Antony Law
Matric No: S1125113
Honours Research and Project Methods
(MHG405279)
Module Leader: Brian Shields
Final Honours Project Report
A Comparison Study of Simple to Complex Passwords Implementation in
WLANs Security Framework
Project Supervisor: Dr. Ali Shahrabi
Second Marker: Iain Lambie
Submitted for the Degree of BEng (Hons) Network Systems Engineering
2015-2016
“Except where explicitly stated all work in this document is my own”
Signed: Date:
Abstract
The 802.11 standard allows for wireless communication by transmitting data through the air. This offers great flexibility and ease of installation compared with wired networks. However, propagated radio signals are not confined, so data can easily be intercepted, which leads to insecure data transmission. Thus, the Wired Equivalent Privacy (WEP) protocol was initially developed to achieve data confidentiality, integrity and authorisation. Later, flaws were discovered, which led to the creation of Wi-Fi Protected Access (WPA) and finally the 802.11i protocol, to provide secure wireless communication. WPA and 802.11i are “password” protected, and the password is used to authenticate a client. This makes WPA and 802.11i vulnerable to a “brute-force” or a “dictionary” attack, and the attack is only successful if a client is associated with the AP or router of the target network.
The aim of this project is to evaluate the impact of “simple” versus “complex” passwords implemented in WPA and 802.11i, to determine which is most resistant to cryptanalysis. This experimental project will be conducted in a lab environment, and either a brute-force or a dictionary attack will be launched with the oclHashcat program against the simple to complex passwords. The password scenarios created must meet the factors of ease of use and memorability, to simulate a real-life scenario as closely as possible, and two dissimilar password strength meters (My1login and The Password Strength Meter) are also used to validate the classification of each password scenario as simple or complex. The metrics of interest are the success or failure of the attack, along with the recorded time of successful attacks only, to establish the variance in security level provided by simple and complex passwords. In addition, the “Aircrack-ng” program supplied by the Kali Linux OS will be used to capture the four-way handshake packets, to distinguish any differences between the two protocols (WPA and 802.11i).
Previous studies have identified that increasing the password length is more secure than creating a meaningless password from a mixture of characters. Increasing password length achieves memorability and usability without decreasing security. Complex passwords are more secure than simple passwords, but the success of password cracking is subjective, depending on the hacker’s intelligence and the wordlist applied. The outcome of this experiment emphasises the importance of user awareness in selecting passwords and protocols. Most importantly, IT specialists and general users can benefit by creating an educated password that provides a satisfactory level of security under their control.
Acknowledgments
I would like to thank my family and friends for their consistent support throughout the development of my Honours project report. In addition, I appreciate the time my supervisor offered me to regularly monitor my work and keep me in the correct direction.
Acronyms
Wi-Fi – Wireless Fidelity
WEP – Wired Equivalent Privacy
WPA – Wi-Fi Protected Access
OS – Operating System
IEEE – Institute of Electrical and Electronics Engineers
WLAN – Wireless Local Area Network
ICV – Integrity Check Value
IV – Initialisation Vector
RC4 – Rivest Cipher 4
WAP – Wireless Access Point
XOR – Exclusive OR
TKIP – Temporal Key Integrity Protocol
PSK – Pre-Shared Key
MIC – Message Integrity Check
RSN – Robust Security Network
EAP – Extensible Authentication Protocol
AES – Advanced Encryption Standard
RADIUS – Remote Authentication Dial-In User Service
IPv4 – Internet Protocol Version 4
CPU – Central Processing Unit
GPU – Graphics Processing Unit
PMK – Pairwise Master Key
HMAC – Hash-based Message Authentication Code
SHA – Secure Hashing Algorithm
LEAP – Lightweight Extensible Authentication Protocol
TTLS – Tunneled Transport Layer Security
PEAP – Protected Extensible Authentication Protocol
FAST – Flexible Authentication via Secure Tunneling
MD5 – Message-Digest 5
OTP – One-time Password
NIST – National Institute of Standards and Technology
SSID – Service Set Identifier
WNIC – Wireless Network Interface Card
ISO – International Organisation for Standardisation
CD-ROM – Compact Disc Read-Only Memory
CLI – Command Line Interface
GUI – Graphical User Interface
Table of Contents
Chapter 1 ..................................................................................................................................1
Introduction..............................................................................................................................1
1.1 Project Background..........................................................................................................1
1.2 Project Outline & Research Question..............................................................................3
1.2.1 Project Method..........................................................................................................4
1.2.2 Research Question.....................................................................................................4
1.2.3 Objectives..................................................................................................................4
1.2.4 Hypotheses................................................................................................................6
1.3 Report Structure ...............................................................................................................7
1.3.1 Literature Review......................................................................................................7
1.3.2 Methodology.............................................................................................................7
1.3.3 Results.......................................................................................................................7
1.3.4 Final Discussion & Conclusions...............................................................................8
Chapter 2 ..................................................................................................................................9
2. Literature Review ................................................................................................................9
2.1 Wireless Local Area Networks (WLANs).......................................................................9
2.2 Wireless Security Human Factors and Technical Factors .............................................10
2.3 WEP Weaknesses...........................................................................................................11
2.4 WPA and WPA2 (802.11i) Encryption Technique........................................................11
2.4.1 802.11i Authentication (EAP) ................................................................................12
2.5 Capturing Four-way Handshake ....................................................................................12
2.5.1 Security Level Rollback Attack ..............................................................................13
3 Passwords.............................................................................................................................14
3.1 User Password Creation.................................................................................................14
3.1.1 Potential Password Combinations (Simple to Complex Passwords) ......................15
3.1.2 Mnemonic Password VS Regular Passwords .........................................................15
3.2. Password Meters ...........................................................................................................16
3.2.1 Measurement of Password Strength........................................................................16
3.3 Alternative Password Cracking Methods.......................................................................17
Chapter 4 ................................................................................................................................19
4. Methodology .......................................................................................................................19
4.1 Primary Research Method...............................................................................................19
4.2 Intended Experiment......................................................................................................20
4.2.1 Construction and Configuration of Topology.........................................................20
4.2.2 Implementation .......................................................................................................23
4.2.3 Password Scenarios (Test Data)..................................................................................26
4.2.4 Password Cracking Approach.................................................................................28
5. Results .................................................................................................................................33
5.1 Four-Way Handshake (Data) Packets............................................................................33
5.1.1 Comparison between WPA and WPA2 Data Captured............................................34
5.1.2 Simple Password Scenarios VS Complex Password Scenarios Implemented in
WPA and WPA2 ..............................................................................................................35
5.2 Variance of Security Due to Simple and Complex Password Scenarios .......................38
5.2.1 Comparison between Simple and Complex Passwords Implemented in WPA and
WPA2...............................................................................................................................38
5.2.2 Comparison between WPA and WPA2 protocols against Simple to Complex
Passwords.........................................................................................................................40
Chapter 6 ................................................................................................................................42
6. Final Discussion and Conclusions.....................................................................................42
6.1 Summary of Project .......................................................................................................42
6.2 Discussion of Results.....................................................................................................43
6.2.1 Research Question Findings & Hypotheses............................................................43
6.2.2 Limitations and Further Works...............................................................................45
6.2.3 Advantages..............................................................................................................46
6.4 Conclusions Remark ......................................................................................................46
References...............................................................................................................................48
Additional Bibliography........................................................................................................53
List of Figures
Figure 2.1 Hashing Process…………………………………………………………………...12
Figure 2.2 Deauthentication Attack…………………..............................................................13
Figure 4.1 Experimental Topology..........................................................................................21
Figure 4.3 Launching Dictionary-Based Attack…………………………………...................29
Figure 4.4 Local Telephone Mask and Brute-Force Attack Configurations…………………30
Figure 4.5 Possible Permutation Based on Typical Passphrase “Password”…………..…….31
Figure 4.6 Rule-Based Attack…………..……………………………………………………32
Figure 4.7 Rule-Based Total Time Estimated to be Run………………………………….....32
Figure 5.1 Data Packets Captured in WPA and WPA2 with Simple Password Scenarios
Implemented………………………………………………………………………………….34
Figure 5.2 Data Packets Captured in WPA and WPA2 with Complex Password Scenarios
Implemented………………………………………………………………………………….34
Figure 5.3 Data Packets Captured in WPA-PSK against Simple and Complex Password
Scenarios Implemented………………………………………………………………………35
Figure 5.4 Data Packets Captured in WPA2-PSK against Simple and Complex Password
Scenarios Implemented………………………………………………………………………36
Figure 5.5 Comparison between Tsitroulis, (2014) summarised results with WPA2-PSK
Complex Password Scenarios of Averaged Data Packets Captured…………………………37
Figure 5.6 Success and Failure Rate of Simple and Complex Password Scenarios
Implemented in WPA-PSK + TKIP………………………………………………………….38
Figure 5.7 Success and Failure Rate of Simple and Complex Password Scenarios
Implemented in WPA2-PSK + AES…………………………………………………………39
Figure 5.8 Comparison between WPA and WPA2 with Simple Password Scenarios
Implemented…………………………………………………………………………………40
Figure 5.9 Comparison between WPA and WPA2 with Complex Password Scenarios
Implemented…………………………………………………………………………………41
List of Tables
Table 4.1 Assigned IPv4 Addresses………………………………………………………….22
Table 4.2 Test Data: Simple and Complex Passwords……………………………………….27
Chapter 1
Introduction
This section provides an overview of the research area: wireless networks, which have become ubiquitous because of their advantages. However, security aspects were commonly ignored for the sake of convenience, which became a drawback. This motivated the development of wireless encryption protocols to provide wireless security. The section also describes how human factors influence the security level of a wireless network, since human factors are a fundamental aspect to consider.
1.1 Project Background
In 1997, the Institute of Electrical and Electronics Engineers (IEEE) devised the 802.11 standard, which achieves wireless network communication in a Local Area Network (LAN), known as a Wireless LAN (WLAN), without the need for wired connections between devices. Kumar et al., (2012) indicated that WLAN communication operates on the unlicensed frequency bands of 2.4 GHz, 3.6 GHz and 5 GHz. Similarly, Li and Garuba, (2008) stated the advantages offered, including (but not limited to) mobility and ease of installation. A recent study illustrated the exponential growth of WLAN markets for both consumers and enterprises due to the advanced wireless standard 802.11ac, which offers enhanced performance (Worldwide WLAN Market Shows Continued Growth in Second Quarter of 2014, according to IDC; International Data Corporation, 2014). Furthermore, this encouraged a 41.8% increase in the number of unique Wi-Fi networks recorded between 1st of Feb. 2014 and 3rd of Feb. 2015 (https://wigle.net/stats, 2010). This implied that the demand for WLAN technology is substantial, and a study conducted by Zhang et al., (2012) identified that WLAN technology is necessary in day-to-day activities of work. On the other hand, Bulbul et al., (2008) emphasised the security concern that radio transmission can be intercepted by a hacker. Thus, the WEP protocol was introduced in order to provide a level of security equivalent to wired networks. Borisov et al., (2001) suggested this protocol would closely match the security of a wired network, with the aim of providing confidentiality and integrity of data against hackers.
The working of WEP was discussed by Kumkar et al., (2012) to demonstrate how these goals are met. Firstly, the plaintext to be transmitted is appended with the Integrity Check Value (ICV), in order to ensure that data is not altered. Secondly, a key stream is required for data encryption. This key stream is produced by the RC4 (Rivest Cipher 4) algorithm from the combination of a 40-bit WEP key and a 24-bit Initialization Vector (IV), giving a 64-bit key length. Yin and Cui, (2011) defined the WEP key as a password that is used to authenticate a user on an Access Point (AP), also available with an extended 104-bit key length. This also implies that the passphrase length is limited by the key length. Lastly, the exclusive OR (XOR) Boolean operator combines the plaintext with the key stream to generate the ciphertext, which is transmitted along with the IV.
While WEP’s objective was to ensure secure wireless data transmission, many flaws were discovered, which resulted in the failure to achieve its objectives (Borisov et al., 2001). The improper use of the RC4 algorithm, the small IV size and the inappropriate use of the root key make it easier for a hacker to exploit WEP. As mentioned above, the key stream is generated from the WEP key and the IV. Therefore, once a sufficient number of IVs have been captured, a hacker can obtain the plaintext, because the same ‘root’ key is also used. The extended IV size also did not provide sufficient security, as demonstrated by Walker, (2000), because the RC4 architecture was poorly designed. Fluhrer et al., (2001) further demonstrated that a key recovery attack on the RC4 key scheduling algorithm was successful, as the first 3 bytes of the key, the IV, are always sent unencrypted, allowing weak keys to be identified in order to crack the key. A study by Yin and Cui, (2011) commented on the RC4 algorithm being ineffective due to its simple keys. This implied that simple passwords are used, making exploitation through cryptanalysis easier. Although complex passwords benefit from being more resistant to cracking, Yin and Cui, (2011) further expanded that they do not provide satisfactory security for users, due to WEP’s flawed architecture, namely the leaked IV and the reuse of the same root key described above, which allows the plaintext to be recovered.
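The WEP mechanism described above, modelled in Python as an added example (this is not code from the report): the ICV is a CRC-32 over the plaintext, RC4 is keyed with the 24-bit IV prepended to the root key, the ciphertext is the XOR of plaintext || ICV with the key stream, and the IV travels in clear. The root key, IV and frame contents are constructed sample values; the last helper checks the consequence of the IV and root-key reuse that the paragraph describes, namely that the key stream repeats and the XOR of two ciphertexts equals the XOR of their plaintexts.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm followed by the PRGA, returning `length` key stream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute the state under the key (IV || root key in WEP)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # PRGA: one key stream byte per iteration
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || ciphertext, where ciphertext = (plaintext || ICV) XOR RC4(iv || root_key)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(root_key) not in (5, 13):  # 40-bit or extended 104-bit root key
        raise ValueError("WEP root key is 40 or 104 bits")
    icv = struct.pack("<I", zlib.crc32(plaintext))  # ICV: CRC-32 of the plaintext, little-endian
    body = plaintext + icv
    return iv + xor_bytes(body, rc4_keystream(iv + root_key, len(body)))


def wep_decrypt(root_key: bytes, frame: bytes) -> bytes:
    """Recover the plaintext from iv || ciphertext and verify the ICV; raise on a mismatch."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + root_key, len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(plaintext):
        raise ValueError("ICV check failed")
    return plaintext


def icv_detects_modification(root_key: bytes, frame: bytes, byte_index: int = 3) -> bool:
    """Flip one bit of the protected body and report whether the ICV check rejects the frame."""
    tampered = bytearray(frame)
    tampered[byte_index] ^= 0x01
    try:
        wep_decrypt(root_key, bytes(tampered))
    except ValueError:
        return True
    return False


def same_iv_leaks_plaintext_xor(root_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """The weakness the report describes: with the same IV and root key the key stream repeats,
    so XORing the two ciphertexts cancels it and yields p1 XOR p2 without knowing the key."""
    c1 = wep_encrypt(root_key, iv, p1)[3:]
    c2 = wep_encrypt(root_key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


SAMPLE_KEY = bytes.fromhex("0102030405")  # constructed 40-bit root key
SAMPLE_IV = bytes.fromhex("aabbcc")       # constructed 24-bit IV

if __name__ == "__main__":
    frame = wep_encrypt(SAMPLE_KEY, SAMPLE_IV, b"hello wlan")
    print("frame:", frame.hex())
    print("decrypted:", wep_decrypt(SAMPLE_KEY, frame))
    print("tamper detected:", icv_detects_modification(SAMPLE_KEY, frame))
    print("same IV leaks XOR:", same_iv_leaks_plaintext_xor(SAMPLE_KEY, SAMPLE_IV, b"hello wlan", b"other data"))
```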
A recent study (Mavridis et al., 2011) found that organisational confidence in deploying wireless networks was influenced by WEP’s insecurity. However, the Wi-Fi Alliance introduced an interim solution to address the flaws identified in WEP (Everts and Editor, 2003). This protocol, namely Wi-Fi Protected Access (WPA), was ratified in 2003 with new and improved mechanisms. Li and Garuba, (2008) demonstrated how the new mechanism, TKIP (Temporal Key Integrity Protocol), is used to improve the encryption of data: it hashes the Pre-Shared Key (PSK) with an IV, and adds a Message Integrity Check (MIC or Michael) to avoid tampering of data. Moreover, a 128-bit key and a 48-bit IV are used, the IV serving as a counter to avoid replay attacks; these are fed into the RC4 algorithm, which produces a sequential key stream that is XORed with the transmitted data to generate the ciphertext. Bhagyavati et al., (2004) stated that WPA is cost-effective and convenient due to its compatibility with existing WEP devices, requiring only a firmware update. In contrast, Bhagyavati et al., (2004) also identified a drawback of WPA due to the simple passwords chosen by users. In addition, Moskowitz, (2003) further supported that dictionary or brute-force attacks can be launched offline. Consequently, once hackers have obtained the password files, they can recover the passwords at their own pace, with no limit on attempts or time. However, in an “online” attack, hackers may be limited to a number of attempts if password “lock-outs” have been implemented as a security measure (Han, Wong & Chao, 2014).
Altunbasak et al., (2004) introduced IEEE 802.11i (WPA2) with a discussion of the mechanisms in place. 802.11i comprises an upgraded architecture, the Robust Security Network (RSN), utilising 802.1X, the Extensible Authentication Protocol (EAP) and the Advanced Encryption Standard (AES) as a secure authentication and key management technique, performing the “four-way handshake” (Yin and Cui, 2011). Shao et al., (2010) and Mavridis et al., (2011) clarified the need to upgrade existing old WEP equipment, because the demand on computational resources is intensive.
Kumar et al., (2012) defined the two available modes of WPA and WPA2: PSK and Enterprise. Firstly, PSK is suitable for personal use or a small organisation (SOHO – Small Office Home Office), in which a user is granted access with the valid key (passphrase), compared against the key stored on the Access Point (AP). Secondly, Maple et al., (2006) described in detail how Enterprise mode is used. EAP is typically utilised by large enterprises, with the requirement of a remote server, typically Remote Authentication Dial-In User Service (RADIUS), to store the credentials of each user belonging to that enterprise; the 802.1X protocol relays the user’s credentials between the AP and the remote server for client-to-server authentication. If the user’s credentials match, then access is granted. This suggests that a complex password could lead to a more secure network, as it is assumed to be more difficult to brute-force.
With security protocols continuously improving, Chen and Chang, (2015) stated that WPA and WPA2 are considered to provide sufficient levels of security from a design architecture perspective. Bhagyavati et al., (2004) stated that technical factors are as important as human factors. Tsitroulis et al., (2014) further supported this statement and commented that both protocols are susceptible to traditional brute-force and dictionary attacks, as users are likely to choose weak passwords for convenience: something simple and memorable. A previous study conducted by Shay et al., (2010) found that common passwords are typically made up of dictionary words and names. It further reported that students felt that using complex passwords is inconvenient but proved to be more secure, which implied that complex passwords are usable. This highlights the importance of using complex passwords, increasing resistance against a successful brute-force or dictionary attack. Tsitroulis et al., (2014) also emphasised that dictionary or brute-force attacks are only successful if the password is available in the wordlist.
Krekan et al., (2012) noted that generating a broad wordlist requires a high demand of computational resources. However, recent studies by Florencio and Herley, (2007) and Duggan et al., (2012) demonstrated that it is inefficient and unrealistic to test “meaningless” password candidates, taking into account the key length of 8 to 63 characters and the total number of password combinations, from 95^8 to 95^63. Moreover, the memory required to store the generated wordlist is infeasible. Therefore, Krekan et al., (2013) and Chen and Chang, (2015) introduced a logical and statistical approach, performed with available software such as “oclHashcat” and hardware resources such as the General Purpose Graphics Processing Unit (GPGPU), which offers enhanced performance compared with a high-end CPU.
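As an added illustration of the figures in this paragraph (not part of the report), the following Python sizes the 95^8 to 95^63 passphrase keyspace, the storage an exhaustive wordlist would need and the worst-case time to exhaust it, and contrasts adding character classes with adding length. The guess rate and the comparison policies are assumed placeholder values, not measurements from the report’s hardware.

```python
import math

PRINTABLE_ASCII = 95                # alphabet behind the report's 95^8 to 95^63 range
MIN_LEN, MAX_LEN = 8, 63            # WPA/WPA2 passphrase length limits quoted in the report
ASSUMED_GUESSES_PER_SEC = 100_000   # placeholder rate; substitute a measured figure for a real GPU
NEWLINE_BYTES = 1                   # one separator byte per wordlist entry
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy of a password chosen uniformly from `space` candidates."""
    return math.log2(space)


def wordlist_bytes(alphabet_size: int, length: int) -> int:
    """Storage needed to write every candidate of this length to a wordlist, one per line."""
    return keyspace(alphabet_size, length) * (length + NEWLINE_BYTES)


def years_to_exhaust(space: int, guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate in `space` at the given guess rate."""
    return space / guesses_per_sec / SECONDS_PER_YEAR


def full_wpa_keyspace() -> int:
    """Every printable-ASCII passphrase of 8 to 63 characters: the sum of 95^8 .. 95^63."""
    return sum(keyspace(PRINTABLE_ASCII, n) for n in range(MIN_LEN, MAX_LEN + 1))


# Constructed policies contrasting the two strategies the report discusses:
# more character classes at the same length versus more length from a small alphabet.
POLICIES = {
    "8 lowercase letters": (26, 8),
    "8 printable ASCII": (95, 8),
    "12 printable ASCII": (95, 12),
    "16 lowercase letters": (26, 16),
}


def compare_policies(guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> dict:
    """Per policy: keyspace entropy in bits, exhaustive wordlist size in bytes, years to exhaust."""
    result = {}
    for name, (alphabet, length) in POLICIES.items():
        space = keyspace(alphabet, length)
        result[name] = {
            "bits": round(entropy_bits(space), 1),
            "wordlist_bytes": wordlist_bytes(alphabet, length),
            "years": years_to_exhaust(space, guesses_per_sec),
        }
    return result


if __name__ == "__main__":
    for name, stats in compare_policies().items():
        print(f"{name:22s} {stats['bits']:6.1f} bits  "
              f"{stats['wordlist_bytes'] / 1e15:14.3f} PB  {stats['years']:.3e} years")
    print(f"full 8-63 character space: {entropy_bits(full_wpa_keyspace()):.1f} bits")
```

The 16-letter lowercase policy comes out well above the 8-character printable-ASCII one, which is the length-over-complexity point the report makes, and even the 8-character wordlist alone runs to tens of petabytes.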
A recent study conducted by Krekan et al., (2012) stated that approximately 77% of IT administrators do not have a computer security background. This implied that, more often than not, users are not aware of security risks. Therefore, it would be informative to conduct an experiment emphasising the difference in effect between simple and complex user passwords implemented in a security protocol, in order to determine which is most resistant to cryptanalysis.
1.2 Project Outline & Research Question
This section defines the research question to be answered, with justification of the motivation for this study. It includes a discussion of the project type and the aims to be achieved, with the associated hypotheses.
1.2.1 Project Method
This project type is experimental.
Initial research within the field of wireless security encryption protocols identified extensive studies of the WEP encryption protocol, revealing its vulnerabilities (Sheldon et al., 2012). This drove the author to further research the two available encryption protocols, WPA and WPA2. Both protocols have been proved to be susceptible to brute-force and dictionary attacks, because of the security gaps caused by users implementing weak, easy-to-guess passwords (Lashkari et al., 2009). A recent study conducted by Chen and Chang, (2015) indicated the uniqueness of their project, as the empirical data (encrypted password files) utilised were real-life passwords obtained in a public area of Taiwan. It is impractical for the author to obtain real-life passwords within the GCU campus. This encouraged the author to create realistic passwords as test data, which simulate human behaviour as closely as possible by taking into account the memorability and usability factors, as Duggan et al., (2012) and Shay et al., (2010) emphasised that both factors strongly influence a user’s choice of password. Therefore, this project will emphasise to all users of wireless networks that the human factor is fundamental to achieving the full security potential of WPA and WPA2. The extensive research carried out suggested that the author should conduct the study in a physical lab environment, as no previous research papers have performed the experiment in a simulated environment. Simulation experiments with regard to wireless security encryption protocols were identified as causing significant problems and misleading results, which implied that undertaking this project through simulation modelling would be unrealistic and inaccurate (Heidemann et al., 2000).
1.2.2 Research Question
“How does the level of resistance vary according to simple and complex passwords utilised
against a brute-force or dictionary attack on a system, when implemented into the wireless
security protocols WPA and WPA2 (802.11i)?”
1.2.3 Objectives
The aim of this project is to determine the level of resistance provided by a ‘simple’ and a ‘complex’ password implemented in a wireless access point (WAP), with two wireless security encryption protocols enabled in turn: WPA-PSK and WPA2-PSK. The metrics captured will be the success or failure of the attack, along with the total time of successful attacks only; these results will be analysed to conclude the strength of the security provided, to highlight the effectiveness of each password and to emphasise the effort required for an adversary to recover it. In addition, the results will be used for comparative analysis to find out the effects (if any) of the choice between the two wireless encryption protocols, WPA-PSK and WPA2-PSK. In order to conduct this project, a list of primary and secondary objectives has been identified and investigated.
The objectives to be addressed through an extensive literature review:
• Investigate how human factors are considered a security gap in protecting a wireless network.
This will involve extensive research into the human factors which cause security gaps in the network, identifying the main issues fuelling the insecurities caused by the user, and how this project will attempt to improve user behaviour commensurate with the security level.
• Identify appropriate simple to complex passwords as test data for realistic results.
Research into users’ password creation will help the author identify the most suitable password-composition policies to simulate real-life user password creation, and help classify passwords into the appropriate category, either “simple” or “complex”.
• Investigate the logical approach of using a brute-force or dictionary attack through previous literature, and identify the most efficient and suitable method for this project.
Previous studies within the literature review (Tsitroulis et al., 2014) stated that “intruders are only successful in password cracking if the given password is available within the wordlist”. From these studies, it is clear that the researchers adopted their own logical approach to password cracking experimentation. This should also be applicable to this project, and with the understanding and knowledge gained from the literature review, devising a logical method for this project should be attainable.
It is essential to outline the list of objectives that will be performed in order to complete the project successfully.
The primary objectives are identified below:
• Construction and configuration of the topology to mimic the real-life scenario of a valid client connecting to a wireless access point.
o This will include assigning IPv4 (Internet Protocol Version 4) addresses to the WAP and the PCs, prior to connecting the PCs to the WAP.
o Installation of the penetration tool, Kali Linux, on the bare metal of another dedicated physical machine.
• Implementation of the required test data.
o Test data includes simple and complex passwords.
o Perform a brute-force or dictionary attack against the test data, using a PC with a “high-speed” GPU installed. In this case a GeForce GTX 660 Ti (GPU) was purchased.
• Evaluate the metrics from the launched attack.
o Record all the required metrics.
- Total time of success.
- Success or failure of the attack.
o Determine the level of resistance provided by simple and complex passwords.
1.2.4 Hypotheses
H1: Complex passwords will be more resistant against a brute-force or dictionary-based attack than simple passwords implemented in the WPA and WPA2 encryption protocols.
Through the literature review, the author is able to distinguish between a simple and a complex password in Section 3.2. Komanduri et al., (2011) indicated that complex passwords are more resistant to password cracking than simple passwords, for example by increasing the number of characters, as the number of combinations rises exponentially with length. Therefore, simple and complex passwords will be tested against a brute-force or dictionary attack, and the metrics of total success time and success or failure of the attack can prove or disprove hypothesis H1.
H2: Complex passwords are assumed to be more resistant to password cracking than simple passwords. Therefore, more four-way handshake (data) packets are expected to be gathered from a complex password scenario than from a simple password scenario.
The experiment undertaken by Yin and Cui, (2011), capturing IVs to crack the WEP encryption protocol, discovered that complex passwords gathered a higher number of IVs than simple passwords used for WEP. Furthermore, Tsitroulis, (2014) undertook an experiment attacking the WPA2 protocol, also recording the number of data packets captured for all password scenarios. However, the most complex password did not require the most packets to be captured, so the relationship is assumed to be unpredictable. For example, the password “Icecream” captured ‘22794’ packets and another password scenario, “Sky$kr@p3r!newy0rkc1ty%”, captured ‘14761’ packets, so it could not be declared that complex passwords require more data packets to be captured. Therefore, it would be of interest to prove or disprove this statement when utilising both protocols, WPA and WPA2, with the metric “data packets captured” recorded for validation.
H3: WPA+TKIP and WPA2+AES will be cracked utilising the same method. Thus, there will be no or negligible difference between the two protocols when cracking the password scenarios, simple to complex.
The WPA and WPA2 encryption protocols use two different encryption standards, TKIP and AES respectively. AES encryption demands more intensive processing power than the TKIP encryption technique, which leads us to believe that deciphering the hashed password file would be more difficult against AES than TKIP. However, Yin and Cui, (2011) proved that encryption bit size does not impact the deciphering process of WEP. Therefore, it can be predicted that AES and TKIP will have no effect when deciphering the captured four-way handshake, because encryption bit size did not influence the cracking of WEP. The metrics recorded to validate this statement will be the success rate (%) and the total time required for successful cracks only. The total time taken for a failed attempt will not be recorded, as it would have no significant value in justifying hypothesis H2, as discussed later in the report (Section 4).
1.3 Report Structure
1.3.1 Literature Review
Sections 2 and 3 of the report contain the Literature Review, which is used to provide a
better level of understanding and knowledge of the project topic area. The Literature Review
is then used to “drive” the project forward and subsequently put the author in a position to
perform the project experiment, from which an answer to the research question should be
provided.
1.3.2 Methodology
Section 4 will provide insight into how the project experiment will be conducted in order to
fulfil the primary objectives listed in Section 1.2.3, and will include the following details:
• Experiment topology.
• Device information and configurations.
• Software used within the experiment (such as the penetration tool).
• Simple and complex password scenarios (test data).
• Commands used and the attack launched.
The choice of methodological approach will also be justified as the most appropriate for this
experiment.
1.3.3 Results
In order to interpret the results clearly for the reader, all findings from the conducted
experiment are presented in Section 5. The metrics are further justified with the appropriate
literature to outline their significance in relation to the project. All results are then
summarised and displayed appropriately with detailed commentary, discussing the meaning of
each result with regard to the research question stated in Section 1.2.2, and testing the
hypotheses stated in Section 1.2.4.
1.3.4 Final Discussion & Conclusions
Further discussion based on the results, and the status of the hypotheses, is included in
Section 6. The final conclusions of our work are consistently contrasted with the relevant
work of others to highlight any notable differences, and dissimilar findings are identified
with the appropriate justification. The limitations of our work are detailed along with the
further work available to improve on the results obtained and drive the project experiment
further. Finally, the overall project is concluded with a statement of the value of the study.
Chapter 2
2. Literature Review
The literature is considered as an essential element with regards to the overall project, as this
provides the author a basis of knowledge about the chosen project area. The author will
undertake in-depth research of the project area to gain a deeper understanding of the related
field of work and the methodologies utilised by previous researchers. This allows the author
to conclude upon the most appropriate methodologies to utilise for their project and how the
project will be delivered, and in turn, be of unique value within the research area.
2.1 Wireless Local Area Networks (WLANs)
The first “wireless fidelity” (Wi-Fi) standard was released in 1999 by the IEEE Working Group
(WG); this standard was 802.11a, with the capability of transferring data at up to 2Mb/s
(Megabits per second). In addition, Choi et al., (2014) conducted a study of the Wi-Fi
standards, which continually evolved with greater enhancements of three factors: “throughput”,
“wide-range coverage”, and “ease of use”. The standards available are 802.11a, b, g, and n,
which operate on the unlicensed frequency bands of 2GHz, 3.4GHz and 5GHz. The 802.11n
standard was outstanding as it achieved data rates of up to 600Mb/s, which was comparable
with wired networks such as Ethernet (cable) (Choi et al., 2014). A study conducted by Verma
and Lee, (2011) stated that demand for increasing wireless speeds and usage is critical, as the
bandwidth consumed by large file transfers and the streaming of HD (High Definition) quality
video is increasing rapidly. This implied that 802.11n is insufficient to handle the high
demand for data throughput, and later the IEEE 802.11ac standard was developed, exceeding data
rates of 1Gb/s (Gigabits per second), also operating on the 5GHz frequency band and thereby
avoiding interference from the 2.4GHz band, which a substantial number of devices share.
Wireless offers advantages such as ease of installation and the ability to connect devices
where cable installation is not feasible, making it cost-effective, attractive and flexible,
as users are not restricted to one location and are able to roam within the wireless
coverage. Because of these advantages, Yin and Cui, (2011) stated that companies are convinced
by the convenience offered.
On the other hand, Bulbul et al., (2008) noted that experts predicted security to be a major
drawback, because wireless networks travel via radio signals through the air, which penetrate
walls and are not confined to one area. Li and Garuba, (2008) emphasised the vulnerability of
wireless networks, as signals can be intercepted by a hacker with malicious intent. In
contrast, a wired LAN can only be intercepted if the wired media is “tapped”, which requires
the hacker to be located within the infrastructure. Moreover, it is essential to illustrate
the threats faced when utilising wireless networks, as “non-specialist” IT users are unaware
of the severe consequences.
2.2 Wireless Security Human Factors and Technical Factors
From the paper “Wi-Fi Networks Security and Accessing Control” it was stated that current
researchers are looking for authentication and encryption algorithms to ensure that defensive
capabilities are in place to provide a complete security solution. This is related to an
assertion made by Bhagyavati et al., (2004) that technical factors are as important as human
factors, implying that wireless security encryption can only be used to its full potential if
users implement it appropriately. In addition, as researchers continuously seek advancement in
the technical aspects of security, Choi et al., (2014) emphasised that usability should be
taken into account, and that training or education must be provided when necessary, to ensure
that human factors are commensurate with technical factors and that best security practices
are adhered to.
A study conducted by Li and Garuba, (2008) identified that home users utilising WLANs do not
configure wireless encryption protocols, implying that users may not have the technical
knowledge to implement these security measures or awareness of malicious threats. This is
unacceptable as the use of e-commerce and e-services continually rises; users must be made
aware of the potential risks to their sensitive data. Moreover, Bishop and Klein, (1995)
further noted that users who consider their system free from sensitive information believe it
does not require security. However, the advancement of wireless technologies has improved
their usability to encourage users to apply appropriate security measures when necessary;
this should be exploited to prevent successful attacks and, most importantly, hackers’
capabilities should not be underestimated.
Li and Garuba, (2008) stated that new enhanced wireless encryption protocols are being made
available to the public; yet a survey conducted in San Francisco of 421 client cards and 2287
access points utilised in business networks found 35% of the networks to be insecure, with AP
values remaining at default (AirDefence, 2008). Furthermore, the research revealed that
wireless networks in the city of New York are significantly weak: 40% of business networks
were found to be unprotected and 31% displayed default values (Li and Garuba, 2008). Moreover,
Lorente et al., (2015) found that Dutch users considered the default passwords configured
within their routers to be secure. The study also outlined that WPA2 passwords generated from
weak algorithms were insecure, as this allowed an intruder who knew the same algorithm to
compute the default WPA2 passwords. Results also showed that vendors supplying the same router
make only minor modifications to their passwords. Therefore, routers worldwide are considered
to be vulnerable to password recovery attacks. This suggests that notification of these
security vulnerabilities would be beneficial for all wireless network users.
It can be declared that the continuous evolution of wireless technology will encourage the
public to deploy it and make it part of their daily activities. On the other hand, as wireless
threats are also advancing, general IT users and security experts should be made aware of the
importance of wireless security, which should not be ignored. Furthermore, users are also
deemed to be the biggest security gap, and it is evident from the discussion above that
security training or education should be delivered to ensure users are capable of
implementing adequate security measures.
2.3 WEP Weaknesses
A study conducted by Arora, et al., (2012) illustrated that the WEP encryption protocol can be
easily and quickly exploited by an inexperienced user. For example, with an AP which sends
packets of size 1500 bytes at a data throughput (bandwidth) of 5Mb/s, the limited IVs
available will quickly be reused, allowing a hacker to obtain the secret key without effort.
Furthermore, with the latest version, 802.11ac, achieving data rates over 1Gb/s, IVs will be
reused almost instantly. This implies that WEP is essentially insecure and should not be used,
as it provides an inadequate level of security. Yin and Cui, (2011) also supported that WEP is
proven to be obsolete and insecure, but is still commonly used.
From the discussion above, it can be assumed that WEP can be quickly exploited due to its
flawed architecture and its inability to provide desirable security in conjunction with the
latest wireless version available. Kumkar et al., (2012) demonstrated a technique called
“injection”, utilised to accelerate the capture of valuable IVs. Yin and Cui, (2011) described
the injection technique, defined as the “ARP Request Replay Attack”. Firstly, the intruder
must capture a valid ARP request packet sent from a valid client when attempting to
authenticate. Secondly, the intruder re-sends the captured request packets to the AP. Lastly,
the AP which received the request packets replies to the client, generating valuable IVs. In
addition, the researchers utilised the tool “Aircrack”, which is provided within the
Backtrack4-rc OS. This further supported the statement made by Walker, (2000) that extending
the IV bit size does not provide a satisfactory level of security, as it is demonstrated that
within a period of time the key can be obtained.
Throughout this discussion it can be gathered that WEP is indeed insecure, and the general
public of IT users should be made aware of this in order to encourage them to implement the
most effective up-to-date encryption protocol available (WPA2) and to enforce a suitable
security policy ensuring that feasible security practices are followed.
2.4 WPA and WPA2 (802.11i) Encryption Technique
Spector and Ginzberg, (1994) defined encryption as a one-way function. Hence, even when the
encryption function is known to the intruder, the correct password candidate must be
encrypted to generate the matching hash value (the Pairwise Master Key, PMK). This implied
the advantage of the new encryption scheme used compared with WEP.
Figure 2.1: Hashing Process (Krekan et al., 2012, pp11).
Findings from Tsitroulis et al., (2014) and Arora, et al., (2012) confirmed WPA and WPA2 to
be the most secure protocols at present. However, they were also shown to be vulnerable to a
brute-force or dictionary attack. A further study conducted by Krekan et al., (2012) defined
two techniques that will either delay or prevent the success of a brute-force or dictionary
attack. Firstly, taking advantage of the maximum password length allowed results in a high
demand for resources, which an average CPU or GPU may be incapable of processing. Secondly,
the hashing process of the PSK (4096 iterations of HMAC-SHA1) increases the workload for the
processor. Chen and Chang, (2015) also indicated the inefficiency of password cracking
utilising the traditional brute-force method, as the encryption mechanism of WPA and WPA2 is
highly secure and the computational power required can be intensive.
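As an added example (not code from the report or from oclHashcat), the PBKDF2 derivation that turns the passphrase and SSID into the PMK through the 4096 HMAC-SHA1 iterations just described, together with a cost estimate that applies the 95-character keyspace and the 40,000 guesses per second figure the report quotes in Section 3.3. The derivation uses only the passphrase and SSID, so TKIP and AES cost the same per guess, which is the basis of hypothesis H3. The SSID "IEEE" with passphrase "password" is the published 802.11i test vector; the timing helper and its candidate strings are assumptions.

```python
"""Added example, not from the report: the WPA/WPA2-PSK key stretching
step and what an exhaustive search against it costs."""
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by 802.11i for pre-shared-key mode
PMK_LENGTH_BYTES = 32      # the PMK is 256 bits
PRINTABLE_ASCII = 95       # character set size the report reasons with
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).

    The cipher negotiated afterwards (TKIP or AES-CCMP) plays no part here,
    so an offline guess against a captured handshake costs the same for both.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               PMK_LENGTH_BYTES)


def keyspace(length: int, charset_size: int = PRINTABLE_ASCII) -> int:
    """Candidates of exactly `length` characters: charset ** length, the
    exponential growth in length that Section 3.1 argues matters most."""
    return charset_size ** length


def years_to_exhaust(length: int, guesses_per_second: float,
                     charset_size: int = PRINTABLE_ASCII) -> float:
    """Worst-case time to try every candidate of the given length."""
    seconds = keyspace(length, charset_size) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def measure_guess_rate(ssid: str, samples: int = 20) -> float:
    """Single-core PMK derivations per second on this machine, using assumed
    candidate strings (a GPU cracker runs many of these in parallel)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i:04d}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # WPA allows 8 to 63 characters; at the 40,000 guesses/s quoted in
    # Section 3.3 even the shortest all-printable class is infeasible.
    for length in (8, 10, 12):
        print(length, f"{years_to_exhaust(length, 40_000):.3g} years")
    print(f"this CPU: {measure_guess_rate('IEEE'):.0f} PMK/s")
```

The exhaustive-search figure is the upper bound; the dictionary and rule-based attacks the report goes on to discuss succeed precisely because real passwords occupy a tiny, predictable corner of that keyspace.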
2.4.1 802.11i Authentication (EAP)
WPA and 802.11i are available in two modes, PSK and Enterprise. Enterprise mode requires an
external authentication server, which is responsible for managing the organisation’s user
credentials (Maple et al., 2006). The 802.1X standard is used in conjunction with the EAP
protocol to perform the authentication procedure. Furthermore, there are various EAP
authentication types available: MD5 (Message-Digest 5), LEAP (Lightweight Extensible
Authentication Protocol), TLS (Transport Layer Security), PEAP (Protected Extensible
Authentication Protocol), TTLS (Tunnel Transport Layer Security), and FAST (Flexible
Authentication via Secure). Although EAP is outside the scope of this study, it is worth
noting that MD5 and LEAP are the most vulnerable and susceptible to dictionary or brute-force
attacks (Sobh, 2013).
2.5 Capturing Four-way Handshake
Lorente et al., (2015) stated that WPA and WPA2 perform the “four-way handshake” as an
authentication method, which is known to be the only vulnerable aspect of both protocols; but
a client must be connected or the attack cannot be achieved, because if no clients are
connected the four-way handshake cannot be captured. The WPA and WPA2 protocols also allow a
third party (adversary) to send a “deauthentication” request packet so that the associated
client is deliberately disconnected. This is a security drawback for both protocols, and if
weak passwords are implemented they can be considered weaker than the WEP protocol. In order
to exploit this weakness, the intruder can impersonate the network MAC (Media Access Control)
address (optional) of the device the client is connected to (router or access point), and
then send a “deauthentication” packet to the valid client, causing the device to be
disconnected.
The disconnected client will automatically attempt to re-connect with the legitimate router
or access point, performing the four-way handshake and allowing an intruder to capture the
encrypted password file; the password is then recovered offline, without the client knowing,
as the recovery is not performed online (Han, Wong & Chao, 2014). Figure 2.2 presents a
simplified version of an adversary performing the attack.
Figure 2.2: Deauthentication Attack, (Lorente et al., 2015).
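As an added example (not from the report or from any tool it cites), a defender-side check for the deauthentication step shown in Figure 2.2: it decodes the fixed 802.11 header of captured management frames and flags a transmitter address that sends a burst of deauthentication frames within a short window, which is the trace a forced disconnection leaves in a monitoring capture. The frames, addresses, window and threshold are all constructed assumptions.

```python
"""Added example, not from the report: detecting a deauthentication burst in
captured 802.11 management frames. All frame bytes below are constructed."""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0          # frame control type field for management frames
DEAUTH_SUBTYPE = 12    # management subtype for deauthentication
HEADER_LEN = 24        # frame control, duration, addr1, addr2, addr3, seq ctrl


def parse_frame(frame: bytes) -> dict:
    """Decode the fixed MAC header; for deauthentication also the reason code."""
    if len(frame) < HEADER_LEN:
        raise ValueError("truncated 802.11 header")
    fc = frame[0]                       # first byte of the frame control field
    parsed = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "dst": frame[4:10].hex(":"),    # addr1: receiver
        "src": frame[10:16].hex(":"),   # addr2: transmitter (easily spoofed)
        "bssid": frame[16:22].hex(":"),
    }
    if parsed["type"] == MGMT_TYPE and parsed["subtype"] == DEAUTH_SUBTYPE:
        # The deauthentication body is a 2-byte little-endian reason code.
        parsed["reason"] = struct.unpack_from("<H", frame, HEADER_LEN)[0]
    return parsed


def detect_deauth_flood(captures, window_s=1.0, threshold=5):
    """Return {transmitter: peak count} for any address that sent at least
    `threshold` deauthentication frames within `window_s` seconds.

    `captures` is an iterable of (timestamp, frame_bytes) in capture order.
    Window and threshold are assumed tuning values, not from the report.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, frame in captures:
        p = parse_frame(frame)
        if p["type"] != MGMT_TYPE or p["subtype"] != DEAUTH_SUBTYPE:
            continue
        times = recent[p["src"]]
        times.append(ts)
        while times and ts - times[0] > window_s:   # slide the window
            times.popleft()
        if len(times) >= threshold:
            flagged[p["src"]] = max(flagged.get(p["src"], 0), len(times))
    return flagged


def build_frame(fc0: int, dst: bytes, src: bytes, bssid: bytes,
                body: bytes = b"") -> bytes:
    """Assemble a minimal frame; fc0 is the first frame-control byte."""
    return (bytes([fc0, 0x00]) + b"\x00\x00" + dst + src + bssid
            + b"\x00\x00" + body)


# Constructed sample capture; addresses are locally administered placeholders.
AP = bytes.fromhex("02aabbccdd01")
STA = bytes.fromhex("02112233ee01")
BROADCAST = b"\xff" * 6
BEACON = 0x80     # type 0, subtype 8
DEAUTH = 0xC0     # type 0, subtype 12

SAMPLE_CAPTURES = [(0.1 * i, build_frame(BEACON, BROADCAST, AP, AP))
                   for i in range(3)]
# A burst of deauthentication frames whose transmitter address claims to be
# the AP, all within 70 ms: far more than a legitimate AP would emit.
SAMPLE_CAPTURES += [(1.0 + 0.01 * i,
                     build_frame(DEAUTH, STA, AP, AP, struct.pack("<H", 7)))
                    for i in range(8)]
# One ordinary deauthentication from the station itself, much later.
SAMPLE_CAPTURES.append((5.0, build_frame(DEAUTH, AP, STA, AP,
                                         struct.pack("<H", 3))))

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE_CAPTURES))   # {'02:aa:bb:cc:dd:01': 8}
```

Protected Management Frames (802.11w), which the report does not cover, addresses the root cause by authenticating deauthentication frames so that a spoofed one is discarded by the client rather than acted upon.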
2.5.1 Security Level Rollback Attack
It was noted that WPA is compatible with existing WEP devices (Bhagyavati et al., 2004); this
was also confirmed by He and Mitchell, (2005), who highlighted that the WPA architecture
contains the WEP mechanism, and further demonstrated by Moen et al., (2004). During the
authentication process, WPA is assigned a “temporal key” (Temporal Key Integrity Protocol,
TKIP) from the EAP server, which is then hashed with the 48-bit transmitter address and a
48-bit IV, producing a 128-bit WEP key and a clear-text IV as a sequence counter, allowing the
intruder to capture the leaked IVs to recover the secret key. This attack is known as the
“security level rollback”, which takes advantage of the inappropriate configuration by a user
in conjunction with the existing WEP mechanisms.
Chapter 3
3 Passwords
Kuo et al., (2006) outlined that many researchers have also developed various authentication
mechanisms such as biometrics, one-time passwords (OTP), and graphical passwords. However,
Zviran and Haga, (1999) claimed that text-based passwords remain one of the most common
authentication control mechanisms in place, as they are inexpensive and available on demand
without additional hardware resources (Spector and Ginzberg, 1994). As Wi-Fi networks
continued to grow, this led to increased business productivity in terms of e-commerce and
e-services that required individual users to create unique credentials to identify
themselves. In addition, users often reuse passwords for multiple accounts, suggesting that if
a user’s password is known to a third party, they may gain access to other accounts using the
same credentials. Organisations often enforce password composition policies which are
considered to be resistant to password cracking attacks; however, policies known to hackers
can help an adversary create educated guesses, and if many user passwords are compromised a
pattern may also be identified for future reference. As a result, the study of creating
resistant passwords can be valuable not only to protect wireless networks but also personal
accounts.
3.1 User Password Creation
When users are creating passwords it is important to ensure the passwords are memorable and
usable. Strict policies can make it difficult for users to create an acceptable password,
causing frustration and disregard of the password policy (Ur et al., 2012; Yan et al., 2000).
Complex passwords are likely to be longer and to contain a mixture of uppercase, lowercase
and symbols; therefore, it is difficult for users to memorise such passwords and more time is
required during the authentication stage, as users may mistype or forget their password.
Komanduri et al., (2011) demonstrated that “basic16” passwords may take longer to create, but
they are more usable than passwords containing a mixture of uppercase and lowercase letters
and multiple symbols (comprehensive). Users will otherwise record their password on paper or
electronically for future reference, to avoid being locked out of a resource. It can be
concluded that password complexity does not necessarily entail a mixture of symbols,
uppercase, and lowercase characters. With the support of this conclusion, we can neglect the
use of “meaningless” special symbol characters within our test data for it to be classified
as a complex password. However, a permutation technique discussed below involves the use of
special symbol characters to aid memorability and increase complexity. Keszthelyi, (2013)
further supported that length is more important than the character set used, as the
“exponential function” (a^x) increases far more rapidly than the “power function” (x^a),
where ‘a’ is the length and ‘x’ is the character set available.
Rockyou is a common wordlist discussed throughout many password cracking related studies.
However, the structure of its passwords had not been researched; thus Keszthelyi, (2013)
investigated the common patterns followed, based on the Rockyou wordlist available, which
contained 14,344,391 unique passwords after being cleaned up. It was found that users are
likely to append digits at the end of their password. Since this was concluded to be a common
pattern, it is viable for the author to conduct an attack targeting this pattern. Avoiding
typical patterns will increase security, and Keszthelyi, (2013) recommended creating unique
patterns which are meaningful for the user, to aid memorability. With this evaluation of user
password creation, the author is able to create realistic empirical data for testing and also
a potential approach for the password cracking experiment stage.
3.1.1 Potential Password Combinations (Simple to Complex Passwords)
It is common for users to believe that applying conditions to passwords will improve their
resistance to password cracking. The typical conditions are to contain symbols, uppercase and
lowercase, and not be a dictionary word (Yan et al., 2000). An experiment conducted by Yan et
al., (2000) outlined that users are likely to ignore the recommended conditions and choose
weak passwords for convenience and memorability. However, Proctor et al., (2002) emphasised
that applying the recommended restrictions does not result in a significant improvement,
whereas increasing the minimum password length requirement will provide a more resistant
password. The experiment was based on minimum lengths of 5 and 8 characters, using the
popular cracking tool John the Ripper: 33% of passwords were successfully cracked, and
increasing the minimum length decreased the success rate to 17%. This implied that a password
without additional conditions can be resistant if it is longer, because the computational
power required is directly proportional to the increased length (95^8 to 95^63 possible
password candidates (Chen and Chang, 2015)). This achieves increased security and
memorability, as researchers Simon, (1974) and Miller, (1956) demonstrated that users are
likely to memorise large parts of information; hence, a password with increased length also
increases usability and memorability.
A comparison of password-composition policies was studied by Komanduri et al., (2011); the two
policies tested were “comprehensive8” and “basic16”. Prior to the experiment, according to the
NIST password guideline (Burr et al., 2004), comprehensive8 and basic16 were both considered
to provide the same entropy. However, the results from Komanduri et al., (2011) showed that
basic16 has more entropy and is more usable, contradicting the NIST statement. Komanduri et
al., (2011) also explained that this measurement of entropy does not provide an accurate
indication of resistance against password cracking, and mentioned that John the Ripper is not
an optimal solution for testing as it is used for short passwords. Therefore, it would be
valuable to undertake an experiment involving both password-composition policies against
other password cracking techniques, to determine whether higher entropy corresponds to a more
crack-resistant password.
3.1.2 Mnemonic Passwords VS Regular Passwords
In 2000, an experiment conducted by Yan et al., (2000) demonstrated mnemonic passwords to be
secure. Later, in 2006, a further study of mnemonic password strength was conducted by Kuo et
al., (2006), which concluded that mnemonics may not be as secure, due to the common phrases
users have chosen; this allowed hackers to generate possible mnemonic wordlists.
As discussed above, Tsitroulis et al., (2014) stated that WPA and WPA2 are vulnerable to
brute-force and dictionary attacks. However, Kuo et al., (2006) claimed that mnemonic
passwords are not detected by dictionary attacks. Hence, it can be assumed that mnemonic
passwords may be more resistant than regular passwords. The study by Kuo et al., (2006)
compared the strength of mnemonic passwords and regular passwords. Three password cracking
techniques were used against the regular passwords: a basic dictionary attack, a dictionary
attack with permutations, and a brute-force attack, with John the Ripper as the tool. The
three techniques used for cracking regular passwords were not appropriate for mnemonic
passwords. Therefore, Kuo et al., (2006) made the assumption that users create passwords from
common phrases extracted from song lyrics, literature, movies, etc. This allowed the
researchers to produce an appropriate “mnemonic dictionary” consisting of 400,000 words. The
results illustrated mnemonic passwords to be more resistant, as the cracking rate was lower.
However, the dictionary was three times smaller than that of John the Ripper, which implied
that if the mnemonic wordlist had been effectively the same size, the results would be more
accurate and valid. Kuo et al., (2006) added that mnemonic passwords could be of potential if
they are not derived from common phrases that can easily be found on the internet, with the
additional benefit of being free from dictionary attacks. This provided the author with a
potential password rule that could be implemented for testing, to simulate real-life scenario
passwords.
3.2 Password Meters
Ur et al., (2012) and Schechter et al., (2010) identified the inconsistency of password
strength meters deployed on various websites. For example, yahoo.com and yahoo.co.jp would
display a different score for the same password. This misleading result leads to the
question, “How reliable are the password strength meters available?” Therefore, the scores
given by password meters for each password can be recorded, and the passwords then tested
against a traditional brute-force or dictionary attack. This can provide an approximate
answer to determine the accuracy of a password meter. Using the password meters also benefits
the author by providing an indicator of a simple or complex password (the values used to
distinguish between a simple and complex password are discussed below in Chapter 4).
3.2.1 Measurement of Password Strength
Ur et al., (2012) defined the term “guessability” as the resistance to a password-cracking
attack, used to determine the strength of a password. To determine the strength, a guess
calculator was used to identify the number of guesses required to crack the password. It was
claimed that guessability provides a more accurate measurement of password strength than the
common metric, entropy (Weir et al., 2010). From this the author can distinguish which
passwords are considered simple or complex, then implement them in the testing environment to
determine the effects, if any, between the passwords tested. However, it is infeasible to use
this metric as a measurement because it would be carried out during our experiment. Thus,
“My1Login” and “The Password Strength Meter”, discussed in Section 4, are used to provide
approximated values of the estimated time to crack and the strength of the password measured
as a percentage. Although password strength meters were found to be inconsistent, two
dissimilar meters are used to validate their strength.
It is assumed to be difficult to distinguish between a simple and a complex password. As
previously discussed, increasing the length of the password could provide a password more
resistant to brute-force or dictionary attacks; however, words of 8 characters that are
contained within the dictionary will still be cracked effortlessly. In addition, it was
previously mentioned by Tsitroulis et al., (2014) that attacks are only successful if the
password is contained within the wordlist utilised by the attacker. According to this
statement, password policies enforced can only provide guidance to create a unique password
that is presumed less likely to be predicted by a hacker. A password can be cracked in a
matter of time, depending on the intelligence of the hacker’s pre-computed wordlist. For
example, Schechter et al., (2010) illustrated that proactive password measures implemented on
websites are inconsistent, and passwords which are tested against an organisation’s wordlist
can only be proven secure “in-house” but cannot be proven secure against outside hackers.
3.3 Alternative Password Cracking Methods
Several studies discussed above revealed that the security configuration of a user’s wireless
device tends to remain at default. Accordingly, Mavardiris et al., (2011) demonstrated a
successful attack on a router which displayed its default SSID, where the password was also
assumed to remain at default. Consequently, the router’s password format was known, which
eliminated the impossible password candidates. A program called “crunch” was utilised to
generate the appropriate wordlist to be tested. This demonstration confirmed the statement
made by Lorente et al., (2015) that passwords are typically left at default when the default
SSID is displayed. The knowledge gained from this technique is valuable for users’ awareness:
when default passwords are known to others, their network can easily be “broken”. Moreover,
this should be emphasised further to prevent networks being placed at risk, for all wireless
network users, at home or in large and small enterprises. Although the technique may not be
ideal for the purpose of this project, the knowledge gained from building an effective
(meaningful) wordlist can be of great value.
A traditional password cracking attack is dictionary-based: it hashes words within a
dictionary and previously cracked passwords (a wordlist) and compares them against the
captured hash file until a match is found; if the wordlist does not contain the password, a
program such as oclHashcat, used for our experiment, will be exhausted. However, Krekan et
al., (2012) demonstrated that this was ineffective against a password made of two
concatenated words. Therefore, the brute-force attack would be utilised with a newly developed
statistical approach. The new statistical approach utilises the Markov modelling technique to
compute “meaningful” combinations of characters and offers additional options to speed up the
cracking process (Narayanan and Shmatikov, 2005; Krekan et al., 2012). It was also previously
identified, from a study undertaken by Yin and Cui, (2011), that the password “MyPassword”
did indeed consume more time to run through the wordlist, and the dictionary-based attack was
unsuccessful, as concatenation may be unpredictable for a hacker and excluded from the
wordlist used. It is important to note that the time metric does not indicate the strength of
the password if a dictionary attack is launched, as this is just the time required to run
through the wordlist, comparing the hashed password file with the hashed wordlist candidates.
The time will also vary depending on the dictionary file size and the speed of the processor.
From the experiment conducted by Krekan et al., (2012), which utilised the ATI HD 6850 GPU
providing a speed of 40,000 passwords per second, it was informative for the author to seek
an adequate GPU meeting the same performance. The author purchased the GeForce GTX 660 Ti,
which provided similar performance statistics, as further discussed below.
Later, Krekan et al., (2013) conducted another investigation utilising the same statistical
approach as above, targeting probable Slovak-language passwords, and the findings illustrated
that this method was 15 times quicker in cracking 8-character passwords than common
brute-force and dictionary attacks.
According to Florencio and Herley, (2007) and Duggan et al., (2012), it is unrealistic to
test “meaningless” password candidates, as the resource utilisation will be too intensive for
the password-cracking program (Krekan et al., 2012). This implied the inefficiency of
utilising large dictionary files with meaningless passwords, as memory consumption is very
high. Chen and Chang, (2015) introduced a “rule-based” method which improved cracking
efficiency with the aid of a GPU, achieving a 68% success rate. This differs from previous
studies in that the empirical data utilised were real encrypted passwords. The findings of
Chen and Chang, (2015) demonstrated that the realistic Wi-Fi protected passwords in use are
insufficient; therefore, it would be worthwhile to conduct an experiment to emphasise the
level of security between a simple and a complex password against a brute-force and
dictionary attack, to be used as an awareness exercise for the public and IT professionals in
selecting secure, unique passwords. Networks that are broken into can lead to major
consequences if not protected with care.
The discussion of the various password cracking techniques available is of value to the
author, as a meaningful and logical approach can be formulated prior to performing the
experiment. Although the rule-based approach was considered to be the most effective password
cracking technique, and rules can be created to meet our specific requirements and purposes,
the programming knowledge of the author was too limited to create a satisfactory rule meeting
our requirements. Moreover, pre-written “rules” were available within the program utilised,
and those tested to be most effective were also used against our testing scenarios.
Chapter 4
4. Methodology
The purpose of this section is to present further detail of the primary research used in this
experiment. It will address why the primary method for this project was the most appropriate,
specific details on how it will be carried out and the future stages involved in the completion
of the report.
4.1 Primary Research Method
In order to contrast the two wireless security encryption protocols WPA and WPA2, both
protocols will be implemented with the same test data (simple and complex password
scenarios). The time taken to recover the password, and the success or failure of each
password crack, will be recorded for comparison. However, the main focus of this study is to
test the resistance of a simple versus a complex password against a brute-force or a
dictionary-based attack.
Various password composition policies are followed to create a simple password and a
complex password, and their resistance is compared by recording the total time taken and the
success or failure of each attack. The information gained in Chapter 3, Sections 3.1.1, 3.1.2,
3.2 and 3.2.1 will allow the author to create realistic password scenarios that reflect the
issue as it exists in reality. All passwords created and used as test data must meet two main
factors, usability and memorability, to simulate a real-life scenario as closely as possible.
Section 2.5.1 discussed the exploitation of WPA: its architecture is compatible with existing
WEP devices and its mechanism relies on the use of IVs. It can therefore be assumed that
WPA is definitely more vulnerable than WPA2 and that the key will certainly be recovered,
since gathering adequate IVs can be achieved, based on the Section 2.3 discussion within the
literature review (Chapter 2). Therefore, recording the data packets communicated and the
total time required to capture the four-way handshake for both the WPA and WPA2
encryption protocols is necessary to determine whether the protocol influences the level of
security provided, as WPA uses TKIP and WPA2 uses AES. Thus, it can be assumed that
WPA2 will require more time and more captured data packets to successfully attain the
four-way handshake, because AES is more secure; through the discussion in Section 2.5.1 it
is assumed that WPA, consisting of WEP mechanisms, is easier and quicker to crack, and
previous researchers emphasised that WEP could be cracked in under 60 seconds (Walker,
2000).
A recent study undertaken by Chen and Chang (2015) demonstrated the uniqueness of their
work, as the empirical data collected were real user passwords, which differs from previous
studies that generated a set of random passwords for testing. This study motivated researchers
to also collect real encrypted password files from other countries, but this is unfortunately
impracticable for the author to conduct within an Honours project. To reflect the real-life
scenario as closely as possible, the study of users' attitudes to password creation,
memorability and usability was a fundamental aspect to take into account when creating the
passwords used as test data, because the passwords must not only meet either a simple or a
complex requirement but must also be easy to use and remember, to ensure the results are
reliable and valid.
Therefore, users' behaviour when creating passwords was researched in Section 3.1 to
simulate real-life password composition policies that users are likely to adhere to. Various
password composition policies were followed, with no particular pattern, to allow us to
record a more widespread set of results for analysis and also to make the audience aware that
a variety of memorable and usable password composition policies are available, with the
absence of any particular pattern reducing the success of a password cracking attempt.
4.2 Intended Experiment
Within this section an appropriate diagram will be constructed to illustrate the topology used
for this experiment along with the necessary configurations and test data (simple and
complex passwords) that will be tested.
4.2.1 Construction and Configuration of Topology
In order to conduct this experiment a topology must be configured within a suitable
environment, with the appropriate equipment supplied. The necessary equipment is:
• 2 x PC (Personal Computer) with Wireless Network Interface Card (WNIC).
The valid connecting client, PC A, will be represented by a laptop (Lenovo IdeaPad U430
Touch) whose built-in WNIC, an Intel® Wireless-N 7260, is used to connect wirelessly to
the valid AP. The adversary, PC B, will be represented by another dedicated machine
running the Kali Linux OS (on the bare metal of the machine, without virtualisation)
together with an external WNIC adapter. TL-WN722N is the model number of the external
WNIC; its chipset, the “AR9271”, is the fundamental aspect of the card, as it supports the
promiscuous (monitor) mode discussed below, which allows us to conduct the experiment.
• 1 x WAP (Wireless Access Point) with the WPA and WPA2 encryption protocols
available.
The Belkin enhanced wireless router was chosen, as it offers both the WPA and WPA2
encryption protocols and can be configured to act as a WAP. In this case, the WAP
functioning as an AP will not allow a client to connect to it without an IP address within the
same subnet; thus, client devices are required to be configured with an IP address within
the same subnet to meet this requirement.
• 1 x PC with a GPU compatible with the oclHashcat program.
The GeForce GTX 660 Ti, manufactured by Nvidia, is the GPU selected, and the machine
will operate on the Windows 7 OS with the essential ‘ForceWare’ 346.59 driver installed
to instruct the oclHashcat program to use the installed GPU.
The equipment listed will be constructed as shown in Figure 4.1. Computer A will act as a
valid user connecting wirelessly with the Access Point (AP). Computer B will act as an
adversary within the lab-based environment which can detect and intercept the wireless
communication channel between the valid user and the AP; this is achieved via the external
WNIC and the programs pre-installed within Kali Linux, including the ‘ath9k_htc’ driver
compatible with the AR9271 chipset, to monitor the wireless communication efficiently and
perform the necessary attacks. Further research outwith the Literature Review by Mohamed
and Kaplan (2015) stated that the WNIC implemented must support monitor mode to conduct
this experiment, and continued research on the Aircrack-ng suite allowed the author to
conclude which WNIC to purchase. WPA and WPA2 can only be exploited if the 4-way
handshake is captured, as indicated in Section 2.5. In addition, the PCs provided within the
lab environment have the Windows OS pre-installed; however, this OS does not provide the
author with the fundamental tools required to conduct this experiment.
It was concluded from the Literature Review, Section 2.3, that the OS utilised was
BackTrack4-rc. From the study conducted by Vishnoi and Shrivastava (2014), the BackTrack
distribution has been replaced with Kali Linux (version 2016.1 at the time of writing).
Vishnoi and Shrivastava (2014) further explained that a user utilising Kali Linux must have
root privileges in order to utilise the tools effectively, and that it is recommended to install it
under the hypervisor VirtualBox (version 5.0.14 at the time of writing) to ensure that the
execution of tasks will not affect the host machine (in terms of performance and security).
Although it was suggested that Kali Linux be installed as a guest operating system under a
Windows 8.1 Pro host OS, this was not followed due to technical issues that occurred during
the process of this experiment. Firstly, the ath9k_htc driver was not found within the Kali
Linux repository, which prevented the wireless chipset adapter from functioning.
Secondly, the command “airmon-ng” listed the correct driver as available, so it was assumed
to be operational, and the command “airmon-ng start wlan0” was used to set the WNIC into
monitor mode. Monitor mode then did not operate reliably, preventing the author from
proceeding further: performance was slow and wireless network detection was inconsistent,
with networks in range only occasionally detected.
Figure 4.1: Experiment Topology (Client PC A, Lenovo laptop; Wireless Access Point; Adversary PC B, Kali Linux machine).
This problem was researched extensively and various approaches were followed to tackle the
issue, though none solved it. It was concluded through experience that the virtualisation
software was unable to pass the host USB adapter through to the guest so as to operate the
AR9271 chipset correctly. Since the use of such software was shown to cause issues that
would result in inaccurate results, it was avoided in order to obtain reliable and valid results
to answer the research question. An alternative approach was required, which was to “burn”
the Kali Linux ISO file onto a CD-ROM and then install it on the machine as “bare metal”
instead of under a hypervisor. This not only resulted in better performance but also solved
the compatibility issues between the AR9271 chipset and the ath9k_htc driver. From the
experimentation set-up phase of installing the Kali Linux OS as a guest under the VirtualBox
virtualisation software, it can be concluded that the statement by Heidemann et al. (2000) is
confirmed: the virtualisation software utilised could lead to unrealistic and inaccurate results.
Based on Section 3.3, it is beneficial to utilise the GPU's processing power, as the WPA and
WPA2 encryption mechanisms are computationally intensive, especially WPA2 with the
Advanced Encryption Standard (AES) mechanism used to hash the password; the encryption
technique was previously discussed in Section 2.4, and Figure 2.1 illustrated the amount of
hashing involved. The two GPUs available within the GCU laboratories are the GeForce GTX
745 and the Quadro K600, which are both compatible with the oclHashcat program operating
on the Windows OS. On the other hand, password cracking is known to consume a large
amount of time in practising and running the experiment, so it was viable to purchase a GPU
in advance and install it on a machine at home to gain more time to practise on demand. The
GPU purchased was the GeForce GTX 660 Ti, which reaches the performance standard of the
GPU utilised in the study conducted by Krekan et al. (2012); thus it is assumed to be
sufficient for this project.
As mentioned above, it is necessary to configure IPv4 (Internet Protocol version 4) addresses
for the constructed topology (as shown in Figure 4.1). This will allow association between
client devices and the AP, easier identification of each device, and assurance that devices are
not connected to any external networks such as the internet, as this experiment is solely for
experimental purposes and does not involve human participants; thus, it does not require
ethical considerations or approval. Table 4.1 outlines the IP addresses used.
Table 4.1. Assigned IPv4 Addresses.
Device                  IPv4 Address    MAC Address
Client PC A             192.168.2.64    84:B1:53:CA:35:92
Adversary PC B          192.168.2.128   48:51:B7:C9:49:81
Wireless Access Point   192.168.2.254   00:22:75:C5:95:5C
4.2.2 Implementation
To contrast the effects (if any) between the two wireless security encryption protocols WPA
and WPA2, the password scenarios (simple to complex) will be tested under each protocol in
turn, and different password composition policies will be implemented to determine the
resistance of each password scenario (simple to complex) against a brute-force or a
dictionary-based attack.
The WAP selected has two modes available for the purpose of this experiment, WPA-PSK +
TKIP and WPA2-PSK + AES. These two modes will be enabled in turn with each password
scenario implemented, and also configured on the valid client to ensure the client and WAP
are associated (Arbaugh, 2002).
The various password composition policies available are discussed in Sections 3.1.1 and
3.1.2 and will be applied when creating the different password scenarios. The common
password composition policies are basic8, comprehensive8 and basic16, which give the
author guidance in creating potential passwords as test data for our experiment; we are not
limited to these three policies. Moreover, the passwords created will need to be distinguished
as simple or complex. Hence, the discussion in Sections 3.2 and 3.2.1 demonstrated an
evaluation technique to verify password strength using a password strength meter. On the
other hand, it was concluded that password meters may be inconsistent, thereby providing
inaccurate feedback. To overcome this issue we will validate each created password against
two dissimilar password strength meters, “The Password Meter” and “My1login”, for a more
reliable result when classifying each password. The Password Meter scores passwords from
1% to 100%, while My1login rates them by the estimated time needed to crack the password
(in units of time: seconds, minutes, days, weeks, months, years, etc.). Passwords which score
between 0 and 50%, or would take less than 1 month to crack, will be defined as simple,
whilst passwords which score between 50 and 100%, or would take longer than 6 months to
crack, will be deemed complex. The strength values displayed by the password strength
meters for each password scenario will therefore be validated after this experiment to
determine the trustworthiness and accuracy they provide, answering the question of which
password strength meter is more accurate, a question outwith the main research question.
The score of each password will be recorded (Appendix A.4) for later analysis to determine
whether password meters provide a viable evaluation of password strength.
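The thresholds above can be applied mechanically. The following added example (written for this edit; not part of the report and not the software of either password meter) parses My1login's time-estimate strings and applies both thresholds to a reading from each meter. The report does not state what happens when a password falls between 1 and 6 months, or when the two meters disagree, so the function reports such cases as undetermined; treating a score of exactly 50% as complex is likewise an assumption made here. The meter readings in the sample table are constructed values, not the report's Appendix A.4 results.

```python
"""Added example: applying the report's simple/complex thresholds to the
readings of The Password Meter (0-100 % score) and My1login (estimated
time to crack, given as text). Not the report's own code and not the
software of either meter."""
import re

# Approximate unit lengths in seconds, used to order My1login's estimates.
_UNIT_SECONDS = {
    "second": 1,
    "minute": 60,
    "hour": 3600,
    "day": 86_400,
    "week": 7 * 86_400,
    "month": 30 * 86_400,
    "year": 365 * 86_400,
}
MONTH = _UNIT_SECONDS["month"]


def parse_crack_time(text: str) -> float:
    """Convert a My1login-style estimate ('12 seconds', '1 month',
    '4 years', 'instantly') into seconds. Raises ValueError on unknown input."""
    text = text.strip().lower()
    if text in ("instantly", "instant"):
        return 0.0
    # number, optional whitespace, unit name with optional plural 's'
    match = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([a-z]+?)s?", text)
    if not match or match.group(2) not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised crack-time estimate: {text!r}")
    return float(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def classify(meter_score: int, my1login_estimate: str) -> str:
    """Return 'simple', 'complex' or 'undetermined'.

    Report thresholds: score 0-50 % or under 1 month -> simple;
    score 50-100 % or over 6 months -> complex. Assumptions made here:
    a score of exactly 50 % counts as complex, a crack time between
    1 and 6 months is undetermined, and the two meters must agree."""
    if not 0 <= meter_score <= 100:
        raise ValueError("score must be a percentage between 0 and 100")
    seconds = parse_crack_time(my1login_estimate)
    by_score = "simple" if meter_score < 50 else "complex"
    if seconds < 1 * MONTH:
        by_time = "simple"
    elif seconds > 6 * MONTH:
        by_time = "complex"
    else:
        by_time = "undetermined"
    return by_score if by_score == by_time else "undetermined"


def classify_table(rows):
    """rows: iterable of (password, meter_score, my1login_estimate).
    Returns {password: category} so a whole test-data table can be checked."""
    return {pw: classify(score, est) for pw, score, est in rows}


if __name__ == "__main__":
    # Constructed sample readings (not the report's Appendix A.4 figures).
    sample = [
        ("pa$5word", 38, "2 hours"),
        ("Shakespeare1was5born6in4Avon", 100, "30 years"),
        ("LaCPaS1KMS", 72, "3 months"),   # falls in the 1-6 month gap
        ("police999", 20, "4 years"),     # the two meters disagree
    ]
    for pw, category in classify_table(sample).items():
        print(f"{pw:32} {category}")
```

The "undetermined" outcome is the useful part: a password that one meter calls simple and the other calls complex is exactly the inconsistency the section warns about, and flagging it keeps such cases out of the simple and complex groups rather than silently assigning them to one.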
Each password scenario will be tested in sequential order from the most simple to the most
complex, implemented in WPA-PSK (+TKIP) and WPA2-PSK (+AES) respectively. All
password scenarios will be hashed by the encryption mode enabled and an encrypted (hashed)
password file will be generated. This encrypted password file will be captured by the author
in order to launch a brute-force or dictionary attack to crack the password, using the
oclHashcat program. Based on the literature review, Section 2.5, a simplified diagram (Figure
2.2) illustrated the process of capturing a four-way handshake. This four-way handshake
contains the encrypted password file required. As Krekan et al. (2012) stated, the encryption
technique is one-way, meaning it cannot be decrypted (computed back) to the original
password; the only method to crack the “hashed” password file is to encrypt the possible
password candidates with the WPA and WPA2 encryption method and then compare the
hashed candidates until a “match” is found. If the password cannot be cracked, the program
will run until the candidates are exhausted.
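To make the one-way property concrete, the following added example (written for this edit; not the report's code and not taken from oclHashcat or Aircrack-ng) computes the WPA/WPA2-PSK Pairwise Master Key exactly as the AP and the client both do: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output, as specified in IEEE 802.11i. It shows that a configured key can only be checked against a candidate passphrase by re-running this derivation, and times the derivation so the reader can compare one CPU core with the 40,000 candidates per second GPU rate quoted from Krekan et al. (2012). The SSID Belkin_c5955c and the passphrase pa$5word are the report's own values; the candidate strings used for timing are constructed.

```python
"""Added example: WPA/WPA2-PSK key derivation (IEEE 802.11i), to show why a
captured handshake can only be tested against a candidate passphrase by
recomputing the key. Standard library only; not the report's own code."""
import hashlib
import time

PBKDF2_ITERATIONS = 4096  # fixed by the standard for WPA/WPA2-PSK
PMK_LEN = 32              # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    Both the AP and the client derive the same PMK from the configured
    passphrase; nothing in the handshake lets it be reversed."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def verify_passphrase(reference_pmk: bytes, candidate: str, ssid: str) -> bool:
    """The only available check: derive again and compare.

    A cracking tool compares against the MIC in the captured handshake rather
    than the PMK itself, but the cost per candidate is the same 4096-iteration
    derivation, which is what makes the attack slow."""
    return derive_pmk(candidate, ssid) == reference_pmk


def hmac_calls_per_candidate() -> int:
    """PBKDF2 yields 20 bytes per SHA-1 block, so 32 bytes need two
    blocks of 4096 HMAC-SHA1 computations each."""
    return 2 * PBKDF2_ITERATIONS


def derivations_per_second(ssid: str, samples: int = 20) -> float:
    """Measure single-core CPU throughput for comparison with GPU rates."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"constructedcandidate{i:03d}", ssid)  # constructed inputs
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    ssid = "Belkin_c5955c"               # the report's test AP SSID
    pmk = derive_pmk("pa$5word", ssid)   # simple scenario 1 from Table 4.2
    print("PMK:", pmk.hex())
    print("same passphrase matches:", verify_passphrase(pmk, "pa$5word", ssid))
    print("near miss matches:     ", verify_passphrase(pmk, "pa$5w0rd", ssid))
    print(f"{hmac_calls_per_candidate()} HMAC-SHA1 calls per candidate")
    print(f"{derivations_per_second(ssid):.0f} derivations/s on one CPU core")
```

Two things follow from the code that the paragraph only states. First, the SSID is the salt, so the same passphrase on two networks with different SSIDs gives different keys, and a precomputed table is only useful for the SSID it was built for. Second, the cost of one guess is 8192 HMAC-SHA1 calls; a general-purpose CPU core manages only a few thousand derivations per second, which is why the report moves the cracking step to a GPU.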
The following procedure will be conducted using the adversary's PC B to capture the four-way
handshake packets containing the encrypted password file. The tools utilised are supplied
within the Kali Linux OS distribution as the ‘Aircrack-ng suite’ (Kumar et al., 2012). The
commands used in the CLI are:
• airmon-ng – this sets the adversary's WNIC to monitor mode and identifies which driver
is appropriate, in this case ath9k_htc.
• airodump-ng – wireless networks are detected by the adversary's WNIC, and the targeted
network (Belkin_c5955c) is identified by the broadcast default SSID displayed (Appendix
A.2, Figure 2.6). When the targeted network has been found, it displays the necessary
metrics such as beacons, data, channel number and MAC address. The channel number
was manually configured to ‘12’ to reduce the chance of interference from other wireless
networks affecting our results.
• aireplay-ng – in order to reduce the time taken to capture the (WPA) four-way handshake,
the aireplay-ng command was used to intentionally send deauthentication packets to the
valid client, which disconnects the associated client and forces it to re-authenticate by
entering its password (PSK). Hence, this attack is only successful if a valid client is
connected to the wireless network, because the four-way handshake must be captured
before the password cracking attack can proceed.
First, the four-way handshake, also known as the WPA handshake, is captured during the user
authentication stage when the PSK is entered. This capture is saved in ‘.cap’ format by the
Aircrack-ng suite; therefore, it is necessary to convert the file to the ‘hccap’ format for the
oclHashcat program to understand the captured file, as this will be utilised in order to crack
the “shadow” (encrypted) password file. Two methods can be used to achieve the
conversion.
Firstly, the oclHashcat official webpage offers a facility to convert the captured handshake
file. However, the file size must not exceed 5MB (megabytes), so the second method,
supplied within the Aircrack-ng suite, was used, ensuring the files remain consistent and
“clean”.
Secondly, the file must be cleaned (removing any unwanted excess data, which also reduces
the file size) using the command:
• wpaclean <out.cap> <in.cap>
Lastly, the file can be converted using the command within Aircrack-ng, to ensure the file
remains consistent and error free. The command used at this stage is (the .hccap extension
is appended to the output name automatically):
• aircrack-ng -J <ConvertedFileName> <Location of the .cap File>
The converted hccap password files will be saved onto a USB memory stick (Adata 16GB),
allowing the author to conduct the password cracking process offline, utilising the machine
with the GeForce GTX 660 Ti GPU installed.
Due to the limitations of the PCs within the GCU lab environment, the password cracking
process will be undertaken on an “in-house” dedicated machine operating the Windows 7 OS,
with the required GPU (GeForce GTX 660 Ti) fitted in the physical machine to increase the
speed of the cracking process. The PC requires the correct GPU driver (ForceWare 346.59 or
later at the time of writing) to instruct the oclHashcat program to exploit the graphics card's
capabilities. To perform the password cracking procedure, the commands will be executed on
the Windows OS, and the user must run the CLI as ‘administrator’ to avoid permission
interruptions.
This experiment is considered purely practical; therefore, the author will conduct further
research (if necessary) on blog posts and other relevant materials available on the internet to
gain more experience in utilising the CLI with the associated commands. While learning and
investigating the commands and attacks available within the official hashcat website, a GUI
(Graphical User Interface) for the oclHashcat program was found, written by an independent
team named BlandyUK and recommended by various members of the hashcat forum. The
hashcat GUI downloaded [1] was version 0.45b1 (at the time of writing).
Before using the oclHashcat GUI, note that the downloaded package (with the ForceWare
346.59 or later driver installed, at the time of writing) consists of two applications, 64-bit
and 32-bit, to operate the GUI. One of these must be located in the “binary” field of the
program for it to be operational; the 32-bit application was chosen due to compatibility
issues with Windows CLI permissions. In Figure 4.3 the application file can be identified at
the bottom of the GUI. The GUI was assumed to be limited in its capabilities compared with
the CLI, so it was used alongside the CLI, as the GUI was able to produce the commands for
the attack, which were then modified to suit the user's needs.
Each encrypted password file will be compared against a suitable ‘wordlist’ which contains
English dictionary words and a set of previously cracked passwords, as discussed in Section
3.3. The user can edit or create appropriate wordlists to increase the chance of cracking each
password scenario. In addition, the hashcat GUI brute-force attack offers the user (the author)
the ability to apply a mask with specific rules to eliminate unrealistic passwords, utilising
resources efficiently. Wordlists such as ‘realhuman_phill’ [2] and ‘RockYou’ [3] can be found
on the internet via a simple Google search.
Once the oclHashcat program has run, a list of metrics will be displayed in the CLI window.
The metrics of concern in this project are the total run time of a successful attack and the
success or failure of the attack. The speed at which hashed password candidates are compared
per second will also be noted, but only to record the speed of operation, as this value does not
affect the research question to be answered. Although the total run time will be recorded, it
will only be recorded if the attack is successful, because the total run time otherwise depends
on the size of the dictionary wordlist used until it is exhausted, and on the number of possible
password combinations the user has set. This implies that the time metric alone will not
indicate how strong a password is, as the time can vary depending on the attacker's
intelligence and the resources they implement. Throughout the experiment the conclusion
made above in Section 3, that results can vary depending on the hacker's intelligence, is
confirmed; thus, the results concluded will not guarantee resistance against all hackers. On
the other hand, it is worthwhile to demonstrate to general and professional I.T. users the
possible password patterns available to increase complexity without decreasing memorability
and usability, providing a more secure network.
[1] https://hashkiller.co.uk/hashcat-gui.aspx
[2] https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
[3] https://wiki.skullsecurity.org/Passwords
To evaluate the comparison between the WPA and WPA2 protocols, the metric of concern
will be the number of “data packets captured”. In Section 2.3, it was concluded that the
valuable data to capture to crack WEP were the gathered IVs. Furthermore, it was stated in
Section 2.6 that a security rollback was achievable against WPA as it utilises WEP
mechanisms. As a result, it can be argued that recording the data packets required to capture
the four-way handshake will distinguish the differences, if any, between the two protocols of
concern, WPA and WPA2. Moreover, a packet injection attack can be launched to increase
the number of IVs required to crack WEP. Although this attack cannot be used against
WPA2, an alternative command was used, aireplay-ng, to purposely send deauthentication
packets to the valid client so as to capture the four-way handshake. This implies that the total
time metric can vary because of the deauthentication attack being launched by the attacker,
and because the moment at which any client connects to the AP is unpredictable. The time
variable was therefore not included within the results, as it does not provide valuable data
for answering the research question, but it is included within the appendix for additional
information.
All metrics will be presented in table format with the results generated, including the
password strength rating (Appendix A.4) from the password meters. All results will then be
ready for final evaluation.
4.2.3 Password Scenarios (Test Data)
Table 4.2 illustrates the password scenarios (test data) derived from Section 3 and further
reading with regard to user behaviour in creating and storing passwords and the usability and
memorability of various password types. All passwords chosen are assumed to be memorable
and usable, as indicated by Keszthelyi (2013). During the password creation phase, the
common password rule “do not contain a dictionary word” was not followed, because
previous literature (Ur et al., 2012; Yan et al., 2000) emphasised that passwords of increased
length are more secure than passwords subject to the conditions of not being a dictionary
word, being a minimum of 8 characters in length (this was a requirement in any case, as
WPA encryption requires a minimum length of 8 characters) and containing lowercase,
uppercase, digits and symbols. Therefore, this suggested that as long as the password
produced met an adequate length (i.e. from 10-12 characters) it was considered secure.
Furthermore, to ensure memorability and usability, dictionary words are definitely easier to
remember than a mixture of characters. In addition, the results of Chen and Chang (2015)
outlined the typical password patterns used, which was valuable when creating passwords to
achieve memorability, simulating a real-life case study.
There are a variety of existing wordlists available, consisting of dictionary words (referring to
English dictionary words for the purpose of this project) and previously cracked passwords
from diverse sources such as UNIX, Myspace and Facebook. This implies that using any
dictionary-based word as a password is highly insecure. Therefore, for the purpose of this
experiment, it is likely that a user would choose dictionary words with additional characters,
meeting the “simple” password requirement while preventing straightforward dictionary
attacks. Furthermore, no particular pattern was followed in password scenario creation,
although various techniques were used, such as “permutation” (substituting ‘s’ for ‘$’ or ‘5’)
and words such as ‘I’ and ‘hate’ written in slang and text-messaging style as ‘aye’ and ‘h8’
respectively. It can be concluded from Table 4.2 that passwords are likely to be in lowercase
and include digits, and less likely to include symbols. The password ‘My_Password’ (number
4, simple) was similar to scenarios 2, 3, 8, 9 and 10, but included capital letters at the typical
positions stated by Zviran and Haga (1999), and an underscore (‘_’) symbol was included to
decrease the possibility of being cracked. In order to produce results that reflect the real-life
issue of weak password vulnerability, the password scenarios were not just created to satisfy
the simple requirement but were also considered to be realistic choices. To satisfy this,
typical passwords such as ‘qwerty’, ‘abcdef’ and ‘987654321’ were all avoided, as they have
previously been cracked and are also meaningless.
Table 4.2. Test Data: Simple and Complex Passwords.
Simple password candidates Complex password candidates
1) pa$5word 1) Shakespeare1was5born6in4Avon
2) crack16me 2) Luv2Laff
3) life2short 3) LaCPaS1KMS
4) My_Password 4) SWMEteMy$$
5) hell0w0rld 5) 20Caledonian16
6) police999 6) S1125113GCU
7) 01413313000 7) aye<3pb&j
8) ice-cream 8) Ipmdt@18yo
9) ayeh8school 9) P@5$W012d
10) love&hate 10) protekMYwhyfi
From the comparison between the simple and complex password scenarios shown in Table
4.2, it can be concluded that the complex passwords do contain more complexity, such as
increased length, symbols and uppercase characters, and the positioning of the characters is
considered unique to assist memorability. Furthermore, the results of Komanduri et al. (2011)
concluded that the comprehensive8 password composition policy was more difficult to create,
but once created it remained usable, as the password confirmation failure rate was lower than
for basic16. On the other hand, the passwords which met the comprehensive8 conditions were
used in conjunction with other methods, such as permutation, mnemonics and “phonetic”
replacements, to help memorability, and Shay et al. (2010) conducted a study which
emphasised that users found complex passwords inconvenient to use, but still used them as
they provided increased security, ensuring the usability factor was met. Password scenario 1
within the complex category was considered the most resistant as the number of characters
contained was high, although it was highly memorable and usable, as the pattern used was
memorable and did not consist of complex symbols and meaningless data: Shakespeare was
born in Avon in 1564, with each digit representing a space. Therefore, without foreknowledge
of the password it was impractical to brute-force due to resource limitations. Password
scenarios 7 and 8 utilised a mnemonic and the unique symbol ‘<3’ representing love within
the sentence “I love peanut butter and jelly”, with ‘I’ replaced by the slang written form
‘aye’ as discussed above, and the first letter of each word in the sentence used. Scenario 8
varied slightly, as it did not contain a unique use of symbols but did contain an uppercase
letter ‘I’ in a typical position. Overall, this is assumed to be resistant, as identified by Kuo et
al. (2006) in Section 3, which suggests that mnemonic passwords are secure when the
phrases are not extracted from famous or common literature, poems, movies, etc. The most
vulnerable passwords created within the complex scenarios are 5 and 6, because they do not
involve unique variations or symbols and are therefore more likely to be brute-forced;
scenario 6 also contains a dictionary word, suggesting it is more vulnerable. Password
scenarios 2 and 10 can be considered similar, as each password was created using phonetic
replacement to avoid being vulnerable to dictionary attacks; the location of the digit in
scenario 2 is uncommon, again chosen to reduce the chance of an adversary predicting the
characters' locations. Moreover, the capitalised word ‘MY’ within scenario 10 was chosen,
again to avoid being predicted by an adversary, as previous literature defined that passwords
typically include capital letters at the beginning or end (Keszthelyi, 2013).
4.2.4 Password Cracking Approach
It was discussed by Chen and Chang (2015) that it is impractical to use a dictionary attack
where wordlist files are large, consuming terabytes of space, as standard processors are
incapable of processing wordlists of such size. This statement was taken into account during
the password cracking stage; therefore only appropriate wordlists were searched for, ensuring
the file size was practical (i.e. below 1GB) and that the list had a high cracking rate of
previously cracked passwords. A wordlist named “realhuman_phill” was then downloaded
(legally, for experimental purposes only) from the CrackStation webpage. This was
considered an appropriate wordlist because members of the hashcat forum had recommended
it as an effective wordlist file containing common human passwords; the success of this
attack could also be used to validate that the password scenarios used are realistic, reflecting
a real-life case study. In order to ensure the wordlist file was as efficient as possible, it was
edited using Microsoft Word 2007 to remove unwanted password candidates, reducing the
file size to 683MB (megabytes) with 63,768,655 password candidates contained within the
wordlist.
Once the wordlist file was prepared it was added into the wordlist library of the hashcat GUI.
Of the several tabs available in the application, the “Wordlists & Markov” tab is selected,
and then the “Add Wordlists..” button is clicked to locate the wordlist file to be added, in
this case realhuman_phill.txt. Appendix A.3 demonstrates how to add a wordlist into the
library.
Once the wordlist was added, the dictionary-based attack could be launched using the
“straight” mode provided by the GUI. Figure 4.3 illustrates how the dictionary attack was
launched for all the password scenarios tested; the success or failure of the attack will be
displayed and discussed later, in Section 5. Figure 4.3 shows the “Hash File” field, which
requires the converted four-way handshake file in “.hccap” format for the application to
understand the hashed password file.
Figure 4.3: Launching Dictionary-Based Attack.
The “Hash Type” field was set to “WPA/WPA2” so that the correct password candidate
produces a hashed value matching the captured four-way handshake.
Simple password scenario number 7 was undertaken with the knowledge gained from Section
3.3 that common passwords are likely to be home telephone or mobile telephone numbers.
The brute-force attack mode was selected together with a mask to eliminate unrealistic
combinations, since a plain brute-force attack attempts every possible combination, which
would be impractical. Local telephone numbers beginning with ‘0141’ indicate the area, and
‘331’ specifies the location within the area. With this mask fixing 7 of the password's
characters, the remaining four digits can be brute-forced until all possible digit
combinations are tested.
Figure 4.4 outlines the configuration used to launch the combined brute-force and mask
attack.
Figure 4.4: Local Telephone Mask and Brute-Force Attack Configurations. (Screenshot annotations: the icon used to locate the hashed password scenarios in “.hccap” format; the attack mode selected; the 32-bit application required for the GUI to be operational.)
The success or failure of the attack is presented later in Section 5.
The method of combining masks with the brute-force attack was adapted for different
scenarios. As a Caledonian student, the student matriculation number was assumed to be
unique and therefore likely to be used together with additional meaningful characters that
help memorise the password and keep it usable. The mask was set to ‘S11’ followed by 5
remaining digits restricted to the range 1 to 5, to reduce the number of combinations
generated, and the three letters GCU were prefixed and then appended in turn for each test.
Three uppercase letters were chosen because this is highly logical and memorable for a
user, and the placement of the three letters follows the study conducted by Keszthelyi,
(2013), which found that users are likely to prefix or append digits and uppercase
characters within a password.
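To make the size of the keyspaces described above concrete, the following Python is an added example (not code from the report or from the hashcat project). It computes the number of candidates a hashcat-style mask generates, following the documented meaning of the mask syntax (?l ?u ?d ?s ?a, custom sets such as ?1, literal characters), and derives the WPA/WPA2-PSK pairwise master key that the “WPA/WPA2” hash type has to compute for every candidate before it can be compared with the captured four-way handshake (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, as specified in IEEE 802.11i, checked against the standard's published test vector). The candidate rate used for the worst-case time estimate is an assumed placeholder, not a measurement from the experiments.

```python
"""Added example (not from the original report or the hashcat project): keyspace of
hashcat-style masks and the per-candidate key derivation that the "WPA/WPA2" hash type
verifies. Mask syntax (?l ?u ?d ?s ?a, custom sets ?1..?4, literal characters) follows
hashcat's documented meaning; the candidate rate used for time estimates is an assumed
placeholder."""
import hashlib
import string

# Built-in hashcat charsets: ?l (26), ?u (26), ?d (10), ?s (33 printable specials incl. space).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]  # ?a = 95 printable


def mask_keyspace(mask, custom=None):
    """Number of candidates a mask generates. '?x' consumes one charset position, '??' is
    a literal '?', and any other character is a fixed literal contributing a factor of 1."""
    custom = custom or {}
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            size = 1
        elif key in custom:
            size = len(set(custom[key]))
        elif key in BUILTIN:
            size = len(BUILTIN[key])
        else:
            raise ValueError(f"unknown charset ?{key}")
        total *= size
        i += 2
    return total


def derive_pmk(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every wordlist or mask candidate must go through this derivation before it can be
    checked against the captured handshake, so the candidate count sets the attack cost."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


# The report's structured scenarios written as masks, next to two unstructured ones.
SCENARIOS = [
    ("local telephone 0141 331 + 4 digits", "0141331?d?d?d?d", {}),
    ("matric S11 + 5 digits in 1-5, GCU prefixed", "GCUS11?1?1?1?1?1", {"1": "12345"}),
    ("matric S11 + 5 digits in 1-5, GCU appended", "S11?1?1?1?1?1GCU", {"1": "12345"}),
    ("8 unstructured lowercase letters", "?l?l?l?l?l?l?l?l", {}),
    ("12 unstructured printable characters", "?a" * 12, {}),
]


def exhaust_seconds(keyspace, candidates_per_second):
    """Worst-case time to try every candidate at a given PMK derivation rate."""
    return keyspace / candidates_per_second


def report(candidates_per_second=100_000.0):
    """Return (name, mask, keyspace, worst-case days) for every scenario.
    The default rate is an assumed placeholder, not a figure measured in the experiments."""
    rows = []
    for name, mask, custom in SCENARIOS:
        ks = mask_keyspace(mask, custom)
        rows.append((name, mask, ks, exhaust_seconds(ks, candidates_per_second) / 86400))
    return rows


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK('password', 'IEEE') =", derive_pmk("password", "IEEE").hex())
    for name, mask, ks, days in report():
        print(f"{name:44s} {mask:20s} {ks:>24,d} candidates  {days:14.6f} days")
```

The point the numbers make is that a telephone-shaped passphrase has 10,000 candidates and each matric-shaped mask 3,125, regardless of their eleven-character length, while twelve unstructured printable characters give 95^12: structure, not length alone, is what the mask removes.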
Throughout the research conducted it was regularly seen that the word “password” is often
modified to increase its complexity; therefore the possible permutations discussed by
Keszthelyi, (2013) and Zviran et al., (1999) were used to eliminate the impossible
permutations. Again, this technique corresponds to the rule-based approach of Chen and
Chang, (2015). The remaining letters, such as p, w and d, were not considered for
permutation. Consequently, those remaining letters were varied from lowercase to uppercase
through each test run, and the successful configurations are shown in Figure 4.5.
Figure 4.5 annotation: the mask used.
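A defender-side use of the same observations, as an added example (not code from the report): a pre-shared-key policy check that rejects passphrases which are only rule-based mutations of a common word (case changes, leet substitutions, prefixed or appended digits and uppercase letters) or that follow the telephone-number and matriculation-number shapes the masks above target. BASE_WORDS is a small constructed stand-in for a leaked-password wordlist such as the one the report used, and MIN_LENGTH, the leet table and the regular expressions are assumed policy choices.

```python
"""Added example (not from the original report): reject WPA/WPA2 pre-shared keys that
collapse to a common word once the rule-based mutations described above are undone, or
that follow a predictable telephone or matriculation-number shape."""
import re

# Constructed stand-in for a real leaked-password wordlist.
BASE_WORDS = {"password", "letmein", "welcome", "caledonian", "glasgow", "football"}

# Common leet substitutions, reversed: symbol/digit -> the letter it usually stands for.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

MIN_LENGTH = 12  # assumed policy minimum
TELEPHONE_RE = re.compile(r"0\d{10}")                       # UK landline/mobile shape, e.g. 0141 331 xxxx
MATRIC_RE = re.compile(r"[a-z]{0,3}s\d{7,8}[a-z]{0,3}")      # e.g. GCUS11xxxxx / S11xxxxxGCU

AFFIX_RE = re.compile(r"^[^a-z]+|[^a-z]+$")  # strips non-lowercase runs at either end


def unleet(text):
    """Undo single-character leet substitutions."""
    return "".join(LEET.get(ch, ch) for ch in text)


def candidate_bases(candidate):
    """Possible base words hidden in a candidate, after undoing the mutations users
    typically apply: appended/prepended digits and symbols, short uppercase affixes
    (e.g. 'GCU'), capitalisation, and leet substitutions."""
    bases = set()
    low = candidate.lower()
    stripped_low = AFFIX_RE.sub("", low)        # "Password2016!" -> "password"
    stripped_raw = AFFIX_RE.sub("", candidate)  # "GCUpassword1"  -> "password"
    for base in (stripped_low, stripped_raw):
        bases.add(base)
        bases.add(unleet(base).lower())         # "p@ssw0rd" -> "password"
    bases.discard("")
    return bases


def check_psk(candidate):
    """Return a list of policy violations; an empty list means the PSK passes."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if TELEPHONE_RE.fullmatch(re.sub(r"[\s-]", "", candidate)):
        reasons.append("looks like a UK telephone number")
    if MATRIC_RE.fullmatch(candidate.lower()):
        reasons.append("looks like a matriculation number with letter affixes")
    hits = candidate_bases(candidate) & BASE_WORDS
    if hits:
        reasons.append("rule-based mutation of common word(s): " + ", ".join(sorted(hits)))
    return reasons


if __name__ == "__main__":
    # Constructed samples; the matric digits are made up.
    for psk in ["P@ssw0rd2016", "GCUpassword1", "0141 331 1234", "S1112345GCU",
                "l3tm3in!!", "thistle-ferry-7-lantern"]:
        verdict = check_psk(psk)
        print(f"{psk:26s} {'OK' if not verdict else 'REJECT: ' + '; '.join(verdict)}")
```

The check deliberately undoes mutations rather than enumerating them: a single normalised lookup against the wordlist covers every combination of case, affix and leet rule, which is the same reason those rules cost an attacker so little.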
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7
Antony's Final Draft v7

More Related Content

What's hot

Social Engg. Assignment it17 final (1)
Social Engg. Assignment  it17 final (1)Social Engg. Assignment  it17 final (1)
Social Engg. Assignment it17 final (1)rosu555
 
Dual-Layer Video Encryption and Decryption using RSA Algorithm
Dual-Layer Video Encryption and Decryption using RSA AlgorithmDual-Layer Video Encryption and Decryption using RSA Algorithm
Dual-Layer Video Encryption and Decryption using RSA AlgorithmIJARIIT
 
A Literature Review of Some Modern RSA Variants
A Literature Review of Some Modern RSA VariantsA Literature Review of Some Modern RSA Variants
A Literature Review of Some Modern RSA Variantsijsrd.com
 
International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)CSCJournals
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI TechnologySylvain Maret
 
Data Security via Public-Key Cryptography in Wireless Sensor Network
Data Security via Public-Key Cryptography in Wireless Sensor NetworkData Security via Public-Key Cryptography in Wireless Sensor Network
Data Security via Public-Key Cryptography in Wireless Sensor NetworkIJCI JOURNAL
 
Data Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill CipherData Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill CipherAashirwad Kashyap
 
Design of Hybrid Cryptography Algorithm for Secure Communication
Design of Hybrid Cryptography Algorithm for Secure CommunicationDesign of Hybrid Cryptography Algorithm for Secure Communication
Design of Hybrid Cryptography Algorithm for Secure CommunicationIRJET Journal
 
IEEE Projects 2012-2013 Network Security
IEEE Projects 2012-2013 Network SecurityIEEE Projects 2012-2013 Network Security
IEEE Projects 2012-2013 Network SecuritySBGC
 
Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...
Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...
Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...SBGC
 
A Trust Conscious Secure Route Data Communication in MANETS
A Trust Conscious Secure Route Data Communication in MANETSA Trust Conscious Secure Route Data Communication in MANETS
A Trust Conscious Secure Route Data Communication in MANETSCSCJournals
 
Three Party Authenticated Key Distribution using Quantum Cryptography
Three Party Authenticated Key Distribution using Quantum CryptographyThree Party Authenticated Key Distribution using Quantum Cryptography
Three Party Authenticated Key Distribution using Quantum CryptographyIJMER
 
Survey of universal authentication protocol for mobile communication
Survey of universal authentication protocol for mobile communicationSurvey of universal authentication protocol for mobile communication
Survey of universal authentication protocol for mobile communicationAhmad Sharifi
 
Evolving Fast Fourier Transform and Deoxyribonucleic Acid for Security of RFI...
Evolving Fast Fourier Transform and Deoxyribonucleic Acid for Security of RFI...Evolving Fast Fourier Transform and Deoxyribonucleic Acid for Security of RFI...
Evolving Fast Fourier Transform and Deoxyribonucleic Acid for Security of RFI...IRJET Journal
 

What's hot (20)

Social Engg. Assignment it17 final (1)
Social Engg. Assignment  it17 final (1)Social Engg. Assignment  it17 final (1)
Social Engg. Assignment it17 final (1)
 
Dual-Layer Video Encryption and Decryption using RSA Algorithm
Dual-Layer Video Encryption and Decryption using RSA AlgorithmDual-Layer Video Encryption and Decryption using RSA Algorithm
Dual-Layer Video Encryption and Decryption using RSA Algorithm
 
A Literature Review of Some Modern RSA Variants
A Literature Review of Some Modern RSA VariantsA Literature Review of Some Modern RSA Variants
A Literature Review of Some Modern RSA Variants
 
581 517-525
581 517-525581 517-525
581 517-525
 
International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)International Journal of Computer Science and Security Volume (1) Issue (3)
International Journal of Computer Science and Security Volume (1) Issue (3)
 
Introduction To PKI Technology
Introduction To PKI TechnologyIntroduction To PKI Technology
Introduction To PKI Technology
 
609 618
609 618609 618
609 618
 
50120140507006
5012014050700650120140507006
50120140507006
 
Data Security via Public-Key Cryptography in Wireless Sensor Network
Data Security via Public-Key Cryptography in Wireless Sensor NetworkData Security via Public-Key Cryptography in Wireless Sensor Network
Data Security via Public-Key Cryptography in Wireless Sensor Network
 
Data Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill CipherData Encryption and Decryption using Hill Cipher
Data Encryption and Decryption using Hill Cipher
 
Design of Hybrid Cryptography Algorithm for Secure Communication
Design of Hybrid Cryptography Algorithm for Secure CommunicationDesign of Hybrid Cryptography Algorithm for Secure Communication
Design of Hybrid Cryptography Algorithm for Secure Communication
 
Cryptographic lifecycle security training
Cryptographic lifecycle security trainingCryptographic lifecycle security training
Cryptographic lifecycle security training
 
IEEE Projects 2012-2013 Network Security
IEEE Projects 2012-2013 Network SecurityIEEE Projects 2012-2013 Network Security
IEEE Projects 2012-2013 Network Security
 
Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...
Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...
Network security java ieee projects 2012 @ Seabirds ( Trichy, Pudukkottai, Ta...
 
Quantum computing
Quantum computingQuantum computing
Quantum computing
 
A Trust Conscious Secure Route Data Communication in MANETS
A Trust Conscious Secure Route Data Communication in MANETSA Trust Conscious Secure Route Data Communication in MANETS
A Trust Conscious Secure Route Data Communication in MANETS
 
Three Party Authenticated Key Distribution using Quantum Cryptography
Three Party Authenticated Key Distribution using Quantum CryptographyThree Party Authenticated Key Distribution using Quantum Cryptography
Three Party Authenticated Key Distribution using Quantum Cryptography
 
M dgx mde0mdm=
M dgx mde0mdm=M dgx mde0mdm=
M dgx mde0mdm=
 
Survey of universal authentication protocol for mobile communication
Survey of universal authentication protocol for mobile communicationSurvey of universal authentication protocol for mobile communication
Survey of universal authentication protocol for mobile communication
 
Evolving Fast Fourier Transform and Deoxyribonucleic Acid for Security of RFI...
Evolving Fast Fourier Transform and Deoxyribonucleic Acid for Security of RFI...Evolving Fast Fourier Transform and Deoxyribonucleic Acid for Security of RFI...
Evolving Fast Fourier Transform and Deoxyribonucleic Acid for Security of RFI...
 

Viewers also liked

In the Wake of Ashley Madison - Jim Salter
In the Wake of Ashley Madison - Jim SalterIn the Wake of Ashley Madison - Jim Salter
In the Wake of Ashley Madison - Jim SalterIT-oLogy
 
Додаток 9
Додаток 9Додаток 9
Додаток 9270479
 
Curriculum_Vitae_Mark_Ebbert-modern
Curriculum_Vitae_Mark_Ebbert-modernCurriculum_Vitae_Mark_Ebbert-modern
Curriculum_Vitae_Mark_Ebbert-modernMark Ebbert
 
ID Theft: What You Need to Know - Juliana Harris
ID Theft: What You Need to Know - Juliana HarrisID Theft: What You Need to Know - Juliana Harris
ID Theft: What You Need to Know - Juliana HarrisIT-oLogy
 
Kim lynchresume july2016
Kim lynchresume july2016Kim lynchresume july2016
Kim lynchresume july2016Kim Lynch
 
Biffy clyro magazine advertisment analysis
Biffy clyro magazine advertisment analysisBiffy clyro magazine advertisment analysis
Biffy clyro magazine advertisment analysisannabellehussey
 
ทันตกรรมจัดฟัน
ทันตกรรมจัดฟัน ทันตกรรมจัดฟัน
ทันตกรรมจัดฟัน OporfunJubJub
 
Досвід роботи вчителя Нечипоренка Г.М.
Досвід роботи вчителя Нечипоренка Г.М.Досвід роботи вчителя Нечипоренка Г.М.
Досвід роботи вчителя Нечипоренка Г.М.school-2
 
Конспекти уроків
Конспекти уроківКонспекти уроків
Конспекти уроківNila Luchkova
 
National Cyber Security Awareness Month - Michael Kaiser
National Cyber Security Awareness Month - Michael KaiserNational Cyber Security Awareness Month - Michael Kaiser
National Cyber Security Awareness Month - Michael KaiserIT-oLogy
 
Electronic comunication sysytem
Electronic comunication sysytemElectronic comunication sysytem
Electronic comunication sysytemDamion Lawrence
 
Praticas clinicas doc final
Praticas clinicas doc finalPraticas clinicas doc final
Praticas clinicas doc finalBodylogistic
 

Viewers also liked (18)

In the Wake of Ashley Madison - Jim Salter
In the Wake of Ashley Madison - Jim SalterIn the Wake of Ashley Madison - Jim Salter
In the Wake of Ashley Madison - Jim Salter
 
Додаток 9
Додаток 9Додаток 9
Додаток 9
 
Curriculum_Vitae_Mark_Ebbert-modern
Curriculum_Vitae_Mark_Ebbert-modernCurriculum_Vitae_Mark_Ebbert-modern
Curriculum_Vitae_Mark_Ebbert-modern
 
ID Theft: What You Need to Know - Juliana Harris
ID Theft: What You Need to Know - Juliana HarrisID Theft: What You Need to Know - Juliana Harris
ID Theft: What You Need to Know - Juliana Harris
 
Урок 17
Урок 17Урок 17
Урок 17
 
День Влюбленных
 День Влюбленных День Влюбленных
День Влюбленных
 
presentation
presentationpresentation
presentation
 
Kim lynchresume july2016
Kim lynchresume july2016Kim lynchresume july2016
Kim lynchresume july2016
 
Présentation ESS
Présentation ESSPrésentation ESS
Présentation ESS
 
Biffy clyro magazine advertisment analysis
Biffy clyro magazine advertisment analysisBiffy clyro magazine advertisment analysis
Biffy clyro magazine advertisment analysis
 
ทันตกรรมจัดฟัน
ทันตกรรมจัดฟัน ทันตกรรมจัดฟัน
ทันตกรรมจัดฟัน
 
Досвід роботи вчителя Нечипоренка Г.М.
Досвід роботи вчителя Нечипоренка Г.М.Досвід роботи вчителя Нечипоренка Г.М.
Досвід роботи вчителя Нечипоренка Г.М.
 
Конспекти уроків
Конспекти уроківКонспекти уроків
Конспекти уроків
 
National Cyber Security Awareness Month - Michael Kaiser
National Cyber Security Awareness Month - Michael KaiserNational Cyber Security Awareness Month - Michael Kaiser
National Cyber Security Awareness Month - Michael Kaiser
 
Electronic comunication sysytem
Electronic comunication sysytemElectronic comunication sysytem
Electronic comunication sysytem
 
ДЕНЬ РIДНОЇ МОВИ
 ДЕНЬ РIДНОЇ МОВИ ДЕНЬ РIДНОЇ МОВИ
ДЕНЬ РIДНОЇ МОВИ
 
Praticas clinicas doc final
Praticas clinicas doc finalPraticas clinicas doc final
Praticas clinicas doc final
 
Prisão de luxo!
Prisão de luxo!Prisão de luxo!
Prisão de luxo!
 

Similar to Antony's Final Draft v7

Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Dr. Amarjeet Singh
 
Living in the Jungle: Legitimate users in Legitimate Insecure Wireless Networks
Living in the Jungle: Legitimate users in Legitimate Insecure Wireless NetworksLiving in the Jungle: Legitimate users in Legitimate Insecure Wireless Networks
Living in the Jungle: Legitimate users in Legitimate Insecure Wireless NetworksChema Alonso
 
A comparitive analysis of wireless security protocols (wep and wpa2)
A comparitive analysis of wireless security protocols (wep and wpa2)A comparitive analysis of wireless security protocols (wep and wpa2)
A comparitive analysis of wireless security protocols (wep and wpa2)pijans
 
Evaluation of Enhanced Security Solutions in 802.11-Based Networks
Evaluation of Enhanced Security Solutions in 802.11-Based NetworksEvaluation of Enhanced Security Solutions in 802.11-Based Networks
Evaluation of Enhanced Security Solutions in 802.11-Based NetworksIJNSA Journal
 
Evaluation of enhanced security solutions in
Evaluation of enhanced security solutions inEvaluation of enhanced security solutions in
Evaluation of enhanced security solutions inIJNSA Journal
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedIRJET Journal
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSreekanth GS
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11bguestd7b627
 
A Comparative Research on SSL VPN and IPSec VPN
A Comparative Research on SSL VPN and IPSec VPNA Comparative Research on SSL VPN and IPSec VPN
A Comparative Research on SSL VPN and IPSec VPNijtsrd
 
Security And Privacy Issues Of Iots
Security And Privacy Issues Of IotsSecurity And Privacy Issues Of Iots
Security And Privacy Issues Of IotsSamantha Randall
 
謝續平
謝續平謝續平
謝續平9577601
 
Security Analysis and Improvement for IEEE 802.11i
Security Analysis and Improvement for IEEE 802.11iSecurity Analysis and Improvement for IEEE 802.11i
Security Analysis and Improvement for IEEE 802.11iinventionjournals
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperShakas Technologies
 
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)chhoup
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Nt1310 Unit 6 Powerpoint
Nt1310 Unit 6 PowerpointNt1310 Unit 6 Powerpoint
Nt1310 Unit 6 PowerpointJanet Robinson
 

Similar to Antony's Final Draft v7 (20)

Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
 
Living in the Jungle: Legitimate users in Legitimate Insecure Wireless Networks
Living in the Jungle: Legitimate users in Legitimate Insecure Wireless NetworksLiving in the Jungle: Legitimate users in Legitimate Insecure Wireless Networks
Living in the Jungle: Legitimate users in Legitimate Insecure Wireless Networks
 
A comparitive analysis of wireless security protocols (wep and wpa2)
A comparitive analysis of wireless security protocols (wep and wpa2)A comparitive analysis of wireless security protocols (wep and wpa2)
A comparitive analysis of wireless security protocols (wep and wpa2)
 
Evaluation of Enhanced Security Solutions in 802.11-Based Networks
Evaluation of Enhanced Security Solutions in 802.11-Based NetworksEvaluation of Enhanced Security Solutions in 802.11-Based Networks
Evaluation of Enhanced Security Solutions in 802.11-Based Networks
 
Evaluation of enhanced security solutions in
Evaluation of enhanced security solutions inEvaluation of enhanced security solutions in
Evaluation of enhanced security solutions in
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be Jeopardized
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11b
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11b
 
A Comparative Research on SSL VPN and IPSec VPN
A Comparative Research on SSL VPN and IPSec VPNA Comparative Research on SSL VPN and IPSec VPN
A Comparative Research on SSL VPN and IPSec VPN
 
Security And Privacy Issues Of Iots
Security And Privacy Issues Of IotsSecurity And Privacy Issues Of Iots
Security And Privacy Issues Of Iots
 
謝續平
謝續平謝續平
謝續平
 
Security Analysis and Improvement for IEEE 802.11i
Security Analysis and Improvement for IEEE 802.11iSecurity Analysis and Improvement for IEEE 802.11i
Security Analysis and Improvement for IEEE 802.11i
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
Ten new topics on security+ 2011 (sy0 301) (domain 1.0 network security)
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
Pro Viva Emmanuel
Pro Viva EmmanuelPro Viva Emmanuel
Pro Viva Emmanuel
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Nt1310 Unit 6 Powerpoint
Nt1310 Unit 6 PowerpointNt1310 Unit 6 Powerpoint
Nt1310 Unit 6 Powerpoint
 
VPN
VPNVPN
VPN
 

Antony's Final Draft v7

  • 1. Antony Law Matric No: S1125113 Honours Research and Project Methods (MHG405279) Module Leader: Brian Shields Final Honours Project Report A Comparison Study of Simple to Complex Passwords Implementation in WLANs Security Framework Project Supervisor: Dr. Ali Shahrabi Second Marker: Iain Lambie Submitted for the Degree of BEng (Hons) Network Systems Engineering 2015-2016 “Except where explicitly stated all work in this document is my own” Signed: Date:
  • 2. ii Abstract The 802.11 standard allows for wireless communication by transmitting data through the air. This offers great flexibility and ease of installations as compared to wired networks. However, propagated radio signals are not confined, allowing interception of data to be easily achieved. This leads to an unsecure data transmission. Thus, Wired Equivalent Privacy (WEP) protocol was initially developed to achieve data confidentiality, integrity and authorisation. Later, flaws were discovered, which lead to the creation of Wi-Fi Protected Access (WPA), and finally, 802.11i protocol, to provide secure wireless communication. WPA and 802.11i is “password” protected, and is used to authenticate a client. Furthermore this makes WPA and 802.11i vulnerable against a “brute-force” or a “dictionary” attack, and the attack is only successful if a client is associated with the AP or router of the target network. The aim of this project is to evaluate the impact between “simple” and “complex” passwords implemented into WPA and 802.11i, to determine which is most resistant to cryptanalyze. This experimental project will be conducted in a lab environment to ascertain this information, and either a brute-force or dictionary attack will be launched through the oclHashcat program against the simple to complex passwords. Password scenarios created must meet the factors ease of use and memorability to simulate as closely as possible to real- life scenario, and two dissimilar password strength meters (My1login and The Password Strength Meter) is also used to validate the password scenarios into simple or complex category. The metrics of interest are success and failure of the attack, along with the recorded time of success only, to establish the variance in security level provided by simple and complex passwords. 
In addition, “Aircrack-ng” program supplied by Kali Linux OS will be used to capture the four-way handshake packets to distinguish any differences, if any, between both protocols (WPA and 802.11i). In previous studies, it is identified that increasing the password length to be more secure, than creating meaningless password with a mixture of characters. Increasing password length achieves memorability and usability without decreasing security. Complex passwords are more secure than simple passwords, but the success of password cracking is subjective, due to the hacker’s intelligence and wordlist applied. The outcome of this experiment emphasises the importance of user awareness in selecting passwords and protocols. Most importantly, I.T specialists and general users can benefit in creating an educated password to provide a satisfactory level of security under their control.
  • 3. iii Acknowledgments I would like to thank my family and friends for the consistent support throughout the development of my Honours project report. In addition, I appreciate the time my supervisor offered me to regularly monitor my work and kept me in the correct direction.
  • 4. iv Acronym Wi-Fi – Wireless Fidelity WEP – Wired Equivalent Protocol WPA – WiFi Protected Access OS – Operating System IEEE – Institute of Electronics and Electrical Engineers WLAN – Wireless Local Area Network ICV – Integrity Check Value IV – Initialisation Vector RC4 – Rivest Cipher 4 WAP – Wireless Access Point XOR – Exclusive OR TKIP – Temporal Key Integrity Protocol PSK – Pre-Shared Key MIC – Message Integrity Check RSN – Robust Secure Network EAP – Extensible Authentication Protocol AES – Advanced Encryption Protocol RADIUS – Remote Authentication Dial-In User IPv4 – Internet Protocol Version 4 CPU – Central Processing Unit GPU – Graphics Processing Unit PMK – Pairwise Master Key HMAC – Hash Media Access Control SHA – Secure Hashing Algorithm LEAP – Lightweight Extensible Authentication Protocol TTLS –Tunnel Transport Layer Security PEAP – Protected Extensible Authentication Protocol FAST – Flexible Authentication Secure MD5 – Message-Digest 5 OTP – One-time Password NIST – National Institute of Standards and Technology
  • 5. v SSID – Service Set Identifier WNIC – Wireless Network Interface Card ISO – International Organisation for Standardisation CD-ROM – Compact Disc Read-Only Memory CLI – Command Line Interface GUI – Graphical User Interface
  • 6. vi Table of Contents Chapter 1 ..................................................................................................................................1 Introduction..............................................................................................................................1 1.1 Project Background..........................................................................................................1 1.2 Project Outline & Research Question..............................................................................3 1.2.1 Project Method..........................................................................................................4 1.2.2 Research Question.....................................................................................................4 1.2.3 Objectives..................................................................................................................4 1.2.4 Hypotheses................................................................................................................6 1.3 Report Structure ...............................................................................................................7 1.3.1 Literature Review......................................................................................................7 1.3.2 Methodology.............................................................................................................7 1.3.3 Results.......................................................................................................................7 1.3.4 Final Discussion & Conclusions...............................................................................8 Chapter 2 ..................................................................................................................................9 2. 
Literature Review ................................................................................................................9 2.1 Wireless Local Area Networks (WLANs).......................................................................9 2.2 Wireless Security Human Factors and Technical Factors .............................................10 2.3 WEP Weaknesses...........................................................................................................11 2.4 WPA and WPA2 (802.11i) Encryption Technique........................................................11 2.4.1 802.11i Authentication (EAP) ................................................................................12 2.5 Capturing Four-way Handshake ....................................................................................12 2.5.1 Security Level Rollback Attack ..............................................................................13 3 Passwords.............................................................................................................................14 3.1 User Password Creation.................................................................................................14 3.1.1 Potential Password Combinations (Simple to Complex Passwords) ......................15 3.1.2 Mnemonic Password VS Regular Passwords .........................................................15 3.2. Password Meters ...........................................................................................................16 3.2.1 Measurement of Password Strength........................................................................16 3.3 Alternative Password Cracking Methods.......................................................................17 Chapter 4 ................................................................................................................................19 4. 
Methodology ... 19
4.1 Primary Research Method ... 19
4.2 Intended Experiment ... 20
4.2.1 Construction and Configuration of Topology ... 20
4.2.2 Implementation ... 23
4.2.3 Password Scenarios (Test Data) ... 26
4.2.4 Password Cracking Approach ... 28
5. Results ... 33
5.1 Four-Way Handshake (Data) Packets ... 33
5.1.1 Comparison between WPA and WPA2 Data Captured ... 34
5.1.2 Simple Password Scenarios VS Complex Password Scenarios Implemented in WPA and WPA2 ... 35
5.2 Variance of Security Due to Simple and Complex Password Scenarios ... 38
5.2.1 Comparison between Simple and Complex Passwords Implemented in WPA and WPA2 ... 38
5.2.2 Comparison between WPA and WPA2 Protocols against Simple to Complex Passwords ... 40
Chapter 6 ... 42
6. Final Discussion and Conclusions ... 42
6.1 Summary of Project ... 42
6.2 Discussion of Results ... 43
6.2.1 Research Question Findings & Hypotheses ... 43
6.2.2 Limitations and Further Works ... 45
6.2.3 Advantages ... 46
6.4 Conclusions Remark ... 46
References ... 48
Additional Bibliography ... 53
List of Figures

Figure 2.1 Hashing Process ... 12
Figure 2.2 Deauthentication Attack ... 13
Figure 4.1 Experimental Topology ... 21
Figure 4.3 Launching Dictionary-Based Attack ... 29
Figure 4.4 Local Telephone Mask and Brute-Force Attack Configurations ... 30
Figure 4.5 Possible Permutation Based on Typical Passphrase "Password" ... 31
Figure 4.6 Rule-Based Attack ... 32
Figure 4.7 Rule-Based Total Time Estimated to be Run ... 32
Figure 5.1 Data Packets Captured in WPA and WPA2 with Simple Password Scenarios Implemented ... 34
Figure 5.2 Data Packets Captured in WPA and WPA2 with Complex Password Scenarios Implemented ... 34
Figure 5.3 Data Packets Captured in WPA-PSK against Simple and Complex Password Scenarios Implemented ... 35
Figure 5.4 Data Packets Captured in WPA2-PSK against Simple and Complex Password Scenarios Implemented ... 36
Figure 5.5 Comparison between Tsitroulis (2014) Summarised Results and WPA2-PSK Complex Password Scenarios of Averaged Data Packets Captured ... 37
Figure 5.6 Success and Failure Rate of Simple and Complex Password Scenarios Implemented in WPA-PSK + TKIP ... 38
Figure 5.7 Success and Failure Rate of Simple and Complex Password Scenarios Implemented in WPA2-PSK + AES ... 39
Figure 5.8 Comparison between WPA and WPA2 with Simple Password Scenarios Implemented ... 40
Figure 5.9 Comparison between WPA and WPA2 with Complex Password Scenarios Implemented ... 41
List of Tables

Table 4.1 Assigned IPv4 Addresses ... 22
Table 4.2 Test Data: Simple and Complex Passwords ... 27
Chapter 1

Introduction

This section provides an overview of the research area. Wireless networks have become ubiquitous because of their advantages; however, their security was commonly ignored for the sake of convenience, which became a drawback. This motivated the development of wireless encryption protocols to provide wireless security, and it raises the question of how human factors influence the level of security of a wireless network. Human factors are therefore a fundamental aspect to consider.

1.1 Project Background

In 1997, the Institute of Electrical and Electronics Engineers (IEEE) devised the 802.11 standard, which achieved wireless network communication in a Local Area Network (LAN), known as a Wireless LAN (WLAN), without the need for wired connections between devices. Kumar et al. (2012) indicated that WLAN communication operates on the unlicensed frequency bands of 2.4 GHz, 3.6 GHz and 5 GHz. Similarly, Li and Garuba (2008) stated the advantages offered, including (but not limited to) mobility and ease of installation. A recent study illustrated the exponential growth of the WLAN market for both consumers and enterprises due to the advanced wireless standard 802.11ac, which offers enhanced performance (Worldwide WLAN Market Shows Continued Growth in Second Quarter of 2014, According to IDC; International Data Corporation, 2014). Furthermore, this encouraged the number of unique Wi-Fi networks recorded between 1 February 2014 and 3 February 2015 to grow by 41.8% (https://wigle.net/stats, 2010). This implies that the demand for WLAN technology is substantial, and a study conducted by Zhang et al. (2012) identified WLAN technology as necessary in day-to-day work activities. On the other hand, Bulbul et al. (2008) emphasised the security concern that radio transmissions can be intercepted by a hacker. Thus, the WEP protocol was introduced in order to provide a level of security equivalent to wired networks.

Borisov et al. (2001) suggested that this protocol would closely match the security of a wired network, with the aim of providing confidentiality and integrity of data against hackers. The working of WEP was discussed by Kumkar et al. (2012), who demonstrated how these goals are met. Firstly, the plaintext to be transmitted is appended with the Integrity Check Value (ICV), in order to ensure that the data is not altered. Secondly, a key stream is required for data encryption. This key stream is produced by the RC4 (Rivest Cipher 4) algorithm from the combination of a 40-bit WEP key and a 24-bit Initialization Vector (IV), giving a 64-bit key length. Yin and Cui (2011) defined the WEP key as a password used to authenticate a user on an Access Point (AP), also available with an extended 104-bit key length. This implies that the passphrase length is limited by the key length. Lastly, the exclusive OR (XOR) Boolean operator combines the key stream with the data to generate the ciphertext, which is transmitted along with the IV. While WEP's objective was to ensure secure wireless data transmission, many flaws were discovered, which resulted in the failure to achieve its objectives (Borisov et al., 2001).

The improper use of the RC4 algorithm, the small size of the IVs and the inappropriate use of the root key make it easier for a hacker to exploit WEP. As mentioned above, the key stream is generated from the WEP key and the IV. Therefore, once a sufficient number of IVs has been captured, the plaintext can be obtained by a hacker, because the same 'root' key is used for every frame. Walker (2000) demonstrated that an extended IV size also does not provide sufficient security, because the RC4 architecture was poorly designed. Fluhrer et al. (2001) further demonstrated a successful key recovery attack on the RC4 key scheduling algorithm: as the 3-byte IV is always sent unencrypted, weak keys can be identified in order to recover the key. A study by Yin and Cui (2011) commented on the RC4 algorithm being ineffective due to its simple keys. This implies that when simple passwords are used, cryptanalysis becomes easier. Although complex passwords benefit from being more resistant to cracking, Yin and Cui (2011) further explained that they do not provide satisfactory security for users, because of the flawed architecture referred to above (the leaked IV and the same root key being reused), which allows the plaintext to be recovered. A recent study (Mavridis et al., 2011) found that organisational confidence in deploying wireless networks was influenced by WEP's insecurity. However, the Wi-Fi Alliance introduced an interim solution to address the flaws identified in WEP (Everts and Editor, 2003). This protocol, namely Wi-Fi Protected Access (WPA), was ratified in 2003 with new and improved mechanisms. Li and Garuba (2008) demonstrated how the new mechanism TKIP (Temporal Key Integrity Protocol) improves the encryption of data: it hashes the Pre-Shared Key (PSK) with an IV, and adds a Message Integrity Check (MIC, or Michael) to prevent tampering with the data.
Moreover, a 128-bit key and a 48-bit IV, which is used as a counter to prevent replay attacks, are fed into the RC4 algorithm, which produces a sequential key stream; this key stream and the data to be transmitted are combined by the XOR cipher to generate the ciphertext. Bhagyavati et al. (2004) stated that WPA is cost-effective and convenient because of its compatibility with existing WEP devices, requiring only a firmware update. In contrast, Bhagyavati et al. (2004) also identified a drawback of WPA: the use of simple passwords chosen by users. In addition, Moskowitz (2003) noted that dictionary or brute-force attacks can be launched offline. Consequently, once hackers have obtained the password files they can attempt to recover the passwords at their leisure, with no limit on attempts or time. In an "online" attack, by contrast, hackers may be limited to a number of attempts if password "lock-outs" have been implemented as a security measure (Han, Wong & Chao, 2014).

Altunbasak et al. (2004) introduced IEEE 802.11i (WPA2) with a discussion of the mechanisms in place. 802.11i comprises an upgraded architecture, the Robust Secure Network (RSN), utilising 802.1x, the Extensible Authentication Protocol (EAP) and the Advanced Encryption Standard (AES) as a secure authentication and key management technique, performing the "four-way handshake" (Yin and Cui, 2011). Shao et al. (2010) and Mavridis et al. (2011) clarified that existing old WEP equipment needs to be upgraded, because the demands on computational resources are intensive. Kumar et al. (2012) defined the two available modes of WPA and WPA2: PSK and Enterprise. Firstly, PSK is suitable for personal use or small organisations (SOHO, Small Office Home Office): a user is granted access with a valid key (passphrase), which is compared with the key stored on the Access Point (AP). Secondly, Maple et al. (2006) described in detail how Enterprise mode is used. EAP is typically utilised by large enterprises and requires a remote server, typically a Remote Authentication Dial-In User Service (RADIUS) server, to store the credentials of each user belonging to the enterprise; the 802.1x protocol relays the user's credentials between the AP and the remote server for (client-to-server) authentication. If the user's credentials match, access is granted. This suggests that a complex password could lead to a more secure network, as it is assumed to be more difficult to brute-force.

With security protocols continuously improving, Chen and Chang (2015) stated that WPA and WPA2 are considered to provide sufficient levels of security from a design architecture perspective. Bhagyavati et al. (2004) stated that technical factors are as important as human factors. Tsitroulis et al. (2014) further supported this statement and commented that both protocols are susceptible to traditional brute-force and dictionary attacks, as users are likely to choose weak passwords for convenience, something simple and memorable. A previous study by Shay et al. (2010) found that common passwords are typically made up of dictionary words and names. It further reported that students felt complex passwords were inconvenient but proved to be more secure, which implies that complex passwords are usable. This highlights the importance of using complex passwords to increase resistance against a successful brute-force or dictionary attack. Tsitroulis et al. (2014) emphasised that dictionary or brute-force attacks are only successful if the password is present in the wordlist. Krekan et al. (2012) noted that generating a broad wordlist requires a high demand of computational resources. However, studies by Florencio and Herley (2007) and Duggan et al. (2012) demonstrated that it is inefficient and unrealistic to test "meaningless" password candidates, taking into account the key length of 8 to 63 characters and a total number of password combinations ranging from 95^8 to 95^63. Moreover, the memory required to store such a generated wordlist is infeasible. Therefore, Krekan et al. (2013) and Chen and Chang (2015) introduced a logical and statistical approach, performed with available software such as "oclHashcat" and hardware resources such as the General Purpose Graphical Processing Unit (GPGPU), which offers enhanced performance compared with a high-end CPU. A recent study by Krekan et al. (2012) stated that approximately 77% of IT administrators do not have a computer security background. This implies that, more often than not, users are not aware of security risks. Therefore, it would be informative to conduct an experiment emphasising the effect of simple versus complex user passwords implemented in a security protocol, in order to determine which is most resistant to cryptanalysis.

1.2 Project Outline & Research Question

This section defines the research question to be answered, with justification of the motivation of this study. It includes a discussion of the project type and the project aims to be achieved, with the associated hypotheses.
1.2.1 Project Method

This project is experimental. Initial research in the field of wireless security encryption protocols identified extensive studies of the WEP encryption protocol, revealing its existing vulnerabilities (Sheldon et al., 2012). This drove the author to research further the two other available encryption protocols, WPA and WPA2. Both protocols have been shown to be susceptible to brute-force and dictionary attacks, because of the security gaps caused by users implementing weak, easy-to-guess passwords (Lashkari et al., 2009). A recent study by Chen and Chang (2015) noted the uniqueness of their project: the empirical data (encrypted password files) used were real-life passwords obtained in a public area of Taiwan. It is impractical for the author to obtain real-life passwords within the GCU campus. This encouraged the author to create realistic passwords as test data, simulating human behaviour as closely as possible by taking into account the memorability and usability factors, as Duggan et al. (2012) and Shay et al. (2010) emphasised that both factors strongly influence a user's choice of password. Therefore, this project will emphasise to all users of wireless networks that the human factor is fundamental to achieving the full security potential of WPA and WPA2. The extensive research carried out suggests that the author should conduct the study in a physical lab environment, as no previous research papers performed this experiment in a simulated environment. Simulation experiments concerning wireless security encryption protocols were identified as causing significant problems and misleading results, implying that undertaking this project through simulation modelling would be unrealistic and inaccurate (Heidemann et al., 2000).
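Section 1.2.1 sets out creating test passwords that reflect memorability and usability while still splitting into "simple" and "complex". The following added example (not part of the report, whose own categories are defined in Section 3.2) is one way to make that split mechanical: it counts the character classes a password uses, computes the size of the brute-force space that composition implies, and refuses to call a password complex when it is only a disguised dictionary word. The length and class thresholds, the substitution table and the small wordlist are assumptions chosen for illustration; "Icecream" and "Sky$kr@p3r!newy0rkc1ty%" are password scenarios quoted later in this report.

```python
"""Composition check for candidate test passwords. Added example, not the
report's own classification; thresholds and the wordlist are assumptions."""
import string

# Assumed thresholds for this illustration (the report defines its own categories in Section 3.2).
MIN_COMPLEX_LENGTH = 8
MIN_COMPLEX_CLASSES = 3

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed stand-in for a dictionary of common words and names.
COMMON_WORDS = {"password", "icecream", "sunshine", "letmein", "dragon", "qwerty"}

# Common "leet" substitutions reversed, so that P@ssw0rd is still recognised as a word.
UNLEET = str.maketrans("@$01345", "asoieas")


def classes_used(pw: str) -> set:
    """Names of the character classes that appear in pw."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in pw)}


def search_space(pw: str) -> int:
    """Number of candidates an exhaustive search over pw's length and character
    classes must consider (95^8 for an 8-character password using all four classes)."""
    alphabet = sum(len(CHAR_CLASSES[name]) for name in classes_used(pw))
    return alphabet ** len(pw)


def dictionary_core(pw: str) -> str:
    """Letters of the password after undoing substitutions, lower-cased."""
    return "".join(c for c in pw.translate(UNLEET) if c.isalpha()).lower()


def is_dictionary_based(pw: str) -> bool:
    """True when the password is a plain or lightly mangled word from the list."""
    return dictionary_core(pw) in COMMON_WORDS


def classify(pw: str) -> str:
    """'complex' only if long enough, mixing enough classes, and not a disguised
    dictionary word; composition alone is not enough (cf. Shay et al., 2010)."""
    if is_dictionary_based(pw):
        return "simple"
    if len(pw) >= MIN_COMPLEX_LENGTH and len(classes_used(pw)) >= MIN_COMPLEX_CLASSES:
        return "complex"
    return "simple"


def seconds_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust pw's search space at an assumed guess rate."""
    return search_space(pw) / guesses_per_second


if __name__ == "__main__":
    for pw in ("Icecream", "P@ssw0rd", "Sky$kr@p3r!newy0rkc1ty%"):
        print(pw, classify(pw), sorted(classes_used(pw)), search_space(pw))
```

The point the check makes is that "P@ssw0rd" satisfies a four-class composition policy yet is still a dictionary word after two substitutions, so a composition meter alone overstates its strength; the report's own meters (Section 3) are the place to compare against this.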
1.2.2 Research Question

"How does the level of resistance vary according to simple and complex passwords utilised against a brute-force or dictionary attack on a system, when implemented into the wireless security protocols WPA and WPA2 (802.11i)?"

1.2.3 Objectives

The aim of this project is to determine the level of resistance between a 'simple' and a 'complex' password implemented in a wireless access point (WAP) with two wireless security encryption protocols enabled in turn, WPA-PSK and WPA2-PSK. The metrics captured are the success or failure of the attack, along with the total time taken in successful cases only, as the basis for an analysis concluding the strength of the security provided, highlighting the effectiveness of each password and emphasising the effort required for an adversary to recover it. In addition, the results will be used for a comparative analysis to find out the effects (if any) of the choice between the two wireless encryption protocols, WPA-PSK and WPA2-PSK. In order to conduct this project, a list of primary and secondary objectives has been identified and investigated. The objectives to be answered through an extensive literature review are:
 Investigate how human factors are considered a security gap in protecting a wireless network. This will involve extensive research into the human factors which cause security gaps in the network, identifying the main issues fuelling the insecurities caused by the user, and how this project will attempt to improve human behaviour commensurate with the security level.
 Identify appropriate simple to complex passwords as test data for realistic results. Research into users' password creation will help the author identify the most suitable password-composition policies to simulate real-life user password creation, and help distinguish passwords into the appropriate category, either "simple" or "complex".
 Investigate the logical approach of using a brute-force or dictionary attack through previous literature, and identify the most efficient and suitable method for this project. Previous studies within the literature review (Tsitroulis et al., 2014) stated that "intruders are only successful in password cracking if the given password is available within the wordlist". From these studies, it is clear that the researchers adopted their own logical approach to password cracking experimentation. This should also be applicable to this project, and with the understanding and knowledge gained from the literature review, devising a logical method for this project should be attainable.

It is essential to outline the list of objectives that will be performed in order to complete the project successfully. The primary objectives are identified below:

 Construction and configuration of the topology to mimic the real-life scenario of a valid client connecting to a wireless access point.
o This will include assigning IPv4 (Internet Protocol Version 4) addresses to the WAP and the PCs, prior to connecting the PCs to the WAP.
o Installation of the penetration-testing tool, Kali Linux, on the bare metal of another dedicated physical machine.
 Implementation of the required test data.
o Test data includes simple and complex passwords.
o Perform a brute-force or dictionary attack against the test data, using a PC with a "high-speed" GPU installed. In this case a GeForce GTX 660 Ti GPU was purchased.
 Evaluate the metrics from the launched attack.
o Record all the required metrics:
 Total time of success.
 Success or failure of the attack.
o Determine the level of resistance provided by simple and complex passwords.

1.2.4 Hypotheses

H1: Complex passwords will be more resistant against a brute-force or dictionary-based attack than simple passwords implemented in the WPA and WPA2 encryption protocols.

Through the literature review the author is able to distinguish between a simple and a complex password (Section 3.2). Komanduri et al. (2011) indicated that complex passwords are more resistant to password cracking than simple passwords; for example, increasing the number of characters raises the number of combinations exponentially. Therefore, simple and complex passwords will be tested against a brute-force or dictionary attack, and the metrics total success time and success or failure of the attack can prove or disprove hypothesis H1.

H2: Complex passwords are assumed to be more resistant against password cracking than simple passwords. Therefore, more four-way handshake (data) packets are expected to be gathered from a complex password scenario than from a simple password scenario.

The experiment undertaken by Yin and Cui (2011) demonstrated that, while capturing IVs to crack the WEP encryption protocol, complex passwords required a higher number of IVs to be gathered than simple passwords. Furthermore, Tsitroulis (2014) undertook an experiment attacking the WPA2 protocol, also recording the number of data packets captured for each password scenario. However, the most complex password did not require the most packets to be captured, so the relationship is assumed to be unpredictable.
For example, the password "Icecream" required '22794' packets to be captured while the password "Sky$kr@p3r!newy0rkc1ty%" required '14761' packets, so it cannot be declared that complex passwords require more data packets to be captured. Therefore, it is of interest to prove or disprove this statement when utilising both protocols, WPA and WPA2, and the metric recorded for validation is "data packets captured".

H3: WPA+TKIP and WPA2+AES will be cracked utilising the same method. Thus, there will be no or negligible difference between the two protocols when cracking the password scenarios, simple to complex.

The WPA and WPA2 encryption protocols use two different encryption standards, TKIP and AES respectively. AES encryption demands more intensive processing power than the TKIP encryption technique; consequently, we are led to believe that deciphering the hashed password file would be more difficult against AES than against TKIP. However, Yin and Cui (2011) showed that the encryption bit size does not impact the deciphering process of WEP. Therefore, it can be predicted that AES and TKIP will have no effect on deciphering the captured four-way handshake, because the encryption bit size did not influence the cracking of WEP. The metrics recorded to validate this statement will be the success rate (%) and the total time required for successful cracks only. The total time taken for a failed attempt will not be recorded, as this has no significant value in justifying hypothesis H2, as discussed later in the report (Section 4).

1.3 Report Structure

1.3.1 Literature Review

Sections 2 and 3 of the report contain the Literature Review, which provides a better level of understanding and knowledge of the project topic area. The Literature Review is then used to "drive" the project forward and put the author in a position to perform the project experiment, from which an answer to the research question should be provided.

1.3.2 Methodology

Section 4 provides insight into how the project experiment will be conducted in order to fulfil the primary objectives listed in Section 1.2.3, and includes the following details:
 Experiment topology.
 Device information and configurations.
 Software used within the experiment (such as the penetration-testing tool).
 Simple and complex password scenarios (test data).
 Commands used and the attack launched.
The chosen methodological approach will also be justified as the most appropriate for this experiment.

1.3.3 Results

In order to present the results clearly for the reader, all findings from the experiment are presented in Section 5. The metrics are further justified with the appropriate literature to outline their significance in relation to the project.
All results are then summarised and displayed appropriately with detailed commentary discussing the meaning of each result with regard to the research question stated in Section 1.2.2, and also testing the hypotheses stated in Section 1.2.4.
1.3.4 Final Discussion & Conclusions

Further discussion of the results, and the status of the hypotheses, is included in Section 6. The final conclusions of this work are consistently contrasted with the relevant work of others to highlight any notable differences, and dissimilar findings are identified with the appropriate justification. The limitations of this work are detailed, along with the further work available to improve on the results obtained and drive the project experiment further. Finally, an overall conclusion of the project reports the value of the study.
Chapter 2

2. Literature Review

The literature review is considered an essential element of the overall project, as it provides the author with a basis of knowledge about the chosen project area. The author will undertake in-depth research of the project area to gain a deeper understanding of the related field of work and of the methodologies utilised by previous researchers. This allows the author to decide on the most appropriate methodologies for this project and how the project will be delivered, so that it is of unique value within the research area.

2.1 Wireless Local Area Networks (WLANs)

The first "wireless fidelity" (Wi-Fi) standard was released in 1999 by the IEEE Working Group (WG); this standard was 802.11a, with the capability of transferring data at up to 2 Mb/s (Megabits per second). In addition, Choi et al. (2014) conducted a study of the Wi-Fi standards, which have continually evolved with greater enhancements of three factors: "throughput", "wide-range coverage" and "ease of use". The standards available are 802.11a, b, g and n, which all operate on the unlicensed frequency bands of 2 GHz, 3.4 GHz and 5 GHz. The 802.11n standard was outstanding as it reached satisfactory data rates of up to 600 Mb/s, comparable with wired networks such as Ethernet (cable) (Choi et al., 2014). A study by Verma and Lee (2011) stated that the demand for increasing wireless speeds and usage is critical, as the bandwidth consumed by large file transfers and the streaming of HD (High Definition) video is increasing rapidly. This implied that 802.11n is insufficient to handle the high demand for data throughput, and later the IEEE 802.11ac standard was developed, exceeding data rates of 1 Gb/s (Gigabits per second) and operating on the 5 GHz frequency band, avoiding the interference of the 2.4 GHz band, which a substantial number of devices share.
Among the advantages offered, ease of installation means that devices can be connected where wired installation is not feasible, making wireless cost-effective, attractive and flexible, as users are not restricted to one location and are able to roam within the wireless coverage. Based on these advantages of wireless networks, Yin and Cui (2011) stated that companies are convinced by the convenience offered. On the other hand, Bulbul et al. (2008) noted that experts predicted security to be a major drawback, because wireless networks travel via radio signals through the air, which penetrate walls and are not confined to one area. Li and Garuba (2008) emphasised the vulnerability of wireless networks, as signals can be intercepted by a hacker with malicious intent. In contrast, a wired LAN can only be intercepted if the wired media is "tapped", which requires a hacker to be located within the infrastructure. Moreover, it is essential to illustrate the threats faced when utilising wireless networks, as "non-specialist" IT users are unaware of the severe consequences.
2.2 Wireless Security Human Factors and Technical Factors

From the paper "Wi-Fi Networks Security and Accessing Control" it was stated that current researchers are looking for authentication and encryption algorithms to ensure that defensive capabilities are in place to provide a complete security solution. This is related to the assertion by Bhagyavati et al. (2004) that technical factors are as important as human factors, implying that wireless security encryption can only be used to its full potential if users implement it appropriately. In addition, as researchers continuously seek advances in the technical aspects of security, Choi et al. (2014) emphasised that usability should be taken into account, and that training or education must be provided when necessary, to ensure that human factors are commensurate with technical factors and that best security practices are adhered to. A study by Li and Garuba (2008) identified that home users of WLANs do not configure wireless encryption protocols, implying that users may not have the technical knowledge to implement these security measures or awareness of malicious threats. This is unacceptable: as the use of e-commerce and e-services continually rises, users must be made aware of the potential risks to their sensitive data. Moreover, Bishop and Klein (1995) further reported that users who consider their system free from sensitive information believe it does not require security. However, the advancement of wireless technologies has improved their usability to encourage users to apply appropriate security measures when necessary; this should be exploited to prevent successful attacks and, most importantly, hackers' capabilities should not be underestimated.
Li and Garuba (2008) stated that although new, enhanced wireless encryption protocols are being made available to the public, a survey conducted in San Francisco of 421 client cards and 2287 access points used in business networks found 35% of the networks to be insecure, with AP values remaining at their defaults (AirDefence, 2008). Furthermore, the research revealed that wireless networks in the city of New York are significantly weak: 40% of business networks were found to be unprotected and 31% displayed default values (Li and Garuba, 2008). Moreover, Lorente et al. (2015) found that Dutch users considered the default passwords configured on their routers to be secure. The study also outlined that WPA2 passwords generated from weak algorithms are insecure, as an intruder who knows the same algorithm can compute the default WPA2 passwords. The results also showed that vendors supplying the same router make only minor modifications to their passwords. Therefore, routers worldwide are considered vulnerable to password recovery attacks. This suggests that notification of such security vulnerabilities would be beneficial for all wireless network users. It can be declared that the continuous evolution of wireless technology will encourage the public to deploy it, and it will become part of their daily activities. On the other hand, as wireless threats are also advancing, general IT users and security experts should be made aware of the importance of wireless security, which should not be ignored. Furthermore, users are deemed to be the biggest security gap, and it is evident from the discussion above that security training or education should be delivered to ensure users are capable of implementing adequate security measures.
2.3 WEP Weaknesses

A study by Arora et al. (2012) illustrated that the WEP encryption protocol can be easily and quickly exploited by an inexperienced user. For example, for an AP sending packets of 1500 bytes with a data throughput (bandwidth) of 5 Mb/s, the limited number of IVs available will quickly be reused, allowing a hacker to obtain the secret key without effort. Furthermore, with the latest version, 802.11ac, achieving data rates over 1 Gb/s, IVs will be reused almost instantly. This implies that WEP is essentially insecure and should not be used, as it provides an inadequate level of security. Yin and Cui (2011) also supported that WEP is proven to be obsolete and insecure, but is still commonly used. From the discussion above, it can be assumed that WEP can be quickly exploited because of its flawed architecture and its inability to provide desirable security in conjunction with the latest wireless version available. Kumkar et al. (2012) demonstrated a technique used to accelerate the capture of valuable IVs, called "injection". Yin and Cui (2011) described the injection technique, defined as the "ARP Request Replay Attack". Firstly, the intruder must capture a valid ARP request packet sent from a valid client when attempting to authenticate. Secondly, the intruder re-sends the captured request packets to the AP. Lastly, the AP, which receives the request packets, replies to the client, generating valuable IVs. In addition, the researchers utilised the tool "Aircrack", which is provided within the Backtrack4-rc OS. This further supports the statement by Walker (2000) that extending the IV bit size does not provide a satisfactory level of security, as it is demonstrated that within a period of time the key can be obtained.
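To make the IV problem described in Section 1.1 and above concrete, the following added example (not code from the report) implements a toy RC4/WEP framing in Python and shows what a passive observer learns when the 24-bit IV repeats under the same root key: the two key streams cancel, and the XOR of the two plaintexts is exposed without any knowledge of the key, which is why the size of the IV space, not the key length, bounds WEP's confidentiality. It also computes how long a sequential IV counter takes to wrap under the 5 Mb/s, 1500-byte conditions quoted above. The root key, IV and frame contents are constructed sample values, and the ICV byte order is a simplification.

```python
"""WEP key-stream reuse: why a 24-bit IV over a shared root key leaks plaintext.
Added example with a toy RC4/WEP framing; not code from the report."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA: emit key-stream bytes
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the IV is sent in the clear, then RC4(IV || root_key) is
    applied to plaintext || ICV, where the ICV is a CRC-32 of the plaintext."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    icv = zlib.crc32(plaintext).to_bytes(4, "little")   # byte order simplified
    keystream = rc4_keystream(iv + root_key, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)


def wep_decrypt(root_key: bytes, frame: bytes) -> bytes:
    """Receiver side: rebuild the key stream from the clear IV and check the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + root_key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_reuse_leak(frame1: bytes, frame2: bytes):
    """What a passive observer learns from two frames. If the IVs match, the key
    streams are identical and cancel: c1 XOR c2 == p1 XOR p2, with no key needed.
    Returns (same_iv, xor_of_ciphertext_bodies)."""
    same_iv = frame1[:3] == frame2[:3]
    n = min(len(frame1), len(frame2)) - 3
    return same_iv, xor(frame1[3:3 + n], frame2[3:3 + n])


def iv_exhaustion_seconds(link_bps: float, packet_bytes: int, iv_bits: int = 24) -> float:
    """Seconds until a sequential IV counter wraps on a saturated link. Section 2.3's
    5 Mb/s, 1500-byte case gives about 11 hours; randomly chosen IVs repeat far
    sooner, after roughly sqrt(2^24) frames, by the birthday bound."""
    packets_per_second = link_bps / (packet_bytes * 8)
    return (2 ** iv_bits) / packets_per_second


# Constructed sample values (not from the report): a 40-bit root key and two frames.
ROOT_KEY = bytes.fromhex("0102030405")
IV = b"\x00\x00\x01"
P1 = b"GET /index.html "
P2 = b"POST /login.php "


def demo():
    """Encrypt two frames under one IV and confirm the plaintext XOR is exposed."""
    f1 = wep_encrypt(ROOT_KEY, IV, P1)
    f2 = wep_encrypt(ROOT_KEY, IV, P2)       # same IV: key stream reused
    same_iv, leak = keystream_reuse_leak(f1, f2)
    return same_iv, leak[:len(P1)] == xor(P1, P2)


if __name__ == "__main__":
    print(demo())
    print(round(iv_exhaustion_seconds(5_000_000, 1500) / 3600, 1), "hours to wrap the IV counter")
```

The RC4 routine is checked against the published "Key" test vector so the toy matches the real cipher; everything above the key-stream layer (frame layout, ICV handling) is deliberately minimal and only as faithful as the point requires.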
Throughout this discussion it can be gathered that WEP is indeed insecure, and the general public of IT users should be made aware of this in order to encourage them to implement the most efficient up-to-date encryption protocol available (WPA2) and to enforce a suitable security policy ensuring that feasible security practices are followed.

2.4 WPA and WPA2 (802.11i) Encryption Technique

Spector and Ginzberg (1994) defined encryption as a one-way function. Hence, even with knowledge of the encryption scheme, an intruder must encrypt the correct password candidate (Pairwise Master Key, PMK) to generate the matching hash value. This implies the advantage of the new encryption scheme compared with WEP.

Figure 2.1: Hashing Process (Krekan et al., 2012, p. 11).
Findings from Tsitroulis et al. (2014) and Arora et al. (2012) confirmed WPA and WPA2 to be the most secure protocols at present. However, they were also illustrated as being vulnerable to a brute-force or dictionary attack. A further study by Krekan et al. (2012) defined two techniques that will either delay or prevent the success of a brute-force or dictionary attack. Firstly, taking advantage of the maximum password length allowed results in a high demand on resources, which an average CPU or GPU may be incapable of processing. Secondly, the hashing process of the PSK (4096 iterations of HMAC-SHA1) increases the workload for the processor. Chen and Chang (2015) also indicated the inefficiency of password cracking using the traditional brute-force method, as the encryption mechanism of WPA and WPA2 is highly secure and the computational power required can be intensive.

2.4.1 802.11i Authentication (EAP)

WPA and 802.11i are available in two modes, PSK and Enterprise. Enterprise mode requires an external authentication server, which is responsible for managing the organisation's user credentials (Maple et al., 2006). The 802.1X standard is used in conjunction with the EAP protocol to perform the authentication procedure. Furthermore, various EAP authentication types are available: MD5 (Message-Digest 5), LEAP (Lightweight Extensible Authentication Protocol), TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), TTLS (Tunnelled Transport Layer Security), and FAST (Flexible Authentication via Secure Tunnelling). Although EAP is outside the scope of this study, it is notable that MD5 and LEAP are the most vulnerable and susceptible to dictionary or brute-force attacks (Sobh, 2013).
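To make the hashing cost described in Section 2.4 concrete, the following Python is an added example (not code from this report, from oclHashcat or from any cited study) that derives the WPA/WPA2 PMK exactly as the 802.11i passphrase-to-PSK mapping does: PBKDF2 with HMAC-SHA1, 4096 iterations, the SSID as salt and a 256-bit output. The hand-written version counts HMAC invocations so the per-candidate cost is visible (two 160-bit blocks, hence 8192 HMAC-SHA1 operations per password tried), and is cross-checked against the standard library's hashlib.pbkdf2_hmac. The passphrase and SSID values are constructed for illustration only.

```python
import hashlib
import hmac
import struct

# Parameters fixed by 802.11i for the passphrase-to-PSK mapping:
# PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit PMK.
ITERATIONS = 4096
PMK_LEN = 32


def _check_passphrase(passphrase):
    # 802.11i restricts WPA/WPA2-PSK passphrases to 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return passphrase.encode("ascii")


def pmk_by_hand(passphrase, ssid, iterations=ITERATIONS, dklen=PMK_LEN):
    """PBKDF2-HMAC-SHA1 written out step by step.

    Returns (pmk, hmac_calls) so the work that must be repeated for every
    password candidate is explicit: each 20-byte block costs `iterations`
    HMAC-SHA1 computations, and a 32-byte PMK needs two blocks.
    """
    password = _check_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    derived = b""
    hmac_calls = 0
    block_index = 1
    while len(derived) < dklen:
        # U_1 = HMAC(password, salt || INT_32_BE(block_index))
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha1).digest()
        hmac_calls += 1
        t = int.from_bytes(u, "big")
        # U_n = HMAC(password, U_{n-1});  T = U_1 xor U_2 xor ... xor U_c
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            hmac_calls += 1
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(20, "big")
        block_index += 1
    return derived[:dklen], hmac_calls


def pmk_stdlib(passphrase, ssid):
    """Same derivation via the standard library, used to cross-check pmk_by_hand."""
    return hashlib.pbkdf2_hmac("sha1", _check_passphrase(passphrase),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


if __name__ == "__main__":
    # Constructed values for illustration only.
    pmk, calls = pmk_by_hand("correct horse battery", "LabNetwork")
    print("PMK:", pmk.hex())
    print("HMAC-SHA1 operations per candidate:", calls)
    # Salting with the SSID means the same passphrase yields a different PMK on a
    # differently named network, so any precomputed table is only valid per SSID.
    print("Same passphrase, other SSID:", pmk_stdlib("correct horse battery", "OtherNet").hex())
```

The 8192 HMAC-SHA1 operations per candidate are what turn a raw hash rate into the much lower "passwords per second" figures quoted for GPUs later in this report, and the SSID salt is why default or common network names weaken the scheme: they let one table serve many networks.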
2.5 Capturing Four-way Handshake

Lorente et al. (2015) stated that WPA and WPA2 perform the "four-way handshake" as an authentication method, and this is known to be the only vulnerable aspect of both protocols; however, a client must be connected or the attack cannot be achieved, because if no clients are connected the four-way handshake cannot be captured. The WPA and WPA2 protocols also allow a third party (adversary) to send a "deauthentication" request packet so that the associated client is deliberately disconnected. This is a security drawback for both protocols, and if weak passwords are implemented they can be considered weaker than the WEP protocol. In order to exploit this weakness, the intruder can impersonate the network MAC (Media Access Control) address (optional) of the device the client is connected to (router or access point) and then send a "deauthentication" packet to the valid client, causing the device to be disconnected. The disconnected client will automatically attempt to reconnect with the legitimate router or access point, performing the four-way handshake, which allows an intruder to capture the encrypted password file and recover it offline without the client knowing, as the recovery is not performed online (Han, Wong & Chao, 2014). Figure 2.2 overleaf presents a simplified version of an adversary performing the attack.
Figure 2.2: Deauthentication Attack (Lorente et al., 2015).

2.5.1 Security Level Rollback Attack

It was noted that WPA was indeed compatible with existing WEP devices (Bhagyavati et al., 2004); this was also confirmed by He and Mitchell (2005), who highlighted that the WPA architecture contains the WEP mechanism, and further demonstrated by Moen et al. (2004). During the authentication process WPA is assigned a "temporal key" (TKIP, Temporal Key Integrity Protocol) from the EAP server, which is then hashed with the 48-bit transmitter address and a 48-bit IV, producing a 128-bit WEP key and a clear-text IV used as a sequence counter; this allows the intruder to capture the leaked IVs to recover the secret key. This attack is known as the "security level rollback", which takes advantage of inappropriate user configuration in conjunction with the existing WEP mechanisms.
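The deauthentication behaviour described in Section 2.5 has a straightforward defensive counterpart: a legitimate AP sends deauthentication or disassociation frames rarely, whereas an adversary forcing a client to reconnect produces a burst of them carrying the AP's address as source. The Python below is an added example, not code from this report, that applies a per-source sliding-window count to a constructed list of management frames. The MAC addresses are those of the experiment topology in Table 4.1; the frames and their timings are invented. A rate threshold alone cannot tell a spoofed frame from a genuine one; it flags the burst for investigation.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes (frame type 0) that end an association.
DEAUTH = 12
DISASSOC = 10
BEACON = 8

# Constructed sample capture: (seconds, subtype, source, destination).
# Addresses are the AP and client of the experiment topology (Table 4.1);
# the frames and timings are invented for this example.
AP = "00:22:75:C5:95:5C"
CLIENT = "84:B1:53:CA:35:92"
BROADCAST = "FF:FF:FF:FF:FF:FF"
SAMPLE_FRAMES = [
    (0.00, BEACON, AP, BROADCAST),
    (0.10, DEAUTH, AP, CLIENT),     # an isolated deauth is normal housekeeping
    (5.00, BEACON, AP, BROADCAST),
    (9.00, DEAUTH, AP, CLIENT),     # burst: ten deauths within one second,
    (9.10, DEAUTH, AP, CLIENT),     # all with the AP's address as source
    (9.20, DEAUTH, AP, CLIENT),
    (9.30, DEAUTH, AP, CLIENT),
    (9.40, DEAUTH, AP, CLIENT),
    (9.50, DEAUTH, AP, CLIENT),
    (9.60, DEAUTH, AP, CLIENT),
    (9.70, DEAUTH, AP, CLIENT),
    (9.80, DEAUTH, AP, CLIENT),
    (9.90, DEAUTH, AP, CLIENT),
    (15.0, BEACON, AP, BROADCAST),
]


def detect_deauth_floods(frames, window=2.0, threshold=5):
    """Flag any source address that sends more than `threshold` deauthentication
    or disassociation frames within any `window`-second span.

    Frames are processed in time order with one sliding window per source, so the
    same logic runs incrementally over a live capture. One alert is raised per
    source per burst; the alert carries the span and count for the analyst.
    """
    recent = defaultdict(deque)
    alerts = []
    alerted = set()
    for ts, subtype, src, _dst in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:           # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerts.append({"source": src, "first_seen": q[0],
                           "last_seen": ts, "count": len(q)})
            alerted.add(src)
        elif len(q) <= threshold:
            alerted.discard(src)            # burst over; a later burst alerts again
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood from {alert['source']}: {alert['count']} frames "
              f"between t={alert['first_seen']}s and t={alert['last_seen']}s")
```

On the sample capture the single frame at 0.10 s passes unnoticed while the burst starting at 9.00 s is reported once, as soon as the sixth frame arrives within the two-second window. The threshold and window are tuning knobs: lower values catch slower attacks at the cost of false positives from roaming clients.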
Chapter 3

3 Passwords

Kuo et al. (2006) outlined that many researchers have developed various authentication mechanisms such as biometrics, one-time passwords (OTP) and graphical passwords. However, Zviran and Haga (1999) claimed that text-based passwords remain one of the most common authentication control mechanisms in place, as they are inexpensive and available on demand without additional hardware resources (Spector and Ginzberg, 1994). As Wi-Fi networks continue to grow, business productivity increases in terms of e-commerce and e-services that require individual users to create unique credentials to identify themselves. In addition, users often reuse passwords for multiple accounts, suggesting that if a user's password is known to a third party they may gain access to other accounts using the same credentials. Organisations often enforce password composition policies which are considered resistant to password cracking attacks; however, policies known to hackers can help an adversary create educated guesses, and if many user passwords are exploited a pattern may also be identified for future reference. As a result, the study of creating resistant passwords can be valuable not only to protect wireless networks but also personal accounts.

3.1 User Password Creation

When users are creating passwords it is important to ensure passwords are memorable and usable. Strict policies can make it difficult for users to create an acceptable password, causing frustration and disregard of the password policy (Ur et al., 2012; Yan et al., 2000).
Complex passwords are likely to be longer and to contain a mixture of uppercase, lowercase and symbols; therefore it is difficult for users to memorise such a password, and more time is required during the authentication stage as users may mistype or forget it. Komanduri et al. (2011) demonstrated that "basic16" passwords may take longer to create but are more usable than passwords containing a mixture of uppercase and lowercase letters and multiple symbols ("comprehensive"). Users will otherwise record their password on paper or electronically for future reference, to avoid losing access to a resource. It can be concluded that password complexity does not necessarily entail a mixture of symbols, uppercase and lowercase characters. With the support of this conclusion, we can neglect the use of "meaningless" special symbol characters within our test data as a criterion for classifying a complex password. However, a permutation technique discussed below involves the use of special symbol characters to aid memorability and increase complexity. Keszthelyi (2013) further supported that length is more important than the character set used, as the "exponential function" (a^x) increases far more rapidly than the "power function" (x^a), where 'a' is the length and 'x' is the character set available. Rockyou is a common wordlist discussed throughout many password cracking studies. However, the structure of its passwords had not been researched, thus Keszthelyi (2013) investigated the common patterns followed in the Rockyou wordlist, containing 14,344,391 unique passwords after clean-up. It was found
that users are likely to append digits at the end of their password. As this was concluded to be a common pattern, it is viable for the author to conduct an attack targeting this pattern. Avoiding typical patterns will increase security, and Keszthelyi (2013) recommended creating unique patterns which are meaningful to the user to aid memorability. With this evaluation of user password creation, the author is able to create realistic empirical data for testing, and also a potential approach for the password cracking experiment stage.

3.1.1 Potential Password Combinations (Simple to Complex Passwords)

It is common for users to believe that applying conditions to passwords will improve their resistance to password cracking. The typical conditions are to contain symbols, uppercase and lowercase characters, and not to be a dictionary word (Yan et al., 2000). An experiment conducted by Yan et al. (2000) outlined that users are likely to ignore the recommended conditions and choose weak passwords for convenience and memorability. However, Proctor et al. (2002) emphasised that applying the recommended restrictions does not result in significant improvement, whereas increasing the minimum password length provides a more resistant password. The experiment was based on minimum lengths of 5 and 8 characters, using the popular cracking tool John the Ripper: 33% of passwords were successfully cracked, and increasing the minimum length decreased the success rate to 17%. This implies that a password without additional conditions can be resistant if it is longer, because the computational power required is directly proportional to the increased length (95^8 to 95^63 possible password candidates (Chen and Chang, 2015)).
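The argument of Sections 3.1 and 3.1.1, that length dominates character-set size and that predictable patterns such as appended digits weaken a password whatever the policy, can be checked directly. The Python below is an added example, not code from this report or any cited study: it tests a candidate against the three composition policies named in this report (basic8, comprehensive8, basic16), computes the exhaustive keyspace of a minimally compliant password under each policy, and converts that to a worst-case search time at the 40,000 candidates per second quoted later for the Krekan et al. (2012) GPU. The sample passwords are constructed; the class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols, 95 printable ASCII in total) are standard, and the assumption that a single-class policy is met with lowercase only is the example's own.

```python
import re
import string

# Printable ASCII split into the four character classes used by composition policies.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Minimal requirements of the policies discussed above. "classes" is the number
# of distinct character classes a compliant password must contain.
POLICIES = {
    "basic8": {"min_len": 8, "classes": 1},
    "comprehensive8": {"min_len": 8, "classes": 4},
    "basic16": {"min_len": 16, "classes": 1},
}

# The Rockyou pattern discussed above: digits appended at the end.
TRAILING_DIGITS = re.compile(r"\d+$")


def classes_used(password):
    """Return the set of character classes present in `password`."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        else:
            used.add("symbol")
    return used


def keyspace(charset_size, length):
    """Candidates an exhaustive search must cover: charset^length (exponential in length)."""
    return charset_size ** length


def exhaust_years(space, candidates_per_second):
    """Worst-case time to try every candidate at the given rate, in years."""
    return space / candidates_per_second / (365 * 24 * 3600)


def policy_minimum_keyspace(policy):
    """Keyspace of a password that only just satisfies `policy`. Assumption of this
    example: a single-class policy is met with lowercase only (26 symbols), while a
    four-class policy draws from all 95 printable characters."""
    p = POLICIES[policy]
    charset = 26 if p["classes"] == 1 else sum(CLASS_SIZES.values())
    return keyspace(charset, p["min_len"])


def analyse(password, candidates_per_second=40_000):
    """Describe a candidate: classes, keyspace, search time, satisfied policies, pattern flag."""
    used = classes_used(password)
    charset = sum(CLASS_SIZES[c] for c in used)
    space = keyspace(charset, len(password))
    satisfied = [name for name, p in POLICIES.items()
                 if len(password) >= p["min_len"] and len(used) >= p["classes"]]
    return {
        "length": len(password),
        "charset": charset,
        "keyspace": space,
        "exhaust_years": exhaust_years(space, candidates_per_second),
        "policies": satisfied,
        "trailing_digits": bool(TRAILING_DIGITS.search(password)),
    }


if __name__ == "__main__":
    for name in POLICIES:
        space = policy_minimum_keyspace(name)
        print(f"{name:15s} keyspace={space:.3e} exhaust={exhaust_years(space, 40_000):.1f} years")
    for pw in ("summer2015", "Pa$5word", "correcthorsebattery"):   # constructed samples
        print(pw, analyse(pw))
```

Note that the keyspace figure is an upper bound on effort: a candidate like "summer2015" sits in a 36^10 space on paper but falls to a wordlist with appended digits long before that, which is exactly why the pattern flag matters more than the raw number.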
Increasing the length achieved increased security and memorability, as researchers Simon (1974) and Miller (1956) demonstrated that users are likely to memorise large parts of information; hence, a password of increased length also increases usability and memorability. A comparison of password-composition policies was studied by Komanduri et al. (2011); the two policies tested were "comprehensive8" and "basic16". Prior to the experiment, according to the NIST password guideline (Burr et al., 2004), comprehensive8 and basic16 were both considered to provide the same entropy. However, the results from Komanduri et al. (2011) showed that basic16 has more entropy and is more usable, contradicting the NIST statement. Komanduri et al. (2011) also noted that this measurement of entropy does not provide an accurate indication of the resistance against password cracking, and mentioned that John the Ripper is not an optimal solution for testing as it is geared to short passwords. Therefore, it would be valuable to undertake an experiment involving both password-composition policies against other password cracking techniques, to determine whether higher entropy corresponds to a more crack-resistant password.

3.1.2 Mnemonic Passwords vs Regular Passwords

In 2000, an experiment conducted by Yan et al. (2000) demonstrated mnemonic passwords to be secure. Later, in 2006, a further study of mnemonic password strength was conducted by Kuo et al. (2006), which concluded that mnemonics may not be as secure due to
the common phrases users have chosen, which allowed hackers to generate a possible mnemonic wordlist. From the above, Tsitroulis et al. (2014) stated that WPA and WPA2 are vulnerable against brute-force and dictionary attacks. However, Kuo et al. (2006) claimed that mnemonic passwords are not detected by dictionary attacks. Hence, it can be assumed that mnemonic passwords may be more resistant than regular passwords. A study conducted by Kuo et al. (2006) compared the strength of mnemonic passwords and regular passwords. Three password cracking techniques were used against the regular passwords: a basic dictionary attack, a dictionary attack with permutations and a brute-force attack, and the tool used was John the Ripper. The three techniques used for cracking the regular passwords were not appropriate for mnemonic passwords. Therefore, Kuo et al. (2006) made the assumption that users will use common phrases extracted from song lyrics, literature, movies, etc., to create passwords. This allowed the researchers to produce an appropriate "mnemonic dictionary" consisting of 400,000 words. The results illustrated mnemonic passwords to be more resistant, as the cracking rate was lower. However, the dictionary was three times smaller than that of John the Ripper, which implies that if the mnemonic wordlist had been of the same size, the results would have been more accurate and valid. Kuo et al. (2006) added that mnemonic passwords could have potential if they are not derived from common phrases that can easily be found on the internet, and also benefit from being free from dictionary attacks. This provided the author with a potential password rule that could be implemented for testing, to simulate real-life passwords.

3.2 Password Meters

Ur et al. (2012) and Schechter et al. (2010) identified the inconsistency of password strength meters deployed on various websites.
For example, yahoo.com and yahoo.co.jp would display different scores for the same password. This misleading result leads to the question, "How reliable are the available password strength meters?" Therefore, the passwords entered into password meters can be recorded and then tested against a traditional brute-force or dictionary attack, providing an approximate answer as to the accuracy of a password meter. Using the meters benefits the author by providing an indicator of a simple or complex password (the values used to distinguish between a simple and a complex password are discussed below in Chapter 4).

3.2.1 Measurement of Password Strength

Ur et al. (2012) defined the term "guessability" as resistance to a password-cracking attack, used to determine the strength of a password. To determine the strength, a guess calculator was used to identify the number of guesses required to crack the password. It was claimed that guessability provides a more accurate measurement of password strength than the common metric of entropy (Weir et al., 2010). From this, the author can distinguish which passwords are considered simple or complex and then implement them in the testing environment to determine the effects, if any, between the passwords tested. However, it is
infeasible to use this metric as a measurement because it would be carried out during our experiment. Thus, "My1Login" and "The Password Strength Meter", discussed in Chapter 4, are used to provide approximated values of the estimated time to crack and the strength of the password measured as a percentage. Although password strength meters were found to be inconsistent, two dissimilar meters are used to validate their strength. It is assumed to be difficult to distinguish between a simple and a complex password, since, as previously discussed, increasing the length of the password could provide enhanced resistance against brute-force or dictionary attacks; however, 8-character words that are contained within the dictionary will still be cracked effortlessly. In addition, it was previously mentioned by Tsitroulis et al. (2014) that attacks are only successful if the password is contained within the wordlist used by an attacker. According to this statement, enforced password policies can only provide guidance to create a unique password that is presumed less likely to be predicted by a hacker. A password can be cracked in a matter of time, dependent on the intelligence of the hacker's pre-computed wordlist. For example, Schechter et al. (2010) illustrated that proactive password measures implemented on websites are inconsistent, and passwords tested against an organisation's wordlist can only be proven secure "in-house" but cannot be proven secure against outside hackers.

3.3 Alternative Password Cracking Methods

Several studies discussed above revealed that a user's wireless device security configuration tends to remain at default. Therefore, Mavardiris et al. (2011) demonstrated a successful attack on a router displaying a default SSID, whose password was also assumed to remain at default. Consequently, the router's password format was known, eliminating impossible password candidates.
A program called "crunch" was used to generate the appropriate wordlist to be tested. This demonstration confirmed the statement made by Lorente et al. (2015) that passwords are typically left at default when the default SSID is displayed. The knowledge gained from this technique is valuable for users' awareness: when default passwords are known to others, their network can easily be "broken". Moreover, this should be emphasised further to prevent networks being put at risk, for all wireless network users at home or in large and small enterprises. Although the technique may not be ideal for the purpose of this project, the knowledge gained from building an effective (meaningful) wordlist can be of great value. A traditional password cracking attack is dictionary-based: it hashes the words within a dictionary and previously cracked passwords (wordlist) and compares them with the captured hash file until a match is found; if the wordlist does not contain the password, a program such as oclHashcat, used for our experiment, will be exhausted. However, Krekan et al. (2012) demonstrated that this was ineffective against a password formed of two concatenated words. Therefore, a brute-force attack was used with a newly developed statistical approach. The new statistical approach uses the Markov modelling technique to compute "meaningful" combinations of characters and offers additional options to speed up the cracking process (Narayanan and Shmatikov, 2005; Krekan et al., 2012). It was also previously identified in a study by Yin and Cui (2011) that the password "MyPassword" did indeed consume more time to run through the wordlist, and the dictionary-based attack was unsuccessful, as concatenation may be unpredictable for a hacker and excluded from the wordlist used. It is important to note that the time metric does not indicate the strength of the password if a
dictionary attack is launched, as this is just the time required to run through the wordlist comparing the hashed password file with the hashed wordlist candidates. The time will also vary depending on the dictionary file size and the speed of the processor. From the experiment conducted by Krekan et al. (2012), which used an ATI HD 6850 GPU providing a speed of 40,000 passwords per second, it was informative for the author to seek an adequate GPU meeting the same performance. The author purchased the GeForce GTX 660 Ti, which provides similar performance statistics, as discussed further below. Later, Krekan et al. (2013) conducted another investigation using the same statistical approach, targeting probable Slovak-language passwords, and the findings illustrated that this method was 15 times quicker at cracking 8-character passwords than common brute-force and dictionary attacks. According to Florencio and Herley (2007) and Duggan et al. (2012), it is unrealistic to test "meaningless" password candidates, as the resource utilisation will be too intensive for the password-cracking program (Krekan et al., 2012). This implies the inefficiency of using large dictionary files of meaningless passwords, as memory consumption is very high. Chen and Chang (2015) introduced a "rule-based" method which improved cracking efficiency with the aid of a GPU, achieving a 68% success rate. The unique aspect that differs from previous studies is that the empirical data used were real encrypted passwords. The findings of Chen and Chang (2015) demonstrated that realistic Wi-Fi protected passwords in use are insufficient; therefore, it would be worthwhile to conduct an experiment to emphasise the level of security between a simple and a complex password against a brute-force and dictionary attack, and to use it to raise awareness among the public and IT professionals in selecting secure, unique passwords.
Networks that are broken into can lead to major consequences if not protected with care. From the discussion of the various password cracking techniques available, a meaningful and logical approach can be formulated prior to performing the experiment. Although the rule-based approach was considered to be the most effective password cracking technique, and rules can be created to meet our specific requirements and purposes, the author's programming knowledge was too limited to create a satisfactory rule meeting our requirements. Instead, the pre-written "rules" available within the program used, which were tested to be the most effective, were also used against our testing scenarios.
Chapter 4

4. Methodology

The purpose of this section is to present further detail of the primary research used in this experiment. It will address why the primary method for this project was the most appropriate, specific details on how it will be carried out, and the future stages involved in the completion of the report.

4.1 Primary Research Method

In order to contrast the two wireless security encryption protocols WPA and WPA2, both protocols will be implemented with the same test data (simple and complex password scenarios). The time taken to recover the password, and the success or failure of each password crack, will be recorded for comparison. However, the main focus of this study is to test the resistance of a simple and a complex password against a brute-force or dictionary-based attack. Various password composition policies are followed to create a simple password and a complex password, and their resistance is compared by recording the total time taken and the success or failure of each attack. Based on the information gained in Chapter 3, Sections 3.1.1, 3.1.2, 3.2 and 3.2.1, the author will create realistic password scenarios reflecting real-world usage. All passwords created and used as test data must meet two main factors, usability and memorability, to simulate a real-life scenario as closely as possible. Section 2.5.1 discussed the exploitation of WPA, since its architecture is compatible with existing WEP devices and its mechanism involves the use of IVs. Therefore, it can be assumed that WPA is definitely more vulnerable than WPA2 and that the key will certainly be recovered, as gathering adequate IVs can be achieved, based on the Section 2.3 discussion within the literature review (Chapter 2).
Therefore, recording the data packets communicated and the total time required to capture the four-way handshake for both the WPA and WPA2 encryption protocols is necessary to determine whether the protocol influences the level of security provided, as WPA uses TKIP and WPA2 uses AES. Thus, it can be assumed that WPA2 will require more time and more data packets to be captured in order to successfully obtain the four-way handshake, because AES is more secure, and from the discussion in Section 2.5.1 it is assumed that WPA, consisting of WEP mechanisms, is easier and quicker to crack; previous researchers also emphasised that WEP could be cracked in under 60 seconds (Walker, 2000). A recent study by Chen and Chang (2015) was unique in that the empirical data collected were real user passwords, which differs from previous studies that generate a set of random passwords for testing. This study motivated researchers to also collect real encrypted password files from other countries, but this is unfortunately impracticable for the author to conduct in an Honours project. To reflect a real-life scenario as closely as possible, the study of users' attitudes in password creation, memorability and usability was a fundamental aspect to be taken into account when
creating passwords used as test data, because passwords must not only meet either a simple or a complex requirement but must be easy to use and remember, to ensure results are reliable and valid. Therefore, users' behaviour when creating passwords was researched in Section 3.1 to simulate real-life password composition policies users are likely to adhere to. Various password composition policies were followed and no particular pattern was imposed, to allow us to record a more widespread set of results for analysis and to make the audience aware that a variety of memorable and usable password composition policies are available, with no particular pattern reducing the success of a password cracking attempt.

4.2 Intended Experiment

Within this section an appropriate diagram is constructed to illustrate the topology used for this experiment, along with the necessary configurations and the test data (simple and complex passwords) that will be tested.

4.2.1 Construction and Configuration of Topology

In order to conduct this experiment a topology must be configured within a suitable environment with the appropriate equipment. The necessary equipment is:

• 2 x PC (Personal Computer) with Wireless Network Interface Card (WNIC). The valid connecting client, PC A, is represented by a laptop (Lenovo ideapad U430 touch) with its built-in WNIC, an Intel® Wireless-N 7260, used to connect to the valid AP wirelessly. The adversary, PC B, is represented by another dedicated machine running the Kali Linux OS (on the bare metal of the machine, without virtualisation) with an external WNIC adapter. TL-WN722N is the model number of the external WNIC, although the chipset "AR9271" is the fundamental aspect of the card, as it supports the promiscuous (monitor) mode discussed below, which allows us to conduct the experiment.

• 1 x WAP (Wireless Access Point) with the WPA and WPA2 encryption protocols available.
The Belkin enhanced wireless router was chosen, as it offers the WPA and WPA2 encryption protocols and can be configured to act as a WAP. In this case, the WAP functioning as an AP will not allow a client to connect to it without an IP address within the same subnet; thus client devices must be configured with an IP address within the same subnet to meet this requirement.

• 1 x PC with a GPU compatible with the oclHashcat program.
The GeForce GTX 660 Ti is the GPU selected, manufactured by NVIDIA, and the machine will run the Windows 7 OS with the essential 'ForceWare' 346.59 driver installed so that the oclHashcat program uses the installed GPU. The equipment listed will be constructed as shown in Figure 3. Computer A will act as a valid user connecting wirelessly to the Access Point (AP). Computer B will act as an adversary within the lab-based environment, which can detect and intercept the wireless communication channel between the valid user and the AP; this is achieved via the external WNIC and the programs pre-installed within Kali Linux, including the 'ath9k_htc' driver compatible with the AR9271 chipset, to monitor the wireless communication efficiently and perform the necessary attacks. Further research outwith the literature review (Mohamed and Kaplan, 2015) stated that the WNIC implemented must support monitor mode to conduct this experiment, and continued research on the Aircrack-ng suite allowed the author to conclude which WNIC to purchase. WPA and WPA2 can only be exploited if the four-way handshake is captured, as indicated in Section 2.5. In addition, the PCs provided within the lab environment have the Windows OS pre-installed. However, that OS does not provide the author with the fundamental tools required to conduct this experiment. It was concluded from the literature review (Section 2.3) that the OS used was Backtrack4-rc. From the study conducted by Vishnoi and Shrivastava (2014), the Backtrack distribution has been replaced by Kali Linux (version 2016.1 at the time of writing).
Figure 4.1: Experiment Topology (Client PC A (Lenovo laptop), Wireless Access Point, Adversary PC B (Kali Linux machine)).

Vishnoi and Shrivastava (2014) further explained that a user of Kali Linux must have root privileges in order to use the tools effectively, and that it is recommended to install it under the VirtualBox hypervisor (version 5.0.14 at the time of writing) to ensure that the execution of tasks does not affect the host machine (in terms of performance and security). Although it was suggested that Kali Linux be installed as a guest operating system under a Windows 8.1 Pro host OS, this was not followed due to the technical issues that occurred during this experiment. Firstly, the ath9k_htc driver was not found within the Kali Linux repository, which prevented the wireless chipset adapter from functioning. Secondly, the command "airmon-ng" displayed the correct driver as available, so it was assumed to operate, and the command "airmon-ng start wlan0" was used to set the WNIC into
monitor mode, which then did not operate efficiently, preventing the author from proceeding further, due to inconsistency and slow performance: the wireless networks detected were inconsistent and could only occasionally be detected (within range). This problem was researched extensively and various approaches were followed to tackle it, though none solved the issue. It was concluded through experience that the virtualisation software was unable to pass the host USB adapter through to the guest so as to operate the AR9271 chipset correctly. From the use of simulation software it was evident that the issues that occurred would result in inaccurate results, which was to be avoided so that reliable and valid results could answer the research question. An alternative approach was required, which was to "burn" the Kali Linux ISO file onto a CD-ROM and then install it on the machine as "bare metal" instead of under a hypervisor. This not only resulted in better performance, but the compatibility issues between the AR9271 chipset and the ath9k_htc driver were solved. Through the experimental set-up phase of installing the Kali Linux OS as a guest under the VirtualBox virtualisation software, it can be concluded that the statement by Heidemann et al. (2000) is confirmed: the virtualisation software used could lead to unrealistic and inaccurate results. Based on Section 3.3, it is beneficial to use GPU processing power, as the WPA and WPA2 encryption mechanisms require intensive computational power, especially WPA2 with the Advanced Encryption Standard (AES) mechanism used to hash the password; the encryption technique was previously discussed in Section 2.4, and Figure 2.1 illustrated the amount of hashing involved. The two GPUs available within the GCU laboratories are the GeForce GTX 745 and the Quadro K600, which are both compatible with the oclHashcat program running on the Windows OS.
On the other hand, password cracking is known to consume a large amount of time in practising and running the experiment. It was therefore viable to purchase a GPU in advance and install it on a machine at home, gaining more time to practise on demand. The GPU purchased was a GeForce GTX 660 Ti, which reaches the equivalent performance standard used in the study by Krekan et al. (2012), and is thus assumed to be sufficient for this project. As mentioned above, it is necessary to configure IPv4 (Internet Protocol version 4) addresses for the constructed topology (as shown in Figure 4.1). This allows association between the client devices and the AP, easier identification of each device, and ensures that devices are not connected to any external networks such as the internet, as this experiment is solely for experimental purposes and does not involve human participants; thus it does not require ethical considerations or approval. Table 4.1 outlines the IP addresses used.

Table 4.1. Assigned IPv4 Addresses.

Device                   IPv4 Address     MAC Address
Client PC A              192.168.2.64     84:B1:53:CA:35:92
Adversary PC B           192.168.2.128    48:51:B7:C9:49:81
Wireless Access Point    192.168.2.254    00:22:75:C5:95:5C
4.2.2 Implementation

To contrast the effects (if any) between the two wireless security encryption protocols WPA and WPA2, the password scenarios (simple to complex) will be tested against each protocol in turn, and different password composition policies will be implemented to determine the resistance of each password scenario against a brute-force or a dictionary-based attack. The WAP selected offers two modes relevant to this experiment: WPA-PSK + TKIP and WPA2-PSK + AES. These two modes will be enabled in turn with each password scenario implemented, and also configured on the valid clients to ensure that client and WAP are associated (Arbaugh, 2002).

The various password composition policies available are discussed in Sections 3.1.1 and 3.1.2 and will be applied when creating the different password scenarios. The common password composition policies are basic8, comprehensive8 and basic16, which give the author guidance in creating potential passwords as test data for the experiment; the author is not limited to these three policies. Moreover, the passwords created need to be distinguished between simple and complex. Hence, the discussion in Sections 3.2 and 3.2.1 demonstrated an evaluation technique to verify password strength using a password strength meter. On the other hand, it was concluded that password meters may produce inconsistencies, and thereby inaccurate feedback. To overcome this, each created password will be validated against two dissimilar password strength meters, “The Password Meter” and “My1login”, for a more reliable result and to classify each password into a suitable category. The Password Meter scores passwords from 1% to 100%, while My1login rates them by the estimated time needed to crack the password (in units of time: seconds, minutes … days, weeks, months, years etc.).
Passwords which score between 0 and 50 (%), or take less than 1 month to crack, will be defined as simple, whilst passwords which score between 50 and 100 (%), or take longer than 6 months to crack, will be deemed complex. The values indicating the strength of each password scenario are those displayed by the password strength meters; they will therefore be validated after the experiment to determine the trustworthiness and accuracy they provide, answering the question of which password strength meter is more accurate, a question outwith the research question. The score of each password will be recorded for later analysis, to determine whether password meters provide a viable evaluation of password strength, as shown in Appendix A.4.

Each password scenario will be tested in sequential order from the most simple to the most complex password, implemented in WPA-PSK (+TKIP) and WPA2-PSK (+AES) respectively. All password scenarios will be hashed by the encryption mode enabled and an encrypted hashed password file will be generated. This encrypted (password) file will be captured by the author to launch a brute-force or dictionary attack to crack the password, using the oclHashcat program. Based on the literature review, Section 2.5, a simplified diagram (Figure 2.2) illustrated the process of capturing a four-way handshake. This four-way handshake contains the encrypted password file required. As Krekan et al. (2012) stated, the encryption technique is one-way, meaning it cannot be decrypted (computed back) to the original password; the only method to crack the “hashed” password file is to encrypt the possible password candidates with the WPA or WPA2 encryption method and then compare the hashed candidate files until a “match” is found. If the password cannot be cracked, the program will run until the candidate list is exhausted.
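As an added illustration (not part of the report), the one-way derivation described above in Python: WPA/WPA2-PSK turns the passphrase into the 256-bit Pairwise Master Key (PMK) with PBKDF2-HMAC-SHA1, salted by the SSID, over 4096 iterations, so a captured handshake can only be tested candidate by candidate, never reversed. The SSID Belkin_c5955c and the test password hell0w0rld are the report's; the candidate list and the "known PMK" set-up are constructed for the example.

```python
"""Added example: why a WPA/WPA2-PSK handshake is cracked by hash-and-compare.

Standard library only. The real verifier goes one step further than this
example (it derives the PTK from the PMK, the nonces and the MAC addresses in
the handshake and re-checks the EAPOL MIC), but the PBKDF2 step shown here is
where almost all of the per-guess cost lives.
"""
import hashlib
import hmac
import time

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA-PSK / WPA2-PSK
PMK_LENGTH = 32            # 256 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).

    The passphrase must be 8..63 characters (the 8-character minimum is why
    every password in Table 4.2 is at least 8 long). The SSID is the salt, so
    the same passphrase yields a different PMK on every network name and a
    precomputed table is only valid for one SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def find_passphrase(pmk: bytes, ssid: str, candidates):
    """Dictionary-style check as the report describes it: derive the PMK for
    each candidate and compare. Returns (passphrase, guesses) on a match or
    (None, guesses) once the list is exhausted."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        try:
            derived = derive_pmk(candidate, ssid)
        except ValueError:          # shorter than 8 chars: cannot be a WPA key
            continue
        if hmac.compare_digest(derived, pmk):
            return candidate, guesses
    return None, guesses


def time_per_guess(ssid: str, samples: int = 20) -> float:
    """Seconds one CPU core spends on a single candidate (4096 HMAC-SHA1
    rounds); this per-guess cost is what the GPU in Section 4.2 amortises."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk("constructed%02d" % i, ssid)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed lab values: the report's SSID and a small wordlist fragment.
    ssid = "Belkin_c5955c"
    pmk = derive_pmk("hell0w0rld", ssid)        # stands in for a captured handshake
    wordlist = ["password", "qwerty", "hello", "crack16me", "hell0w0rld", "police999"]
    print(find_passphrase(pmk, ssid, wordlist))  # ('hell0w0rld', 5)
    print("per-guess cost on this CPU: %.4f s" % time_per_guess(ssid))
```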
The following procedure will be conducted using the adversary’s PC B to capture the four-way handshake packets containing the encrypted password file. The tools utilised are supplied within the Kali Linux OS distribution as the ‘Aircrack-ng suite’ (Kumar et al., 2012). The commands used in the CLI are:

• airmon-ng – sets the adversary’s WNIC to monitor mode, identifying which driver is appropriate, in this case ath9k_htc.

• airodump-ng – wireless networks are detected by the adversary’s WNIC; the targeted network (Belkin_c5955c) is the broadcast default SSID displayed (Appendix A.2, Figure 2.6). When the targeted network has been found, the necessary metrics such as beacons, data, channel number and MAC address are displayed. The channel number was manually configured to ‘12’ to reduce the chance of interference from other wireless networks affecting the results.

• aireplay-ng – to reduce the time taken to capture the (WPA) four-way handshake, the aireplay-ng command was used to intentionally send deauthentication packets to the valid client, which disconnects the associated client and forces them to re-authenticate by entering their password (PSK). Hence, this attack is only successful if a valid client is connected to the wireless network, because the four-way handshake must be captured before the password cracking procedure can proceed.

First, the four-way handshake (also known as the WPA handshake) is captured during the user authentication stage, when the PSK is entered. This file is captured in the ‘.cap’ format created by the Aircrack-ng suite; it is therefore necessary to convert the file to the ‘hccap’ format for the oclHashcat program to understand the captured file, which will be utilised to crack the “shadow” (encrypted) password file. Two methods can be used to achieve the conversion. Firstly, the oclHashcat official webpage offers a facility to convert the captured handshake file.
However, the file size must not exceed 5 MB (megabytes), so the second method, supplied within the Aircrack-ng suite, was used, ensuring the files remain consistent and “clean”. Secondly, the file must be cleaned (removing any unwanted excess data and reducing the file size) using the command:

• wpaclean <out.cap> <in.cap>

Lastly, the file can be converted using the command within Aircrack-ng, to ensure the file remains consistent and error free. The command used at this stage is:

• aircrack-ng -J <ConvertedFileName.hccap> <Location of the .cap File>
The converted hccap password files will be saved onto a USB memory stick (Adata 16 GB), allowing the author to conduct the password cracking process offline on the machine with the GeForce GTX 660 Ti GPU installed. Due to the limitations of the PCs within the GCU lab environment, the password cracking process will be undertaken on an “in-house” dedicated machine running Windows 7 OS with the required GPU (GeForce GTX 660 Ti) fitted, to increase the speed of the cracking process. The PC requires the correct GPU driver (ForceWare 346.59 or later, at the time of writing) for the oclHashcat program to exploit the graphics card’s capabilities. To perform the password cracking procedure, the commands will be executed on the Windows OS, and the user must run the CLI as ‘administrator’ to avoid permission interruptions.

This experiment is considered purely practical; therefore, the author will conduct further research (if necessary) on blog posts and other relevant material available on the internet to gain more experience with the CLI and its associated commands. While learning and investigating the commands and attacks available on the official hashcat website, a GUI (Graphical User Interface) for the oclHashcat program was found, written by an outsourced team named BlandyUK and recommended by various members of the hashcat forum. The hashcat GUI [1] downloaded was version 0.45b1 (at the time of writing). Before using the GUI with oclHashcat, the download (with the ForceWare 346.59 or later driver) consists of two applications, 64-bit and 32-bit, to operate the GUI. One of these must be located within the “binary” field of the program for it to be operational; the 32-bit application was chosen due to compatibility issues with Windows CLI permissions. In Figure 3 the application file can be identified at the bottom of the GUI application.
The GUI was assumed to be limited in capability compared with the CLI; it was therefore used alongside the CLI, as the GUI provides the command line of the attack, which was then modified to suit the user’s needs.

Each encrypted password file will be compared against a suitable ‘wordlist’ containing English dictionary words and a set of previously cracked passwords, as discussed in Section 3.3. The list allows a user to edit or create appropriate wordlists to increase the chance of cracking each password scenario. In addition, the hashcat GUI brute-force attack allows the user (the author) to mask specific rules to eliminate unrealistic passwords, utilising resources efficiently. Wordlists such as ‘realhuman_phill’ [2] and ‘Rockyou’ [3] can be found on the internet via a simple Google search.

Once the oclHashcat program has run, a list of metrics is displayed in the CLI window. The metrics of concern in this project are the total run time on success and the success or failure of the attack, as well as the speed at which hashed password candidates are compared, per second (the GPU speed is only noted to indicate the speed of operation, as this value does not affect the research question). Although the total run time will be recorded, this will only be recorded if the attack is successful. The reason is that the total run time depends on the size of the dictionary wordlist used until it is exhausted, and on the number of possible password combinations the user has set. This implies that recording the time metric will not indicate how strong a password is, as this varies depending on the hacker’s intelligence and the resources they implement.

Throughout the experiment, the conclusion made above in Section 3 is confirmed, that password resistance varies with the hacker’s intelligence; thus, the results cannot guarantee resistance against all hackers. On the other hand, it is worthwhile to demonstrate to general and professional IT users the possible password patterns available to increase complexity without decreasing memorability and usability, providing a more secure network.

To evaluate the comparison between the WPA and WPA2 protocols, the metric of concern is the number of “data packets captured”. In Section 2.3, it was concluded that the valuable data to be captured to crack WEP was the IVs gathered. Furthermore, it was stated in Section 2.6 that a security rollback was achievable against WPA as it utilises WEP mechanisms. As a result, it can be argued that recording the data packets required to capture the four-way handshake will distinguish the differences, if any, between the two protocols of concern, WPA and WPA2. Moreover, a packet injection attack can be launched to increase the number of IVs required to crack WEP. Although this attack cannot be used against WPA2, an alternative was used: the aireplay-ng command, to purposely send deauthentication packets to the valid client in order to capture the four-way handshake. This implies that the total time metric can vary due to the deauthentication attack launched by the attacker, and also because when a client connects to the AP is unpredictable. The time variable was not included within the results as it does not provide valuable data for answering the research question, but it is included within the appendix for additional information. All metrics will be collected in a table together with the results generated and the password strength rating (Appendix A.4) from the password meters. All results will then be ready for final evaluation.

1 https://hashkiller.co.uk/hashcat-gui.aspx
2 https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
3 https://wiki.skullsecurity.org/Passwords
4.2.3 Password Scenarios (Test Data)

Table 4.2 illustrates the password scenarios (test data) derived from Section 3 and further reading regarding user behaviour in creating and storing passwords, and the usability and memorability of various password types. All passwords chosen are assumed to be memorable and usable, as indicated by Keszthelyi (2013). During the password creation phase, the common password rule “do not contain a dictionary word” was not followed, because previous literature (Ur et al., 2012; Yan et al., 2000) emphasised that passwords of increased length are more secure than passwords subject to the conditions: must not be a dictionary word, must be a minimum of 8 characters (this was a requirement anyway, as WPA encryption requires a minimum length of 8 characters), and must contain lowercase, uppercase, digits and symbols. Therefore, this suggests that as long as the password produced met an adequate length (i.e. 10 to 12 characters) it was considered secure. Moreover, to ensure memorability and usability, dictionary words are definitely easier to remember than a mixture of characters. In addition, the results of Chen and Chang (2015) outlined the typical password patterns used, which was valuable when creating passwords to achieve memorability, simulating a real-life case study.

There are a variety of existing wordlists available consisting of dictionary words (referring to English dictionary words for the purpose of this project) and previously cracked passwords from diverse sources such as UNIX, Myspace and Facebook. This implies that using any dictionary-based word as a password is highly insecure. Therefore, for the purpose of this experiment
it is likely that a user would choose dictionary words with additional characters, meeting the “simple” password requirement while preventing straightforward dictionary attacks. Furthermore, no particular pattern was followed in creating the password scenarios, although various techniques were used, such as “permutation” (substituting ‘$’ or ‘5’ for ‘s’) and words such as ‘I’ and ‘hate’ written in slang and text-messaging style as ‘aye’ and ‘h8’ respectively. It can be concluded from Table 1 that passwords are likely to be in lowercase and include digits, and less likely to include symbols. The password ‘My_Password’ (Number 4, Simple) was similar to scenarios 2, 3, 8, 9 and 10, but included capital letters at the typical positions stated by Zviran and Haga (1999), and an underscore (‘_’) symbol was included to decrease the possibility of it being cracked. In order to produce results reflecting the real-life issue of weak password vulnerability, the password scenarios were not created merely to satisfy the simple requirement but were also chosen to be realistic. To satisfy the realistic-choice requirement, typical passwords such as ‘qwerty’, ‘abcdef’ and ‘987654321’ were all avoided, as they have previously been cracked and are also meaningless.

Table 4.2. Test Data: Simple and Complex Passwords.
     Simple password candidates     Complex password candidates
 1)  pa$5word                       1)  Shakespeare1was5born6in4Avon
 2)  crack16me                      2)  Luv2Laff
 3)  life2short                     3)  LaCPaS1KMS
 4)  My_Password                    4)  SWMEteMy$$
 5)  hell0w0rld                     5)  20Caledonian16
 6)  police999                      6)  S1125113GCU
 7)  01413313000                    7)  aye<3pb&j
 8)  ice-cream                      8)  Ipmdt@18yo
 9)  ayeh8school                    9)  P@5$W012d
10)  love&hate                     10)  protekMYwhyfi

From the comparison between the simple and complex password scenarios shown in Table 4.2, it can be concluded that the complex passwords do exhibit more complexity, such as increased length, symbols and uppercase characters; the positioning of characters is also considered unique, to assist memorability.
Furthermore, the results of Komanduri et al. (2011) concluded that passwords under the comprehensive8 composition policy were more difficult to create, but once created they remained usable, as the password confirmation rate was lower than for basic16. On the other hand, passwords which met the comprehensive8 conditions were used in conjunction with other methods such as permutation, mnemonics and “phonetic” replacements to help memorability, and Shay et al. (2010) conducted a study which emphasised that users found the usability of complex passwords inconvenient, but still used them as they provided increased security, ensuring the usability factor was met.

Password scenario 1 within the complex category was considered the most resistant, as the number of characters was high, although it was highly memorable and usable: the pattern used was memorable and did not consist of complex symbols or meaningless data, since Shakespeare was born in Avon in 1564 and each digit of that year replaces a space. Therefore, without foreknowledge of the password it was impractical to brute-force due to resource limitations. Password scenarios 7 and 8 utilised mnemonics, with the unique symbol ‘<3’ representing love within the sentence “I love peanut butter and jelly”, ‘I’ being replaced with the slang written form ‘aye’ as
discussed above, and the first letter of each remaining word of the sentence used. Scenario 8 varied slightly, as it did not contain a unique use of symbols, but did contain an uppercase letter ‘I’ in a typical position. Overall, these are assumed to be resistant, as identified by Kuo et al. (2006) in Section 3, which suggests that mnemonic passwords are secure provided the phrases are not extracted from famous or common literature, poems, movies etc. The most vulnerable passwords created within the complex scenarios are 5 and 6, because they do not involve unique variations or symbols and are therefore more likely to be brute-forced; scenario 6 also contains a dictionary word, suggesting it is more vulnerable. Password scenarios 2 and 10 can be considered similar, as each password was created using phonetic replacement to avoid being vulnerable to dictionary attacks, and the location of the digit in scenario 2 is uncommon, again to reduce the chance of an adversary predicting the positions of the characters. Moreover, the capitalised word ‘MY’ in scenario 10 was chosen, again to avoid being predicted by an adversary, as the previous literature defined that passwords typically include capital letters at the beginning or end (Keszthelyi, 2013).

4.2.4 Password Cracking Approach

Researchers Chen and Chang (2015) argued that it was impractical to use a dictionary attack, as wordlist files can be large, consuming terabytes of space, and standard processors are incapable of processing wordlists of such size. This statement was taken into account during the password cracking stage; therefore, only appropriate wordlists were searched for, ensuring the file size was practical (i.e. below 1 GB (gigabyte)) and that the list contained a high proportion of previously cracked passwords. A wordlist named “realhuman_phill” was then downloaded (legally, for experimental purposes only) from the CrackStation webpage.
This was considered an appropriate wordlist because members of the hashcat forum had recommended it as an effective wordlist file containing common human passwords; the success of this attack could also be used to validate that the password scenarios used are realistic, reflecting a real-life case study. To ensure the wordlist file was as efficient as possible, it was edited using Microsoft Word 2007 to remove unwanted password candidates, reducing the file size to 683 MB (megabytes) with 63,768,655 password candidates contained in the wordlist.

Once the wordlist file was prepared, it was added to the wordlist library of the hashcat GUI. In the application there are several tabs available; the “Wordlists & Markov” tab was selected, and then the “Add Wordlists..” button clicked to locate the wordlist file to be added, in this case realhuman_phill.txt. Appendix A.3 demonstrates how to add a wordlist to the library. Once the wordlist was added, the dictionary-based attack could be launched using the “straight” mode provided by the GUI. Figure 4.3 illustrates how the dictionary attack was launched for all the password scenarios tested; the success or failure of the attack is displayed and discussed later, in Section 5. Figure 4.3 shows the “Hash File” field, which requires the converted four-way handshake file in “.hccap” format for the application to understand the hashed password file.
Figure 4.3: Launching Dictionary-Based Attack.

It can easily be seen that the “Hash Type” field chosen was “WPA/WPA2”, to ensure that the correct password candidate results in a hashed value matching the captured four-way handshake. Simple password scenario number 7 was undertaken with the knowledge gained from Section 3.3 that common passwords are likely to be home or mobile telephone numbers. The brute-force attack mode was selected with the option to mask specific rules to eliminate unrealistic combinations, as a brute-force attack attempts every possible combination, which would be impractical. Therefore, local telephone numbers begin with ‘0141’, indicating the area, and the number ‘331’ specifies the location within the area. While this mask fixed 7 of the characters of the password, the remaining four digits can be brute-forced until all possible digit combinations have been tested. Figure 4.4 outlines the configuration used to launch the combined brute-force and mask attack.

(Figure callouts: click this icon to locate the hashed password scenarios in “.hccap” format; the attack mode selected; 32-bit application to allow the GUI to be operational.)
Figure 4.4: Local Telephone Mask and Brute-Force Attack Configurations.

The success or failure of the attack is displayed later within Section 5. The method of combining masks with a brute-force attack was modified for different occasions. As a Caledonian student, the student matriculation number was assumed to be unique; therefore, it would logically be used with additional, meaningful characters to help memorise the password and ensure it was usable. The mask set was ‘S11’ with the 5 remaining digits restricted to the range 1 to 5, to decrease the number of combinations generated; the three letters GCU were prefixed and then appended in turn for each test. The three uppercase letters were chosen as this is highly logical and memorable for a user, and the pattern of the three letters was concluded from the study conducted by Keszthelyi (2013), that users are likely to prefix or append digits and uppercase characters to a password. Throughout the research conducted it was seen regularly that the word “password” was often modified to increase its complexity; therefore, the possible permutations discussed by Keszthelyi (2013) and Zviran and Haga (1999) were used in order to eliminate the impossible permutations. Again, this technique is considered a rule-based approach in the sense of Chen and Chang (2015). The remaining letters, p, w and d, were not considered for permutation; consequently, these remaining letters were varied between lowercase and uppercase through each test run, and the successful configurations are shown in Figure 4.5.

(Figure callout: the mask used.)
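As an added example (not from the report), the keyspace arithmetic behind the two mask attacks above, written in oclHashcat's mask notation (?d digits, ?l lowercase, ?u uppercase, ?s symbols, ?a all printable ASCII, ?1..?4 user-defined charsets, ?? a literal question mark, anything else a fixed character); it shows how far a predictable structure collapses the search space compared with an unstructured 8-character password. The guesses-per-second figure is a constructed placeholder, not a measured rate.

```python
"""Added example: candidate counts for structured (masked) passwords."""
import string

# Built-in oclHashcat charsets; ?s is hashcat's 33 printable specials.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]  # 95 chars


def parse_mask(mask, custom=None):
    """Return one alphabet (string) per password position.

    'S11?1?1' with custom {'1': '12345'} -> ['S', '1', '1', '12345', '12345'].
    Raises ValueError for a dangling '?' or an undefined charset.
    """
    custom = custom or {}
    positions, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' in mask")
            code = mask[i + 1]
            if code == "?":                      # '??' is a literal '?'
                positions.append("?")
            elif code in BUILTIN:
                positions.append(BUILTIN[code])
            elif code in "1234" and code in custom:
                positions.append(custom[code])
            else:
                raise ValueError("unknown charset ?%s" % code)
            i += 2
        else:                                    # fixed character
            positions.append(ch)
            i += 1
    return positions


def keyspace(mask, custom=None):
    """Number of candidates the mask generates: product of the alphabet sizes."""
    total = 1
    for alphabet in parse_mask(mask, custom):
        total *= len(alphabet)
    return total


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    # Simple scenario 7: Glasgow landline, '0141 331' fixed, four digits guessed.
    phone = keyspace("0141331?d?d?d?d")                          # 10,000
    full_phone = keyspace("?d" * 11)                             # 100,000,000,000
    # Complex scenario 6: 'S11' + five digits from 1-5, 'GCU' prefixed or appended.
    matric = 2 * keyspace("S11?1?1?1?1?1GCU", {"1": "12345"})    # 6,250
    # Unstructured 8 printable characters, for contrast.
    any8 = keyspace("?a" * 8)
    rate = 50_000.0   # constructed placeholder: WPA guesses per second
    for name, n in [("phone (masked)", phone), ("phone (all 11 digits)", full_phone),
                    ("matric (masked)", matric), ("8 x ?a", any8)]:
        print("%-22s %22d candidates  %14.1f s" % (name, n, seconds_to_exhaust(n, rate)))
```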