New Method Makes Cracking WPA and WPA2 Passwords Easier
Jens Steube, the creator of the well-known password cracking tool Hashcat, has announced the discovery of a new, faster way to crack passwords for wireless networks. This new method was found almost by accident while Steube and his colleagues were searching for vulnerabilities in WPA3.
Previously, such attacks required the attacker to wait for the right moment when someone logged into the network, triggering the four-way EAPOL handshake. During this handshake, the client and router use the PMK (Pairwise Master Key) to prove to each other that both know the Pre-Shared Key (PSK). The attacker’s goal was to capture this handshake at the right time.
However, the researchers found that for WPA and WPA2 networks using 802.11i/p/q/r, things can be much simpler. The new attack relies on the RSN IE (Robust Security Network Information Element), which can be extracted from a single EAPOL frame. In practice, the attacker only needs to attempt authentication with the wireless network, extract the PMKID carried in that one frame, and then, together with the RSN IE data, can begin cracking the Pre-Shared Key (PSK).
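The practical consequence for a defender is that an access point which includes a PMKID in message 1 of the handshake exposes the data the attack needs to every client that merely starts authenticating. The following audit helper, added here as an example and not code from the article or from Hashcat, parses an EAPOL-Key frame (the 802.1X payload, RSN key descriptor) and reports whether a PMKID KDE is present, so an administrator can check captured traffic from their own access point or an IDS can flag it. Frame layout follows IEEE 802.11i (KDE type 0xdd, OUI 00-0f-ac, data type 4); the sample frame and the PMKID value in it are constructed for the demonstration, and `build_message1` is a helper for that purpose only.

```python
"""Audit helper: does an EAPOL-Key message 1 carry a PMKID KDE?

Assumptions: input is the raw 802.1X (EAPOL) payload, not the full 802.11 frame;
only the RSN key descriptor (type 2) with the standard 95-byte header is handled.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAPOL_TYPE_KEY = 3          # EAPOL packet type for EAPOL-Key
RSN_DESCRIPTOR = 2          # key descriptor type used by RSN (WPA2)
KDE_ELEMENT_ID = 0xDD       # vendor-specific element id used for KDEs
RSN_OUI = bytes.fromhex("000fac")
PMKID_KDE_DATATYPE = 4      # KDE data type for PMKID
PMKID_LEN = 16
KEY_DESC_HEADER_LEN = 95    # type(1) info(2) len(2) replay(8) nonce(32) iv(16) rsc(8) id(8) mic(16) datalen(2)


@dataclass
class EapolKeyFrame:
    key_info: int
    key_data: bytes
    pmkids: List[bytes]

    @property
    def is_message1(self) -> bool:
        # Message 1: Key Type (bit 3) set, Key Ack (bit 7) set, Key MIC (bit 8) clear.
        key_type = self.key_info & 0x0008
        ack = self.key_info & 0x0080
        mic = self.key_info & 0x0100
        return bool(key_type) and bool(ack) and not mic


def extract_pmkids(key_data: bytes) -> List[bytes]:
    """Walk the KDE/IE list in the key data and collect every well-formed PMKID KDE."""
    pmkids: List[bytes] = []
    i = 0
    while i + 2 <= len(key_data):
        elem_id, elem_len = key_data[i], key_data[i + 1]
        payload = key_data[i + 2:i + 2 + elem_len]
        if len(payload) < elem_len:
            break  # truncated element: stop rather than misparse
        if (elem_id == KDE_ELEMENT_ID and elem_len == 4 + PMKID_LEN
                and payload[:3] == RSN_OUI and payload[3] == PMKID_KDE_DATATYPE):
            pmkids.append(payload[4:])
        i += 2 + elem_len
    return pmkids


def parse_eapol_key(frame: bytes) -> EapolKeyFrame:
    """Parse the EAPOL header and RSN key descriptor; raise ValueError on malformed input."""
    if len(frame) < 4:
        raise ValueError("frame shorter than EAPOL header")
    _version, eapol_type, body_len = struct.unpack_from("!BBH", frame, 0)
    if eapol_type != EAPOL_TYPE_KEY:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[4:4 + body_len]
    if len(body) < KEY_DESC_HEADER_LEN:
        raise ValueError("key descriptor truncated")
    desc_type, key_info, _key_len = struct.unpack_from("!BHH", body, 0)
    if desc_type != RSN_DESCRIPTOR:
        raise ValueError("unsupported key descriptor type %d" % desc_type)
    (key_data_len,) = struct.unpack_from("!H", body, KEY_DESC_HEADER_LEN - 2)
    key_data = body[KEY_DESC_HEADER_LEN:KEY_DESC_HEADER_LEN + key_data_len]
    if len(key_data) < key_data_len:
        raise ValueError("key data truncated")
    return EapolKeyFrame(key_info, key_data, extract_pmkids(key_data))


def audit_frame(frame: bytes) -> str:
    """Classify a frame for an audit report: 'not-message1', 'no-pmkid' or 'pmkid-present'."""
    parsed = parse_eapol_key(frame)
    if not parsed.is_message1:
        return "not-message1"
    return "pmkid-present" if parsed.pmkids else "no-pmkid"


def build_message1(pmkid: Optional[bytes]) -> bytes:
    """Construct a synthetic EAPOL-Key message 1 (nonce and PMKID are made-up test bytes)."""
    key_data = b""
    if pmkid is not None:
        key_data = bytes([KDE_ELEMENT_ID, 4 + PMKID_LEN]) + RSN_OUI + bytes([PMKID_KDE_DATATYPE]) + pmkid
    body = struct.pack("!BHH", RSN_DESCRIPTOR, 0x008A, 16)   # key info 0x008a: version 2, pairwise, ack
    body += (1).to_bytes(8, "big")                            # replay counter
    body += b"\x11" * 32                                      # ANonce (constructed)
    body += b"\x00" * (16 + 8 + 8 + 16)                       # IV, RSC, Key ID, MIC (zero in message 1)
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


if __name__ == "__main__":
    for label, frame in (("with PMKID", build_message1(b"\xab" * PMKID_LEN)),
                         ("without PMKID", build_message1(None))):
        print(label, "->", audit_frame(frame))
```

Run over frames captured from your own access point, a `pmkid-present` result means the AP is handing out the PMKID on the first handshake message; the mitigations the article implies are to disable the roaming features that require it where they are not needed and, above all, to use a long, random PSK, since the attack still ends in offline guessing.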
For example, Hashcat can be used for this process. Researchers note that, on average, cracking a password takes about 10 minutes, but the actual time depends on the password’s complexity.
“Since the PMK in this case is the same as during a regular four-way handshake, this is an ideal attack vector. We get all the necessary data from the very first EAPOL frame,” Steube writes.
Experts have not yet reported which specific routers or manufacturers are vulnerable to this type of attack. Most likely, the issue affects all “modern routers” that have roaming features enabled and operate with IEEE 802.11i/p/q/r.