Sunday, 6 February 2011

The power of simplicity: Brute force Cracking

Simplicity is always the best. No need to be too smart by looking for
the most efficient algorithm. As long as it works, it should do, at
least for the first iteration. So JUST DO IT. Later on, you can learn
to improve. The first brute force trial and error is the real
intelligence. Later on as we learn more, it is called knowledge.

Researcher cracks Wi-Fi passwords with Amazon cloud

* Alert
* Print
* Post comment
* Retweet
* Facebook

Return of the Caveman attack

By Dan Goodin in San Francisco • Get more from this author

Posted in Security, 11th January 2011 20:17 GMT

Free whitepaper – Fraud Alert - Phishing

A security researcher has tapped Amazon's cloud computing service to
crack Wi-Fi passwords in a fraction of the time and for a fraction of
the cost of using his own gear.

Thomas Roth of Cologne, Germany told Reuters he used custom software
running on Amazon's Elastic Compute Cloud service to break into a WPA-
PSK protected network in about 20 minutes. With refinements to his
program, he said he could shave the time to about six minutes. With
EC2 computers available for 28 cents per minute, the cost of the crack
came to just $1.68.

"People tell me there is no possible way to break WPA, or, if it were
possible, it would cost you a ton of money to do so," Roth told the
news service. "But it is easy to brute force them."

Roth is the same researcher who in November used Amazon's cloud to
brute force SHA-1 hashes. Roth said he cracked 14 hashes from a 160-
bit SHA-1 hash with a password of between one and six characters in
about 49 minutes. He told The Register at the time he'd be able to
significantly reduce that time with minor tweaks to his software,
which made use of "Cluster GPU Instances" of the EC2 service.

As the term suggests, brute force cracks are among the least
sophisticated means of gaining unauthorized access to a network.
Rather than exploit weaknesses, they try huge numbers of possible
passwords until the right phrase is entered. Roth has combined this
caveman approach with a highly innovative technique that applies it to
extremely powerful servers that anyone can rent at highly affordable

Roth's latest program uses EC2 to run through 400,000 possible
passwords per second, a massive amount that only a few years ago would
have required the resources of a supercomputer. He is scheduled to
present his findings at next week's Black Hat security conference in
Washington, DC. ®

No comments: