With the frequent occurrence of events such as Wi-Fi hijacking, it is not hard to see that traditional Wi-Fi is no longer secure. Recently, Hashcat's lead developer Jens Steube revealed that he had found an easier and faster way to crack Wi-Fi networks protected by WPA/WPA2. The new technique allows an attacker to extract the PMKID directly from the router without waiting for a user to log in or for any other client traffic.
WPA/WPA2 Wi-Fi networks use the Extensible Authentication Protocol over LAN (EAPoL) to communicate with the client; it is a network port authentication protocol designed to provide a standard login mechanism for accessing Wi-Fi network resources. It incorporates the Robust Security Network (RSN) protocol, designed to establish a secure communication channel over Wi-Fi, and uses a particular RSN Information Element (RSN IE) to set this connection up.
It turns out that the PMKID needed to log in to a WPA/WPA2-secured network is carried in the RSN IE of the EAPOL traffic. This means the router provides it as part of its beacon, so an unauthenticated attacker can obtain it simply by trying to connect to the network.
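Because the RSN IE is the element that carries the PMKID, a defender auditing captured frames wants to know exactly what that element contains. The parser below is an added example, not code from the article or from hashcat; the sample element is constructed (a WPA2-PSK/CCMP network with one PMKID), and the field layout follows the 802.11 RSN element (ID 48, little-endian counts, 4-byte suite selectors).

```python
import struct

# Constructed sample RSN IE (not a capture from any real device): element ID 0x30,
# WPA2-PSK with CCMP-128 and one PMKID (16 bytes of 0x11).
SAMPLE_RSN_IE = bytes.fromhex(
    "30" "26"            # element ID 48 (RSN), length 38
    "0100"               # version 1 (little-endian)
    "000fac04"           # group cipher suite: CCMP-128
    "0100" "000fac04"    # 1 pairwise cipher suite: CCMP-128
    "0100" "000fac02"    # 1 AKM suite: PSK
    "0c00"               # RSN capabilities
    "0100" + "11" * 16   # PMKID count 1, then the PMKID itself
)

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

def _suite_name(raw: bytes, table: dict) -> str:
    """Decode a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    oui, kind = raw[:3].hex(), raw[3]
    return table.get(kind, f"type-{kind}") if oui == "000fac" else f"vendor-{oui}-{kind}"

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN information element and report its ciphers, AKMs and any PMKIDs."""
    if len(ie) < 2 or ie[0] != 0x30 or len(ie) < 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body, pos = ie[2:2 + ie[1]], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("RSN IE truncated inside a field")
        pos += n
        return body[pos - n:pos]

    def u16() -> int:
        return struct.unpack("<H", take(2))[0]

    version = u16()
    group = _suite_name(take(4), CIPHER_NAMES)
    pairwise = [_suite_name(take(4), CIPHER_NAMES) for _ in range(u16())]
    akms = [_suite_name(take(4), AKM_NAMES) for _ in range(u16())]
    capabilities = u16()
    # The PMKID count and list are optional trailing fields; they are the part
    # the article is about, so they are reported explicitly.
    pmkids = [take(16).hex() for _ in range(u16())] if pos < len(body) else []
    return {"version": version, "group": group, "pairwise": pairwise,
            "akms": akms, "capabilities": capabilities, "pmkids": pmkids}

def pmkid_exposed(ie: bytes) -> bool:
    """True when the element carries at least one PMKID that an observer could record."""
    return bool(parse_rsn_ie(ie)["pmkids"])
```

Run over the RSN IEs pulled from your own access point's frames, this tells you whether a PMKID is being handed out and which AKM (PSK or SAE) the network advertises.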
Steube explained: “Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector. We receive all the data we need in the first EAPOL frame from the AP. At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).”
Therefore, an attacker can obtain the PMKID with a simple packet capture tool (Steube uses hcxdumptool); on average the process takes 10 minutes. The captured PMKID can then be used to start the brute-force process.
Steube stumbled upon the technique while trying to crack the WPA3 encryption protocol released by the Wi-Fi Alliance in January. WPA3 combines modern best practices such as dynamic data encryption and, thanks to its crucial new key scheme, allows a client to be blocked after too many failed login attempts, which helps prevent brute-force attacks.
WPA3 will be more difficult to attack because its key establishment protocol, Simultaneous Authentication of Equals (SAE), requires interaction with the infrastructure for every password guess, so the infrastructure can limit the number of guesses submitted. This new cracking technique only works against WPA and WPA2 routers that run the 802.11i/p/q/r protocols with PMKID-based roaming enabled. Upgrading routers is the best protection; however, older routers will remain in use in homes and businesses for quite some time, so users should check for firmware updates from the router manufacturer. Using strong passwords is also a quick mitigation.