Hacker News new | comments | ask | show | jobs | submit login
Cracking WPA-2 Just Got a Whole Lot Easier (medium.com)
199 points by iou 6 months ago | hide | past | web | favorite | 50 comments

Note that the beginning of the article quickly mentions the new attack that doesn't require the 4-way handshake. Then the rest of the article describes the 4-way handshake attack.

Here is the source for information on the attack that only requires a single EAPOL frame[0].

"This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called "Simultaneous Authentication of Equals" (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

The main advantages of this attack are as follow: No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack) No more waiting for a complete 4-way handshake between the regular user and the AP No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results) No more eventual invalid passwords sent by the regular user No more lost EAPOL frames when the regular user or the AP is too far away from the attacker No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)" [0]

[0] - https://hashcat.net/forum/thread-7717.html

I'm not totally sure of what "cracking" means in this context. Without the 4-way handshake, what does "cracking" mean? Am I discovering the wifi network password, or am I able to decrypt a client's WPA2-protected connection? That's very different!

In WPA, in contrast with WEP, knowing a network's password does not automatically let you sniff another client's traffic. So, the distinction is quite interesting.

Thanks, that was something the article should have more more clear. The attack gets you the wifi password but you still can't eavesdrop on other users.

tl;dr: they're bruteforcing it. use a long, random string of characters as your passphrase and you'll be resistant.

This seems to be the attack mentioned in the blog: https://hashcat.net/forum/thread-7717.html

Basically it seems like there's a thing called PMKID, which is a HMAC-SHA1 of the PMK and things we know, which you can get just by asking for it.

Is there a new hardware dependency for supporting WPA3? Or could most existing 802.11ac era APs be firmware flashed to support WPA3? (Setting aside the business case where there's probably insufficient economies of scale for paid software upgrades for existing hardware that would enable WPA3, rather than just selling a new product.)

From browsing the DD-WRT forums it seems very likely that new hardware (802.11ax support specifically) will be required. If not in theory, at least in practice.

Near the end of the video didn't he supply the password (Ankle123)? If so, what was actually cracked?

I have a reasonably strong password on my wifi (it looks something like "OwEs3PMY7yk6qwR4ic"). Is this crackable with this guy's setup in a couple of days?

No. They use Hashcat to generate a large table of keys based on a dictionary + permutations. So "L4vend3rB1ue" is likely crackable in few days, whereas "kGsunI68$@4g" is not.

Also, they say "with a reasonably priced GPU cracking infrastructure, many systems can be cracked within a few days."

I take this to mean they're using something of the order of magnitude of a couple K80 instances on Google Cloud, which will cost $25 per day. By no means prohibitive if you want to try and crack one specific WiFi, but too expensive for wardriving etc.

This reminds me of something I've wondered about with brute force cracking.

Suppose Alice uses a 14 character password, each character chosen at random from the range [U+0021, U+007E] (e.g., the 94 printable ASCII characters above space). There are 4.21x10^27 or 2^91.8 possible passwords for Alice.

Bob, on the other hand, uses a 20 character password, also chosen at random, but Bob used a much smaller character set. He just used the 10 ASCII digits. There are 1x10^20 or 2^66.4 possible passwords for Bob. (Bob would need 28 digits for his password space to be as large as Alice's).

Bob's passwords come from a much smaller set, and so could be brute forced much faster--if the attacker knew that they only had to search that much smaller set. In most cases, though, the attacker will not know that.

But, a lot of people do use reduced character sets, so I'd expect brute force attackers to give some preference for searching those first--but how much? Would they be likely to find Bob's 20 character all numeric password ahead of Alice's 14 character all-94 password?

> But, a lot of people do use reduced character sets, so I'd expect brute force attackers to give some preference for searching those first--but how much?

The correct answer is that it barely matters.

So an Alice password is worth 27.6 digits and if you went in order of entropy you'd try them after you try 27 digit passwords.

Let's say you think it's overwhelmingly likely that a password is Alice-style, maybe 99% likely. This suggests that you devote 1% of your processing power to Bob style. Instead of trying Alice-style passwords after you try 27 digit passwords, you will try them after... 25 digit passwords

Because the difficulty increases exponentially, devoting just a smidge of processing power to each different kind means that your progress goes roughly in order of increasing entropy.

And Bob's password will be cracked first, since "digits" is a very reasonable category to devote some computation to.

Probably. I would try it first with normal letters and than with everything else.

But you should look up how the default password generation algorithm is from the vendor / model you try to crack.

I make my wifipassword way longer by using my phonenumber

For maximum safety you should assume your adversary knows which character set your password comes from. Frankly, there are few reasons not to assume this.

