WPA Attacks – CompTIA Security+ SY0-401: 3.4

An encryption technology doesn’t have to suffer from a cryptographic flaw to be susceptible to attack. In this video, you’ll learn how an encryption protocol as strong as WPA can be successfully hacked.

When the cryptographic problems were found with the WEP encryption protocol, it was a big issue, something that needed to be resolved. And of course, we went back to the drawing board and came up with a new wireless security protocol called WPA.

WPA itself was a bit more secure. We didn't have the same problems with the initialization vectors and the replay attacks that we had with the WEP encryption protocol. Eventually some relatively minor vulnerabilities were found in WPA surrounding TKIP, the Temporal Key Integrity Protocol, but these applied only to very specific cases.

The attacker had to be positioned in a particular way, effectively as a man in the middle, and the attack was not straightforward to carry out. But nonetheless, it was still a vulnerability and something that people had to be concerned about.

When WPA2 was released, it worked differently. TKIP was replaced with CCMP, which is built on the AES cipher, and that is a very strong way to encrypt information. Even to this day there are no known cryptographic vulnerabilities in the WPA2 encryption itself when you're using CCMP.

Without any known cryptographic vulnerabilities, we have to use other methods to crack or hack into a WPA2 network. If you're running WPA2 on your home network, then you're probably using WPA-Personal. You might also see this referred to as WPA-PSK.

That stands for pre-shared key. It means everybody on the network has the same key, and we all use that same key on every system to gain access to the wireless network. So the only way you can really get in is to find out what that key is, and to do that you would perform a brute force or a dictionary attack, trying one candidate passphrase after another until you find the one that works.

There's no other way to reverse engineer that key using a cryptographic vulnerability, because currently we don't have one within WPA2. That means on your wireless network, you would do best to create a relatively complex key. It needs to mix a lot of different letters, numbers, and symbols. It needs to be as long as possible. And if you can, avoid any obvious words that somebody may be able to run across with a dictionary attack.
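To make concrete why the pre-shared key is the weak point and why length and randomness matter, here is an added example that is not part of the original video. It implements the standard WPA/WPA2-Personal key derivation (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32-byte output, as specified in IEEE 802.11i) and runs an offline dictionary attack against a target PMK. The SSID "HomeNet", the passphrase "letmein1", the short wordlist, and the guess rate of 100,000 derivations per second are all constructed for illustration; the IEEE test vector ("password" on SSID "IEEE") is the one published with the standard.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# IEEE 802.11i: the WPA/WPA2-Personal Pairwise Master Key (PMK) is
#   PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
# The SSID is the salt, so the same passphrase gives a different PMK on a
# different network name. Every client on the network shares this one PMK,
# which is why recovering it compromises everyone at once.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK from a WPA2-Personal passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN)


def dictionary_attack(target_pmk: bytes, ssid: str,
                      candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack against a recovered PMK.

    Derives the PMK for each candidate passphrase and compares it with the
    target. Candidates outside the legal 8..63 character range are skipped
    without spending a PBKDF2 derivation on them.
    Returns (matching passphrase or None, number of derivations performed).
    """
    tried = 0
    for cand in candidates:
        if not 8 <= len(cand) <= 63:
            continue
        tried += 1
        if hmac.compare_digest(wpa2_pmk(cand, ssid), target_pmk):
            return cand, tried
    return None, tried


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Rough brute-force cost: years needed to try every passphrase of the
    given length over an alphabet of the given size at a fixed guess rate."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("IEEE vector:", wpa2_pmk("password", "IEEE").hex())

    # Constructed scenario: a weak passphrase on a network called "HomeNet".
    ssid = "HomeNet"
    target = wpa2_pmk("letmein1", ssid)          # what the attacker is trying to match
    wordlist = ["password", "1234", "12345678", "letmein1", "qwertyui"]  # constructed
    found, tried = dictionary_attack(target, ssid, wordlist)
    print(f"dictionary attack: {found!r} after {tried} derivations")

    # Why length and alphabet matter: 8 digits vs 8 mixed characters vs 20.
    rate = 1e5  # hypothetical PBKDF2 guesses per second on commodity hardware
    for alphabet, length in [(10, 8), (95, 8), (95, 20)]:
        print(f"alphabet {alphabet:>2}, length {length:>2}: "
              f"{years_to_exhaust(alphabet, length, rate):.3g} years")
```

The 4096 PBKDF2 iterations are what make each guess expensive, but an attacker who has captured the handshake pays that cost offline, on their own hardware, with no lockout. The only defense the protocol leaves you is a passphrase whose keyspace makes the search infeasible, which is the point of the advice above about length and avoiding dictionary words.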

If you're in a larger environment, you're probably using WPA-Enterprise. You may also see this referred to as WPA-802.1X. 802.1X is the port-based network access control standard that is used to authenticate people onto a network.

So everybody authenticates with their own credentials to gain access. You don't hand out a single shared key to everyone, which isn't workable in an enterprise anyway; this way, if somebody leaves the organization, you don't have to change the key on every device. You would simply log in with your username and your password, and that's what gets you onto the wireless network, usually with some type of authentication server on the back end, like RADIUS.
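Here is what the two modes look like side by side on an access point, as an added example that is not from the original video. It uses hostapd's configuration syntax; the interface name, SSIDs, placeholder passphrase, RADIUS server address and shared secret are hypothetical values chosen for illustration.

```ini
# --- WPA2-Personal (WPA-PSK): one passphrase shared by every client ---
interface=wlan0
ssid=HomeNet
# wpa=2 enables WPA2 (RSN) only; wpa=1 or wpa=3 would also accept WPA/TKIP clients
wpa=2
wpa_key_mgmt=WPA-PSK
# AES-CCMP only. Listing TKIP here reintroduces the weaker WPA cipher.
rsn_pairwise=CCMP
# Hypothetical placeholder: use a long, random passphrase (8 to 63 characters)
wpa_passphrase=ReplaceWithALongRandomPassphraseOf20PlusCharacters

# --- WPA2-Enterprise (WPA-802.1X): each user authenticates with their own credentials ---
interface=wlan0
ssid=CorpNet
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# Hand authentication to an 802.1X/EAP exchange backed by a RADIUS server
ieee8021x=1
# Hypothetical RADIUS server address and shared secret
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=hypothetical-radius-secret
```

In the first fragment the single `wpa_passphrase` is the whole secret, so it is what an attacker targets and what has to change whenever someone leaves. In the second there is no network-wide secret for a client to know; the access point relays each user's login to the RADIUS server, and removing a user means disabling one account rather than re-keying every device.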

And again, there are no practical cryptographic attacks against that either. You would need to determine an individual user's username and password. In fact, this is harder to brute force, because now you can only attack one user's credentials at a time instead of a single global key that everyone is using. So if you're planning to get into a WPA2 network, you need to understand that it's going to be extremely difficult, because it effectively comes down to a brute force or a dictionary attack to gain that access.