This document discusses using Amazon's EC2 cloud computing services to crack WPA2-PSK WiFi passwords through brute force attacks in a cost effective manner. Custom code was written to parallelize the cracking process across multiple EC2 instance types. Testing showed that 100 million passwords could be cracked in around 2 months for $240 using this approach. The cloud provides elastic, on-demand computing resources that can be leveraged for password cracking at low cost compared to building your own hardware.

1. Cracking WPA2-PSK in the cloud A Cost Effective Solution For Brute Force Attacks By Fotios Lindiakos and Ed Rowland

2. WPA2-PSKWi-Fi Protected Access II – Pre-shared Key Replaced WPA in 2004 as 802.11i standard Added security replacing TKIP with CCMP (AES) Required for devices with Wi-Fi trademark Two modes Enterprise – requires a Radius Server (802.1x) Personal – 256 bit key created from a string of 64 digits or 8-63 character passphrase Key calculation Passphrase  PBKDF2(f) salted w/SSID  4096 iterations of HMAC-SHA1

4. Correct Passphrase “guessed” if tool can calculate the same Message Integrity Code (MIC)Hacking Exposed - Stuart McClure, Joel Scambray, George Kurtz

5. Tools Used Amazon’s EC2 cloud Multiple types of instances running 64 bit Ubuntu 10.04 LTS Aircrack-ng v1.1 Custom web front end Custom code to parallelize processing Laptop/mobile device running aircrack-ng to capture and send capture file to cloud

6. About The EC2 Cloud One of many proprietary web services Amazon offers providing PAAS, IAAS & SAAS Elastic Compute Cloud (EC2) virtualizes compute cycles into EC2 compute units (ECU) One ECU provides the equivalent CPU capacity of a 1.0-1.2 GHz 2007 Opteron or Xeon processor Access to an EC2 instance is via SSH leveraging PKI to encrypt a session key

7. To the cloud!

8. Cracking Statistics

9. But what about cracking… One Hundred MILLION keys!

10. Time to Crack 100,000,000

11. Optimized for “Bang for your buck”

12. About Custom Code Written in Ruby Front end is a Sinatra web application Back end is a wrapper around aircrack-ng Library handles communicating with EC2 Only 234 lines of code

13. Front End Accepts PCAP from the user Also gets SSID and how many instances to run Creates a “message” for each instance This message is put on a queue waiting for client to come online It contains all the information the client needs Starts cracking instances Waits for results and reports them to the user After a key is found, terminates all clients

14. Back End Pops a message off the queue at boot time Gets the PCAP and full dictionary file Creates smaller wordlists First, makes a list based on “chunk” assigned Breaks that into smaller chunks for reporting purposes Runs aircrack-ng against each chunk Reports progress or the key after every iteration

15. Tested Instance Types and Cost

16. Demo

17. Results – Single Instance

18. Results – Parallel Instances

19. Future Work Utilize other EC2 Instance types High End Cluster with GPU 33.5 ECU and 2 x NVIDIA Tesla “Fermi” M2050 GPUs Optimize cracking client for architecture Fully utilize multiple CPU/core Fully utilize 64 bit capabilities Fully utilize GPU acceleration Look at other cracking tools coWPAtty, Hydra, custom code

20. Conclusion It’s certainly inexpensive and easy to leverage cloud computing to hack WPA2-PSK efficiently As long as you have an adequate dictionary The attack can be prioritized based on Cost Use cheaper instances, regardless of time Time Use most powerful instances, regardless of cost