Cracking Wi-Fi Passwords with Sethioz

February 18th, 2015 by Olga Koksharova
Category: «Did you know that...?», «General», «GPU acceleration», «Hardware», «Tips & Tricks»

If you care about password cracking, hardware acceleration or Wi-Fi protection, this interview with our friend Sethioz is certainly for you. Currently a freelance security tester, Sethioz kindly shared his experience of cracking passwords with video cards, an interest that in turn grew out of his interest in gaming hardware. His personal experience may be very helpful to those for whom password cracking is a serious concern.

How did it all start or what was the reason to try to find a Wi-Fi password?

There is no short answer to this; if there were one, I guess it would be “curiosity”. I think I got my first computer (my own PC) somewhere in 2002-2003, and ever since I’ve been interested in everything that is not “normal”, such as reverse engineering, debugging, hacking games, cracking passwords etc. Wi-Fi was not very popular at that time and not many used it, so when I first saw open networks and then networks with passwords, I thought, “isn’t it possible to crack the network and use it?” I did a lot of googling and learned how to crack WEP-secured networks using aircrack-ng (airodump, aireplay etc.) on Linux, which was very easy (every WEP network can be cracked in less than a few hours and the success rate is 100%). After that I started doing research on how to crack WPA / WPA2 networks. And to be honest, at some point I cracked a WEP network only because I needed it; it was in some hotel that had only paid Wi-Fi and I did not want to pay for 1 week of Wi-Fi, because I only stayed there for 2-3 days.

I’ve also done it just to prove my point or to “show off”. My friend said “it’s impossible to crack WPA2 because even the FBI uses it”, so I just wanted to make my point, cracked his Wi-Fi and handed him the password. He was using default ISP settings, where the password was 8 characters long, lower-case alpha; I got lucky and the password cracked at around 4%, so it only took me a few days on an old computer.

A few times some companies have paid me to test their Wi-Fi security. I managed to crack the password every time, because they did not understand the concept of “wordlist mutation” options. For example, they did not understand how I was able to “guess” the password “password900” or “pa55word”. With the mutation option I would only need the word “password” to be able to crack something like “password900” or “pa55word”.

Movies have also motivated me to look into such things; even though in movies they have no idea how real hacking or cracking works, it still gives motivation to try it in real life.
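The “wordlist mutation” idea above (“password” covering “password900” and “pa55word”) has a defender-side mirror: a password-policy check that reduces a candidate back to its base word and rejects it when that base is a dictionary word, or a concatenation of dictionary words as in the “PasswordPassword932” and “MyBusiness2000” cases mentioned later in the interview. The following is an added example, not code from the interview or from EWSA; the wordlist is a constructed toy and the leet substitution table is an assumption about the most common substitutions.

```python
"""Defender-side check: is a candidate password just a trivial mutation of a
dictionary word?  Instead of generating "password900" / "pa55word" from
"password" (the cracker's mutation step), we undo the mutation and look the
base word up.  Added example; WORDLIST is a constructed toy list."""
import re
from typing import List, Optional

# Constructed toy wordlist; a real policy check would load a large dictionary.
WORDLIST = {"password", "titanic", "mybusiness", "network", "welcome"}

# Common leet substitutions, undone (digit/symbol -> letter).  Ambiguous
# characters are mapped to the letter they most often stand for (assumption).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(candidate: str) -> str:
    """Reduce a candidate to its probable base word.

    Strips leading/trailing digits and punctuation (the "900" in
    "password900"), undoes leet substitutions (the "55" in "pa55word") and
    lower-cases the result.  Digit-only passwords reduce to "" and must be
    caught by a separate length/charset rule."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", candidate)
    return core.translate(UNLEET).lower()


def split_words(word: str, wordlist=WORDLIST) -> Optional[List[str]]:
    """Split a base word into a sequence of wordlist words, longest-prefix
    first ("passwordpassword" -> ["password", "password"]).  Returns None if
    no complete split exists."""
    if word == "":
        return []
    for i in range(len(word), 0, -1):
        head = word[:i]
        if head in wordlist:
            rest = split_words(word[i:], wordlist)
            if rest is not None:
                return [head] + rest
    return None


def is_trivial_mutation(candidate: str, wordlist=WORDLIST) -> bool:
    """True when the candidate is one or more dictionary words plus trivial
    decoration, i.e. exactly what a wordlist + mutation attack covers."""
    base = base_word(candidate)
    if not base:
        return False
    return split_words(base, wordlist) is not None


if __name__ == "__main__":
    for pw in ["password900", "pa55word", "PasswordPassword932",
               "MyBusiness2000", "kdopeqls"]:
        print(f"{pw:22s} base={base_word(pw)!r:20s} trivial={is_trivial_mutation(pw)}")
```

The check is deliberately conservative in the other direction: a random default such as “kdopeqls” does not reduce to any wordlist entry, so it passes this particular rule and must be judged by length and charset instead.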

Inspired by movies, Sethioz has assembled a nice hacking workstation:

Why did you choose EWSA for this job?

I think I first heard about EWSA about 3-4 years ago. Before that I tried tools such as hashcat, pyrit and others found on Google. I have searched a lot and I think EWSA is the best tool for WPA/WPA2 handshake cracking. It’s easy to use and does exactly what is needed, while hashcat and other similar tools are complex and messy. I’ve tried a lot of them, but EWSA is the easiest; it does not require much knowledge at all. Anyone who knows how to capture a WPA2 handshake would know how to use EWSA. I’m a professional and I know a lot about computers, but even I find tools like hashcat, pyrit etc. hard to use. Also, EWSA uses CUDA (allowing you to use the GPU to do the calculations / cracking, which is a lot faster than the CPU).

Why did you decide to choose the card Galax GTX 980 “Hall of Fame” Edition?

I chose this card because I’m also a YouTuber and I needed a good card to run all the latest games on maximum graphics without any problems. I did a lot of research before I decided; the GTX 980 is currently the newest in NVIDIA’s arsenal and I heard a lot of good things about it. I also checked out Asus, EVGA, Gigabyte and a few others, but Galax is known to break world records and have the highest clock speeds. This specific “Galax GTX 980 Hall of Fame” card has the highest clock speeds by default; I think it is the fastest single-GPU graphics card in the world. I don’t stay up to date with AMD / Radeon anymore, but I don’t think they have anything better. I was very impressed when I benchmarked this card on EWSA: I expected it to do about 60000-70000 p/s, but it did 215000 p/s.

The most important thing about this specific card is the default clock speeds, which are insanely high compared to NVIDIA’s default 980.

NVIDIA GeForce GTX 980 default clocks are:

  • base clock: 1126 MHz
  • boost clock: 1216 MHz (for those who do not know, the boost clock is automatically enabled if the card stays cool enough to handle the speeds)

Galax GTX 980 HoF clocks are:

  • base clock: 1304 MHz
  • boost clock: 1418 MHz (mine is 1455 MHz, slightly overclocked)

Yes, I have tried other cards before. I have tried some old cards, such as the NVIDIA GT 240 and 9600GT (I think), and they do only about 5000-9000 p/s. Then I tried an EVGA GTX 550Ti which did around 12000-14000 p/s. I also tried out a Gainward GTX 680 Phantom which managed to get around 34000 p/s and an Asus GTX 680 DirectCUII which did about 36000 p/s. My friends have given me feedback regarding some Radeon cards, such as the HD7970 which did around 55000 p/s (if I remember right). But I really did not expect the 980 HoF to get 215000 p/s; it’s impressive.

The advantages are that this card is heavily overclocked by the Galax / KFA2 company and they have even placed a physical button on the back of the card that turns all 3 fans to maximum speed; this can be used if you want to heavily overclock the card. I have not done any overclocking, because this card is a BEAST as it is already. In gaming, this card is equal to or even a bit better than my previous GTX 680 SLI. Another important thing about the Galax 980 is that the company says they have completely re-designed the PCB for maximum performance; the PCB is also white, while usually PCBs are all green.

You can also see my review of the GTX 980 HoF here:

How did you prepare the card to accelerate it to its maximum? Did you encounter any problems when you started using it and how did you fix it?

Since Galax has been around since about 1994 and they focus on breaking overclocking records on cards, they have done a really good job on cooling the card. I was able to add a small boost to the clocks (from 1418 MHz to 1455 MHz) without any issues. The card stays cool even under max load (under 60 °C).

At this point I’d like to mention that when cracking passwords with EWSA, the card never reaches temperatures as high as it does in gaming. I guess that’s because EWSA works in “chunks”: I can see the GPU usage peak for 3-5 seconds and then drop for 1 second or less, which I guess gives the GPU enough time to cool down. I have left some old computers to crack a password for months and they run stable (I did not use EWSA, I used EDPR in that case). The GPU temperature on that old PC stayed below what it reaches in gaming, so I guess this applies to all GPUs.

What’s also important, I guess, is that all of my PC cases have front air intake, which significantly decreases all component temperatures. My main PC case is an Antec DF-85 with 3 front fans, so the hardware stays a lot cooler than in cases that don’t have front fans.

The old PC that I used for cracking does not have a front fan by default, but I modified the case and added a front fan, keeping the GPU cool. That old PC had an EVGA GTX 550Ti and the card was around 55-65 °C.

What attacks did you start from and why? Did you have to adjust the settings or switch to another attack?

Well, this is something where in general you need experience and common sense. For example, a station that has a default name (the default given by the ISP, which is written on the back of your router box) is most likely to have the default password too. So all I need is to take a look at the default settings, which I can ask a friend for, and then I know what password to look for.

Here in the UK, I know of 4 ISPs who use very simple passwords; even though for the everyday person it is nearly impossible to crack, for someone like me it is kid’s play to crack a password within 1-2 weeks. For example, one ISP uses an UPPER-CASE alpha password, which is about 208 billion combinations; running it on a GTX 980 HoF using EWSA, this will take only 11 days max. Another ISP I know uses 12 digits (numbers), and this kind of password takes less than a day to crack; it’s possible even on weaker computers.

However, one ISP here uses 64-character passwords, containing upper and lower alpha and numbers; this kind of password is impossible to crack on any home PC. I think only the FBI and above would have enough resources to try and crack something like that, but I think they would fail too, because there are too many possibilities; it would take over 100 years with current technology.

One of my friends named his Wi-Fi station “Titanic” and asked if I could test it. The first thing that I thought was that he must like Titanic, so what I did was download subtitles for Titanic from various websites and, using different tools (such as an old tool called Raptor 3), I made a wordlist out of the movie subtitles. I don’t remember if that was the wordlist that helped me crack the password or whether it was one of my own collections, but I managed to get the password. He had it in a style like “PasswordPassword932” (2 words with capitals and a number at the end).

The best way to crack a password is to have background information about the router (who is the owner, does the Wi-Fi have a default name, is the person a computer specialist or not, does the owner use computers a lot, does the owner use a lot of other devices etc.). For example, if the owner uses a lot of devices, then most likely he has a weak password, because it is a real pain to re-enter your password on every device if it’s long and hard to remember. Also in companies, where lots of people need to access the Wi-Fi, it is most likely to have a weak password.

From my experience, people always use passwords they are familiar with, such as their names, birthdays, company names etc., something related to them. I’m also a part-time graphics and web developer and I have had access to many, many different websites and servers, and 99% of them use very simple passwords. I always tell them that they should not do this, but they don’t seem to care.

However, I’d like to mention that even IT and computer specialists use simple passwords. Including myself: I don’t use them on anything as public as Wi-Fi, but having over 100 accounts, I often use simple passwords. I use them on simple things only, such as some game accounts that I don’t really care about.
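The ISP-default figures above (an 8-character upper-case alpha password being “about 208 billion combinations” and “11 days max” on a card doing 215000 p/s, a 12-digit password, and a 64-character alphanumeric one that would take “over 100 years”) all follow from one calculation: keyspace = charset size to the power of the length, divided by the guess rate. The following is an added example, not part of the interview or of EWSA; it reuses the 215000 p/s figure quoted for the GTX 980 HoF and adds the defender’s inverse question, namely the minimum length a given charset needs before exhaustive search at that rate exceeds a chosen number of years.

```python
"""Keyspace and time-to-exhaust estimates for fixed-length passwords.
Added example; the 215,000 guesses/second rate is the GTX 980 HoF / EWSA
figure quoted in the interview, the charset sizes are standard."""
import math

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 86400 * 365.25

# Charset sizes for the password styles discussed in the interview.
CHARSETS = {
    "digits": 10,
    "lower": 26,
    "upper": 26,
    "alnum": 62,   # upper + lower + digits
}

GTX_980_HOF_RATE = 215_000  # WPA/WPA2 guesses per second, as quoted in the interview


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: time to try every candidate at `rate` guesses/second.
    The expected time for a uniformly random password is half of this."""
    return keyspace(charset_size, length) / rate


def days_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    return seconds_to_exhaust(charset_size, length, rate) / SECONDS_PER_DAY


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    return seconds_to_exhaust(charset_size, length, rate) / SECONDS_PER_YEAR


def min_length_for(charset_size: int, rate: float, years: float) -> int:
    """Defender's view: smallest length whose full keyspace takes more than
    `years` to exhaust at `rate` guesses/second.  Solved in log space so it
    works for huge keyspaces without iterating."""
    budget = rate * years * SECONDS_PER_YEAR   # guesses affordable in `years`
    # need charset_size ** L > budget  <=>  L > log(budget) / log(charset_size)
    return math.floor(math.log(budget) / math.log(charset_size)) + 1


if __name__ == "__main__":
    rate = GTX_980_HOF_RATE
    print(f"upper, 8 chars : {keyspace(26, 8):,} candidates, "
          f"{days_to_exhaust(26, 8, rate):.1f} days worst case")
    print(f"digits, 12     : {keyspace(10, 12):,} candidates, "
          f"{days_to_exhaust(10, 12, rate):.1f} days worst case")
    print(f"alnum, 64      : {years_to_exhaust(62, 64, rate):.3g} years")
    for name, size in CHARSETS.items():
        print(f"{name:6s}: need >= {min_length_for(size, rate, 100)} chars "
              f"to exceed 100 years at {rate:,} p/s")
```

Two caveats the numbers hide: the estimate assumes the password is uniformly random over the charset (an ISP default usually is, a human-chosen one is not, which is exactly why the wordlist attacks in the rest of the interview work), and it scales linearly with rate, so a budget that buys ten times the guess rate cuts every figure by ten.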

Did you succeed in cracking passwords?

I have cracked a total of about 50 Wi-Fi passwords and failed to crack maybe about 2-3. However, those include WEP networks; maybe about 10-15 of them have been WPA2, and all the failed ones were WPA/WPA2, because all WEP networks are 100% crackable.

Most commonly the passwords have not been changed from the default ISP-provided password, so they are just random combinations like “kdopeqls” or “KSPENMAQ”. My friend used something like “HisnameNetwork042” as a password; I don’t remember the exact passwords from memory, but I know he used his alias / online nickname as part of the password. Another one uses his business name + number, such as “MyBusiness2000”, which is rather easily crackable with wordlist + mutation.

What was the most important factor(s) that helped you to reach the goal/find the password?

Without a doubt, it would be knowing what you are up against. So always do your research. This would be illegal already, but if I worked for the police or the FBI or any authority that would give me permission to do so, I would not even start by cracking the Wi-Fi; I would “spy” on the network owner to learn more and predict what the password might be. As mentioned earlier, if the person is simple-minded and can’t be bothered with computer things, then most likely he/she has not changed it and uses the default password, so the most important thing would be to get hold of the same ISP’s router (same router, same version) and just take a peek at the default Wi-Fi password. From there, I know to use either lower-alpha or UPPER-alpha combinations in the brute force. If the station is custom-named, it’s very important to know more about the router’s user/owner and predict which wordlist would be best. For example, if the person is from another country and English is not his/her native language, then I would try his native-language wordlists first.

I think if someone were to make a challenge for crackers: have 10 routers, but with all of their names and passwords mixed up. You know that 2 of them have a very simple password, 2 of them an extremely hard one and the rest are in between, but the names are mixed up so that you can’t do any ISP background research or personal background research; then it would be extremely hard to crack any of them. In such a case it would be best to find the easiest passwords first and go from there.

So in general, the most important thing is the pattern / knowing what you are looking for; without that, you can spend months trying to crack a password with a combination that does not include a SPACE, while the password might use a space.

What would be your recommendations to other testers in terms of GPUs, attacks and settings or any other important nuances about Wi-Fi passwords one should keep in mind?

I think if one wants to buy a graphics card only for Wi-Fi cracking and doesn’t have much budget, then AMD / Radeon cards are the ones to look at, because only NVIDIA’s 900 series has Maxwell GPUs, which are really effective in cracking. Previous NVIDIA cards are very bad at cracking. However, AMD / Radeon takes a lot more power. A Radeon can take up to something like 300 W of power (maybe even 350 W), while my GTX 980 HoF takes about 220 W of power (this is under max load).

Still, we’d insist on Maxwell cards for three reasons: first, they give more passwords per watt; second, their bugs are fixed more efficiently; and third, they don’t overheat as much and thus do not require sophisticated cooling (old AMD cards could simply burn, while newer models include heat protection that drops the card’s speed as it reaches 90 °C). Besides, Maxwell cards include not only the GTX 9XX series; there are also the GTX 750Ti, 750 and 8X0M – you can find some more in the table at http://en.wikipedia.org/wiki/CUDA

NVIDIA said that they have dropped support for the entire 700 series because the Kepler architecture is now history and Maxwell is far superior, and therefore there is no point continuing the 700 series anymore, so from this statement I assumed that the entire 700 series is Kepler, but it seems like the 750 and 750Ti were made after the 760, 770 and 780, which doesn’t make much sense, but this is the reason why I said that only the 900 series is Maxwell. I got confused by NVIDIA’s statement. The 800 series is only for laptops and I do not stay up to date with laptops; I have never used a laptop for gaming or CPU/GPU-based cracking, because they’re very weak compared to custom-built PCs and laptops always have cooling issues, so constant load will cause them to fail quickly.

For those who have a higher budget (such as governments or some small projects between people), I think they should look up PICO accelerators; they are designed specifically for such jobs, they use very little power and give insane results. Here is a graph of PICO accelerator performance and power usage, and that was in 2013: http://sethioz.com/forum/download/file.php?id=1391

The bottom one seen in that picture would cost about 2300 USD (in 2013); they do not list prices in public, but I contacted them and this was a rough estimate for such a system. So it can do about 2 million WPA/WPA2 passwords per second using 1500 W. If you wanted to do this with the GTX 980 HoF, you would need 9-10 of them, each using 220 W of power and costing about 1000 dollars, so clearly PICO is the way to go on a mass scale. It’s the same concept as with bitcoin mining: a tiny USB-powered bitcoin miner can give better results than a Galax GTX 980 HoF; it’s all about architecture.

I have not had a chance to test out the Radeon HD5970, but I think it should give the best performance for the price; it’s a dual-GPU card and should be able to do 100000 – 200000 p/s of WPA2, though I’m not entirely sure about this. The HD7970 should do about 60000 p/s and I think the 5970 should be about twice the power of the HD7970; however, I have also heard that the HD7970 does about 100000 p/s. I do not own Radeon cards, so it’s hard for me to say. I would have to see the results myself to be able to do more than speculate based on what I have read and heard.

We tested WPA/WPA2 passwords on an AMD Radeon HD7970 and reached 112000 p/s; however, as Sethioz has already mentioned above, the card gets pretty hot, so you have to keep an eye on its temperature and be ready to help it with fans and coolers.

To finish this interview, I’d like to thank Sethioz very much for his insightful thoughts on password cracking and on the important nuances to pay attention to when choosing a proper card to take full advantage of current hardware acceleration technologies. Readers are also welcome to share their experience and recommendations in the comments below, because password cracking is also an art, in the sense that it requires not only computer knowledge but also a bit of reasonable creativity in attacks, especially for those algorithms where simple brute-forcing is hopeless. You are also welcome to discuss all these and other questions about graphics cards’ speeds and performance in Sethioz’s own forum at http://sethioz.com/forum/viewforum.php?f=72


REFERENCES:

Elcomsoft Distributed Password Recovery

Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.

Elcomsoft Distributed Password Recovery official web page & downloads »


Elcomsoft Wireless Security Auditor

Audit security of your wireless networks and recover WPA/WPA2 passwords with Elcomsoft Wireless Security Auditor. In addition to the CPU-only mode, the new wireless password recovery tool features a patented GPU acceleration technology to speed up password recovery. Elcomsoft Wireless Security Auditor targets the human factor with smart attacks, combining dictionary attacks with an advanced variation facility. The tool accepts standard tcpdump logs supported by any Wi-Fi sniffer.

Elcomsoft Wireless Security Auditor official web page & downloads »