
New attack on WPA using PMKID - newman8r
https://hashcat.net/forum/thread-7717.html
======
zrm
Sometimes I wonder if trying to encrypt WiFi is even worth it. "E2EE or GTFO"
is pretty compelling.

The counterargument is keeping packet headers (i.e. remote IP addresses) and
plaintext DNS queries private, but that's already the use case of a VPN. Even
if it's just a "VPN" to your own home router. And then it protects you even
against the operator of the access point (or someone impersonating it because,
as usual, the passphrase is widely distributed).

~~~
consto
Even if encryption isn't worth it, the access controls it gives you are to
most access point owners. By limiting who can connect an owner can reduce
bandwidth usage, improve latency, and increase the quality of their
connection.

Not to mention that most protocols in current use at minimum leak metadata.
There would need to be a standard for an automatic authenticated VPN supported
by hotspots and operating systems. Regular users shouldn't need to perform
complex setup procedures.

And at that point, while I do like the separation of concerns provided, why
not just fix or replace WPA?

~~~
zrm
Even for that, it's not the ideal layer. A basic connection should generally
be available for everyone even if it's a rate-limited logically-separated
segment that only provides internet access. Then if you want special treatment
for a specific subset of users they need something on top of that, but only
that subset of users -- notably not the ones who come and go all the time --
and authenticating them has no real relation to the WiFi. A VPN to an endpoint
on the same LAN works for this. There is also 802.1X, IPSec, etc., which
common operating systems already support.

Meanwhile the guest users should have their own external VPN to protect them
_from you_, which they should only have to set up once for all networks.

~~~
viraptor
> A basic connection should generally be available for everyone even if it's a
> rate-limited logically-separated segment that only provides internet access.

As long as you're legally responsible for the traffic coming out of your
network, this is not a good thing to do. Unless people explicitly get the same
protection an ISP gets, I'll keep advising them not to share their
connection openly.

~~~
zrm
> As long as you're legally responsible for the traffic coming out of your
> network, this is not a good thing to do. Unless people explicitly get the
> same protection an ISP gets, I'll keep advising them not to share their
> connection openly.

That is obviously a jurisdiction-dependent legal question and anyone concerned
about it should consult an attorney.

But if you're suggesting that, for example, the CDA or DMCA safe harbors only
apply to Comcast and not book stores or auto shops or anyone else that
provides public WiFi, I would be interested to see a citation for that.

~~~
viraptor
I didn't mean DMCA only. Rather, dealing with law enforcement in general.

But even with just DMCA to be a safe harbour you need to: have a service
policy, show it to the users, have the possibility to prevent access for
identified violations, and effectively keep some kind of connection record to
be able to identify which users you need to terminate. I doubt anyone fulfills
that at home. (I don't think shops and cafes do either)

~~~
zrm
I feel like this is why the advice is always to consult an attorney. If the
law has some easy to fulfill requirement (service policy) then concerned
people should have one even if they're only providing access to Uncle Bob and
not the general public. It may not be likely that Uncle Bob would cause any
trouble (though maybe his computer is infected), but it may not be likely that
_anyone_ with physical proximity would cause any trouble. If you're worried
about it then why not do the thing that mitigates the risk regardless?

It's even possible that _not_ providing public access may increase certain
risks. If you restrict access and someone guesses/cracks the password and does
something terrible, that may make it harder to argue that it wasn't you.

I'm also not sure where you're reading the requirement to identify the users.
There are many sites (e.g. Slashdot) where users can post anonymously (and via
Tor or equivalent). Are you saying they don't qualify?

They have some info here:

[https://openwireless.org/myths-legal.html](https://openwireless.org/myths-legal.html)

But notice that half the page is dedicated to extra-legal ISP shenanigans,
which brings us back to routing your whole internet connection (guest net
included) through a VPN. Which, again, you probably want even if you're the
only one on your connection. It's not as if copyright trolls are renowned for
their accuracy in targeting only people who are actually infringing something.

~~~
viraptor
> I'm also not sure where you're reading the requirement to identify the
> users.

Not identify as in get their names. Just identify enough to know when they
come back. Knowing which MAC to filter would probably be enough.

[http://digital-law-online.info/lpdi1.0/treatise39.html](http://digital-law-online.info/lpdi1.0/treatise39.html)

> First, the service provider is expected to adopt and reasonably implement a
> policy for the termination in appropriate circumstances of the accounts of
> subscribers of the provider’s service who are repeat online infringers of
> copyright.

You'd need to also identify which device was infringing by getting a
connection time/destination.

~~~
zrm
> You'd need to also identify which device was infringing by getting a
> connection time/destination.

I still don't see where it says you have to do that. Your link doesn't seem to
say anything about it.

I question the value of MAC address blocking in general. Anyone can change
their MAC address and popular systems are even using MAC address randomization
by default now.

And in a physically local context like this, couldn't you just tell the person
they're not allowed to use your wireless anymore, or remove them from the
property?

The issue is who has to identify the user. If all they gave you was your own
IP address with no accurate timestamp or ports, you wouldn't even be able to
get the effectively-useless MAC address, even with the connection records most
people don't keep. If they gave you the user's legal name (e.g. because the
user signed up for the file sharing service with it) then you wouldn't need
any connection records.

~~~
viraptor
The MAC is just an example. You need some way to block someone abusing your
connection. It's the first point raised in the requirements for safe harbour.
For this you need to be able to say "this is the same person/device as
before".

> couldn't you just tell the person they're not allowed to use your wireless
> anymore

The context we started with is wifi open to the public. You've never met your
users and you may never see them (directional antenna from a distance), so the
legal name is not useful either.

The situation where you know the users is much simpler.

~~~
zrm
> The MAC is just an example. You need some way to block someone abusing your
> connection.

You're thinking like a sysadmin. Think like an organization.

Compare the situation where you have a public space where everyone is welcome
except Bob, because when Bob was there in the past he caused trouble and was
asked never to come back.

You don't have to post guards checking ID because Bob knows he's not invited
and the laws against trespassing deter him from showing up.

> The context we started with is wifi open to the public. You've never met
> your users and you may never see them (directional antenna from a distance),
> so the legal name is not useful either.

Seeing isn't required for telling. If you have the legal name, why can't you
send a certified letter telling them they're not allowed to use your network
anymore, then if they continue you call the police?

------
aftbit
Can anyone provide a brief summary of the state of the art of WPA cracking?
How many bits of entropy do I need in my wireless password these days to deal
with cloud GPUs?

~~~
bsamuels
Nobody is going to spend the atrociously high cost of cloud GPUs to crack
someone's home WiFi password in an un-targeted attack. Your home WiFi threat
actor is your neighbor's kid playing with aircrack.

In a corporate environment, use WPA2-Enterprise; then password entropy doesn't
matter quite as much.

~~~
stefan_
I thought enterprise was even more fucked thanks to the horror that is
MSCHAPv2 and that no one bothers to set up the PKI stuff to authenticate the
APs.

~~~
dfox
In WPA-EAP the AP is not an active part of the authentication flow (it only
forwards the frames) and as such does not directly authenticate itself to the
client (it happens indirectly by the fact that it can forward the frames).

The configuration space of WPA-EAP is huge and most combinations are horribly
insecure, but as long as you stick with one of the "tunnel everything through
TLS" EAPs (EAP-TTLS or PEAP) the result is safe against passive attackers even
when you don't verify server certificates (obviously you should verify the
certificates, because the active attack is trivial and does not have to
interact with your network).

~~~
spockz
How would one set up the certificates in the right way? I presume that needs
MDM anyway to conveniently distribute the certificates?

~~~
angry_octet
You can do it without MDM, just distribute via an https webpage. Most
universities do this, because it is 90% byod or guest access (you can only be
enrolled in one MDM).

~~~
spockz
So guests coming to your home would need to first download certificates in
order to be able to trust your network. But they would then need to trust that
certificate not to be used to MITM their own EAP servers... This doesn’t sound
very user friendly. Am I missing something?

~~~
angry_octet
Certificates, not CAs.

~~~
spockz
Right. Of course.
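
Added example, not from the thread: the client-side check dfox describes, with
the two configurations side by side. The wpa_supplicant.conf fragments below
are constructed (SSID, identity, password and paths are made up); the option
names (`ca_cert`, `ca_path`, `domain_suffix_match`, `domain_match`,
`altsubject_match`, `subject_match`) are wpa_supplicant's own. The audit
function flags a PEAP/TTLS network that either never verifies the RADIUS
server's certificate, or pins a CA without tying the certificate to a server
name, which is the case where a rogue AP plus rogue RADIUS gets the inner
MSCHAPv2 exchange without ever touching your network.

```python
import re
from typing import Dict, List

# Constructed wpa_supplicant.conf fragments (not from the thread).
# WEAK_CONF is the setup dfox warns about: PEAP with no server-certificate
# check, so any AP can terminate the TLS tunnel and capture the inner MSCHAPv2
# challenge/response. HARDENED_CONF pins the issuing CA and the server name.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

TUNNELLED_EAP = {"PEAP", "TTLS"}
# wpa_supplicant options that bind the server certificate to a specific name
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return each network={...} block as a dict of option -> value (quotes stripped)."""
    nets: List[Dict[str, str]] = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one network block; an empty list means nothing to flag."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", "") or net.get("eap") not in TUNNELLED_EAP:
        return findings  # not a tunnelled-EAP network; out of scope here
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append(
            "no ca_cert/ca_path: RADIUS server certificate is not verified, so a "
            "rogue AP can terminate the tunnel and capture the inner exchange"
        )
    elif not any(k in net for k in NAME_CHECKS):
        findings.append(
            "ca_cert set but no domain_suffix_match/domain_match/altsubject_match: "
            "every certificate issued by that CA is accepted (fatal with a public CA)"
        )
    return findings


def audit_conf(conf: str) -> Dict[str, List[str]]:
    """Map ssid -> findings for every network block in a config."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit_conf(conf).items():
            print(f"[{label}] {ssid}: {findings or 'ok'}")
```

Run it against a real /etc/wpa_supplicant/wpa_supplicant.conf by passing the
file contents to `audit_conf`. The "CA pinned but no name check" branch is the
one people miss: with a public CA in `ca_cert`, anyone who can buy a
certificate from that CA passes the check.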

------
philjohn
Interestingly it seems limited to wifi networks that implement the roaming
extensions to 802.11. When setting up my network at home with several APs
throughout the house I decided that, whilst roaming is nice, I don't trust
most devices to select the strongest AP to latch onto after some trial and
error, so disabled it wholesale.

------
mey
Is this an attack on WPA generally, or just WPA and not WPA2? I don't know if
WPA and WPA2 are discrete designs with a common name or an evolution of the
same design à la SSL.

~~~
Covzire
The title seems like it's got a typo and WPA2 should be in there along with
WPA: "New attack on WPA/WPA using PMKID".

Why say WPA/WPA instead of just WPA? Unless they meant WPA/WPA2.

~~~
mangix
Correct

------
PhantomGremlin
So, how secure is a network when the teenagers in the house give out the WiFi
key to all their friends when they visit? How secure is it when said teenagers
ask Dad to change the previous random-character password to a simple phrase to
make it easier for their friends to type it in?

Asking for a friend. :)

In other words, about 99% of the WiFi passwords out there are vulnerable to a
brute force attack. But we knew that already, didn't we? Was it not already
possible to brute force WPA2 before this new attack?

How much easier/faster is this new attack? It would have been nice if the
article itself said something like: "This new attack increases brute force
attack rate by a factor of 10x". Or whatever the right value is.

~~~
conception
I'm not sure when/how but all the newer WiFi home systems I've seen prompt
people's devices to share the password when someone tries to join, so you can
have a complex password. Also a lot of those have guest networks, so if you
need a weak network you can have one. Finally you can xkcd your password and
make it something like "maytheforcebewithmyfriendmark" - it doesn't have to be
complex.

~~~
lucb1e
> Finally you can xkcd your password and make it something like
> "maytheforcebewithmyfriendmark"

No, no, no. The rest of your comment is spot-on, but I've done projects on
passphrases and everyone gets this backwards. That is not what XKCD says. Let
me quote the XKCD:

> four random common words

Random words, not a phrase like "may the force be with" and "my friend mark"
(I'm sure you can find those two online). When cracking public hash dumps
using phrases from public sources, I get hundreds of thousands of hits. If
your phrase (partially) exists online, it's not a secret one.

Someone else mentioned diceware. Six random words from that dictionary
(potentially generated using real dice) is pretty much unbreakable, though it
has only a small security margin for when a protocol gets weakened but not
broken.

~~~
dogma1138
These passwords are not resilient to complicated attacks and are more easily
cracked than randomly generated passwords.

Limit the dictionary to the top Xk most common English words; if leetspeak
substitution is used you can also easily mask it.

We did this experiment, and even randomly generating 6-word passwords using
Wikipedia as the dictionary resulted in passwords which are faster to crack
than 16-character randomly generated passwords. That is because you can't
count the entropy as single characters: sure, if you brute force it char by
char it will take longer, but if you use words as your base unit then you only
need to find 4-6 from a fairly limited pool of possibilities.

You can further limit it down by using grammar rules. If your target is using
passphrases, those are even faster to crack and can be generated using Markov
chains or any basic grammar rule engine.

~~~
lucb1e
> These passwords are not resilient to complicated attacks and are more easily
> cracked than randomly generated passwords.

There is no fundamental difference. Either your pool of elements consists of
95 different symbols (ASCII printable characters and space) and you get
passwords like 'F~iV3Bcv>\Q@' or your pool of elements consists of thousands
of words and you get passwords like 'hubs exempted contend catchment others'.

As per Kerckhoffs's principle, we should assume that the method of generating
the password is known (which set of elements, i.e. your charset or dictionary,
which RNG was used, and perhaps the length of the password).

The resulting strength in terms of bruteforceability of its hash is equal.
Assuming one picks sane values, e.g. 6 elements when using a 7800 element set,
or 12 elements when using a 95 element set, both are safe to use.

> randomly generating 6 word passwords using Wikipedia as dictionary

I don't understand what you mean by "using Wikipedia as dictionary". Wikipedia
contains whole sentences. Did you download a dump of the English Wikipedia and
split it on non-word characters and use that as dictionary? Did you remove
duplicate words? Or did you take Wiktionary's words?

> if you use words as your base unit then you only need to find 4-6 from a
> fairly limited pool of possibilities.

I think you're wrong, but feel free to prove me wrong :). Here are some
hashes:

    f4cd51713a3ac5798b3a0b40fe61aa2f
    f424f3432b7acbce2c2d3548490c9cc0
    71fa597116bfc54ecc6c48162629d391
    beb09edbc493bf826b61afa6905712df
    42251a29996a78ef023bdb03a8c22ea9
    3a80f15bd82c4f4c0a3338a1fa86adb9

They were generated using this script:

    #!/usr/bin/env bash
    # Emit N random words from the system dictionary, each followed by a space,
    # skipping entries that contain an apostrophe or an accented e.
    function genphrase {
        x=$1
        while [ "$x" -gt 0 ]; do
            # one uniformly random word from the filtered list
            echo -n "$(grep -v é /usr/share/dict/words | grep -v "'" | shuf -n 1) "
            let x=$x-1
        done
    }

    # Six phrases of 1..6 words. The trailing space emitted by genphrase is
    # part of the hashed string (see the sample output line below).
    for i in {1..6}; do
        phrase="$(genphrase "$i")"
        sum=$(echo -n "$phrase" | md5sum | awk '{print $1}')
        echo "$sum $phrase"
    done

Basically I take random words from /usr/share/dict/words so long as it does
not contain an apostrophe or an accented e. The md5 hash of the result is
generated, a very fast and well-supported algorithm (your favorite cracking
program should support it without any trouble). As an example, from another
run of the script, here is one of its output lines:

    75e6881687661e09e404b517e7ee2ce3 goodliest villeins gymnast 

You can use this sample output to verify that the hash is generated correctly
and that your tool works. I expect the first two hashes should not be an
issue, the third might be harder, the fourth would be impressive, and I expect
that the fifth and sixth will remain uncracked.

The dictionary version is 2018.04.16-1 (wamerican package in Debian), I
uploaded it here: [https://lucb1e.com/tmp/words](https://lucb1e.com/tmp/words)
(watch out clicking the link, it's a large file and your browser may just
display it instead of downloading it)

> You can further limit it down by using grammar rules. If your target is
> using passphrases, those are even faster to crack and can be generated using
> Markov chains or any basic grammar rule engine.

At least in my research, I've found that markov chains and n-grams are of much
worse quality and slower than just using raw phrases from public sources. The
downloading and processing of those sources takes more time, but that's a one-
time action and not really part of the cracking process. And as I said in the
comment you're replying to, if your 'phrase' is not random words but actually
a logical 'phrase', then it's not suitable as passphrase. I think you're
confusing random phrases with logical sentences.
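
Added example, not from either poster: the word-level brute force the two of
you are arguing about, written out so the cost is visible. It uses a
constructed 12-word pool (the real script draws from /usr/share/dict/words),
generates phrases in the same format as the posted script (each word followed
by a space, which is included in the md5 input), and enumerates every
1..N-word tuple from the pool. `search_space_bits` is the Kerckhoffs-style
count: the attacker knows the pool and the length, so the work is pool_size^N
regardless of how many characters the phrase has.

```python
import hashlib
import itertools
import math
import secrets
from typing import List, Optional, Tuple

# Constructed word pool for the demo; the posted script draws from
# /usr/share/dict/words, which is roughly 100k entries after its filters.
WORDS = ["goodliest", "villeins", "gymnast", "hubs", "exempted", "contend",
         "catchment", "others", "quartz", "mellow", "zebra", "apple"]


def search_space_bits(pool_size: int, elements: int) -> float:
    """log2 of the candidates a cracker who knows the pool and length must try."""
    return elements * math.log2(pool_size)


def gen_phrase(words: List[str], n: int) -> str:
    """n words chosen with a CSPRNG, in the posted script's format (trailing space)."""
    return "".join(secrets.choice(words) + " " for _ in range(n))


def phrase_md5(phrase: str) -> str:
    """Same digest the posted script computes: md5 over the phrase bytes, trailing space included."""
    return hashlib.md5(phrase.encode()).hexdigest()


def crack_md5_phrase(target_hex: str, words: List[str], max_words: int) -> Tuple[Optional[str], int]:
    """Word-level brute force: try every 1..max_words tuple from the pool.

    Returns (phrase, attempts). attempts grows as sum(len(words)**k), which is
    exactly what search_space_bits predicts; the character count of the
    phrase never enters into it.
    """
    attempts = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            attempts += 1
            candidate = "".join(w + " " for w in combo)
            if phrase_md5(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    print("6 words from 7800:  %.1f bits" % search_space_bits(7800, 6))
    print("12 chars from 95:   %.1f bits" % search_space_bits(95, 12))
    print("6 diceware (7776):  %.1f bits" % search_space_bits(7776, 6))
    secret = gen_phrase(WORDS, 3)
    found, tries = crack_md5_phrase(phrase_md5(secret), WORDS, 3)
    print(f"{len(WORDS)}-word pool, 3 words: recovered {found!r} after {tries} tries")
```

To try it on the posted hashes, point `WORDS` at the linked dictionary (after
the same apostrophe and é filtering) and raise `max_words`; the attempt count
returned makes it obvious why the 1- and 2-word hashes are easy and the 5- and
6-word ones are not, which is the whole disagreement in two numbers.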

------
stryngs101
[https://github.com/stryngs/scripts/tree/master/pmkid2hashcat](https://github.com/stryngs/scripts/tree/master/pmkid2hashcat)

Enjoy =)
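
Added example (mine, not the hashcat post's code and not stryngs' converter):
the PMKID check the linked thread describes, against a line in hashcat's
16800 format (`PMKID*MAC_AP*MAC_STA*ESSID_hex`, which is what a pmkid2hashcat
style converter produces). The passphrase, SSID and MAC addresses in the
sample are constructed. The point it shows: the PMKID is derived only from the
PMK and the two MACs, so one frame from the AP is enough to verify guesses
offline, while the per-guess cost is still the 4096-round PBKDF2, unchanged
from cracking a full 4-way handshake.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# PMK and PMKID as defined for WPA/WPA2-PSK in IEEE 802.11i. The AP may put
# the PMKID in the RSN IE of EAPOL message 1, i.e. before any client has
# authenticated, which is why a single frame from the AP is enough to test
# passphrases offline. hashcat -m 16800 consumes exactly these four fields.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_16800(line: str) -> Tuple[bytes, bytes, bytes, str]:
    """Split a hashcat -m 16800 line: PMKID*MAC_AP*MAC_STA*ESSID(hex)."""
    fields = line.strip().split("*")
    if len(fields) != 4:
        raise ValueError("expected PMKID*MAC_AP*MAC_STA*ESSID")
    target, ap, sta, essid = (bytes.fromhex(f) for f in fields)
    if len(target) != 16 or len(ap) != 6 or len(sta) != 6:
        raise ValueError("bad field length")
    return target, ap, sta, essid.decode()


def make_16800(passphrase: str, ssid: str, mac_ap: str, mac_sta: str) -> str:
    """Build the 16800 line an AP with this passphrase would yield (constructed data)."""
    ap, sta = bytes.fromhex(mac_ap), bytes.fromhex(mac_sta)
    target = pmkid(pmk_from_passphrase(passphrase, ssid), ap, sta)
    return "*".join((target.hex(), ap.hex(), sta.hex(), ssid.encode().hex()))


def crack_pmkid(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose derived PMKID matches, else None."""
    target, ap, sta, ssid = parse_16800(line)
    for pw in candidates:
        if not 8 <= len(pw) <= 63:  # WPA passphrase length rule; skip impossible guesses
            continue
        if hmac.compare_digest(pmkid(pmk_from_passphrase(pw, ssid), ap, sta), target):
            return pw
    return None


if __name__ == "__main__":
    # constructed sample: a network with a weak passphrase and a short wordlist
    line = make_16800("letmein123", "HomeNet", "001122334455", "66778899aabb")
    print(line)
    print("cracked:", crack_pmkid(line, ["password", "12345678", "letmein123"]))
```

`pmk_from_passphrase("password", "IEEE")` reproduces the 802.11i Annex H test
vector, which is the quickest way to confirm the derivation before trusting a
result. A Python loop manages a few hundred PBKDF2 calls per second on a CPU;
hashcat on a GPU does the same computation orders of magnitude faster, but the
entropy arithmetic in the other subthread is what decides whether either
finishes.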

------
eboyjr
Call me paranoid, but my home setup requires a string of 64 hex digits. This
is troublesome as some implementations (like the factory setup screen for
(old?) versions of Android) cap the input "password" at 63 characters.

~~~
chrisper
Just thinking about typing in your PW on a printer makes me shiver.

~~~
sandworm101
That was what WPS was meant to address. But then everyone left it running 24/7
and a temporary-use tool became a massive backdoor.

------
bcaa7f3a8bbc
Impressive. Even brute-force attacks eventually get better.

