Cracking WiFi without clients: The PMKID method.

For those who don’t already know about the latest finding in the 802.11 world: clients who know the correct PSK are no longer required for WiFi cracking on some access points! In fact all that is required to begin cracking the PSK for an access point affected by this issue is that the WPA/WPA2 enabled AP and a wireless card running in monitor mode.

In this blog I will mount an attack on my home wireless access point following the instructions listed here by atom of the Hashcat project. The steps involving packet capture and processing were performed on a Ubuntu 18.04.1 operating system while the actual cracking was performed using hashcat for Windows 10 with a GeForce GTX 960M. The access point attacked is a Linksys EA6350 high-speed wireless router.

Capturing PMKIDs

First, install the required tools:

git clone https://github.com/ZerBea/hcxtools git clone https://github.com/ZerBea/hcxdumptool cd hcxdumptool make sudo make install cd ../hcxtools make sudo make install

Next, place your wireless interface in monitor mode (high gain alfa cards are a plus).

service network-manager stop ifconfig wlan1 down iwconfig wlan1 mode monitor ifconfig wlan1 up

Now use hcxdumptool to begin capturing PMKID packets. I recommend setting the channel using the -c flag. Take note of your wireless access point’s channel and BSSID for the next step.

hcxdumptool -c 6 -o test.pcapng -i wlan1 --enable_status

Let the tool run and see if a [FOUND PMKID] message appears with a BSSID matching your access point. The BSSID and STMAC are displayed to the right of the timestamp in the tool’s output. Below is a screenshot of an actual capture session using an ALFA high gain USB wireless card (The first PMKID found is from my AP).

If the message does not appear within a few seconds you may attempt to speed up the process by connecting to the access point using a WiFi enabled device. Enter an incorrect password to demonstrate to yourself that no client need be available that knows the actual password. This is an important distinction since until now a client device that knows the correct PSK was required to begin cracking WPA/WPA2 password. For more information, consult the below links.

WPA/WPA2 Cracking

WPA/WPA2 Fake AP (half-valid handshake) Cracking

My access point is dual-band so a second capture was performed to capture the PMKID from the 5G network. For this network I had to use the method described above to force a PMKID to be captured. My ALFA USB wireless card only supports 2G so I was forced to use my laptop’s internal wireless card.

Processing

Next, dump the WPA-PMKID-PBKDF2 hashes.

hcxpcaptool -z test.16800 test.pcapng

The hashes will be dumped to the file test.16800 in hashcat format. To save the SSIDs of the networks in the capture file to a file, add the -E flag followed by the filename.

hcxpcaptool -E essid_list.txt -z test.16800 test.pcapng

Cracking

To crack the hashes I used hashcat on my Windows 10 machine (easier setup) but any operating system with a working instance of hashcat should suffice.

hashcat64.exe -m 16800 -a 0 --kernel-accel=1 -w 4 --force test.16800 rockyou.txt

Note: –kernel-accel=1 –force was required to get hashcat running.

The cracking speed appears to be identical to cracking a regular WPA2-PSK handshake. The password was successfully recovered on both the 2G and 5G networks without capturing any (valid) EAPOL handshake from a client device!

I tried the procedure above again but using the mobile hotspot on my Nexus 6P (latest AOSP version) as the access point but was unsuccessful in capturing a PMKID.

Conclusion

The best mitigation is to use a strong WiFi password. Mitigations to the issue itself are not forthcoming at this time. If your AP has the option, you may attempt to disable Fast BSS transition (fast roaming) and see if this is effective in stopping the attack. Until the widespread adoption of WPA3, this finding is sure to be another valuable recipe in the pentester’s cookbook for cracking WPA/WPA2 passwords when no clients are connected.