
About PMKID Attack

PMKID Attack

On August 4, 2018, Hashcat's developers announced that they had discovered another attack against WPA2-PSK. You can read the full announcement at the link below.

PMKID Attack by Hashcat

When using the Aircrack suite to attack WPA2, we have to temporarily disconnect a client device that is connected to the target AP. Only then can we capture the reconnection and obtain the hash carried in the 4-way handshake, which we then crack in an attempt to recover the password.

The problem we face here is that when we find a nearby WiFi target but no client is connected, or we cannot reach the client, it becomes difficult to capture the 4-way handshake.

So the PMKID attack, which only needs to capture a single frame, is the solution to this problem. To understand it better: PMKID is an abbreviation of Pairwise Master Key IDentifier. When we turn on WiFi on our phone and look at Settings >> WiFi, we have all seen that networks we connected to before reconnect automatically, and other available networks are listed as well.

Once we turn on WiFi on our phone or computer, it sends Probe Requests for known SSIDs in the background, searching for networks we have connected to before. So, when an AP whose SSID (the AP's name) matches the transmitted Probe Request is within range, that AP receives the Probe Request from our phone's or computer's network adapter and responds to it.

An element called RSNIE, short for Robust Security Network Information Element, which carries information about the network's security settings, is included in that response.

That response reaches us. Our phone's or computer's network adapter then sends an Authentication Request to the corresponding AP, and the AP that receives it replies with its own Authentication frame.

When the network adapter receives that response, it sends an Association Request containing the ESSID and the RSN. The AP then sends back an EAPOL (Extensible Authentication Protocol Over LAN) frame, and this EAPOL frame includes the PMKID.

The PMKID is derived from the PMK (Pairwise Master Key), which is itself a key generated from the WiFi password. The fixed string "PMK Name", the MAC address of the AP and the MAC address of the Station (our network adapter) are combined with it, and the result is hashed with HMAC-SHA1-128.
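As an added example (not code from the original post or from Hashcat), the derivation just described in Python: the PMK comes from the passphrase and SSID via PBKDF2-HMAC-SHA1 as WPA2-PSK specifies, and the PMKID is HMAC-SHA1 over "PMK Name" || AP MAC || Station MAC, truncated to 128 bits. The passphrase, SSID and MAC addresses below are constructed sample values; the point to notice is that nothing in the calculation depends on any client traffic, so once a PMKID is known the passphrase strength is the only remaining protection.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def mac_bytes(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' (or dash-separated, any case) into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return raw


def compute_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the first 16 bytes of the HMAC-SHA1 tag."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def pmkid_from_passphrase(passphrase: str, ssid: str, ap_mac: str, sta_mac: str) -> bytes:
    """Full chain: passphrase + SSID -> PMK, then PMK + both MACs -> PMKID."""
    return compute_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac)


if __name__ == "__main__":
    # Constructed sample values, not a real network.
    ssid = "ExampleNet"
    ap_mac = "00:11:22:33:44:55"
    sta_mac = "66:77:88:99:aa:bb"
    pmk = derive_pmk("constructed-passphrase", ssid)
    print("PMK   :", pmk.hex())
    print("PMKID :", compute_pmkid(pmk, ap_mac, sta_mac).hex())
    # Same passphrase and AP, different station MAC -> different PMKID.
    print("PMKID (other station):", compute_pmkid(pmk, ap_mac, "66:77:88:99:aa:bc").hex())
```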

Now that the outline is clear, we move on to the attack.
