Hashcat developers have just discovered a new method to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password. The lead developer of Hashcat, Jens “Atom” Steube, revealed that the new attack method was discovered by accident during an analysis of the recently launched WPA3 security standard.
According to Steube:
“The difference between the new and older attacks is that the new method does not require capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), which is a network port authentication protocol. As an alternative, the attack targets the Robust Secure Network Information Element (RSN IE).”
By definition, RSN is a protocol designed for establishing secure communications over an 802.11 wireless network and is part of the 802.11i (WPA) standard. When it begins to establish a secure communication channel, RSN broadcasts an RSN IE message across the network.
“One of the capabilities of RSN is PMKID (Pairwise Master Key Identifier), from which an attacker can obtain the WPA PSK (Pre-Shared Key) password. WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.”
“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube explained. “We receive all the data we need in the first EAPOL frame from the AP.”
An attacker can use hcxdumptool to request the PMKID from the targeted access point and dump the received frame to a file. Hcxdumptool can then be used to obtain a hash of the password that Hashcat can crack. The recommendation is that the tool be run for up to 10 minutes before aborting the process.
“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers),” Steube said.
IT security expert and penetration tester Adam Toscher has published a post explaining step by step how such an attack can be conducted. The method has been tested by several fellow IT experts, and while some claim to have successfully reproduced the attack, others say they haven’t been able to do so.
Some members of the IT and cybersecurity industry pointed out that while this new method makes the attack easier to conduct, brute-forcing is still involved, which means a strong Wi-Fi password represents an effective mitigation. Experts also noted that WPA Enterprise (i.e. systems using WPA2-EAP) is not impacted.
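
The following is an added example, not code from the original article or from the Hashcat project: a defender-side audit that parses the RSN IE a network advertises and reports whether it authenticates with a pre-shared key (the mode the article describes as affected) or with 802.1X (WPA Enterprise, which it says is not). The field layout follows the IEEE 802.11 RSN element; the function names and the sample bytes are constructed for illustration.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"
# AKM suite types defined under the IEEE 802.11 OUI 00-0F-AC.
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
PSK_AKMS = {"PSK", "FT-PSK", "PSK-SHA256"}  # PMK derived from a passphrase


def _suite_list(body, pos, size):
    """Read a 2-byte little-endian count followed by `count` fixed-size items."""
    if pos + 2 > len(body):          # trailing RSN fields are optional
        return [], len(body)
    (count,) = struct.unpack_from("<H", body, pos)
    end = pos + 2 + count * size
    if end > len(body):
        raise ValueError("RSN IE list runs past the element length")
    return [body[i:i + size] for i in range(pos + 2, end, size)], end


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse one RSN information element (element ID 48) from a beacon."""
    if len(ie) < 4 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    pos = 2 + 4                                   # skip version + group cipher
    _pairwise, pos = _suite_list(body, pos, 4)
    akm_raw, pos = _suite_list(body, pos, 4)
    pos += 2                                      # skip RSN capabilities
    pmkids, pos = _suite_list(body, pos, 16)
    akms = [AKM_NAMES.get(s[3], f"type-{s[3]}") if s[:3] == IEEE_OUI
            else "vendor-specific" for s in akm_raw]
    return {"version": version, "akms": akms, "pmkid_count": len(pmkids)}


def uses_passphrase(ie: bytes) -> bool:
    """True when any advertised AKM is a pre-shared-key mode."""
    return any(a in PSK_AKMS for a in parse_rsn_ie(ie)["akms"])


# Constructed sample elements (CCMP ciphers, one AKM each), not captured traffic.
PSK_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
EAP_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac01" "0000")

if __name__ == "__main__":
    for name, ie in (("home-ap", PSK_IE), ("corp-ap", EAP_IE)):
        print(name, parse_rsn_ie(ie)["akms"], "passphrase-based:", uses_passphrase(ie))
```

Networks flagged as passphrase-based are the ones where passphrase strength is the deciding control, per the mitigation noted above.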