In early August this year, the folks behind the Hashcat password cracking tool posted a thread on a new attack against Wi-Fi Protected Access (WPA/WPA2) using the Pairwise Master Key Identification technique. The attack differs from the traditional WPA/WPA2 attack vector in that it does not require the capture of a full Extensible Authentication Protocol over LAN (EAPoL, a network port authentication protocol used in 802.1x) four-way handshake. Rather, it simply relies on the Robust Security Network Information Element (proposed by the 802.11i standard), which can be found in 802.11 management frames of an EAPoL frame and is a much more trivial thing to capture.
The thread outlines several advantages to this attack, but two, in particular, stand out to me: No users are required and there is no waiting for a complete four-way handshake. Removing these two elements alone reduces the difficulty of creating a scenario where captured wireless traffic can be gathered for offline attacks.
The Difficulty with Traditional WPA Public-Key Authentication
If you’ve ever tried to capture a four-way handshake for a wireless network — for instance, to troubleshoot network issues or roaming — you’ll know that this isn’t always the easiest of tasks. To successfully capture this exchange, you must be physically close enough to “hear” the access point and client, and have a client on the network; that client must also complete a four-way handshake (ideally, joining the AP you are listening to without having roamed there).
In a legitimate troubleshooting effort where you control the network and know the pre-shared key (PSK), this handshake allows you to decode the captured traffic and see the contents of the encrypted frames in a tool such as Wireshark. In a traditional WPA PSK attack scenario (throughout this series, I will refer to WPA and the stronger WPA2 as the generic WPA), where you are trying to determine the PSK to join the network, decrypt traffic or other malicious activities, you need this handshake for the password cracking software to perform a dictionary attack to derive the PSK.
A seasoned wireless professional with all the controls in place may find this nontrivial, whereas an attacker (especially if attempting to be silent to avoid wireless intrusion detection and prevention systems) may find this very difficult — unless they can maintain persistence in the environment and have patience. The new attack vector allows the attacker to more efficiently gather data required for cracking without the elements that make this a longer game, requiring a user to be present and “hearing” the whole handshake.
Is This a Problem for My Organization?
For most organizations, this attack is not any more of a problem than it was previously. The good news here is that this new vector doesn’t break WPA encryption any more significantly than it was broken before. With the new vector, an attacker might be able to more quickly capture the data required for cracking, however, the same barriers to cracking the PSK lie in their path.
In Part 2 of this series, I go into some of the techniques and tools that attackers are using on WPA and explain how you can defend against them.