Hack WiFi: How to Crack WPA2 without handshake, new PMKID method

by hash3liZer . 20 August 2018

Hack WiFi: How to Crack WPA2 without handshake, new PMKID method

A while ago, I came across with a tutorial on the latest vulnerability in WPA/WPA2 that make it possible to crack the passphrase without the need of capturing the handshake. The actual handshake cracking process works on three hashed keys to get to the actual passphrase key and these three keys are scattered through the 4-way handshake in such a way that a complete handshake is required for a successful cracking. While the newly discovered vulnerability depends only on the first message of handshake.

The first message in handshake contains a field called PMKID (PMK identifier). The value for this identifier is computed using the HMAC sha1 algorithm derived from Pairwise Master Key (PMK). PMK is derived from the PBKDF2 algorithm using the actual passphrase key and essid of the network as salt. Well, in basic logical statement, PMKID compution should be written something like this:

PMKID = HMAC-SHA-128(PMK, PMK Name" + AP MAC + STA MAC)

It is basically the HMAC function of derived PMKs as the key and concatenation of a fixed string and MACs of AP and Client as the data to function.

So, the basic task we have is to make the AP dispatch a handshake message. The EAPOL takes place after the process of authentication and association between STA and AP which in short is to verify the compatibility of both sides. However, depending on the STA signal strength and other capabilities, the AP can choose to not answer with the EAPOL frames.

Reading all the stuff about this vulnerability, my best plan was to follow the tutorial on hashcat forums. Unfortunately, my adapter (WN722N) didn't work for me. So, i'd to build a PoC tool after which I turned to release WiFiBroot V.1.3. Hope this works out.

STEP 1

Cloning and Interface

Clone into the repository with git clone and move to the directory:

$ git clone https://github.com/hash3liZer/WiFiBroot.git
$ cd WiFiBroot/
WiFiBroot

WiFiBroot heavily depends on scapy which is basically a packet manipulation module and an extensive networking library. So, install scapy with pip:

$ pip install scapy

Next, put your wireless card in monitor mode. You can use an adapter that supports packet injection as well as promiscuous mode, no special needs for an Alpha adapter, just make sure you are close enough to your target:

$ airmon-ng start wlan1

STEP 2

Kick-Sart WiFiBroot

If you go through the manual for the script, there are modes (currently 3) each specifc for a task. We are going to use the mode 2.

help manual

In simple and quick syntax:

$ python wifibroot.py --mode 2 -i wlan1mon -d /path/to/wordlist -w output.txt --verbose
  • -m, --mode: Mode to use. Possible values: 1, 2
  • -i, --interface: Monitor Interface to use.
  • -d, --dictionary: Wordlist for cracking.
  • -w, --write: Write output to a file.
  • -v, --verbose: Print verbose messages.
wifibroot in mode 2

This would start scanning the area for available networks. When you've your target on screen, press CTRL+C to stop the scanning for further execution. Then enter your target number as seen on the left side of console:

console output

STEP 3

Wait for the EAPOL

The next thing which is going to happen is almost automated. You just have to wait for a successful authentication with the Access Point (AP). As soon an EAPOL will get issued to the STA, the script will look for PMKID field and if not zero will attempt to crack the key using the dictionary provided:

pmkid

You can see the following events happening in series:

  • Open Authentication
  • Association
  • 4-way handshake

Here, we got the PMKID:

pmkid

STEP 4

Cracking

When the PMKID will be cached, cracking process will be started and print the passphrase if so found in dictionary with the used hashes, respectively PMKID and PMK, if ran in verbose mode:

cracked pass

STEP 5

Output

Since, we mentioned an output file by the name output.txt where the pmkid and other details will be stored. This file has the same format as used by the hcxpcaptool used in the the hashcat cracking process. So, you can later use it with the hashcat as well. For example:

$ hashcat -m 16800 --force output.txt [wordlist]

WiFiBroot also supports simple cracking:

$ python wifibroot.py --mode 3 --read output.txt -d [wordlist] --verbose

Conclusion

Today, we saw to use WiFiBroot to crack WPA2 passwords by using a newly discovered method, thanks to Jens Steube. An attacker now doesn't need to capture handshakes. For the information, it is only WPA2 that is affected. In the case of WPA, a handshake is still required.