Using USB ASIC Miners for WPA/WPA2 Handshake Dictionary Attacks

I was at HackArizona 2018 this past weekend, and I participated in Raytheon's IoT hacking competition. The competition involved hacking into an August smart lock, a Ring doorbell, a WRT54GL router with updated tomato firmware, and a raspi C. To hack the router, we captured a packet with a handshake to the router and used aircrack-ng to run a dictionary attack using the rockyou wordlist against the router to find the password. The attack took about 40 minutes to complete, and it got me thinking about the hardware limitations of the laptop we were using. If you don't know, when you capture a wpa/wpa2 handshake, you are essentially capturing the password itself -- only it is hashed. When you run a dictionary attack like we did, you are running passwords from a wordlist through the wpa/wpa2 encryption and comparing the hashed result with the handshake you captured to see if they match. If they do, you 0wn3d that machine, brah. So my question is, since I am not very familiar with cryptocurrency mining hardware, would you be able to use a USB ASIC miner such as the GekkoScience to perform dictionary attacks like this against hashed passwords? I don't see a reason why you couldn't... but I don't want to spend a bunch of money on hardware that I won't be able to use.

Well you "could" but bitcoin mining ASICs are specifically made for SHA256, so any other algorithm won't work.

1 minute ago, AugOwnz said:

Well you "could" but bitcoin mining ASICs are specifically made for SHA256, so any other algorithm won't work.

Ah okay I suppose that makes sense. Could you re-purpose the hardware for a different encryption perhaps? Or is there any ASIC hardware that isn't bitcoin specific or SHA256 specific that could be purposed into WPA/WPA2 hashing hardware?

1 hour ago, SgtBot said:

Ah okay I suppose that makes sense. Could you re-purpose the hardware for a different encryption perhaps? Or is there any ASIC hardware that isn't bitcoin specific or SHA256 specific that could be purposed into WPA/WPA2 hashing hardware?

I'm not really an expert in this but I don't think you can do that. ASIC means application specific integrated circuit so I don't think you could adapt it. Otherwise other people would have already done so.

  • 1 year later...

Wpa/wpa2 use Sha1 to produce their encryption keys. It takes 4096 applications of sha1 to produce 1 key. Sha1 is simpler than sha256. I'm not sure if these bitcoin asics that are made for sha256 can do sha1 also. Also, it would take some extra glue logic to assemble and go through the extra few steps to actually produce the keys and I don't know if those bitcoin asics could do that. However, it's not completely out of the realm of the impossible unless someone has knowledge that those sha256 chips definitely can't do sha1.

aircrack is cpu bound.  using hashcat to utilize your gpu and cuda could speed it up a bit.

even so, 40 minutes to burn through rockyou is pretty slow..

my laptop running an older i7 goes through the entire list (using aircrack) in about 25 minutes

but the important thing is, no, you cannot use asic to bruteforce passwords.  it might be used to crack SHA-256, but will be utterly useless for anything else

How do Reavers clean their spears?

|Specs in profile|

The Wheel of Time turns, and Ages come and pass, leaving memories that become legend. Legend fades to myth, and even myth is long forgotten when the Age that gave it birth comes again.
