
Cracking the passwords of some WPA2 Wi-Fi networks just got easier

Technique exploits weakness in design of roaming-enabled IEEE 802.11i/p/q/r wireless

The folks behind the password-cracking tool Hashcat claim they've found a new way to crack some wireless network passwords in far less time than previously needed.

Jens Steube, creator of the open-source software, said the new technique, discovered by accident, would potentially allow someone to gather everything needed to brute-force a Wi-Fi password by snooping on a single data packet sent over the air.

Previously, an attacker would need to wait for someone to log into a network, capture the four-way handshake process used to authenticate users with a wireless access point, and use that to brute-force search for the password.

This particular technique specifically works against WPA- and WPA2-secured Wi-Fi networks with PMKID-based roaming features enabled, and it can be used to recover the PSK (Pre-Shared Key) login passwords.

"This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard," Steube explained late last week, adding that it won't work against next-gen wireless security protocol WPA3.

"WPA3 will be much harder to attack because of its modern key establishment protocol called Simultaneous Authentication of Equals (SAE).

"The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame."

The team found that, when an attacker has the RSN IE information, the PMKID (the key needed to establish a connection between a user and an access point) can be pulled out via a packet capture tool and then brute-force decrypted with Hashcat. Steube noted that this can often be done in around 10 minutes or so, depending on noise over the Wi-Fi channel.

"Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector," Steube explained. "We receive all the data we need in the first EAPOL frame from the AP."

As a result, the attacker would be able to break into a vulnerable wireless network in far less time without needing to get any other information from other users or devices, only information the router itself provides to all users, authenticated or otherwise.
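To see why one PMKID is enough, here is the IEEE 802.11i key derivation written out as an added illustration (this is not code from the article or from the Hashcat project): the PMK comes from PBKDF2-HMAC-SHA1 over the passphrase and SSID, and the PMKID is HMAC-SHA1-128 over "PMK Name", the AP MAC and the station MAC. Every input except the passphrase is broadcast in the clear, so the only protection left for a PSK network is the entropy of the passphrase; the MAC addresses below are constructed sample values and the PBKDF2 check vector is the one published in the 802.11i standard.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096  # fixed by 802.11i; cannot be raised by the network owner
PMK_LEN = 32              # 256-bit Pairwise Master Key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA) for the WPA2-PSK AKM.

    Only the first 128 bits of the HMAC-SHA1 output are used."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def pmkid_for_passphrase(passphrase: str, ssid: str,
                         ap_mac: bytes, sta_mac: bytes) -> bytes:
    """Full chain from passphrase to PMKID: no client handshake material is needed."""
    return pmkid(wpa_pmk(passphrase, ssid), ap_mac, sta_mac)


def mac(text: str) -> bytes:
    """Parse a colon-separated MAC address into its 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


# Constructed sample values: an access point and a station as seen in frame headers.
AP_MAC = mac("00:11:22:33:44:55")
STA_MAC = mac("66:77:88:99:aa:bb")

if __name__ == "__main__":
    # The standard's own PBKDF2 check vector: passphrase "password", SSID "IEEE".
    print("PMK   ", wpa_pmk("password", "IEEE").hex())
    print("PMKID ", pmkid_for_passphrase("password", "IEEE", AP_MAC, STA_MAC).hex())
```

Each candidate passphrase costs exactly one PBKDF2 run of 4096 SHA-1 iterations, which is the only work factor standing between a captured PMKID and the PSK.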

Steube said that while he does not yet know which brands and models of routers are specifically at risk to the technique, he believes "most modern routers" using IEEE 802.11i/p/q/r protocols with roaming functions enabled would be exploitable. ®
