Posts Tagged ‘Elcomsoft Wireless Security Auditor’

Elcomsoft Wireless Security Auditor Gets Wi-Fi Sniffer

Thursday, December 1st, 2016

We released a major update to Elcomsoft Wireless Security Auditor, a tool for corporate customers to probe wireless network security. The major addition in this release is the new Wi-Fi sniffer, which now supports the majority of general-use Wi-Fi adapters (as opposed to only allowing the use of a dedicated AirPCap adapter). The built-in Wi-Fi sniffer is a component that allows the tool to automatically intercept wireless traffic, save the Wi-Fi handshake packet and perform an accelerated attack on the original WPA/WPA2-PSK password.

So what exactly has changed in the new release? Let’s have a look at the following block diagram:


As you can see, previous versions of Elcomsoft Wireless Security Auditor (EWSA) required the use of a dedicated AirPCap adapter, a dedicated device that costs around $300.



While using dedicated hardware built specifically for sniffing Wi-Fi traffic is “the right thing to do” (if you’re serious about auditing multiple networks, we still recommend buying one), many of our customers found the whole setup overly complicated. The need to purchase an additional piece of hardware, install and configure drivers was enough of a roadblock for many.

We worked hard to remove this complication. That’s why the new version of Elcomsoft Wireless Security Auditor now includes a brand new Wi-Fi sniffer. While we are keeping AirPCap support, we built a new sniffing module that works with just about any Wi-Fi adapter thanks to the use of our own custom NDIS and AirPCap drivers.


As you can see, we added a custom AirPCap driver stack as well as a custom NDIS driver. We built those for all 32-bit and 64-bit Windows systems from Windows 7 to Windows 10 (sorry folks, no XP support; use at your own risk on Vista PCs).

With this new Wi-Fi sniffer, Elcomsoft Wireless Security Auditor becomes a true all-in-one tool for probing the security of wireless networks that requires no extra hardware. Just set it up on a laptop (preferably one equipped with NVIDIA graphics), bring it into the proximity of a Wi-Fi network and run the tool.


The Network Driver Interface Specification (NDIS) is an open-source API for network interface cards. The NDIS driver abstracts the network hardware from network drivers, acting as the interface between the MAC sublayer and the network layer.

Your network adapter already comes with an NDIS driver. Standard NDIS drivers do not support intercepting Wi-Fi packets and, in general, do not allow for Wi-Fi sniffing. For this reason, we built a custom NDIS driver conforming to the NDIS 6.0 specification to implement the ability to intercept individual Wi-Fi packets.


Our driver can intercept wireless traffic from all Wi-Fi networks operating on a certain Wi-Fi channel. Once you select a certain Wi-Fi network, EWSA will start monitoring its traffic, waiting for a new device to connect. Once a new device connects to that wireless network, the device sends a handshake packet to the access point. The handshake packet contains the hashed password. We intercept the handshake packet, extract the password hash, and run an attack on that hash in order to recover the original password.



If adding a custom NDIS driver and writing a custom AirPCap library does the trick, why isn’t everyone doing it? Why the extra hassle and expense of buying a ‘proper’ AirPCap adapter? The thing is, AirPCap devices are designed to do one thing: Wi-Fi sniffing. On the other hand, your existing Wi-Fi adapter may or may not work depending on many things such as the make, model and age of the adapter and its driver version. In other words, not every Wi-Fi adapter will work as a sniffer, while every AirPCap adapter most certainly will. Having said that, we tested Elcomsoft Wireless Security Auditor 7.0 with a wide range of modern and reasonably recent Wi-Fi adapters and were delighted to find that the majority of recently made adapters work with no issues. After all, our goal is not full-time Wi-Fi sniffing; all we need is a handshake.

NVIDIA Pascal Support

We have also updated Elcomsoft Wireless Security Auditor with new GPU acceleration libraries supporting NVIDIA’s newest architecture, NVIDIA Pascal. Cards based on this architecture (GTX 1070, GTX 1080 and other 1000-series boards) can break Wi-Fi passwords at least twice as fast as 900-series boards of the previous generation.

Elcomsoft Wireless Security Auditor Video Tutorial

Thursday, April 30th, 2015

I know most computer gurus and pros never read through program manuals or help files and prefer to learn everything using the proverbial method of trial and error. Does this sound like you? Of course. Exceptions are very rare. So, here’s something nice that will save you time and improve your experience with Elcomsoft Wireless Security Auditor (EWSA).

To provide a quick but sufficient understanding of how to work effectively with EWSA, our friend Sethios has prepared a nice 20-minute video tutorial that covers every step of working with the program, starting with acquiring handshakes and moving on through all the following steps.

This video is packed with useful information, so go ahead and watch it now:

Was it helpful for your work? You are the judge. But we are always happy to hear from you. Your feedback is the reason we work harder on our software!

Breaking Wi-Fi Passwords: Exploiting the Human Factor

Thursday, March 8th, 2012

Attacking Wi-Fi passwords is near hopeless if a wireless hotspot is properly secured. Today’s wireless security algorithms such as WPA use cryptographically sound encryption with long passwords. The standard enforces the use of passwords that are at least 8 characters long. Encryption used to protect wireless communications is tough and very slow to break. Brute-forcing WPA/WPA2 PSK passwords remains a hopeless enterprise even if a horde of GPUs is employed. This is, in general, good for security, but it may just as well inspire a false sense of security if a weak, easy-to-guess password is selected.

Elcomsoft Wireless Security Auditor is one tool to test how strong the company’s Wi-Fi passwords are. After checking the obvious vulnerabilities such as open wireless access points and the use of obsolete WEP encryption, system administrators will use Wireless Security Auditor, which tries to ‘guess’ the passwords protecting the company’s wireless traffic. In previous versions, the guessing was limited to certain dictionary attacks with permutations. The new version gets smarter, employing most of the same guessing techniques that are likely to be used by an intruder.

Humans are the weakest link in wireless security. Selecting a weak, easy to guess password easily overcomes all the benefits provided by extensive security measures implemented in WPA/WPA2 protection. In many companies, employees are likely to choose simple, easy to remember passwords, thus compromising their entire corporate network.

The New Attacks
The new attacks help Elcomsoft Wireless Security Auditor recover weak passwords, revealing existing weaknesses and vulnerabilities in companies’ wireless network infrastructure.

Word Attack
If it’s known that a password consists of a certain word, the Word attack will attempt to recover that password by trying heavily modified versions of that word. This attack only has two options: you can set the source word and you can disable all permutations except changing the letter case. In addition, we can apply permutations to the source word first, forming a small dictionary; then perform a full dictionary attack, applying various permutations to all words from the newly formed list.

Mask Attack
Certain passwords or password ranges may be known. The mask attack allows creating a flexible mask, brute-forcing the resulting limited combination of passwords very quickly. The masks can be very flexible. One can specify placeholders for static characters, letter case, as well as full or limited range of special characters, digits or letters. Think of the Mask attack as an easy (and very flexible) way to check all obvious passwords from Password000 to Password999.

Combination Attack
You have two dictionaries. We combine each word from one dictionary with every word from another. By default, the words are combined as is, but you can increase the number of possible combinations by allowing delimiters (such as space, underscore and other signs), checking upper/lower case combinations or using extra mutations.

Hybrid Attack
This is one of the more interesting attacks out there. In a sense, Hybrid attacks come very close to how real human intruders think. The Hybrid attack integrates ElcomSoft’s experience in dealing with password recovery. We’ve seen many (think thousands) weak passwords, and were able to generalize the ways people make them. Dates, names, dictionary words, phrases and simple character substitutions are the most common things folks do to make their passwords ‘hard to guess’. The new Hybrid attack will handle the ‘hard’ part.

Technically, the Hybrid attack uses one or more dictionaries with common words, and one or more .rul files specifying mutation rules. We’re supplying a few files with the most commonly used mutation rules:

Common.rul – integrates the most commonly used mutations. In a word, we’ve seen those types of passwords a lot, so we were able to generalize and derive these rules.
Dates.rul – pretty much what it says. Combines dictionary words with dates in various formats. This is a pretty common way to construct weak passwords.
L33t.rul – the “leet” lingo. Uses various combinations of ASCII characters to replace Latin letters. C001 hackers make super-strong passwords with these… It takes minutes to try them all.
Numbers.rul – mixes dictionary words with various number combinations.
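
A defender-side check built on the rule classes listed above, added here as an example: it is not Elcomsoft's code and does not reproduce the .rul file syntax, which this post does not show. The word list, the substitution table and the function name `classify` are assumptions made for the illustration; the function reports whether a proposed WPA/WPA2 passphrase reduces to a dictionary word through case changes, leet substitutions, or a numeric or date suffix.

```python
import re

# Constructed sample dictionary; a real audit would load full wordlists.
WORDS = {"password", "welcome", "summer", "company"}

# Common leet substitutions, mapped back to the letters they stand for.
UNLEET = str.maketrans("013457@$", "oleastas")

# A numeric tail that looks like a year or a day/month/year date.
DATE = re.compile(r"(?:19|20)\d{2}|\d{1,2}[./-]?\d{1,2}[./-]?(?:\d{4}|\d{2})")
# Characters allowed in a suffix: digits and common delimiters.
TAIL = re.compile(r"[\d ._/!-]*")


def classify(psk, words=WORDS):
    """Return the mutation classes that reduce psk to a dictionary word.

    An empty list means no rule class modelled here reaches the passphrase.
    """
    if not 8 <= len(psk) <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 characters long")
    # Try the longest stem first so leet digits inside the word are not
    # mistaken for a numeric suffix.
    for cut in range(len(psk), 0, -1):
        stem, tail = psk[:cut], psk[cut:]
        if not TAIL.fullmatch(tail):
            break  # a longer tail would contain the same disallowed character
        lowered = stem.lower()
        plain = lowered.translate(UNLEET)
        if lowered not in words and plain not in words:
            continue
        found = []
        if lowered not in words:
            found.append("l33t")  # only the un-leeted form is a dictionary word
        if stem != lowered:
            found.append("case")
        digits = tail.strip(" ._/!-")
        if DATE.fullmatch(digits):
            found.append("dates")
        elif digits:
            found.append("numbers")
        return found or ["dictionary"]
    return []
```

Any non-empty result means the passphrase sits inside the search space of a dictionary-plus-rules audit and should be replaced before deployment.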

Hacking For Dummies, 3rd Edition by Kevin Beaver

Tuesday, November 2nd, 2010

Although this new book has been on sale since January this year, we are happy to officially say our words of gratitude to Kevin Beaver and recommend it to you.

In his book Kevin insists that the best way to really understand how to protect your systems and assess their security is to think from a hacker’s viewpoint, get involved, learn how systems can be attacked, and find and eliminate their vulnerabilities. It all practically amounts to being inquisitive and focusing on real problems, as opposed to blindly following common security requirements without understanding what it’s all about.

Kevin extensively writes on the questions of cracking passwords and weak encryption implementations in widely used operating systems, applications and networks. He also suggests Elcomsoft software, in particular Advanced Archive Password Recovery, Elcomsoft Distributed Password Recovery, Elcomsoft System Recovery, Proactive Password Auditor, and Elcomsoft Wireless Security Auditor, as effective tools to regularly audit system security and close detected holes.

In this guide Kevin communicates the gravity of ethical hacking in very plain and clear words and gives step-by-step instructions to follow. He easily combines theory and practice, providing valuable tips and recommendations to assess and then improve security weaknesses in your systems.

We want to thank Kevin for testing and including our software in his very “digestible” beginner guide to hacking and recommend our readers this book as a helpful tool to get all facts in order. :)

ElcomSoft News

Wednesday, July 22nd, 2009

As the second summer month is coming to an end, it’s time to sum up our news and updates that you might have missed because of vacation in some tropical heaven. The last two weeks brought us really hot days, not only because of the temperature in Moscow City but also due to hard work on program updates. Here is the news:

  • We released the new version of Distributed Password Recovery. It features support for TheBat! and TheBat! Voyager mail clients master passwords (masterkey.dat) and passwords to TheBat! backup files (*.tbk). The GPU acceleration has been extended and now works for Domain Cached Credentials (DCC), as well as Office 2007, Adobe PDF 9, Windows logon passwords (LM and NTLM), WPA/WPA2, and MD5 hashes.
  • A new version of Elcomsoft Wireless Security Auditor was released. EWSA 1.03 is able to extract WPA-PSK password hashes from local systems when Wireless Zero Configuration is used.
  • Our website is now available in Spanish, Italian, and Polish. We promise to add more languages soon to bring our customers information in their native tongues.
  • Follow us on Twitter to be the first to receive our news or become a fan on our brand-new Facebook page. You can also subscribe to our newsletter.

ATI’s Hall of Fame

Thursday, June 18th, 2009

ATI Stream Developer Showcase enrolled our Elcomsoft Wireless Security Auditor in its security section, among other “notable applications” that use ATI Stream technology:

Yet another piece of pleasant morning news 🙂


Living to the 64-bit rhythms

Tuesday, May 26th, 2009

All modern AMD and Intel processors are 64-bit, and corresponding Windows versions are also on the market. It is highly recommended to use 64-bit systems (though 32-bit systems work perfectly on 64-bit processors) because in this case more than 3 Gb RAM can be employed, and today we have lots and lots of 64-bit systems, so it’s getting more and more critical.

Too much security won’t spoil the router, will it make it better?

Monday, May 18th, 2009

A number of D-Link routers are now equipped with a captcha feature. Sounds interesting.

The chief technology officer at D-Link says: "We are excited to be the first in the market to implement captcha into our routers, providing yet another layer of security to our customers".

No doubt, captcha is a wonderful spam filter for mail and a reliable obstacle to unauthorized access on the web, but is it as good for routers as for the web?