wpa2 psk in the cloud

About The EC2 Cloud

• One of many proprietary web services Amazon offers providing PAAS, IAAS & SAAS
• Elastic Compute Cloud (EC2) virtualizes compute cycles into EC2 compute units (ECU)
• One ECU provides the equivalent CPU capacity of a 1.0-1.2 GHz 2007 Opteron or Xeon processor
• Access to an EC2 instance is via SSH leveraging PKI to encrypt a session key

Page 6: Cracking wpa2 psk in the cloud

To the cloud!

Page 7: Cracking wpa2 psk in the cloud

Cracking Statistics

[Chart: Key Rate (k/s), Cost ($/hr) and Cost Per Million Keys, by Instance Type (Number of ECU's): Micro (~2), Small (1), Large (4), Medium (5), X-Large (20). Data labels shown on the chart: $0.0888, $0.0944, $0.0833, $0.0455, $0.0585.]

Page 8: Cracking wpa2 psk in the cloud

But what about cracking…

One Hundred MILLION

keys!

Page 9: Cracking wpa2 psk in the cloud

Time to Crack 100,000,000

[Chart: X-Large Time, Medium Time, Medium Cost and X-Large Cost, by Number of Instances (1, 5, 10, 100).]

Page 10: Cracking wpa2 psk in the cloud

Optimized for “Bang for your buck”

[Chart: X-Large Instances, Medium Instances, Medium Cost and X-Large Cost, by Target Cracking Time (0:50:00, 1:50:00).]

Page 11: Cracking wpa2 psk in the cloud

About Custom Code

• Written in Ruby
• Front end is a Sinatra web application
• Back end is a wrapper around aircrack-ng
• Library handles communicating with EC2
• Only 234 lines of code

Page 12: Cracking wpa2 psk in the cloud

Front End

• Accepts PCAP from the user
• Also gets SSID and how many instances to run
• Creates a “message” for each instance
  • This message is put on a queue waiting for client to come online
  • It contains all the information the client needs
• Starts cracking instances
• Waits for results and reports them to the user
• After a key is found, terminates all clients

Page 13: Cracking wpa2 psk in the cloud

Back End

• Pops a message off the queue at boot time
• Gets the PCAP and full dictionary file
• Creates smaller wordlists
  • First, makes a list based on “chunk” assigned
  • Breaks that into smaller chunks for reporting purposes
• Runs aircrack-ng against each chunk
• Reports progress or the key after every iteration

Page 14: Cracking wpa2 psk in the cloud

Demo

Page 15: Cracking wpa2 psk in the cloud

Future Work

• Utilize other EC2 Instance types
  • High End Cluster with GPU
  • 33.5 ECU and 2 x NVIDIA Tesla “Fermi” M2050 GPUs
• Optimize cracking client for architecture
  • Fully utilize multiple CPU/core
  • Fully utilize 64 bit capabilities
  • Fully utilize GPU acceleration
• Look at other cracking tools
  • coWPAtty, Hydra, custom code

Page 16: Cracking wpa2 psk in the cloud

Conclusion

• It’s certainly inexpensive and easy to leverage cloud computing to hack WPA2-PSK efficiently
  • As long as you have an adequate dictionary
• The attack can be prioritized based on
  • Cost: Use cheaper instances, regardless of time
  • Time: Use most powerful instances, regardless of cost