What Is a Wireless Network? 359
Cracking WPA
To crack WPA you must use a different approach than you would with WEP. Fortunately, one of the best tools available for defeating WPA is freely available in Kali Linux in the form of Reaver. Reaver exploits holes in wireless routers in an attempt to retrieve information about the WPA preshared key that is used to access the network.

Reaver is preinstalled in all versions of Kali Linux as well as BackTrack 5 R3; however, it must be installed on all other distros.
What Is WPA2?
The upgrade or successor to WPA is WPA2, which was introduced to address some of the weaknesses present in the original. The protocol offers dramatically improved security over its predecessor and maintains full compatibility with 802.11i standards for security.

Like WPA, WPA2 can function in two modes:
■ WPA2-Personal, much like the preshared key mode of other systems, relies on the input of a key into each station.
■ WPA2-Enterprise uses a server to perform key management and authentication for wireless clients. Common components include RADIUS and Diameter servers for centralized management.
Attacking, Cracking, and Compromising WPA and WPA/2
As with WEP, WPA and WPA/2 both suffer from vulnerabilities that can be exploited to an attacking party’s advantage. Each of the attacks described here offers a way to penetrate the security of an otherwise strong protocol.
Offline Attack
The idea behind an offline attack is to be in close enough proximity to an access point to observe the handshake between the client and the access point. This handshake represents the authentication of the client and the access point. If you set up the attack properly, you can capture the handshake and recover the keys by recording and cracking them offline. The main reason why this attack works is that the handshake occurs completely in the clear, making it possible to get enough information to break the key.
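The reason a captured handshake can be attacked offline is that in WPA/WPA2-Personal the master key is a fixed function of the passphrase and the SSID, so every guess can be checked without talking to the access point again. The following added example (not code from the book or from Reaver) derives that key exactly as the 802.11i standard specifies and then estimates, from the PBKDF2 throughput measured on the local machine, how long exhausting a passphrase's keyspace would take. The guess-rate measurement, the character-class estimate and the sample passphrases are assumptions for illustration; the "password"/"IEEE" pair is the standard's published test vector.

```python
import hashlib
import math
import string
import time

# Constants fixed by IEEE 802.11i for the WPA/WPA2-Personal passphrase-to-PMK mapping.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit Pairwise Master Key of a WPA/WPA2-Personal network.

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID acts as the salt, so one passphrase maps to different PMKs on
    differently named networks.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LENGTH,
    )


def alphabet_size(passphrase: str) -> int:
    """Estimate the character alphabet a brute-force search would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace_bits(passphrase: str) -> float:
    """log2 of the keyspace implied by the passphrase's length and character classes."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def measure_guess_rate(ssid: str = "IEEE", samples: int = 20) -> float:
    """Measure PMK derivations per second on this machine (one core, stdlib code)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"sample-pw-{i:04d}", ssid)  # constructed throwaway passphrases
    return samples / (time.perf_counter() - start)


def years_to_exhaust(passphrase: str, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase in the estimated keyspace."""
    total_guesses = 2 ** keyspace_bits(passphrase)
    return total_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    rate = measure_guess_rate()
    print(f"local PBKDF2 rate: {rate:.0f} guesses/s (dedicated GPU hardware is far faster)")
    for pw in ("password", "Summer2024", "correct horse battery staple!"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw, rate):.3g} years at the local rate")
```

The 4096 PBKDF2 iterations are the only per-guess cost the protocol imposes, and the attacker chooses the hardware, so the defender's levers in Personal mode are passphrase length and a non-default SSID (which defeats precomputed tables for common network names); WPA2-Enterprise removes the shared passphrase altogether.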
Deauthentication Attack
The deauthentication attack approaches the problem of observing the handshake between the client and the access point by forcing a reconnect. An attacker induces a client that is already connected to an access point to disconnect, which should lead the client and access point to reestablish the connection. Authentication will occur, allowing the information to be captured and cracked.
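Because the forced reconnect leaves a distinctive trace on the air (a burst of deauthentication frames to one client, followed by that client associating again), a wireless IDS can flag it. The following added example (not code from the book) runs a sliding-window detector over a constructed log of 802.11 management-frame events; the log format, the window size and the threshold are assumptions, and a real deployment would feed it frames decoded from a monitor-mode capture instead.

```python
from collections import defaultdict, deque
from typing import NamedTuple

# Detector tunables (assumed values; tune to the environment).
WINDOW_SECONDS = 10.0   # sliding window in which deauth frames are counted
DEAUTH_THRESHOLD = 5    # deauths to one client inside the window that raise an alert


class Frame(NamedTuple):
    time: float      # seconds since capture start
    subtype: str     # management-frame subtype: assoc, reassoc, deauth, ...
    bssid: str       # access point address
    client: str      # station address


# Constructed sample of management-frame events (not a real capture): one routine
# deauth to client :66, then a burst of six deauths to client :77 followed by its
# reassociation, i.e. the forced-reconnect pattern described in the text.
SAMPLE_EVENTS = """\
0.0   assoc  aa:bb:cc:dd:ee:01 11:22:33:44:55:66
30.0  deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
60.0  deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:77
60.1  deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:77
60.2  deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:77
60.3  deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:77
60.4  deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:77
60.5  deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:77
61.0  assoc  aa:bb:cc:dd:ee:01 11:22:33:44:55:77
"""


def parse_events(text: str) -> list:
    """Parse whitespace-separated 'time subtype bssid client' lines into Frames."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, subtype, bssid, client = line.split()
        frames.append(Frame(float(t), subtype.lower(), bssid.lower(), client.lower()))
    return sorted(frames, key=lambda f: f.time)


def detect_deauth_floods(frames, window=WINDOW_SECONDS, threshold=DEAUTH_THRESHOLD):
    """Flag (bssid, client) pairs that receive >= threshold deauths within a window.

    Each alert also records whether the client associated again shortly after the
    burst started, which is the sign that the forced reconnect (and so a fresh
    handshake) actually happened.
    """
    recent = defaultdict(deque)   # (bssid, client) -> deauth timestamps inside the window
    alerts = {}                   # (bssid, client) -> alert dict, created on first trigger
    for f in frames:
        key = (f.bssid, f.client)
        if f.subtype == "deauth":
            q = recent[key]
            q.append(f.time)
            while q and f.time - q[0] > window:   # drop timestamps that fell out of the window
                q.popleft()
            if key in alerts:
                alerts[key]["count"] += 1
            elif len(q) >= threshold:
                alerts[key] = {
                    "bssid": f.bssid, "client": f.client,
                    "start": q[0], "count": len(q), "reconnect_observed": False,
                }
        elif f.subtype in ("assoc", "reassoc") and key in alerts:
            if f.time - alerts[key]["start"] <= window:
                alerts[key]["reconnect_observed"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_deauth_floods(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

A single deauth is normal access-point housekeeping, which is why the detector keys on a burst rather than on any one frame; the mitigation on the protocol side is 802.11w (protected management frames), which authenticates deauthentication frames so a forged one is discarded by the client.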