The Beginning of the End of WPA-2 — Cracking WPA-2 Just Got a Whole Lot Easier

It has been known for a while that WPA-2 (802.11i) has some fundamental security problems, and that these have thus led to the creation of WPA-3. A core problem is around the 4-way handshake, and here is me cracking WPA-2 by listening to the handshake with just a Raspberry PI and a $10 wi-fi transceiver:

For this I needed to capture the communication of the 4-way handshake, and then crack a PBKDF2-SHA1 hashed value. If a weak password is used, it is normally fairly inexpensive to crack the hash and gain access to the network.

As PBKDF2 is a slow hashing method, it will be costly to crack fairly complex passwords with brute force. Typically when using Hashcat, we focus on a range of rules which considerably improves the chances of success, such placing a digit at the end or making the first character an upper case one.

But recently things got even easier, as a Hashcat developer — Jens “Atom” Steube —who has found a way to crack the network without the involvement of the 4-way handshake. With this an attacker sends a single EAPOL frame to the access point. They then get back the PMK (Pairwise Master Key) and use Hashcat to generate the Pre-Shared Key (PSK). With a…