Skip to main content

New Attack on WPA/WPA2



Discovered by the lead developer of the popular password-cracking tool Hashcat, Jens 'Atom' Steube, the new WiFi hack works explicitly against WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

The attack to compromise the WPA/WPA2 enabled WiFi networks was accidentally discovered by Steube while he was analyzing the newly-launched WPA3 security standard.


This new WiFi hacking method could potentially allow attackers to recover the Pre-shared Key (PSK) login passwords, allowing them to hack into your Wi-Fi network and eavesdrop on the Internet communications.

How to Hack WiFi Password Using PMKID

how to hack wifi password software
According to the researcher, the previously known WiFi hacking methods require attackers to wait for someone to log into a network and capture a full 4-way authentication handshake of EAPOL, which is a network port authentication protocol.

Whereas, the new attack no longer requires another user to be on the target network to capture credentials. Instead, it is performed on the RSN IE (Robust Security Network Information Element) using a single EAPOL (Extensible Authentication Protocol over LAN) frame after requesting it from the access point.

Robust Security Network is a protocol for establishing secure communications over an 802.11 wireless network and has PMKID, the key needed to establish a connection between a client and an access point, as one of its capabilities.

Step 1 — An attacker can use a tool, like hcxdumptool (v4.2.0 or higher), to request the PMKID from the targeted access point and dump the received frame to a file.

> ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status
Step 2 — Using the hcxpcaptool tool, the output (in pcapng format) of the frame can then be converted into a hash format accepted by Hashcat.

> ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Use Hashcat (v4.2.0 or higher) password cracking tool to obtain the WPA PSK (Pre-Shared Key) password, and Bingo!

> ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
That's the password of the target wireless network, cracking which may take time depending on its length and complexity.

"At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers)," Steube said.

Since the new WiFi hack only works against networks with roaming functions enabled and requires attackers to brute force the password, users are recommended to protect their WiFi network with a secure password that's difficult to crack.

This WiFi hack also does not work against next-generation wireless security protocol WPA3, since the new protocol is "much harder to attack because of its modern key establishment protocol called "Simultaneous Authentication of Equals" (SAE)."

This article was copied from thehackernews for future reference. 
Labels:

Popular posts from this blog

Importing Exploit-DB Exploits into Metasploit in Kali Linux for Offline Access

You're going to need three terminals open for this. Terminal 1 for starting metasploit Terminal 2 for importing the exploit to local Metasploit repository Terminal 3 for searchsploit which we will use to search for the exploit instead of opening your browser and looking in exploitdb. Let's be done with it! 1. First, open the first terminal to run metasploit with the following commands: > service postgresql start > msfconsole  2. Go to Terminal 3 and run the following command to update its database: > searchsploit -u 3. Open Terminal 2, then go to the metasploit modules directory by: > cd .msf4/modules 4. Then create a directory inside the msf4 modules folder: > mkdir exploits 5. Now, back to the Terminal 3. We will to search for an exploit we want to import. Let's first try to look for the explore ms15-100 by typing: > searchsploit msf15-100 After pressing Enter, you should be able to see the search result. It will be a t...
Read whole post

Using Termux in Android to Download Youtube Videos

In termux: apt update && apt upgrade Give termux access to your phone's filesystem via ~/storage/shared termux-setup-storage Install python: packages install python Install youtube-dl pip install youtube-dl Create a folder to store your downloaded videos: mkdir /data/data/com.termux/files/home/storage/shared/Youtube Create youtube-dl config (volume-down key emulates Ctrl in termux): nano ~/.config/youtube-dl/config The contents of my config is as follows: --no-mtime -o /data/data/com.termux/files/home/storage/shared/Youtube/%(title)s.%(ext)s -f "best[height<=480]" (the height<=480 tells youtube-dl to download the best quality version up to 480px in width. You can change to 240, 360, 720 or 1080, etc to suit your needs / bandwidth restrictions. Save with "Volume-down" + O, then close nano with "Vol-down" + X Create "termux-url-opener" in ~/bin to enable one-click download via the "Share" menu i...
Read whole post

Reset Local Admin Password / Add New User Account Without Logging In to Windows

You may need this tutorial for a number of different reasons. As for me -- a colleague left the company. His company-owned laptop having his Microsoft account as the only available user and we cannot recover his password. We needed his files so we cannot just reset the computer. So our only choice is to create a new local admin account and make sure this never happens again. Before we begin, please make sure that you have the DVD installer for your Windows OS. If you're all set, follow along the instructions below carefully: 1. Insert your Windows DVD into your DVD reader. 2. Boot from the DVD. You can do this by pressing the correct key while the computer is starting up. The key to press depends on the computer brand but it is commonly F2 or Esc . Please refer to this article . 3. Once you’re able to boot from the DVD, you will see the Windows Setup . It looks like this: 4. Now press Shift + F10 to bring up the Command Prompt. 5. Once the Command Prompt i...
Read whole post