Getting Started
So first of all, one good thing noticed out of the gate is that all the local wireless networks are using encryption. It's great to see network equipment manufacturers taking the secure-by-design approach.
Testing began by collecting WPA authentication transactions from multiple networks (7 in total) and putting my video card (or GPU) to work using common passwords from the RockYou dictionary (RockYou dictionary explanation here). Only custom SSIDs were chosen for testing, since it's likely that if the user was capable of changing the Wi-Fi name then they are also likely to be able to customise the password.
So can anyone do this, you may ask? The short answer would be yes, though how long it will take comes down to the speed of your PC. Take mine for example: I wouldn't say it's cutting edge, but it's not too bad in this day and age. The specifications of the PC used are listed below; check your own using dxdiag (Windows).
Time to generate some heat
In the past only CPUs were available for this type of crunching. Along came OpenCL / CUDA, which allowed GPUs to do the heavy lifting, though it was not exactly straightforward: there were minimal tools available and hardly any documentation. These days it is easy, painless and super quick. Take hashcat/oclHashcat for instance: portable executables, multi-platform and multi-architecture, rich in features, and usable with CPU and GPU right out of the box.
After a couple of clicks, downloads, verification, cap to hccap conversions and a quick benchmark (oclHashcat64.exe -b) we were ready to start. Turns out this run-of-the-mill desktop PC can churn out 64482 WPA hashes per second using the GPU (benchmarks here) and 4000 hashes per second using the CPU (benchmarks here). Notice the difference between CPU and GPU performance!
So let's start with the standard set of RockYou passwords across the 7 different wireless networks, using the following command from the CLI (switch syntax available here).
oclHashcat64.exe -m 2500 --gpu-temp-retain=60 -o cracked.txt 6346_1441356908.hccap dict-rockyou.txt
So the time taken to run through this list (14,344,392 passwords) against each of the wireless networks was about 4 minutes each (14,344,392 divided by 64482). Results show that none of the 7 wireless networks were susceptible to the list of RockYou passwords.
For good measure, rules and permutations were applied to each of the passwords across the networks using hashcat rules (can be found here). This added approximately 127 minutes per network to check:
- First letter upper-case
- All letters upper-case
- Appending 1 or 2 digits to the end of the string
- Substituting o's for 0's
- Substituting i's for 1's
- Substituting e's for 3's
- Substituting s's for 5's
- Substituting a's for @'s
oclHashcat64.exe -m 2500 -r rules/custom.rule --gpu-temp-retain=60 -o cracked.txt 6346_1441356908.hccap dict-rockyou.txt
After less than 24 hours (leaving the computer running overnight), 0 of the 7 networks were susceptible.
Crack me if you can
So most routers use a random decimal or hexadecimal string by default. These strings are mostly between 8 and 16 characters long (usually a maximum of 64 characters). To extrapolate how easy or hard it is to break this, we can simulate some scenarios.
If the WPA password was 8 decimal characters long, using normal PC hardware it would only take a mere ~27 mins to break.
oclHashcat64.exe -m 2500 --gpu-temp-retain=60 --attack-mode 3 -o cracked.txt 6346_1441356908.hccap ?d?d?d?d?d?d?d?d
10 decimal characters = ~ 2 days 3 hours cracking time.
oclHashcat64.exe -m 2500 --gpu-temp-retain=60 --attack-mode 3 -o cracked.txt 6346_1441356908.hccap ?d?d?d?d?d?d?d?d?d?d
And finally 16 decimal characters would take over 10 years!
oclHashcat64.exe -m 2500 --gpu-temp-retain=60 --attack-mode 3 -o cracked.txt 6346_1441356908.hccap ?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d
The same tests, but with hexadecimal characters (0-9 and a-f) in each position, give the following times:
oclHashcat64.exe -m 2500 --gpu-temp-retain=60 --attack-mode 3 -1 ?dabcdef -o cracked.txt 6346_1441356908.hccap ?1?1?1?1?1?1?1?1
8 chars = ~21 hours
10 chars = ~224 days
15+ chars = > 10 years
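To make the arithmetic behind these estimates reproducible, here is an added Python example (not code from the original post or from hashcat) that computes keyspace sizes from hashcat-style masks, including the custom -1 ?dabcdef charset used above, and converts them to worst-case exhaustion times at the benchmark rates quoted earlier (64482 H/s on the GPU, 4000 H/s on the CPU). It also answers the defender's question the other way round: how long a random key drawn from a given alphabet must be before exhausting the whole keyspace takes at least a chosen number of years. The charset expansion follows hashcat's documented built-in classes (?d, ?l, ?u, ?s, ?h, ?a); the 10-year target, the 95-symbol printable alphabet row and the rule multiplier are assumptions chosen for illustration.

```python
"""Keyspace and time-to-exhaust estimator for WPA2-PSK mask attacks.

Added example, not code from the original post. It reproduces the post's
back-of-the-envelope arithmetic (keyspace / hash rate) using hashcat's
documented mask syntax and the benchmark figures quoted in the post.
"""
import string

# Benchmark figures quoted in the post for one ordinary desktop PC (-m 2500).
GPU_RATE = 64_482          # WPA candidates tested per second on the GPU
CPU_RATE = 4_000           # WPA candidates tested per second on the CPU
ROCKYOU_SIZE = 14_344_392  # RockYou wordlist entries, per the post
SECONDS_PER_YEAR = 365.25 * 86_400

# hashcat built-in charset classes, expanded to the characters they cover.
BUILTIN_CLASSES = {
    "?d": string.digits,
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?s": " " + string.punctuation,    # space plus 32 symbols = 33
    "?h": string.digits + "abcdef",    # lowercase hexadecimal
}
BUILTIN_CLASSES["?a"] = (BUILTIN_CLASSES["?l"] + BUILTIN_CLASSES["?u"]
                         + BUILTIN_CLASSES["?d"] + BUILTIN_CLASSES["?s"])


def expand_charset(definition, classes=BUILTIN_CLASSES):
    """Expand a charset definition such as the post's '-1 ?dabcdef' into the
    set of distinct characters it covers ('??' is a literal question mark)."""
    chars = set()
    i = 0
    while i < len(definition):
        if definition[i] == "?" and i + 1 < len(definition):
            token = definition[i:i + 2]
            if token == "??":
                chars.add("?")
            elif token in classes:
                chars.update(classes[token])
            else:
                raise ValueError(f"unknown charset class {token!r}")
            i += 2
        else:
            chars.add(definition[i])
            i += 1
    return chars


def keyspace_from_mask(mask, custom=None):
    """Number of candidates a mask enumerates. `custom` maps user charset
    names ('?1'..'?4') to their definitions, as passed with -1 .. -4."""
    classes = dict(BUILTIN_CLASSES)
    for name, definition in (custom or {}).items():
        classes[name] = "".join(expand_charset(definition))
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i:i + 2]
            if token != "??":               # '??' is one literal position
                if token not in classes:
                    raise ValueError(f"unknown charset class {token!r}")
                total *= len(set(classes[token]))
            i += 2
        else:
            i += 1                          # literal character: one choice
    return total


def seconds_to_exhaust(keyspace, rate):
    """Worst-case time to try every candidate at `rate` candidates/second."""
    return keyspace / rate


def wordlist_seconds(words, rate, rules=1):
    """Time for a dictionary run; `rules` is the number of candidates each
    base word is expanded into by a rule file (1 = no rules)."""
    return seconds_to_exhaust(words * rules, rate)


def format_duration(seconds):
    """Render a duration in the units the post uses."""
    if seconds < 3_600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86_400:
        return f"{seconds / 3_600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86_400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def min_length_to_survive(charset_size, rate, years):
    """Smallest key length over an alphabet of `charset_size` symbols whose
    full keyspace takes at least `years` to exhaust at `rate`."""
    target = years * SECONDS_PER_YEAR * rate
    length = 1
    while charset_size ** length < target:
        length += 1
    return length


if __name__ == "__main__":
    print(f"RockYou, no rules: {format_duration(wordlist_seconds(ROCKYOU_SIZE, GPU_RATE))}")
    for n in (8, 10, 16):
        ks = keyspace_from_mask("?d" * n)
        print(f"{n} digits: {format_duration(seconds_to_exhaust(ks, GPU_RATE))}")
    hex_cs = {"?1": "?dabcdef"}            # the post's -1 argument
    for n in (8, 10, 15):
        ks = keyspace_from_mask("?1" * n, custom=hex_cs)
        print(f"{n} hex chars: {format_duration(seconds_to_exhaust(ks, GPU_RATE))}")
    for label, size in (("digits", 10), ("hex", 16), ("?a printable", 95)):
        print(f"{label}: {min_length_to_survive(size, GPU_RATE, 10)} chars for 10 years")
```

Running it prints the post's scenarios: the plain division gives 25.8 min for 8 digits and 18.5 hours for 8 hex characters, in the same ballpark as the ~27 mins and ~21 hours reported above (hashcat's own estimate includes start-up and workload overheads). The ~127 minutes the rule run added per network corresponds, at 64482 H/s, to roughly 34 candidates per base word, which wordlist_seconds lets you check. The output a defender actually wants is min_length_to_survive: at this rate a purely numeric key needs 14 digits, and a hex key 12 characters, before full exhaustion exceeds 10 years, and every extra GPU an attacker brings scales rate linearly, so choose a key length with margin rather than one that just clears the line.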
Obviously there are techniques to reduce this time, but to put it into perspective: it doesn't take complex or expensive computing hardware to recover simple passwords within reasonable time frames.
thank u blogger