GPUs Used to Successfully Crack Wi-Fi Passwords

Because of the computational power of today's GPUs, they are increasingly being harnessed to help CPUs with heavy number crunching. That is the concept behind Nvidia's CUDA, ATI's Stream, and Apple's OpenCL frameworks. There aren't many apps available yet that take advantage of these relatively new technologies, but the ranks are slowly growing. The latest GPU-assisted app to become available is one designed for IT managers to make sure their wireless networks are secure--and inevitably for hackers to try to break into wireless networks.

Russian-based ElcomSoft has just released ElcomSoft Wireless Security Auditor 1.0, which can take advantage of both Nvidia and ATI GPUs. ElcomSoft claims that the software uses a "proprietary GPU acceleration technology," which implies that neither CUDA, Stream, nor OpenCL is being utilized in this instance. At its heart, what ElcomSoft Wireless Security Auditor does is perform brute-force dictionary attacks on WPA and WPA2 passwords. If an access point is set up with a fairly insecure password based on dictionary words, there is a higher likelihood that the password can be guessed. Brute-force attacks that send random dictionary words to an access point can eventually guess the password, given enough time--the more computational power behind them, the faster the software can send password attempts and possibly guess the password. *

"Advanced dictionary attacks with deep mutations attempt multiple variants and combinations of each dictionary word. The mutations can be fine-tuned to employ all or some of the settings such as different letter cases, number substitutions, changing the order of characters, using abbreviations and vowel mutations; 12 configurable mutation settings altogether."

ElcomSoft positions the software as a way to "audit" wireless network security. However, we're fairly certain that at least some users will use the software for more nefarious ends, such as trying to break into someone else's wireless network. If you manage a wireless network, you should use passwords that combine upper- and lower-case letters, numbers, and symbols (if supported), use relatively long passwords, and avoid dictionary words--in fact, this is good advice for nearly any type of password, not just for wireless access points. ElcomSoft Wireless Security Auditor runs on Windows NT SP4, Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. The software ordinarily sells for $1,199, but is currently selling at half price ($599.50) until March 1, 2009.


* UPDATE: ElcomSoft Wireless Security Auditor does not actually send continuous random passwords to a router in a traditional brute-force attack: "Elcomsoft Wireless Security Auditor works completely off-line, undetectable by the Wi-Fi network being probed, by analyzing a dump of network communications in order to attempt to retrieve the original WPA/WPA2-PSK passwords in plain text." "Elcomsoft Wireless Security Auditor requires a valid log of wireless communications in standard tcpdump format. The tcpdump format is supported by all commercial Wi-Fi sniffers. In order to audit your wireless network, at least one handshake packet must be present in the tcpdump file."

Via: Elcomsoft
Super Dave 5 years ago

Sigh.


bob_on_the_cob 5 years ago

Do people in their right mind really believe they are helping when they make stuff like this?

tanka12345 5 years ago

Looks like a great 'auditor'...

Spunjji 5 years ago

To be fair, if they truly intended that it be used to do damage, then why on earth would they bother releasing it officially like that? This sort of development is always a troublesome one, but people have seen it coming for a while, and it's better to have such software out in the open than hidden from sight. Their non-existence is simply out of the question as hackers are not stupid, so it's desirable to have the tools before they do wherever possible.

MikeL_HH 5 years ago

You're hitting the issue of "full disclosure" which is a prickly issue in IT security at the moment that isn't likely to be resolved anytime soon. Decent pros and cons on both sides, very much debatable and up to opinion.

Spunjji 5 years ago

*accidental double post*

agr 5 years ago

The simplest solution is to use only random passwords or passphrases of sufficient length. Google "diceware" for a simple, secure (and free) way to create them.

masterDeBunker 5 years ago

"Brute force attacks that send random dictionary words to an access point can eventually successfully guess the password, if given enough time--the more computational power behind it, the faster the software can send passwords attempts and possibly guess the password."

Are you serious? First of all, the grammar is horrible but getting past that we can see a very poor understanding of this technology. Plain and simple, the network link is WAAAY slower than the CPU/GPU/Processor and if one were really going to flood the AP with login attempts, no special acceleration would be needed -- the wireless link is just not fast enough to require it. Yes, I see the note added to the end of the article, but that does NOTHING to correct the misinterpretation of this technology.

Now, a brute-force attack is different from a dictionary attack. The former attempts every combination of symbols allowed by certain parameters (like the set of symbols, and the length of the string -- 50 symbols (letters+numbers+punctuation) with a string size limited to 10 would be 50^10 = 97656250000000000 different combinations.) A dictionary attack (with or without mutations) simply uses a list of strings (possibly containing similar strings you might call mutations) to attempt decryption. What is a brute-force dictionary attack? Who knows, it was invented by the uninformed author of this article. A dictionary attack might be carried out online against a live AP, but a true brute-force attack would take longer than the life of the universe given today's wireless link speeds. Also note that real world key string length would probably be longer than 10 symbols and so even bigger than my example.

On another note, it's kinda ludicrous to think that these guys at ElcomSoft, smart as they are, would not use CUDA, Stream, or OpenCL. Come on, this is what those frameworks were designed to do! Any program that uses them could still be proprietary. It's just crazy to say that because this is a "proprietary acceleration technology" that it does not rely on those GPU languages.

Please people, do your research. And if you don't have time to do the research, USE COMMON SENSE!
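To make concrete why the offline, handshake-based approach described in the article's update is bound by GPU throughput rather than by the wireless link, and to put the 50^10 keyspace from the comment above next to the Diceware passphrases recommended earlier, here is an added Python example (not ElcomSoft's code). It derives the WPA/WPA2-PSK pairwise master key with the PBKDF2-HMAC-SHA1 derivation that IEEE 802.11i specifies, then compares candidate-space sizes; the guess rate and the per-word mutation factor are assumed placeholder values, since the page does not quantify either.

```python
import hashlib

# WPA/WPA2-PSK derives the 256-bit PMK from passphrase and SSID with
# PBKDF2-HMAC-SHA1, 4096 iterations (IEEE 802.11i). An offline auditor
# holding a captured handshake repeats this per candidate passphrase and
# never talks to the access point, so the only speed limit is the hash rate.
WPA_ITERATIONS = 4096


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PMK exactly as WPA-PSK does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, 32)


def brute_force_keyspace(alphabet_size: int, length: int) -> int:
    """Exhaustive search over every string of exactly `length` symbols."""
    return alphabet_size ** length


def mutated_dictionary_keyspace(words: int, mutation_factor: int) -> int:
    """Dictionary attack with mutations: each word expands to a bounded
    number of variants. The factor is an assumption; the real tool's 12
    mutation settings are not quantified on the page."""
    return words * mutation_factor


def diceware_keyspace(num_words: int, wordlist_size: int = 7776) -> int:
    """Random passphrase of `num_words` words from the 7776-word Diceware
    list. Strength comes from the random draw, not from obscure words."""
    return wordlist_size ** num_words


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed PMK rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumed GPU cluster rate in PMKs/s, a placeholder value
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    for label, space in [("200k words x 100 mutations",
                          mutated_dictionary_keyspace(200_000, 100)),
                         ("50 symbols, length 10", brute_force_keyspace(50, 10)),
                         ("6 Diceware words", diceware_keyspace(6))]:
        print(f"{label}: {space:.3e} candidates, "
              f"{years_to_exhaust(space, rate):.2e} years at {rate:.0e}/s")
```

The PMK call for "password"/"IEEE" reproduces the standard's published test vector, so the derivation can be checked against any other WPA tool.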

3vi1 5 years ago

mdb: I had the same misgivings, but I'm guessing they're taking data from the WAP and crunching it to compare against their dictionary - not sending every word in the dictionary to the server (which would be easily spottable). Passwords are probably only sent if the analysis showed they might work first.

Super Dave 5 years ago

Users need to enable the wireless MAC Address Filter on their routers to keep the Dirty Rats from stealing their wireless connections. It isn't hard to do, and it allows only the wireless PC's that you assign to connect! To obtain the MAC address of your wireless PC you need to: (1) click on the START button (2) type CMD in the box then hit ENTER (3) type IPCONFIG/ALL then hit ENTER. Now all you need to do is look under Wireless LAN Wireless Network Connection. The MAC address is the Physical Address listed there (example: 00-1D-6A-2A-75-76). Write that number down and, with a wired connection, access your router's web address. In the router's wireless security settings you will be able to turn ON the MAC filtering and enter that number you have written down. Please note that you will need to change the hyphen (-) to a colon (:) when you enter the MAC address into the router (example: 00:1D:6A:2A:75:76). After you are finished you can rest assured that no one will be able to connect to your wireless connection...even if they have the encryption code!


3vi1 5 years ago

Unless they change their MAC to match yours, which is easily configurable in the driver settings of most WLAN cards. And, if they've cracked by purely sniffing traffic, they've got your MAC.

People clone MACs to jump on pay-for-access wireless all the time.

VDevakumar 3 years ago

Radeons are faster than their Nvidia counterparts when it comes to GPU password cracking. My 5770 GPU does 3.4 billion NTLM passwords per second.
