WPA or WPA2 security protocol can be used to prevent hackers and other unauthorised people from accessing wireless networks or even viewing traffic sent over them, but only when end users choose strong passwords.
WPA and WPA2 use an extremely robust password-storage regimen that significantly slows the speed of automated cracking programs. By using the PBKDF2 key derivation function along with 4,096 iterations of SHA1 cryptographic hashing algorithm, attacks that took minutes to run against the recent LinkedIn and eHarmony password dumps would require days or even weeks or months to complete against the Wi-Fi encryption scheme.
In addition, WPA and WPA2 passwords require a minimum of eight characters, and it also use a network’s SSID as salt, ensuring that hackers can’t effectively use pre-computed table to crack the code.
What about wireless password cracking?
Dan Goodin, IT Security Editor at Ars Technica, found a way to crack weak password used in WPA or WPA2 security protocol.
What did he do?
On his test setup, firstly, he forced a four-way handshake between the access point (AP) and client by transmitting a deauth frame, which is a series of deauthorisation packets an AP sends to client devices prior to it rebooting or shutting down, using Aircrack-NG. The four-way handshake, which is the cryptographic process a computer uses to validate itself to a wireless access point and vice versa. Although the handshake takes place behind a cryptographic veil that can’t be pierced, there’s nothing stopping a hacker from capturing the packets that are transmitted during the process and then seeing if a given password will complete the transaction. He then captured the handshake establishment between the AP and client, using Immunity’s Silica.
With the possession of the handshakes in a PCAP file, he uploaded it to CloudCracker, a SaaS website to check a WiFi password against about 604 million possible words. Within seconds, the weak password chosen to protect the wireless network (i.e. “secretpassword” and “tobeornottobe”) were cracked.
Instead of just trying out his methodology on a test setup, he got the permission of one of his office neighbours to crack his Wi-Fi password. It took him just 89 minutes to crack the 10 character, all-numeric password.
Trying it again on another neighbour, neither CloudCracker nor 12 hours of heavy-duty crunching by Hashcat were able to crack a password with no discernible pattern to it (i.e. a lower-case letter, followed by two numbers, followed by five more lower-case letters).
Source: How I cracked my neighbor’s WiFi password without breaking a sweat, Ars Technica