Old Wi-Fi just became less protected: Jens Steube, the developer behind Hashcat, has discovered a quicker, simpler way to break WPA/WPA2 Wi-Fi networks.

Attackers have gone after the WPA/WPA2 protocols before, but it has been a slow and tedious process that requires a man-in-the-middle approach. It means waiting for a client to sign into the network and being physically positioned to use an over-the-air attack to intercept the data sent from the client to the Wi-Fi router during the four-way handshake used to confirm the security keys.

This new method instead lets an attacker lift the PMKID straight from the router, without waiting for a client to log in and without having to capture the four-way handshake.

WPA/WPA2 Wi-Fi networks use Extensible Authentication Protocol (EAP) over LAN (EAPoL) to communicate with clients; it is a network port authentication protocol created to provide a generic network sign-on for access to Wi-Fi resources. Within it is the Robust Secure Network (RSN) protocol, which is intended for establishing secure communication channels over Wi-Fi. It uses a specific RSN Information Element (RSN IE) to make that connectivity work.

The PMKID needed to sign into a WPA/WPA2 network is carried inside the RSN IE beacons in EAPOL traffic. That means the router really hands it out as part of its beaconing, so an unauthenticated attacker can obtain it simply by attempting to associate with the network.

“The PMKID is computed by using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of a fixed string label ‘PMK Name,’ the access point’s MAC address and the station’s MAC address,” Steube explained in a posting late last week on the attack. “Since the PMK is the same as in a regular EAPOL four-way handshake, this is an ideal attacking vector. We receive all the data we need in the first EAPOL frame from the [Wi-Fi access point].”
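The derivation Steube describes, worked through in Python as an added example that is not part of the original post or of Hashcat. It assumes the WPA/WPA2-PSK rule that the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and the IEEE 802.11 layout of the PMKID key-data encapsulation (type 0xdd, length 20, OUI 00:0f:ac, data type 4); the SSID, passphrase and MAC addresses are constructed sample values. The audit check at the end lets a network owner confirm whether the PMKID their access point sends in the first EAPOL frame is derived from their own PSK, which is exactly what makes that single frame enough for offline guessing.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values for the demonstration (not from any real network).
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = "02:00:00:00:00:01"
STA_MAC = "02:00:00:00:00:02"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def compute_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC)).
    No nonces enter the computation, so one frame is all that is needed to check a guess."""
    msg = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


def build_pmkid_kde(pmkid: bytes) -> bytes:
    """Constructed EAPOL-Key key-data field carrying a PMKID KDE (assumed 802.11 layout):
    type 0xdd, length 20, OUI 00:0f:ac, data type 4, 16-byte PMKID."""
    return bytes([0xDD, 0x14]) + bytes.fromhex("000fac") + bytes([4]) + pmkid


def extract_pmkid(key_data: bytes) -> Optional[bytes]:
    """Walk the key-data elements of message 1 (sent unencrypted) and return the PMKID if present."""
    i = 0
    while i + 2 <= len(key_data):
        etype, elen = key_data[i], key_data[i + 1]
        body = key_data[i + 2:i + 2 + elen]
        if etype == 0xDD and elen == 20 and body[:4] == bytes.fromhex("000fac04"):
            return body[4:]
        i += 2 + elen
    return None


def pmkid_matches(pmkid: bytes, passphrase: str, ssid: str, ap_mac: str, sta_mac: str) -> bool:
    """Audit check: does the PMKID the AP sent correspond to this network's PSK and these MACs?"""
    expected = compute_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(expected, pmkid)


if __name__ == "__main__":
    frame_key_data = build_pmkid_kde(compute_pmkid(derive_pmk(PASSPHRASE, SSID), AP_MAC, STA_MAC))
    captured = extract_pmkid(frame_key_data)
    print("PMKID in frame:", captured.hex(), "matches PSK:", pmkid_matches(captured, PASSPHRASE, SSID, AP_MAC, STA_MAC))
```

The passphrase/SSID pair "password"/"IEEE" is the published 802.11 PSK test vector, so the PMK step can be checked against a known answer; an AP that omits the PMKID KDE from message 1 simply makes `extract_pmkid` return `None`.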

Steube discovered the technique while attempting to crack WPA3 encryption, which the Wi-Fi Alliance released in January. WPA3 incorporates dynamic data encryption and, thanks to a new key scheme, allows clients to be blocked after too many log-in attempts to help protect against brute-forcing.

“WPA3 will be much harder to attack because of its modern key establishment protocol called Simultaneous Authentication of Equals (SAE),” Steube explained.

Author

Editorial Team