Elcomsoft Wireless Security Auditor Gets Wi-Fi Sniffer

December 1st, 2016 by Oleg Afonin
Category: «Elcomsoft News», «Hardware», «Software», «Tips & Tricks»

We released a major update to Elcomsoft Wireless Security Auditor, a tool for corporate customers to probe wireless network security. The major addition in this release is the new Wi-Fi sniffer, which now supports the majority of general-use Wi-Fi adapters (as opposed to only allowing the use of a dedicated AirPCap adapter). The built-in Wi-Fi sniffer is a component that allows the tool to automatically intercept wireless traffic, save the Wi-Fi handshake packet and perform an accelerated attack on the original WPA/WPA2-PSK password.

So what exactly has changed in the new release? Let’s have a look at the following block diagram:

image1

As you can see, previous versions of Elcomsoft Wireless Security Auditor (EWSA) required an AirPCap adapter, a dedicated device that costs around $300.

Source: http://www.riverbed.com/products/steelcentral/steelcentral-riverbed-airpcap.html

While using dedicated hardware built specifically for sniffing Wi-Fi traffic is “the right thing to do” (if you’re serious about auditing multiple networks, we still recommend buying one), many of our customers found the whole setup overly complicated. The need to purchase an additional piece of hardware and then install and configure drivers was enough of a roadblock for many.

We worked hard to remove this complication. That’s why the new version of Elcomsoft Wireless Security Auditor now includes a brand new Wi-Fi sniffer. While we are keeping AirPCap support, we built a new sniffing module that works with just about any Wi-Fi adapter thanks to the use of our own custom NDIS and AirPCap drivers.

image3

As you can see, we added a custom AirPCap driver stack as well as a custom NDIS driver. We built those for all 32-bit and 64-bit Windows systems from Windows 7 to Windows 10 (sorry folks, no XP support; use at your own risk on Vista PCs).

With this new Wi-Fi sniffer, Elcomsoft Wireless Security Auditor becomes a true all-in-one tool for probing the security of wireless networks that requires no extra hardware. Just set it up on a laptop (preferably, one equipped with NVIDIA graphics), bring it within range of a Wi-Fi network and run the tool.

Why NDIS?

The Network Driver Interface Specification (NDIS) is an open-source API for network interface cards. The NDIS driver abstracts the network hardware from network drivers, acting as the interface between the MAC sublayer and the network layer.

Your network adapter already comes with an NDIS driver. Standard NDIS drivers do not support intercepting Wi-Fi packets and, in general, do not allow for Wi-Fi sniffing. For this reason, we built a custom NDIS driver conforming to the NDIS 6.0 specification to implement the ability to intercept individual Wi-Fi packets.


Our driver can intercept wireless traffic from all Wi-Fi networks operating on a certain Wi-Fi channel. Once you select a certain Wi-Fi network, EWSA will start monitoring its traffic, waiting for a new device to connect. Once a new device connects to that wireless network, the device sends a handshake packet to the access point. The handshake packet contains the hashed password. We intercept the handshake packet, extract the password hash, and run an attack on that hash in order to recover the original password.
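What the captured handshake gives an auditor, in WPA2-PSK terms: the EAPOL-Key frame carries a MIC keyed by material derived from the passphrase, so a candidate passphrase can be checked against the capture without contacting the access point. This is an added example, not Elcomsoft's code; the SSID, MAC addresses, nonces and frame bytes are constructed sample data.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    # 802.11i PRF: HMAC-SHA1(PMK, label || 0x00 || data || counter).
    # The first 16 bytes of the PTK are the key confirmation key (KCK),
    # so the first 20-byte block (counter = 0) is enough.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    msg = b"Pairwise key expansion" + b"\x00" + data + b"\x00"
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    # WPA2 (key descriptor version 2): HMAC-SHA1 over the EAPOL frame
    # with its MIC field zeroed, truncated to 16 bytes.
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]

def passphrase_matches(passphrase: str, hs: dict) -> bool:
    # Recompute the MIC from a candidate passphrase and compare it with the
    # MIC recorded in the handshake. Everything needed is in the capture.
    pmk = derive_pmk(passphrase, hs["ssid"])
    kck = derive_kck(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_mic(kck, hs["frame"]), hs["mic"])

def make_sample_handshake(passphrase: str, ssid: str) -> dict:
    # Constructed sample: the fields a sniffer records when one client joins.
    # "frame" stands in for EAPOL-Key message 2 (4-byte header + 117-byte body).
    hs = {"ssid": ssid,
          "ap_mac": bytes.fromhex("020000000001"),
          "sta_mac": bytes.fromhex("020000000002"),
          "anonce": bytes(range(32)),
          "snonce": bytes(range(32, 64)),
          "frame": b"\x01\x03\x00\x75" + bytes(117)}
    pmk = derive_pmk(passphrase, ssid)
    kck = derive_kck(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(kck, hs["frame"])
    return hs

if __name__ == "__main__":
    hs = make_sample_handshake("correct horse battery staple", "ExampleCorp-WLAN")
    print(passphrase_matches("correct horse battery staple", hs))
    print(passphrase_matches("password", hs))
```

Each check costs one PBKDF2 run plus two HMACs and depends on nothing but the capture, so the length and randomness of the pre-shared key is what an audit of this kind actually measures.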


Compatibility

If adding a custom NDIS driver and writing a custom AirPCap library does the trick, why isn't everyone doing it? Why the extra hassle and expense of buying a ‘proper’ AirPCap adapter? The thing is, AirPCap devices are designed to do one thing: Wi-Fi sniffing. On the other hand, your existing Wi-Fi adapter may or may not work depending on many things such as the make, model and age of the adapter and its driver version. In other words, not every Wi-Fi adapter will work as a sniffer, while every AirPCap adapter most certainly will. Having said that, we tested Elcomsoft Wireless Security Auditor 7.0 with a wide range of modern and reasonably recent Wi-Fi adapters and were delighted to find that the majority of recently made adapters work with no issues. After all, our goal is not full-time Wi-Fi sniffing; all we need is a handshake.

NVIDIA Pascal Support

We have also updated Elcomsoft Wireless Security Auditor with new GPU acceleration libraries supporting NVIDIA’s newest architecture, NVIDIA Pascal. Cards based on this architecture (GTX 1070, GTX 1080 and other 1000-series boards) can break Wi-Fi passwords at least twice as fast as 900-series boards of the previous generation.

Special thanks to Open Solutions, our valuable partner that developed the core of the NDIS driver for Elcomsoft Wireless Security Auditor.

