State of the Art in WPA/WPA2 Passphrase Cracking – Part 4

In the last post, we discussed the use of graphics processors to perform a brute force attack, and that a single machine could hold multiple video cards. So what about multiple machines working together to make the attacks even more powerful?

The software for conducting an attack across a distributed environment has been available for some time, but it requires either humans or the application to understand how to parcel out and reconcile the workload. Humans do this fairly poorly, and while an application might be much better at it, divvying up work across multiple systems is not a core function, and may not do it very well.

There have been challenges over the years to push the limits on building systems that can do this work effectively. In December 2012, one team used virtualization for passphrase attacks. Instead of trying to get the application to parcel out across multiple computers, this project took advantage of virtualization to make multiple graphics cards in multiple systems appear to coexist in a single system. The application sees a single machine, and lets virtualization handle the rest.

In an interesting turn, attacking passphrases is not something that even requires deep understanding for building a system, because enterprising security professionals are now providing their services and expertise via the cloud. Access to high performing password cracking systems is now available on a per job basis, providing a way to examine the strength of a given passphrase without having to build a system, word list or sets of rules. With the cloud, one could simply submit the handshake from a target network and make an attempt on passphrase recovery on a low price per job basis.

In recent weeks, I've written extensively about how unauthorized parties gain access to the wireless networks that your users are operating at home. In the next part of this series, I’ll talk about what an attacker can do once they’re sharing the same wireless network as a potential victim.