Once WPAKR has been installed, you can launch it by clicking Tools => WPA Key Recovery in the CommView for WiFi menu, as shown below:
Note that this menu item becomes available only after you've installed WPAKR. When WPAKR is launched, CommView for WiFi establishes a TCP/IP connection with it so that captured packets can be sent to WPAKR for analysis.

To recover a WPA-PSK key, WPAKR needs to receive an Association or Re-association Request packet followed by the EAPOL key exchange packets. These are the packets WPA uses to negotiate session keys. It is important that all of the EAPOL key exchange packets and at least one Association or Re-association Request packet are captured successfully. A damaged or missing EAPOL packet makes it impossible for WPAKR to start a key recovery session, and you may have to capture the next EAPOL conversation between the AP and the station. This is an important difference between the way WEP and WPA traffic is decrypted.

Consequently, WPAKR displays a new key recovery session only after CommView for WiFi has successfully captured an Association/Re-association Request packet followed by an EAPOL key exchange. This means that you should start capturing traffic from the WLAN in CommView for WiFi and wait for the next EAPOL exchange. EAPOL exchanges take place during station association, which may be triggered by a client connecting or reconnecting to the WLAN, by restarting the AP, or by using the Node Reassociation tool in CommView for WiFi. Alternatively, you can use WPAKR as a stand-alone application and import Association/Re-association Request and EAPOL packets previously captured by CommView for WiFi:
Once the necessary packets have been captured or loaded from a capture file, a new key recovery session will show up in WPAKR:
The SSID column lists the SSID of the access point. The BSSID column lists the hardware address of the access point. The Password column displays the recovered WPA password, if any. The Status column displays the current application status. Once the password has been recovered, a dialog box will display the password:
The obtained WPA key can be seen by clicking Tools => WPA Passwords in the application menu. WPAKR memorizes recovered keys between launches and tries them first, before attempting to recover a key from scratch. Note that the evaluation version displays only the first two characters of the recovered password; the rest of the characters are replaced by asterisks. The licensed version displays all characters. The Action menu can be used for manually controlling the key recovery process.

Recovery Speed, Dictionaries, and Password Permutations

Because WPA uses robust encryption without known weaknesses, the only way to recover a password is by trying words from a dictionary file one by one. This process is very slow because each candidate password must be hashed multiple times. A Pentium 4 2.8 GHz computer can try approximately 160 passwords per second. Because of such a low speed, a brute-force attack (i.e. trying all possible character combinations) doesn't make sense, as the minimum allowed WPA password length is eight characters. Trying all combinations even for a 5-character password would require 90^5 = ~6 billion attempts, or 1,000 days. Given the 160 passwords per second benchmark, you can estimate the time it will take WPAKR to test all words from your dictionary file. For example, a dictionary file that contains one million passwords will be tested within two hours.

It's important to understand that the WPA password will be recovered ONLY if this password can be found in your dictionary file. If a rare, hard-to-guess WPA password is selected, the chances that it will be found in the dictionary are slim. You can increase the recovery speed by splitting the job between multiple computers. To increase the chances of recovering the password, you should use a good and large dictionary file and, optionally, password permutations. Permutation means altering each dictionary word according to user-defined rules, so that variants of the word are tested as well. For example, if the dictionary file contains the word "passWORD", the user may define mangling rules that will also test the words "password" and "PASSWORD". More information can be found in the Password Permutations chapter.
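As an added example (not part of the CommView for WiFi documentation), the following Python helper applies the figures from this section so an administrator can estimate how exposed a dictionary-word passphrase is: it expands a word list with the case-mangling rule described above (deduplicating variants), divides the candidate count by the quoted 160 passwords per second, and computes the 90^n brute-force keyspace for comparison. The 160/s rate and the 90-character set are taken from the text; the word lists are constructed sample input.

```python
"""Estimate WPA-PSK dictionary-test effort using the benchmark quoted in the text."""

RATE_PER_SEC = 160   # throughput quoted in the text (Pentium 4 2.8 GHz)
CHARSET_SIZE = 90    # character set size behind the text's 90^5 estimate


def case_permutations(word: str) -> set:
    """Mangling rule from the text: test the word as written, all-lower and all-upper.

    Returning a set drops duplicates, so a word that is already all-lowercase
    yields only two distinct candidates instead of three.
    """
    return {word, word.lower(), word.upper()}


def candidate_count(words, permute: bool) -> int:
    """Number of distinct candidates WPAKR would have to hash for this word list."""
    seen = set()
    for word in words:
        seen.update(case_permutations(word) if permute else {word})
    return len(seen)


def seconds_to_test(num_candidates: int, rate: int = RATE_PER_SEC) -> float:
    """Wall-clock seconds to exhaust the candidate list at the quoted rate."""
    return num_candidates / rate


def brute_force_attempts(length: int, charset: int = CHARSET_SIZE) -> int:
    """Size of the full keyspace for a password of the given length."""
    return charset ** length


def estimate(words, permute: bool = True) -> dict:
    """Summarise effort for a word list: candidates, hours at 160/s."""
    n = candidate_count(words, permute)
    return {"candidates": n, "hours": seconds_to_test(n) / 3600}


if __name__ == "__main__":
    # Constructed sample word list; "passWORD" is the example used in the text.
    sample = ["passWORD", "password", "Secret123"]
    print(estimate(sample))
    print("5-char keyspace:", brute_force_attempts(5))
```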