PMKID Vulnerability that bypasses 4-way Handshake discovered in WPA2 WiFi Encryption

WPA / WPA2 has long been regarded as the most secure form of WiFi encryption. In October 2017, however, the WPA2 protocol was found to be vulnerable to the KRACK attack, for which mitigation techniques were established. Wireless network encryption now appears to be under attack once again, this time through the exploitation of a WPA / WPA2 weakness dubbed PMKID.

This vulnerability was shared by a Twitter account (@hashcat), which tweeted an image of code that could bypass the EAPOL 4-way handshake requirement and attack the network connection. In a post on the account’s website, the developers behind the exploit explained that they had been looking for ways to attack the WPA3 security standard but were unsuccessful because of its Simultaneous Authentication of Equals (SAE) protocol. Instead, they stumbled across this vulnerability in the WPA2 protocol.

This vulnerability is exploited through the Robust Security Network Information Element (RSNIE) of a single EAPOL frame, which carries the PMKID. The PMKID is derived with HMAC-SHA1, using the PMK as the key and, as the data, the fixed string “PMK Name” concatenated with the access point and station MAC addresses.
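The derivation described above, written out as an added Python example (standard library only; it is not code from the article or from the hashcat project). The 32-byte PMK and the two MAC addresses used in the demo are constructed values; in WPA2-Personal the real PMK is derived from the passphrase and SSID.

```python
import hashlib
import hmac


def mac_bytes(mac: str) -> bytes:
    """Parse a MAC written as 'aa:bb:cc:dd:ee:ff', 'aa-bb-...' or 'aabbcc...'
    into its 6 raw bytes, as they appear on the wire."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def compute_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(key=PMK,
                                        data="PMK Name" | MAC_AP | MAC_STA).

    Note what is *absent* from the input: no nonces and no 4-way-handshake
    material. The value depends only on the PMK and the two MAC addresses,
    which is why a single frame carrying it is enough for offline guessing
    of the PMK (and hence of the passphrase it was derived from)."""
    if len(pmk) != 32:
        raise ValueError("a WPA2 PMK is 256 bits (32 bytes)")
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def compute_pmkid_hex(pmk: bytes, ap_mac: str, sta_mac: str) -> str:
    """Same value as compute_pmkid, as the 32-character hex string in which
    the article says the captured data is presented."""
    return compute_pmkid(pmk, ap_mac, sta_mac).hex()


if __name__ == "__main__":
    # Constructed demo values (hypothetical PMK and MAC addresses).
    demo_pmk = bytes(range(32))
    ap, sta = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    print("PMKID:", compute_pmkid_hex(demo_pmk, ap, sta))
    # A different station MAC yields a different PMKID for the same PMK.
    print("PMKID (other STA):", compute_pmkid_hex(demo_pmk, ap, "66:77:88:99:aa:bc"))
```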

According to the developers’ post, three tools are needed to carry out the attack: hcxdumptool v4.2.0 or higher, hcxtools v4.2.0 or higher, and hashcat v4.2.0 or higher. The vulnerability lets the attacker communicate with the AP directly. Retransmitted EAPOL frames and invalid password attempts by a user no longer get in the way, nor do EAPOL frames lost because the AP’s user is too far from the attacker. The captured data also appears as a regular hex-encoded string rather than in an output format such as pcap or hccapx.

The code and the details of how it exploits this vulnerability are explained in the developers’ post. They have stated that they are unsure which WiFi routers are directly affected and how effective the technique is against their respective connections. They believe, though, that the vulnerability can most probably be exploited on all 802.11i / p / q / r networks with roaming features enabled, as is the case with most routers these days.

Unfortunately for users, there are no mitigation techniques for this vulnerability yet. It emerged only a few hours ago, and there is no news of any router manufacturers having taken (or having made it apparent that they have taken) notice.

Aaron Michael
Aaron Michael is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge of gaming make him a very competent writer. What makes him unique is his growing interest in state-of-the-art technologies, which motivates him to learn, adopt, and integrate the latest techniques into his work.