Threat Level: green Handler on Duty: John Bambenek

SANS ISC: Exposing WPA2 Paper - SANS Internet Storm Center SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Exposing WPA2 Paper

A new paper(1) discussing vulnerabilities on WPA2-PSK was released recently and many people have been interested in it, but have not gained access. By using a library, yes they still exist and are still useful, I was able to get access to the paper.

WPA2-PSK has a key length between 8 to 63 ASCII characters. They collected WPA2 handshakes using Aireplay deauthentication attack. Their method uses pre generated dictionary of 666,696 entries and Aircrack to bruteforce the password in their test.  They wrote a program that would generate a dictionary of all possible 95 ASCII characters for the entire PSK key space. They also discuss ways to prevent this type of attack.  

While the methodology is sound and I applaud anyone that publishes papers, but didn‚??t uncover a new flaw. WPA2 Rainbow tables(2) have been around for a while and you gain a huge speed advantages in this case. Pure brute forcing the entire ASCII passwords can be done without a pre generated dictionary and they didn‚??t discuss any speed trade-off by doing this.  I would love to see a follow-up with comparisons.

Check with your library and see if they have it, or if they can do a interlibrary loan. What do you think of the paper?


1. Tsitroulis, Achilleas, Dimitris Lampoudis, and Emmanuel Tsekleves. "Exposing WPA2 security protocol vulnerabilities." International Journal of Information and Computer Security 6.1 (2014): 93-107.

2. "The Renderlab: Church of Wifi WPA-PSK Lookup Tables." 2006. 2 May. 2014 <hxxp://>



Tom Webb


28 Posts
ISC Handler
yet another inane argument that passwords are broken

Let's see, you generate a random 63
character string to use for the
WPA2 share secret. That's 95^63
possible combinations or 10^124
possibilities. Would take the
NSA a few centuries to crack.

So what?

If you pick a stupid password you
get hacked. So what? You deserve

34 Posts Posts
We all know that almost every encryption can be bruteforced. That is not the problem here afaik:
"Although the time taken to break into a system rises with longer and longer passwords. However, it is the de-authentication step in the wireless setup that represents a much more accessible entry point for an intruder with the appropriate hacking tools. As part of their purported security protocols routers using WPA2 must reconnect and re-authenticate devices periodically and share a new key each time. The team points out that the de-authentication step essentially leaves a backdoor unlocked albeit temporarily. Temporarily is long enough for a fast-wireless scanner and a determined intruder."


Sign Up for Free or Log In to start participating in the conversation!