Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

New Method Discovered for Cracking WPA2 Wi-Fi Passwords

Developers of the popular password cracking tool Hashcat have identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.

Developers of the popular password cracking tool Hashcat have identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.

Jens ‘Atom’ Steube, the lead developer of Hashcat, revealed that the new attack method was discovered by accident during an analysis of the recently launched WPA3 security standard.

According to Steube, the main difference between the new and older attacks is that the new method does not require capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), which is a network port authentication protocol. Instead, the attack targets the Robust Secure Network Information Element (RSN IE).

RSN is a protocol designed for establishing secure communications over an 802.11 wireless network and is part of the 802.11i (WPA) standard. When it begins to establish a secure communication channel, RSN broadcasts an RSN IE message across the network.

One of the capabilities of RSN is PMKID (Pairwise Master Key Identifier), from which an attacker can obtain the WPA PSK (Pre-Shared Key) password. WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube explained in a post on the Hashcat forum. “We receive all the data we need in the first EAPOL frame from the AP.”

An attacker can use the hcxdumptool tool to request the PMKID from the targeted access point and dump the received frame to a file. Hcxdumptool can then be used to obtain a hash of the password that Hashcat can crack. The recommendation is that the tool be run for up to 10 minutes before aborting the process.

Advertisement. Scroll to continue reading.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers),” Steube said.

Penetration tester Adam Toscher has published a blog post explaining step-by-step how such an attack can be conducted. The method has been tested by several individuals and while some claim to have successfully reproduced the attack, others say they haven’t been able to do so.

Some members of the industry pointed out that while this new method can make the attack easier to conduct, brute-forcing is still involved, which means a strong password represents an efficient mitigation. Experts also noted that WPA Enterprise (i.e. systems using WPA2-EAP) is not impacted.

New WPA2 attack method

As for WPA3, Steube noted that it’s “much harder to attack because of its modern key establishment protocol called ‘Simultaneous Authentication of Equals’ (SAE).”

Related: Lenovo Patches Critical Wi-Fi Vulnerabilities

Related: Dangerous WPA2 Flaw Exposes Wi-Fi Traffic to Snooping

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.