The Old Way to Crack WPA2 Passwords
The old way of cracking WPA2 has been around quite some time and involves momentarily disconnecting a connected device from the access point we want to try to crack. That has two downsides, which are essential for Wi-Fi hackers to understand.
The first downside is the requirement that someone is connected to the network to attack it. The network password might be weak and very easy to break, but without a device connected to kick off briefly, there is no opportunity to capture a handshake, thus no chance to try cracking it.
The second downside of this tactic is that it's noisy and legally troubling in that it forces you to send packets that deliberately disconnect an authorized user for a service they are paying to use. This kind of unauthorized interference is technically a denial-of-service attack and, if sustained, is equivalent to jamming a network. It can get you into trouble and is easily detectable by some of our previous guides.
A New Method of Password Cracking
Rather than relying on intercepting two-way communications between Wi-Fi devices to try cracking the password, an attacker can communicate directly with a vulnerable access point using the new method. On Aug. 4, 2018, a post on the Hashcat forum detailed a new technique leveraging an attack against the RSN IE (Robust Security Network Information Element) of a single EAPOL frame to capture the needed information to attempt a brute-force attack.
Similar to the previous attacks against WPA, the attacker must be in proximity to the network they wish to attack. The objective will be to use a Kali-compatible wireless network adapter to capture the information needed from the network to try brute-forcing the password. Rather than using Aireplay-ng or Aircrack-ng, we'll be using a new wireless attack tool to do this called hcxtools.
Using Hcxtools & Hashcat
Hcxdumptool and hcxpcaptool are tools written for Wi-Fi auditing and penetration testing, and they allow us to interact with nearby Wi-Fi networks to capture WPA handshakes and PMKID hashes. It works similar to Besside-ng in that it requires minimal arguments to start an attack from the command line, can be run against either specific targets or targets of convenience, and can be executed quickly over SSH on a Raspberry Pi or another device without a screen.
Once the PMKID is captured, the next step is to load the hash into Hashcat and attempt to crack the password. This is where hcxtools differs from Besside-ng, in that a conversion step is required to prepare the file for Hashcat. We'll use hcxpcaptool to convert our PCAPNG file into one Hashcat can work with, leaving only the step of selecting a robust list of passwords for your brute-forcing attempts.
It's worth mentioning that not every network is vulnerable to this attack. Because this is an optional field added by some manufacturers, you should not expect universal success with this technique. Whether you can capture the PMKID depends on if the manufacturer of the access point did you the favor of including an element that includes it, and whether you can crack the captured PMKID depends on if the underlying password is contained in your brute-force password list. If either condition is not met, this attack will fail.
0 comments:
Post a Comment