In the past 24h, there has been public information released in the Hashcat forums by one of their administrators of an improvement on brute-force, offline dictionary attacks against WPA/WPA2 PSK (Pre-Shared Key) passwords. The specific improvement is that this can take place without the presence of clients and does not require a full handshake.
The attack can take place when an 802.11 management frame appears with an RSN IE (Robust Security Network Information Element) containing an RSN PMKID.
The PMKID can be brute-forced to grant the PMK, then the usual PSK attacks take place.
I have not called this a vulnerability because I do not know if Mikrotik is vulnerable to this attack nor does there appear to be a CVE number for it. Does anyone have information or can test to state otherwise?
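Added here as an example, not code from this thread or from MikroTik: a parser for the RSN element layout referred to above (version, group/pairwise cipher suites, AKM suites, capabilities, and the optional PMKID list), so that a defender can check what the frames captured from their own AP actually carry. The sample element bytes, including the PMKID value, are constructed.

```python
import struct

# Suite selectors under the IEEE OUI 00-0F-AC (IEEE 802.11-2016, clause 9.4.2.25)
OUI_IEEE = bytes.fromhex("000fac")
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

def _suite(raw: bytes, names: dict) -> str:
    oui, typ = raw[:3], raw[3]
    return names[typ] if oui == OUI_IEEE and typ in names else f"{oui.hex()}:{typ}"

def _suite_list(body: bytes, off: int, names: dict):
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("suite list runs past end of element")
    return [_suite(body[off + 4*i: off + 4*i + 4], names) for i in range(count)], off + 4*count

def parse_rsn_ie(body: bytes) -> dict:
    """Parse an RSN element body (bytes after the 0x30 tag and length octet). Every field
    after Version is optional, so parsing stops at the first absent one; 'pmkids' stays []."""
    out = {"version": struct.unpack_from("<H", body, 0)[0], "pmkids": []}
    off = 2
    if len(body) < off + 4:
        return out
    out["group_cipher"] = _suite(body[off:off + 4], CIPHER)
    off += 4
    for key, names in (("pairwise", CIPHER), ("akm", AKM)):
        if len(body) < off + 2:
            return out
        out[key], off = _suite_list(body, off, names)
    if len(body) < off + 2:
        return out
    out["capabilities"] = struct.unpack_from("<H", body, off)[0]
    off += 2
    if len(body) < off + 2:
        return out
    (n,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 16 * n > len(body):
        raise ValueError("PMKID list runs past end of element")
    out["pmkids"] = [body[off + 16*i: off + 16*i + 16].hex() for i in range(n)]
    return out

# Constructed sample: WPA2-PSK/CCMP element carrying one dummy PMKID value
SAMPLE_WITH_PMKID = bytes.fromhex(
    "0100" "000fac04" "0100000fac04" "0100000fac02" "0000"
    "0100" "00112233445566778899aabbccddeeff")
# Constructed sample: the same element as a beacon carries it, with no PMKID list
SAMPLE_BEACON = SAMPLE_WITH_PMKID[:20]
```

Feed it the body of the RSN element (tag 0x30) pulled from your own AP's frames; a non-empty `pmkids` list is what the offline attack described above needs.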
I’ve attempted this attack against a wAP AC and it was unsuccessful. I don’t think Mikrotik’s wireless driver implements the features that this attack exploits.
I tested the attack on a 2011UiAS-2HnD with RouterOS v6.41rc44 and I’ve been able to crack my pre-shared key really quickly (shame on me, not a really strong password).
It would be great to get an official response from MikroTik whether RouterOS is affected by this bug (sending PMKID for PSK networks).
And what are the plans for fixing this in case RouterOS is affected?
Although most likely this attack doesn’t improve cracking speed, it greatly increases attack surface (as it does not require any clients to be connected when obtaining the password hashes).