Posts Tagged ‘Elcomsoft Wireless Security Auditor’

Modern wireless networks are securely protected with WPA/WPA2. The most frequently used method of securing access to a wireless network is pre-shared passphrase, or, simply put, a text password. The WPA standard enforces the minimum length of 8 characters for all Wi-Fi passwords. Considering the relatively low performance of WPA/WPA2 password attacks, brute force attacks are rarely effective even when performed with a network of GPU-accelerated computers. In this article, I will show how to attack wireless passwords for the purpose of security audit.


First and foremost, you’ll need a WPA/WPA2 handshake dump. This dump is essentially a file you’ll be using in the password recovery app when attacking Wi-Fi passwords. In order to capture the WPA/WPA2 handshake, use the built-in Wi-Fi sniffer in Elcomsoft Wireless Security Auditor.

The traditional approach to capturing a WPA/WPA2 handshake was using a dedicated AirPCap wireless adapter and specialized software. Elcomsoft Wireless Security Auditor takes AirPCap out of the equation, delivering a software-based Wi-Fi sniffing solution that works on regular Wi-Fi adapters. The custom NDIS driver for 32-bit and 64-bit Windows systems is digitally signed by Microsoft, and can be installed on all compatible versions of Windows including the latest builds of Windows 10. With this tool, you can automatically intercept Wi-Fi traffic and launch an attack on selected Wi-Fi networks.

Note: you must install a WinPCap driver to enable Wi-Fi sniffing. A compatible WinPCap driver is provided with Elcomsoft Wireless Security Auditor.

Please refer to the Elcomsoft Wireless Security Auditor manual for information on installing the WinPCap and NDIS drivers and capturing a WPA/WPA2 handshake.

You can attack passwords within Elcomsoft Wireless Security Auditor for GPU-accelerated recovery, or within Elcomsoft Distributed Password Recovery, which can use multiple computers and multiple GPU units to accelerate attacks.

The Attacks

A WPA/WPA2 password always consists of at least 8 characters. Even if the password is exactly 8 characters long, can you break it using a brute-force attack? Let’s calculate!

An 8-character password that contains characters from the extended character set (small and capital letters, numbers and special characters) has 6,634,204,312,890,625 possible combinations. A single NVIDIA Tesla V100 can try as many as about 650,000 WPA/WPA2 passwords per second.

As a result, you’ll need an estimated 323 years to break that password using a single Tesla V100 board. Granted, you can cut this number by utilizing a thousand computers, each with eight V100 boards, and get a much more reasonable estimate, but why would anyone spend that much effort breaking a Wi-Fi network protected with just an 8-character password?

A smarter attack won’t cost you anything, but may result in a significantly higher success rate in significantly less time.

Try Phone Numbers First

If you are not auditing a Pentagon network, a good starting point will be the list of local phone numbers. While passwords like these are relatively uncommon, we’ve still seen them in 1 to 3% of the cases. Considering the very short duration of this attack, the list of local phone numbers is totally worth checking.

All-Digit Passwords

A good number of Wi-Fi access points are protected with passwords consisting of exactly 8 digits. While this attack takes longer than trying the list of local phone numbers, it may be worth running depending on your computational resources. A single video card will crunch through these all-digit passwords in under three minutes, making it worth a try.

Targeting the Human Factor

Wi-Fi passwords are meant to be shared and used by a number of people. More often than not, these passwords are made to be easy to memorize and easy to type, especially on mobile devices. As a result, many passwords are based on combinations of one to three dictionary words, some numbers, and very few special characters. For this reason, we recommend using automatically adjusted dictionary attacks when auditing Wi-Fi passwords. If a wireless network can withstand a GPU-assisted dictionary attack with mutations during a given timeframe, one can consider the network to be secure.

Leaked passwords

Every year, millions of user accounts are compromised, and millions of passwords are leaked. We strongly recommend obtaining a list of the most commonly used passwords, such as the Top 10,000 passwords or Top 10 million passwords, and running a simple, straightforward attack through that dictionary of leaked passwords.

The dictionaries of the most common passwords can be obtained from GitHub.


Wi-Fi passwords frequently contain one or more words in natural language. You can often recover such passwords by running a dictionary attack. A dictionary attack against a Wi-Fi password requires one or several dictionaries; a dictionary of English words is a good starting point, but dictionaries of local languages should not be forgotten.


Users frequently attempt to “secure” a password by taking a well-known word and applying some modifications. Sometimes, the amount of modification is just enough to pass the enforced security policy. For example: JohnSmith1, J0hnSm1th, Eva-1980, Peter1$ and so on.

To help attacks target passwords selected by average users, we developed an automated mutations engine. The mutations engine automatically alters dictionary words to mimic common patterns. You can easily apply mutations to dictionary words. More time is required when more mutations or a higher mutation level are selected.

Elcomsoft Wireless Security Auditor offers a dozen different mutations. Enabling all of these mutations at the same time enormously expands the number of passwords to try, making it difficult or impossible to reach the end of the list in reasonable time. For this reason, we strongly recommend using a reasonable number of mutations and choosing only those mutations that are likely to be used in a given case.

In real life, we’ve witnessed the following three mutations being the most popular:

Case mutation: different variations of uppercase and lowercase characters.

Digit mutation: one or more digits added to the beginning or at the end of the password.

Year mutation: a four-digit year appended to the end of the password.

You can read more about mutations in the Attack Settings and Dictionary Mutations sections of the manual.


Some organizations have strict password security policies requiring the use of a certain number of small characters, capital letters, numbers and special characters. If you know the rules, the mask attack helps you use such policies to your advantage by only checking for passwords that match the known structure.

Note: while the Mutations attack expands the number of passwords to try, Masks do the opposite by skipping checks on passwords that don’t match the set mask.

You can read more about the masks in the Attack Settings.
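The keyspace arithmetic from the brute-force section above (95 printable characters, 650,000 candidates per second on one V100) and the mask attack just described can be put into one estimator. This is an added example, not Elcomsoft code: the `?l ?u ?d ?s ?a` placeholders are an assumed notation for the demo, not the mask syntax of EWSA itself.

```python
# Keyspace and time estimator for the password classes this page discusses.
# Added example, not Elcomsoft code. The ?l ?u ?d ?s ?a placeholders are an
# assumed notation for this demo, not EWSA's own mask syntax.

# Size of each character class (printable ASCII; ?a is the 95-character set
# the article calls the "extended character set").
CHARSETS = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}

V100_RATE = 650_000           # WPA/WPA2 candidates per second, one Tesla V100
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask describes: each ?x placeholder multiplies
    by its class size, every other character is a fixed literal (one choice)."""
    total, i = 1, 0
    while i < len(mask):
        tok = mask[i:i + 2]
        if tok in CHARSETS:
            total *= CHARSETS[tok]
            i += 2
        elif tok == "??":
            i += 2            # escaped literal question mark
        else:
            i += 1            # any other character is a fixed literal
    return total

def length_range_keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Plain brute force over every length from min_len to max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def time_to_exhaust(keyspace: int, rate: float = V100_RATE, gpus: int = 1) -> float:
    """Seconds needed to try every candidate with `gpus` boards at `rate` each."""
    return keyspace / (rate * gpus)

def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR

def scenarios() -> dict:
    """Each attack class from the article as (keyspace, seconds on one V100)."""
    cases = {
        "8 chars, extended set":    mask_keyspace("?a" * 8),
        "8 digits":                 mask_keyspace("?d" * 8),
        "8 to 10 digits":           length_range_keyspace(10, 8, 10),
        "Password000..Password999": mask_keyspace("Password?d?d?d"),
        "policy mask ?u?l?l?l?l?d?d?s": mask_keyspace("?u?l?l?l?l?d?d?s"),
    }
    return {name: (ks, time_to_exhaust(ks)) for name, ks in cases.items()}

if __name__ == "__main__":
    for name, (ks, secs) in scenarios().items():
        print(f"{name:30s} {ks:>22,d} candidates {secs:>16,.1f} s "
              f"({years(secs):.4g} years)")
```

The 8-character extended-set case reproduces the 323-year figure from the article, while the 8-digit case finishes in about 154 seconds on the same board, which is why the all-digit and mask attacks are worth running first.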

Combination and Hybrid attacks

In real life, encountering passwords made of a single dictionary word is rare. More often than not, passwords consist of two or three words combined with some numbers and special characters. The Combination and Hybrid attacks target this kind of password by allowing you to try passwords made of two words, each of them taken from a dictionary. You can use the same or different dictionaries for the first and second words. We recommend enabling the check for upper-case and lower-case combinations, word delimiters and extra mutations.

With the first option, the program will try to capitalize the first letter of each word, i.e. testing all four combinations. The second option (Use word delimiters) allows you to set the characters (such as dash and underscore, though you can set any others as well) to be used between words. Finally, you can apply extra mutations to all resulting passwords (the Dictionary mutations options will be used). The program estimates the total number of passwords instantly, but mutations are not counted in that estimate.

Hybrid attacks are even more complex, allowing you to specify scriptable rules describing the passwords. Combination and Hybrid attacks are documented in the Attack Settings section of the manual.
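The three popular mutations listed above (case, digits, year) and the two-word combinations with delimiters described in this section can be turned around into a defender-side check: does a proposed Wi-Fi passphrase reduce to dictionary words under exactly those transformations? This is an added example, not Elcomsoft's mutation engine; the small dictionary and the test passphrases are constructed for the demo.

```python
# Defender-side check: would this Wi-Fi passphrase fall to the dictionary
# attacks the page describes (a word with case, digit or year mutations, or
# two words joined by a delimiter)? Added example, not Elcomsoft's engine.
import re
from typing import Optional, Tuple

# Constructed toy dictionary; a real audit would load a full wordlist.
DICTIONARY = {"password", "summer", "welcome", "office", "wifi", "london", "peter"}
DELIMITERS = "-_ ."                   # delimiters a combination attack would try

YEAR = re.compile(r"(19|20)\d{2}$")   # "year mutation": 4-digit year appended
LEADING_DIGITS = re.compile(r"^\d+")  # "digit mutation": digits prepended
TRAILING_DIGITS = re.compile(r"\d+$") # "digit mutation": digits appended

def base_forms(token: str) -> set:
    """Undo case, digit and year mutations; return every plausible base word."""
    t = token.lower()                 # case mutation: compare case-insensitively
    forms = {t}
    if YEAR.search(t):
        forms.add(t[:-4])
    no_tail = TRAILING_DIGITS.sub("", t)
    forms.update({no_tail, LEADING_DIGITS.sub("", t), LEADING_DIGITS.sub("", no_tail)})
    return {f for f in forms if f}

def mutated_word(token: str, dictionary=DICTIONARY) -> Optional[str]:
    """The dictionary word a token is built from, or None."""
    for base in base_forms(token):
        if base in dictionary:
            return base
    return None

def two_word_combo(passphrase: str, dictionary=DICTIONARY) -> Optional[Tuple[str, str]]:
    """Split into two (optionally delimited, mutated) dictionary words, if possible."""
    for i in range(1, len(passphrase)):
        left, right = passphrase[:i], passphrase[i:].lstrip(DELIMITERS)
        a, b = mutated_word(left, dictionary), mutated_word(right, dictionary)
        if a and b:
            return a, b
    return None

def classify(passphrase: str, dictionary=DICTIONARY) -> Tuple[str, tuple]:
    """('mutated-word', (base,)), ('two-words', (w1, w2)) or ('no-match', ())."""
    word = mutated_word(passphrase, dictionary)
    if word:
        return "mutated-word", (word,)
    combo = two_word_combo(passphrase, dictionary)
    if combo:
        return "two-words", combo
    return "no-match", ()

if __name__ == "__main__":
    # Constructed sample passphrases, not real credentials.
    for p in ["Password123", "Peter1980", "Summer-Wifi2019", "2019office", "xq7Lm!v2Pz"]:
        print(f"{p:18s} -> {classify(p)}")
```

A passphrase that classifies as anything other than `no-match` here would be found by the mutation or combination attacks in the workflow below, so it should be rejected when a network's PSK is chosen.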

Suggested Wi-Fi Password Auditing Workflow

Our suggested workflow for auditing Wi-Fi passwords consists of the following steps.

  1. Prepare the list of local phone numbers and save it as a text-based dictionary file. Run a plain, straightforward, zero-mutation attack through that dictionary.
  2. Try all-digit passwords. Depending on the available computational resources, you may be able to try passwords containing 8 to 10 digits in a matter of minutes. From a technical standpoint, this is a brute-force attack configured as follows: minimal password length = 8; maximum password length = 10; character set: 0123456789
  3. Run an attack through the Top 10,000 and Top 10 million password lists. Again, no mutations, just straightforward dictionary attacks.
  4. Run a dictionary attack with mutations (single dictionary).
  5. Optional: run a dictionary attack with masks.
  6. Run a hybrid attack with two dictionaries and mutations (note: the two dictionaries may be the same or different to help you try combinations of two words).

We released a major update to Elcomsoft Wireless Security Auditor, a tool for corporate customers to probe wireless network security. The major addition in this release is the new Wi-Fi sniffer, which now supports the majority of general-use Wi-Fi adapters (as opposed to only allowing the use of a dedicated AirPCap adapter). The built-in Wi-Fi sniffer is a component allowing the tool to automatically intercept wireless traffic, save the Wi-Fi handshake packets and perform an accelerated attack on the original WPA/WPA2-PSK password.


I know most computer gurus and pros never read through program manuals or help files and prefer to learn everything using the proverbial method of trial and error. Does this sound like you? Of course. Exceptions are very seldom. So, here’s something nice that will save your time and help your experience with Elcomsoft Wireless Security Auditor (EWSA).

In order to provide a quick but sufficient understanding of how to work effectively with EWSA, our friend Sethios has prepared a nice 20-minute video tutorial that covers all steps of working with the program, starting with acquiring handshakes and moving on through all the following steps.

This video is packed with useful information, so go ahead and watch it now:

Was it helpful for your work? You are the judge. But we are always happy to hear from you. Your feedback is the reason we work harder on our software!

Attacking Wi-Fi passwords is near hopeless if a wireless hotspot is properly secured. Today’s wireless security algorithms such as WPA use cryptographically sound encryption with long passwords. The standard enforces the use of passwords that are at least 8 characters long. The encryption used to protect wireless communications is tough and very slow to break. Brute-forcing WPA/WPA2 PSK passwords remains a hopeless enterprise even if a horde of GPUs is employed. Which is, in general, good for security – but may as well inspire a false sense of security if a weak, easy to guess password is selected.

Elcomsoft Wireless Security Auditor is one tool to test how strong the company’s Wi-Fi passwords are. After checking the obvious vulnerabilities such as open wireless access points and the use of obsolete WEP encryption, system administrators will use Wireless Security Auditor, which tries to ‘guess’ the passwords protecting the company’s wireless traffic. In previous versions, the guessing was limited to certain dictionary attacks with permutations. The new version gets smarter, employing most of the same guessing techniques that are likely to be used by an intruder.

Humans are the weakest link in wireless security. Selecting a weak, easy to guess password easily overcomes all the benefits provided by extensive security measures implemented in WPA/WPA2 protection. In many companies, employees are likely to choose simple, easy to remember passwords, thus compromising their entire corporate network.

The New Attacks
The new attacks help Elcomsoft Wireless Security Auditor recover weak passwords, revealing existing weaknesses and vulnerabilities in companies’ wireless network infrastructure.

Word Attack
If it’s known that a password consists of a certain word, the Word attack will attempt to recover that password by trying heavily modified versions of that word. This attack only has two options: you can set the source word and you can disable all permutations except changing the letter case. In addition, we can apply permutations to the source word first, forming a small dictionary; then perform a full dictionary attack, applying various permutations to all words from the newly formed list.

Mask Attack
Certain passwords or password ranges may be known. The mask attack allows creating a flexible mask, brute-forcing the resulting limited combination of passwords very quickly. The masks can be very flexible. One can specify placeholders for static characters, letter case, as well as full or limited range of special characters, digits or letters. Think of the Mask attack as an easy (and very flexible) way to check all obvious passwords from Password000 to Password999.

Combination Attack
You have two dictionaries. We combine each word from one dictionary with every word from another. By default, the words are combined as is, but you can increase the number of possible combinations by allowing delimiters (such as space, underscore and other signs), checking upper/lower case combinations or using extra mutations.

Hybrid Attack
This is one of the more interesting attacks out there. In a sense, Hybrid attacks come very close to how real human intruders think. The Hybrid attack integrates ElcomSoft’s experience in dealing with password recovery. We’ve seen many (think thousands) weak passwords, and were able to generalize the ways people make them. Dates, names, dictionary words, phrases and simple character substitutions are the most common things folks do to make their passwords ‘hard to guess’. The new Hybrid attack will handle the ‘hard’ part.

Technically, the Hybrid attack uses one or more dictionaries with common words, and one or more .rul files specifying mutation rules. We’re supplying a few files with the most commonly used mutation rules:

Common.rul – integrates the most commonly used mutations. In a word, we’ve seen those types of passwords a lot, so we were able to generalize and derive these rules.
Dates.rul – pretty much what it says. Combines dictionary words with dates in various formats. This is a pretty common way to construct weak passwords.
L33t.rul – the “leet” lingo. Uses various combinations of ASCII characters to replace Latin letters. C001 hackers make super-strong passwords with these… It takes minutes to try them all.
Numbers.rul – mixes dictionary words with various number combinations.

Although this new book has been on sale since January this year, we are happy to officially express our gratitude to Kevin Beaver and recommend it to you.

In his book Kevin insists that the best way to really understand how to protect your systems and assess their security is to think from a hacker’s viewpoint, get involved, learn how systems can be attacked, and find and eliminate their vulnerabilities. It all practically amounts to being inquisitive and focusing on real problems, as opposed to blindly following common security requirements without understanding what it’s all about.

Kevin extensively writes on the questions of cracking passwords and weak encryption implementations in widely used operating systems, applications and networks. He also suggests Elcomsoft software, in particular Advanced Archive Password Recovery, Elcomsoft Distributed Password Recovery, Elcomsoft System Recovery, Proactive Password Auditor, and Elcomsoft Wireless Security Auditor, as effective tools to regularly audit system security and close detected holes.

In this guide Kevin communicates the gravity of ethical hacking in very plain and clear words and gives step-by-step instructions to follow. He easily combines theory and practice, providing valuable tips and recommendations to assess and then fix security weaknesses in your systems.

We want to thank Kevin for testing and including our software in his very “digestible” beginner guide to hacking and recommend our readers this book as a helpful tool to get all facts in order.

As the second summer month is coming to an end, it’s time to sum up our news and updates that you might have missed because of a vacation in some tropical haven. The last two weeks brought us really hot days, not only because of the temperature in Moscow but also due to hard work on program updates. Here is the news:

  • We released the new version of Distributed Password Recovery. It features support for TheBat! and TheBat! Voyager mail clients master passwords (masterkey.dat) and passwords to TheBat! backup files (*.tbk). The GPU acceleration has been extended and now works for Domain Cached Credentials (DCC), as well as Office 2007, Adobe PDF 9, Windows logon passwords (LM and NTLM), WPA/WPA2, and MD5 hashes.
  • A new version of Elcomsoft Wireless Security Auditor was released. EWSA 1.03 is able to extract WPA-PSK password hashes from local systems when Wireless Zero Configuration is used.
  • Our website is now available in Spanish, Italian, and Polish. We promise to add more languages soon to bring our customers information in their native tongues.
  • Follow us on Twitter to be the first to receive our news or become a fan on our brand-new Facebook page. You can also subscribe to our newsletter.

ATI Stream Developer Showcase enrolled our Elcomsoft Wireless Security Auditor in its security section, among other “notable applications” that use ATI Stream technology:

Yet another pleasant morning news 🙂


All modern AMD and Intel processors are 64-bit, and the corresponding Windows versions are also on the market. It is highly recommended to use 64-bit systems (though 32-bit systems work perfectly on 64-bit processors) because in this case more than 3 GB of RAM can be employed, and today we have lots and lots of 64-bit systems, so it’s getting more and more critical.

A number of D-Link routers are now equipped with a CAPTCHA feature. Sounds interesting.

Chief technology officer in D-link says: "We are excited to be the first in the market to implement captcha into our routers, providing yet another layer of security to our customers".

No doubt, CAPTCHA is a wonderful spam filter for mail and a reliable obstacle to unauthorized access on the web, but is it as good for routers as it is for the web?