Hack WiFi: How to Crack WPA/WPA2 with PMKID Attack (WiFiBroot)

by hash3liZer . 20 August 2018

Hack WiFi: How to Crack WPA/WPA2 with PMKID Attack (WiFiBroot)

Since many of the last years we are continuously trying to stipulate with the same technique over and over again to somehow crack the WiFi passphrase. Unfortunately, this quest of ours has been invariabily one of those which usually have lesser outcomes and we usually end up with something like Rogue AP. However, with the uncovering of this new vulnerability now named PMKID, it's quite surprising that we can skip one of the most crucial steps in the traditional WPA/WPA2 cracking.

What was the way before this uprising PMKID cracking? You see, we try to capture a 4-way handshake by forcing the clients to re-authenticate with the Access point by forging those savage de-authentication frames. The later part is cracking the key (MIC) by comptuing hashes which are mingled through the 4 packets (HANDSHAKE).

Up until now, the process was same. But with the uncovering of this hostile vulnerability, thanks to Jen Steube, we can save quite a time of ours. Not just it decreased the time taken, rejected the need of a handshake but also increased the performance in terms of computing the cracking keys. With not dwelling more on to the topic, here's a logical statement to precisely compute the PMKID:

PMKID = HMAC-SHA-128(PMK, PMK Name" + AP MAC + STA MAC)

Jens Steube not just publicly published the vulnerability with his tool hashcat but also disclosed much wider information and allowed us to dissect our own frames to acheive much bigger aims. Now, if I had been planning on writing efficient code to crack WPA2 with PMKID, Python with scapy would have been my priority. Let's just focus on cracking WPA/WPA2 with what we now know as PMKID.

STEP 1

Cloning and Interface

Clone into the repository with git clone and move to the directory:

$ git clone https://github.com/hash3liZer/WiFiBroot.git
$ cd WiFiBroot/

WiFiBroot

Previously, in this tutorial we had covered doing the same attack through a different perspective, basically following the foot-steps of Jens Steube through different tools. With WiFiBroot, which is a tool written in Python we can do the same task with a single command.

WiFiBroot is built on the foundation of scapy, a well known packet forging library and tool. However, with upgradings and the continuous evolving of scapy, the layers and the fields within are slightly displaced from their orignal places. So, until a suitable version is released, the recommended version to install is 2.4.0 and so we will:

$ pip uninstall scapy  // Uninstalling Previous Version
$ pip install scapy==2.4.0

With hcx scanning tool, we had a very limited choice of supported adapters for injecting the right frames. Now, in this case, a simple adapter like WN722N would be enough the produce the PMKID. Put your wireless adapter in monitor mode:

$ airmon-ng start wlan1

STEP 2

Kick-Sart WiFiBroot

WiFiBroot support multiple modes and has multiple usages. If you had happened to get through the manual of WiFiBroot, you would have known all the names and the purpose of each one of them.

help manual

If you supply -h/--help argument with a valid mode, you will get all the available options for that mode. For Example, to print the options for de-authentication mode:

$ python wifibroot.py -m 4 --help

To get along in simple steps without wasting our time, we can kick-start the tool:

$ python wifibroot.py --mode 2 -i wlan1mon -d /path/to/wordlist
  • -m, --mode: Mode to use. Possible values: 1, 2
  • -i, --interface: Monitor Interface to use.
  • -d, --dictionary: Wordlist for cracking.
  • -w, --write: Write output to a file.

wifibroot in mode 2

There is a small wordlist included in the directory with WiFiBroot. Besides, just the wordlist, wifibroot will attempt to guess the key by making assumptions through default passwords and further reshuffle them in a way the most companies does with their routers.

Now, coming back to point; this will initiate the scanning of your sorrounding area, trying to discover the nearby wireless access points with 2.4 GHz frequencies. Before we proceed further, we need know what part of WPA/WPA2 is actually vulnerable. For the record, if you happen to have a WiFi with WPA only as it's encyption, you are safe from PMKID attack. It's WPA2 that on the spot is actually vulnerable. Choose your target network:

console output

STEP 3

Wait for the EAPOL

What makes this attack effective is the rejection of 4-way handshake as a need to crack WPA/WPA2 passphrases. EAPOL frames commence as successors to Authentication and Association requests. If both of the requests are to be successfully performed, both the station and the access point have to be agreed upon some terms. It is then after these requests that the access point dispatch the first EAPOL frame which contains the PMKID in RSN layer.

pmkid

You can see the following events happening in series:

  • Open Authentication
  • Association
  • 4-way handshake

Here, we got the PMKID:

pmkid

If an empty PMKID is received, you will be informed of the event and will be notified that access point is not fallible to this attack.

STEP 4

Cracking

Once we have the first handshake, we can crack the password right then and there. WiFiBroot does that as well. You will be notified that EAPOL first message has been captured and immediatly the cracking would start as can be seen in the screenshot. However, with the consideration in mind, we must conlude the fact that we are not going to acheive much speed with python as can be done through hashcat. So, we can also save the PMKID in the same format as of hcxpcaptools:

$ python wifibroot.py --mode 2 -i wlan1mon -d /path/to/wordlist -w output.txt

cracked pass

The output file can then be resued with both WiFiBroot and hashcat, if you prefer cloud computing. I personally prefer hashcat for cracking. To reuse the file with WiFiBroot, you can simple launch:

$ python wifibroot.py -m 3 --type 2 -r output.txt --essid "MyWiFiName" -d dicts/list.txt

STEP 5

Output

The file can be reused in a number of other cases including the famous hashcat tool. People usually prefer using hashcat when computing keys at a very high speed, usually in cloud servers nowadays. In the past couple years, cloud computing has become the most widespread norm among the computer industries and now people are using it to mine websites and data. Recently, this idea emerged of cracking WPA2 in cloud servers. You can setup your own server and use hashcat to crack the keys:

$ hashcat -m 16800 --force output.txt [wordlist]

Conclusion

WPA/WPA2 has been dwindling after the discovery of WPA2 key-reinstallation attack (KRACK) and while testing the new WPA3 protocol, Jens Steube stumbled upon on another vulnerability in WPA2 protocol, rejecting the need for a handshake to be in place. This highly visualized the traditional WPA/WPA2 cracking through MIC code into a new more robust EAPOL capture. The outcome of this is that now we are better able to crack WPA2 without handshake and can acheive more perfect performace.