Password cracking, WPA and rainbow tables

I have seen a lot of searches about rainbow tables and WPA so I'll spend a few moments to talk about this and other password related stuff. (Please note that I am in no way an expert in the cracking area)

First of all, what is a rainbow table? It is a pre-computed table of hashes that is generated with a set keyspace and lenght. When you have a hash (lm, md5, sha1, etc) and a rainbow table for that particular hash, you just need to do a search in the table to see if you have a match. This is much faster than computing a new hash based on brute force or dictionary list and comparing it to the hash you have. Of course creating the rainbow table takes a long time and space depending on the keyspace and lenght you want it to be. To create your own rainbow table you can use rainbowcrack, and if needed, add new hashing algorithm to it.

Now about WPA cracking with bruteforce/dictionary. When you are going to crack a WPA passphrase you need to capture the initial handshake. You can get the handshake with a de-auth attack and continue offline with cracking the key. However, with current computing power it is possible to attempt just a couple hundred keys per second so it is slow. Of course you could utilize something like NVIDIAs GPU to speed up the cracking by 10 to 15 times if you know how to do it.

Ok, so using a rainbow table for the task sounds more feasible, right? The Internet has rainbow tables for WPA ready-made so you can just download it and crack the key fast instead of weeks or months, right? The problem here is that the rainbow table is created using the SSID and if the rainbow table you find isn't created for your target (default SSIDs mostly), you're out of luck. If you know the SSID, you can generate a pre-computed table and then use it when you need to. Considering the slow speed, you might have to resort to using a dictionary file with certain lenght words unless you have lots of time to spend.

To efficiently protect your WPA key against cracking would be to use over 20 character passphrase and to also render rainbow tables ineffective in other cases, you should use a long salt when generating the hash (apply it to the password before hashing).

Now, about password cracking in general and jumping a bit back in the topic. Cracking is generally about guessing passwords, unless there is a clear cryptographic flaw that can be exploited (e.g. WEP encryption). There are two methods of doing this, bruteforce attack or dictionary attack.

When doing a dictionary attack you have a file with lots of different words, which the cracking tool will use to try to figure out the password. Some tools may offer a permutation possibility, where characters are added (dash, 123 etc) or common letters are transferred to their special counterparts (s is $, i is 1, uppercase/lowercase etc), to ensure covering common ways of writing "difficult" but easy to remember passwords. Consider such a word that fullfills the usual [a-z][A-Z][0-9] + special character requirement which is 8 characters long or more, for example "Pa$$w0rd-".

When doing a bruteforce attack you instruct the cracking tool to go over all the possible combinations based on your parameters, like minimum and maximum lenght, the keyspace to use, for example [a-z][A-Z][0-9][$‰&-!]. If you set a password which is lenght 2 and is only the lowercase alphabets, it would go something like this: aa, ab, ac. When it reaches az, it will then start going like this: ba, bb, bc and so on.

When cracking something, you have gained access to a password hash with some kind of method or try to directly gain access to a resource. A hash is obtained from a system, database or network traffic. A resource could be a router, printer, SSH server, web-application, SNMP, you name it. To devices you can find default password lists, which will work if people have been lazy.

Usually when cracking the hash you usually do not need anything else, but when attacking a live resource you usually also need a valid username on the system and a tool capable of talking the protocol. Attacking a resource directly has also the caveat that it is noticeable and there may be account lockout measures in place which thwarts off your attack. Also the speed of the network plays a big role.

Here is a list of TOP-10 cracking tools, which are written for different purposes. Out of this list there exists tools that are written just to crack a specific hash and do it good. If you look hard enough, you might find one that it written just for the purpose, or you could manage to write your own. I once wrote a small shell script which attempted to crack different kind of logins (like Hydra). Sure, it worked and it was fun to write it, but it was dead slow.

A lot of other means exist to gain access to passwords. One could use sniffers, man-in-the-middle attacks, social engineering (ask, give chocolate, run a look-a-like phishing site etc), look under the keyboard, get the user to connect to your system instead of the real system, study the target and use related birthdays/pet names/car names/children names and whatever.

To thwart off most password gaining attempts is to use passphrases instead of passwords (which are long enough to make guessing them computationally infeasible), do not use cleartext protocols, pay attention to encryption warnings, don't fall for phishing emails and so on. Build the security of your systems in such a way that unauthorized access to your password hashes is hard to gain.

Phew, this was a mammoth post and honestly I started to get bored writing it :)