You can't secure what you don't acknowledge.SM

Monday, May 3, 2010

Commercial WEP and WPA key recovery tools

Ever find yourself needing a wireless network analyzer that's easy to use and doesn't cost an arm and a leg? Well, CommView for WiFi is a great option...It's a product I've talked about for years in both Hacking For Dummies and Hacking Wireless Networks For Dummies. A neat thing about CommView for WiFi are its relatively new WEP and WPA key recovery add-ons. Referred to as WEPKR and WPAKR, they're a great commercial GUI-based alternative to the oldie but goodie aircrack-ng.

If you're performing ongoing vulnerability assessments or penetration tests and/or need to show management that WEP or your current implementation of WPA-PSK is putting your business at risk, WEPKR and WPAKR are the perfect tools to do so. Another neat thing about using these tools is that CommView for WiFi supports the latest Wi-Fi adapters including the Atheros and Intel-based 802.11a/b/g/n cards built into a lot of laptops these days. So, no worrying about being limited to 802.11b or having to dig out those old D-Link DWL-650 or Orinoco cards from a decade ago.

The following is a screenshot of a WEP key the program recovered from a lightly-used wireless network in just a couple of hours. With WEP recovery, the more packets the better.

Sidenote: WEPKR and WPAKR are intended for qualified security/networking professionals as well as law enforcement, intelligence, and government organizations which shouldn't be a problem to prove if the work you're doing is legit.

I originally had some stability issues with WEPKR but Michael Berg and his team at TamoSoft were very responsive and we were able to quickly work out the kinks. Chock up another one for the "little guy" for TamoSoft's willingness to go the extra mile. All in all, a neat program worth checking out. You can get a demo of CommView for WiFi here and WEPKR and/or WPAKR here.


  1. Why is more packets a benefit for cracking WPA? When I do it, a single handshake is all you need, as shown here:

  2. Thanks Sam - was referring to WEP/WPA recovery tools in general and meant to say WEP only. Clarification made.

    Here's TamoSoft's statement on what's needed for WPA:
    To be able to recover a WPA-PSK key, WPAKR needs to receive packets with Association or Re-association Request followed by EAPOL key exchange packets. These are the packets used in WPA for negotiating session keys. It's important that all of the EAPOL key exchange packets and at least one Association or Re-association Request packet be successfully captured. A damaged or missing EAPOL packet will make it impossible for WPAKR to start a key recovery process, and capturing the next EAPOL conversation between the AP and station may be required. This is an important distinction in the way WEP and WPA traffic is decrypted.

    That said, WPAKR would display a new key recovery session only after CommView for WiFi has successfully captured a Association/Reassociation
    Request packet followed by an EAPOL key exchange. This means that you should start capturing traffic from a WLAN in CommView for WiFi and wait for the next EAPOL exchange. EAPOL exchanges take place during the station association that may be triggered by connecting or reconnecting to the WLAN by the client, or restarting the AP, or by using the Node Reassociation tool in CommView for WiFi.

    Thanks for the link to the site as well - I had forgotten about it...good wireless security resource.