You can't use rainbow tables for WPA because the SSID is included in the hash. So the same password will result in a different key for different networks.

Ehhh. Hashcat has a mode (2501) that operates assuming the PMK is known.

Rainbow tables are fairly useless though.

Yes, but it makes possible to generate them for most popular SSIDs

So it follows there's some benefit to picking your own SSID? Nice, I wasn't aware of that.

Sounds like it's still a brute force method, so my guess would be no. The only bit that he's made easier is capturing the encrypted key in the first place.

Yes. "With a reasonably priced GPU cracking infrastructure, many systems can be cracked within a few days."

That's not an "everything's on fire" state of affairs, but it's plenty for a targeted attack against a specific domestic target to be feasible, since most home setups never rotate their password (and certainly aren't rotating it on a 2-day window).

The part that made me ask my question is many systems. What are the characteristics of the systems that cannot be cracked in a matter of days?

Increased password complexity?

WPA2's day is past imho. It's a shame that WPA3 looks like it might have its own problems thanks to closet development.

This story might want a caveat: "If the password doesn't change frequently."

I think most people still don't think of "Key can be brute-forced in a few days of offline processing" as "owned," necessarily.

"Several days" is orders of magnitude less than the interval between most password changes. The vast majority of users never change their WiFi password unless they get a new router.

It's a trade-off. If your data is valuable enough to change the password every day, it might be worth it for an attacker to rent a bunch of computing power and crack it in hours.

It's a whole lot closer to "owned" than "key can be brute-forced after centuries of online processing".

Previously, I believe, it was thought that you had to test the password against the actual router. An offline attack that lets you try millions of keys per second on as many machines as you want to spin up is pretty close to owned when compared to an online attack that only allows single-digit tests per second.

This isn't new. mode 2501 cracking in hashcat has been there for over a year.

It seems like it might be time to configure my mobile devices (e.g. phones and laptops) to use my newly configured Wireguard VPN even when using my own WPA2-PSK (AES) wifi at home.

Deploying WPA2-Enterprise is also an option, which is what I've done myself at home. There's plenty of affordable ways to do this - white box pfSense (install the FreeRADIUS package) + AP that supports WPA2-Ent, going full Ubiquiti with a UniFi Security Gateway + UniFi AP (you can just run the controller on your machine, a raspberry pi or a $5/mo VPS).

I have a small server rack at home so I've got a significantly more complicated (and expensive) setup that I wouldn't recommend to even the average reader on HN unless they were interested in the whole homelab thing.

You can't eavesdrop on other wifi users with this attack. This just gets you the wifi password.

Edit: There is another kind of attack that could extend this though. An attacker sets up an AP with the same SSID, and the same password (using the new attack). Then they kick you off the real network with a deauth attack and hope your device reconnects to theirs.

WPA2 doesn't have forward secrecy [1]

[1] https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#Lack_of...

I'm not an expert, but wouldn't they have to sniff the four-way handshake for that to work? This new attack specifically doesn't do that.

Am I correct that the attack your describing is what's commonly called an Evil Twin Attack?

Not trusting the network is especially helpful because routers tend to have security issues at an alarming rate and poor update cycles. Forget WPA2 being crackable; the router itself is in a botnet.

Is it bad that I want to go make a wardriving setup again?

This is about WPA2-PSK (aka WPA2-Personal), not WPA2 (aka WPA2-Enterprise). PSK was already vulnerable to brute force attacks. It always is.

Any recommendations on what an Airport Extreme user should move on to if they're looking for something similarly easy to set up?

I’ve yet to find a router that is as easy to set up and works as well. Asus routers are decent if you spend the time to configure, but there are tons of options. I use Asus with the Merlin open firmware and it’s great. I’m not aware of any router that supports wpa3 yet.

Edit: FWIW, mesh is the new hype, but it still can’t beat wired access points.

Although Netgear Orbi setups do have a full-featured web UI, you can also just stick to the mobile app for an Airport-like setup and management experience.

I replaced my router and helped a neighbor replace theirs. After a few months of use, I have no complaints.

Most routers nowadays are plug-and-play. A pre-set SSID and password come printed on the router, so there's no need to configure anything (unless you would like to change settings, of course).

Moved to an Eero on the weekend. Just wanted WiFi that works. Felt like a very Apple unboxing and easy setup. Performance seems good.

But that’s 1 data point.

Not every vendor is including RSN data. "A whole lot easier " is an overstatement imo.

> sparenly


Hahaha keep trying. I'm close to a solution to this wifi cracking problem! Taking days or even hours won't be able to touch what I have...

Would you care to share your approach?

flip the router over and write down the password?

Write? What kind of savage are you? Take a picture of it.

Good one!

No, because it is something I could sell to enterprise.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact