Hashcat developer discovers simpler way to crack WPA2 wireless passwords
While looking for ways to attack the new WPA3 security standard, Hashcat developer Jens “Atom” Steube found a simpler way to capture and crack access credentials protecting WPA and WPA2 wireless networks.
The attack
The attacker needs to capture a single EAPOL frame after requesting it from the access point, extract the PMKID from it by dumping the received frame to a file, convert the captured data to a hash format accepted by Hashcat, and run Hashcat to crack it. Once that’s done, the attacker has the Pre-Shared Key (PSK), i.e. the password, of the wireless network.
Depending on the length and complexity of the password and the power of the cracking rig, that last step could take hours or days.
“The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame,” Steube explained.
This makes the attack much easier to pull off, as the attacker doesn’t depend on another user and on being in range of both the user and the access point at the exact moment when the user connects to the wireless network and the handshake takes place.
“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers),” Steube added.
Other researchers have already started trying out the attack, so a list of vulnerable routers seems to be in the making.
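To audit your own access point, the check below classifies a captured EAPOL-Key message 1 by whether it carries a PMKID. It is an added example, not code from Steube or Hashcat. The frame layout follows IEEE 802.11, where the PMKID travels as a key data element with OUI 00-0F-AC and type 4; the function names and sample frames are constructed for illustration.

```python
import struct

KEY_DATA_LEN_OFF = 97                   # Key Data Length offset in an EAPOL-Key frame
PMKID_KDE = bytes.fromhex("000fac04")   # OUI 00-0F-AC, data type 4 (PMKID)

def pmkid_exposure(eapol: bytes) -> str:
    """Classify EAPOL-Key message 1 as 'absent', 'zeroed' or 'exposed'."""
    if len(eapol) < KEY_DATA_LEN_OFF + 2 or eapol[1] != 3:
        raise ValueError("not an EAPOL-Key frame")
    (kd_len,) = struct.unpack_from(">H", eapol, KEY_DATA_LEN_OFF)
    key_data = eapol[KEY_DATA_LEN_OFF + 2:KEY_DATA_LEN_OFF + 2 + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("truncated key data")
    pos = 0
    while pos + 2 <= len(key_data):     # walk the type/length/value elements
        etype, elen = key_data[pos], key_data[pos + 1]
        body = key_data[pos + 2:pos + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated element")
        if etype == 0xDD and elen == 20 and body[:4] == PMKID_KDE:
            # An all-zero field is a placeholder, not a value derived from the key.
            return "zeroed" if body[4:] == bytes(16) else "exposed"
        pos += 2 + elen
    return "absent"

def build_m1(key_data: bytes) -> bytes:
    """Constructed sample frame: WPA2 message 1 with zeroed nonce and MIC fields."""
    # Descriptor type 2, key info 0x008A (pairwise, ACK), key length 16,
    # then replay counter, nonce, IV, RSC, reserved and MIC (88 bytes, zeroed).
    body = bytes([2]) + struct.pack(">HH", 0x008A, 16) + bytes(88)
    body += struct.pack(">H", len(key_data)) + key_data
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body  # version 2, type 3

SAMPLE_PMKID = bytes(range(1, 17))      # constructed value, not from a real network
M1_EXPOSED = build_m1(b"\xdd\x14" + PMKID_KDE + SAMPLE_PMKID)
M1_ZEROED = build_m1(b"\xdd\x14" + PMKID_KDE + bytes(16))
M1_ABSENT = build_m1(b"")

if __name__ == "__main__":
    for name, frame in [("exposed", M1_EXPOSED), ("zeroed", M1_ZEROED),
                        ("absent", M1_ABSENT)]:
        print(name, "->", pmkid_exposure(frame))
```

A result of "exposed" means the password strength advice in the next section is the control that matters for that network.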
Protect your network
According to Steube, this attack will be much harder to pull off against WPA3 because of its modern key establishment protocol called Simultaneous Authentication of Equals (SAE). Unfortunately, it will take many years until WPA3 becomes the norm.
Luckily, protecting one’s WPA and WPA2 wireless networks against this attack is as easy as setting a complex, long and random password – and not using the one generated by the router.