squeeze
Member Candidate
Topic Author
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

PMKID Attack - clientless WPA2/WPA PSK attack

Sun Aug 05, 2018 2:55 pm

In the past 24h, there has been public information released in the Hashcat forums by one of their administrators of an improvement on brute force, offline dictionary attacks against WPA/WPA2 PSK (Pre-Shared Key) passwords. The specific improvement is that this can take place without the presence of clients and does not require a full handshake.

The attack can take place when an 802.11 management frame appears with an RSN IE (Robust Security Network Information Element) containing an RSN PMKID.

In mathematical terms:
PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

The PMKID can be brute-forced to grant the PMK, then the usual PSK attacks take place.

I have not called this a vulnerability because I do not know if Mikrotik is vulnerable to this attack nor does there appear to be a CVE number for it. Does anyone have information or can test to state otherwise?

Source: https://hashcat.net/forum/thread-7717.html
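The two formulas above, carried out in Python as an added example (not code from the original post or from Hashcat), with constructed AP and station MAC addresses: the PMK step is PBKDF2 with 4096 HMAC-SHA1 iterations, so checking one passphrase against a captured PMKID costs exactly the same as checking it against a captured 4-way handshake; what the PMKID changes is only that no client has to be present when the value is captured. The PMK check value for "password"/"IEEE" is the IEEE 802.11i Annex H test vector.

```python
import hashlib
import hmac


def derive_pmk(psk: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256).

    4096 iterations of HMAC-SHA1, 256 bits (32 bytes) of output.
    This step dominates the cost of every candidate passphrase tested,
    whether the verifier is a PMKID or a full 4-way handshake.
    """
    return hashlib.pbkdf2_hmac("sha1", psk.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def _mac_bytes(mac: str) -> bytes:
    # Accept "aa:bb:cc:dd:ee:ff" or "aa-bb-cc-dd-ee-ff" and return the 6 raw bytes.
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def derive_pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA).

    HMAC-SHA1 keyed with the PMK over the fixed label and both MACs,
    truncated to the first 128 bits (16 bytes). The PMKID is therefore
    only a verifier of the PMK: it reveals nothing by itself, but it lets
    an offline guess of the PSK be confirmed without any further traffic.
    """
    data = b"PMK Name" + _mac_bytes(mac_ap) + _mac_bytes(mac_sta)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def pmkid_for(psk: str, ssid: str, mac_ap: str, mac_sta: str) -> bytes:
    """Full chain PSK -> PMK -> PMKID for one network and one AP/STA pair."""
    return derive_pmkid(derive_pmk(psk, ssid), mac_ap, mac_sta)


if __name__ == "__main__":
    # Constructed sample values (not from any real network).
    ssid, psk = "IEEE", "password"
    mac_ap, mac_sta = "02:00:00:00:00:01", "02:00:00:00:00:02"
    pmk = derive_pmk(psk, ssid)
    print("PMK   :", pmk.hex())
    print("PMKID :", derive_pmkid(pmk, mac_ap, mac_sta).hex())
```

Because the PMKID is bound to both MAC addresses, a PMKID seen on one AP/STA pair cannot be reused to test guesses against another pair; the defence, as with the handshake attack, is a long random PSK (or 802.1X), since no amount of PMKID capture shortens the PBKDF2 work per guess.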
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: PMKID Attack - clientless WPA2/WPA PSK attack

Sun Aug 05, 2018 5:08 pm

This seems like it would only affect 802.1x / EAP setups.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: PMKID Attack - clientless WPA2/WPA PSK attack

Tue Aug 07, 2018 7:11 pm

I've attempted this attack against a wAP AC and it was unsuccessful. I don't think Mikrotik's wireless driver implements the features that this attack exploits.
 
nest
Forum Veteran
Posts: 822
Joined: Tue Feb 27, 2007 1:52 am
Location: UK

Re: PMKID Attack - clientless WPA2/WPA PSK attack

Tue Aug 07, 2018 8:13 pm

MikroTik (normal wireless or CAPsMAN) does not support 802.11r fast roaming, therefore the RSN IEs are not transmitted by the AP in the first place.
 
nexact
just joined
Posts: 2
Joined: Tue Aug 07, 2018 11:22 pm

Re: PMKID Attack - clientless WPA2/WPA PSK attack

Tue Aug 07, 2018 11:33 pm

I tested the attack on a 2011UiAS-2HnD with RouterOS v6.41rc44 and I've been able to crack my pre-shared key really quickly (shame on me, not a really strong password).
 
Davis
Member Candidate
Posts: 117
Joined: Mon Aug 01, 2011 12:27 pm
Location: Latvia, Riga

Re: PMKID Attack - clientless WPA2/WPA PSK attack

Thu Aug 09, 2018 12:01 am

It would be great to get an official response from MikroTik whether RouterOS is affected by this bug (sending PMKID for PSK networks).
And what are the plans for fixing this in case RouterOS is affected?

Although most likely this attack doesn't improve cracking speed, it greatly increases attack surface (as it does not require any clients to be connected when obtaining the password hashes).

P.S. There is a duplicate post about this issue.
 
strods
MikroTik Support
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: PMKID Attack - clientless WPA2/WPA PSK attack

Thu Aug 09, 2018 10:41 am

Please see this forum topic regarding discussed WPA2-PSK brute force attack method:

viewtopic.php?f=21&t=137838
