CyberArk security researcher Ido Hoorvitch demonstrated how it is possible to crack WiFi at scale by exploiting a vulnerability that allows retrieving a PMKID hash.
Hoorvitch has managed to crack 70% of a 5,000 WiFi network sample in Tel Aviv to demonstrate that it is easy to compromise WiFi networks.
The expert gathered 5,000 WiFi network hashes by strolling the streets in Tel Aviv with simple WiFi sniffing equipment composed of an AWUS036ACH ALFA Network card ($50) that can work in monitoring mode and is able to inject packets.
The expert used the free and open-source packet analyzer Wireshark running on Ubuntu.
The PMKID is computed with a hash function that takes the PMK, the string "PMK Name", the MAC_AP and the MAC_STA as input.
The PMK is calculated from the following parameters:
Hoorvitch used an attack technique devised by Jens “atom” Steube (Hashcat’s lead developer) to retrieve the PMKIDs that allowed him to derive the passwords.
“All of this changed with the atom’s groundbreaking research, which exposed a new vulnerability targeting RSN IE (Robust Security Network Information Element) to retrieve a PMKID hash (will be explained in a bit) that can be used to crack the target network password. PMKID is a hash that is used for roaming capabilities between APs. The legitimate use of PMKID is, however, of little relevance for the scope of this blog. Frankly, it makes little sense to enable it on routers for personal/private use (WPA2-personal), as usually there is no need for roaming in a personal network.” reads the post published by Hoorvitch.
The attack technique is clientless: an attacker doesn’t need to carry out the attack in real time and only has to capture a single frame, which also removes the wrong passwords and malformed frames that disturb the cracking process.
The expert first used Hashcat’s “mask attack” cracking method; he chose a combination of dictionary + rules and mask attack because many Israeli citizens have the bad habit of using their cellphone numbers as WiFi passwords.
Israeli phone numbers have 10 digits and start with 05, so only the remaining eight digits have to be guessed. Using a standard laptop, Hoorvitch successfully cracked 2,200 passwords at an average speed of nine minutes per password.
“Each digit has 10 options (0-9), hence 10**8 possible combinations. One hundred million seems like a lot of combinations, but our monster rig calculates at the speed of 6819.8 kH/s which translates into 6,819,000 hashes per second.” continues the post. “A cracking rig is not required as my laptop can get to 194.4 kH/s, which translates into 194,000 hashes per second. That equals more than enough computing power to cycle through the possibilities necessary to crack the passwords. Consequently, it took my laptop roughly 9 minutes to break a single WiFi password with the characteristics of a cellphone number. (10**8)/194,000 = ~516 (seconds)/60 = ~9 minutes.”
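To make the two points above concrete, here is an added Python example (not code from Hoorvitch’s post) that derives the PMK and PMKID exactly as WPA2 defines them and then applies the post’s hash-rate arithmetic to a weak and a strong keyspace. It assumes the IEEE 802.11 test vector passphrase “password” with SSID “IEEE” and two made-up MAC addresses; the hash rates are the ones quoted in the post.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the
    SSID, 4096 iterations, 256-bit output (IEEE 802.11)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): the first
    16 bytes of the HMAC, which is the value the RSN IE carries."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def pmkid_matches(captured: bytes, candidate: str, ssid: str,
                  mac_ap: bytes, mac_sta: bytes) -> bool:
    """True if `candidate` is the passphrase behind a captured PMKID. Everything
    except the passphrase is public, which is why verification needs no client."""
    return hmac.compare_digest(
        derive_pmkid(derive_pmk(candidate, ssid), mac_ap, mac_sta), captured)

def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to try every passphrase in a keyspace at a given rate."""
    return keyspace / hashes_per_second

# Constructed sample: "password"/"IEEE" is the IEEE 802.11 annex test vector,
# the MAC addresses are made up, and the "captured" PMKID is derived locally.
SSID = "IEEE"
MAC_AP = bytes.fromhex("001122334455")
MAC_STA = bytes.fromhex("66778899aabb")
CAPTURED = derive_pmkid(derive_pmk("password", SSID), MAC_AP, MAC_STA)

LAPTOP_HPS = 194_000     # laptop rate quoted in the post
RIG_HPS = 6_819_800      # "monster rig" rate quoted in the post

if __name__ == "__main__":
    print("PMK:  ", derive_pmk("password", SSID).hex())
    print("PMKID:", CAPTURED.hex())
    print("matches 'password':", pmkid_matches(CAPTURED, "password", SSID, MAC_AP, MAC_STA))
    print("matches 'passw0rd':", pmkid_matches(CAPTURED, "passw0rd", SSID, MAC_AP, MAC_STA))
    # The eight free digits of an Israeli cellphone number, on the laptop.
    print("8 digits, laptop: %.0f s" % seconds_to_exhaust(10**8, LAPTOP_HPS))
    # A 12-character random passphrase over [a-z0-9], on the rig.
    years = seconds_to_exhaust(36**12, RIG_HPS) / (365 * 86400)
    print("12 random [a-z0-9] chars, rig: %.0f years" % years)
```

The same arithmetic is a useful audit of your own network: if the passphrase lives in a keyspace that exhausts in minutes at laptop speed, roaming support on the router is not the problem, the passphrase is.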
In a second phase, the expert used a standard dictionary attack technique leveraging the ‘Rockyou.txt’ dictionary.
He cracked another 1,359 passwords with this technique; most of the cracked passwords contained only digits or only lower-case characters.
The expert pointed out that only routers supporting roaming features are vulnerable to the PMKID attack; however, the research demonstrated that routers manufactured by major vendors are affected.
“In total, we cracked more than 3,500 WiFi networks in and around Tel Aviv – 70% of our sample.” concludes the expert. “The threat of a compromised WiFi network presents serious risk to individuals, small business owners and enterprises alike. And as we’ve shown, when an attacker can crack more than 70% of WiFi networks in a major global city with relative ease, greater attention must be paid to protecting oneself.”
Below are the recommendations the expert provided for users to protect themselves:
(SecurityAffairs – hacking, WiFi)