breaking 802 11 using pmkid
play

Breaking 802.11 using PMKID Joakim Rdland Friday 25 th January, 2019 - PowerPoint PPT Presentation

Mar 12, 2023 •347 likes •835 views

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Breaking 802.11 using PMKID Joakim Rdland Friday 25 th January, 2019 Chair of Network Architectures and Services Department of Informatics

  1. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Breaking 802.11 using PMKID Joakim Rødland Friday 25 th January, 2019 Chair of Network Architectures and Services Department of Informatics Technical University of Munich

  2. Goal of this talk • What is PMKID • Background for the attack • How does one acquire PMKID • Another similar attack • Password cracking and Dice-ware • Conclusion R. Joakim — Breaking 802.11 using PMKID 2

  3. What is PMKID • Part of the 4 Way-handshake EAP Over LAN -> Quick look at this 1 802.11i-2004 P . 31 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 3

  4. What is PMKID • Part of the 4 Way-handshake EAP Over LAN -> Quick look at this R. Joakim — Breaking 802.11 using PMKID 3

  5. What is PMKID • Part of the 4 Way-handshake EAP Over LAN -> Quick look at this • PMKID = Pairwise Master Key Identifier 1 802.11i-2004 P . 31 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 3

  6. What is PMKID • Part of the 4 Way-handshake EAP Over LAN -> Quick look at this • PMKID = Pairwise Master Key Identifier • Unique identifier for each PSK (Preshared Key) or password on an network 1 802.11i-2004 P . 31 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 3

  7. What is PMKID • Part of the 4 Way-handshake EAP Over LAN -> Quick look at this • PMKID = Pairwise Master Key Identifier • Unique identifier for each PSK (Preshared Key) or password on an network • But which network? 1 802.11i-2004 P . 31 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 3

  8. What is PMKID • Part of the 4 Way-handshake EAP Over LAN -> Quick look at this • PMKID = Pairwise Master Key Identifier • Unique identifier for each PSK (Preshared Key) or password on an network • But which network? • WPA/WPA2-PSK or Personal 1 802.11i-2004 P . 31 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 3

  9. What is PMKID • Part of the 4 Way-handshake EAP Over LAN -> Quick look at this • PMKID = Pairwise Master Key Identifier • Unique identifier for each PSK (Preshared Key) or password on an network • But which network? • WPA/WPA2-PSK or Personal • Where is the PMKID located? Answer is in the Robust Security Network Information ele- ment (RSN IN) frame. 1 802.11i-2004 P . 31 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 3

  10. What is PMKID • Part of the 4 Way-handshake EAP Over LAN -> Quick look at this • PMKID = Pairwise Master Key Identifier • Unique identifier for each PSK (Preshared Key) or password on an network • But which network? • WPA/WPA2-PSK or Personal • Where is the PMKID located? Answer is in the Robust Security Network Information ele- ment (RSN IN) frame. 1 802.11i-2004 P . 31 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 3

  11. What is PMKID • Part of the 4 Way-handshake EAP Over LAN -> Quick look at this • PMKID = Pairwise Master Key Identifier • Unique identifier for each PSK (Preshared Key) or password on an network • But which network? • WPA/WPA2-PSK or Personal • Where is the PMKID located? Answer is in the Robust Security Network Information ele- ment (RSN IN) frame. • „The PMKID Count specifies the number of PMKIDs in the PMKID List field. The PMKID .“ 1 list contains 0 or more PMKIDs that the STA believes to be valid for the destination AP 1 802.11i-2004 P . 31 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 3

  12. Background • Jens Steube posted May 2018 on hashcat 2 2 New attack on WPA/WPA2 using PMKID [2] R. Joakim — Breaking 802.11 using PMKID 4

  13. Background • Jens Steube posted May 2018 on hashcat 2 • A lot of different websites have information about the attack 2 New attack on WPA/WPA2 using PMKID [2] R. Joakim — Breaking 802.11 using PMKID 4

  14. Background • Jens Steube posted May 2018 on hashcat 2 • A lot of different websites have information about the attack • Enough about the background... -> Lets see how one can acquire a PMKID 2 New attack on WPA/WPA2 using PMKID [2] R. Joakim — Breaking 802.11 using PMKID 4

  15. Acquire PMKID • Where is the PMKID located? -> ESN IN frame -> PMKID list 3 802.11i-2004 P . 31 PMKID) [1] 4 802.11i-2004 P . 69 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 5

  16. Acquire PMKID • Where is the PMKID located? -> ESN IN frame -> PMKID list • „The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP“ 3 3 802.11i-2004 P . 31 PMKID) [1] 4 802.11i-2004 P . 69 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 5

  17. Acquire PMKID • Where is the PMKID located? -> ESN IN frame -> PMKID list • „The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP“ 3 • „ Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.“ 4 3 802.11i-2004 P . 31 PMKID) [1] 4 802.11i-2004 P . 69 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 5

  18. Acquire PMKID • Where is the PMKID located? -> ESN IN frame -> PMKID list • „The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP“ 3 • „ Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.“ 4 • Answer in short: 3 802.11i-2004 P . 31 PMKID) [1] 4 802.11i-2004 P . 69 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 5

  19. Acquire PMKID • Where is the PMKID located? -> ESN IN frame -> PMKID list • „The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP“ 3 • „ Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.“ 4 • Answer in short: 1. Preauthentication means the use of roaming 3 802.11i-2004 P . 31 PMKID) [1] 4 802.11i-2004 P . 69 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 5

  20. Acquire PMKID • Where is the PMKID located? -> ESN IN frame -> PMKID list • „The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP“ 3 • „ Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.“ 4 • Answer in short: 1. Preauthentication means the use of roaming 2. Send (Re)Association Request to AP 3 802.11i-2004 P . 31 PMKID) [1] 4 802.11i-2004 P . 69 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 5

  21. Acquire PMKID • Where is the PMKID located? -> ESN IN frame -> PMKID list • „The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP“ 3 • „ Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.“ 4 • Answer in short: 1. Preauthentication means the use of roaming 2. Send (Re)Association Request to AP 3. If roaming is supported AP will respond with EAPOL frame 1/4 of the 4 Way-handshake 3 802.11i-2004 P . 31 PMKID) [1] 4 802.11i-2004 P . 69 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 5

  22. Acquire PMKID • Where is the PMKID located? -> ESN IN frame -> PMKID list • „The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP“ 3 • „ Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.“ 4 • Answer in short: 1. Preauthentication means the use of roaming 2. Send (Re)Association Request to AP 3. If roaming is supported AP will respond with EAPOL frame 1/4 of the 4 Way-handshake 4. ——> See paper for in more depth information 3 802.11i-2004 P . 31 PMKID) [1] 4 802.11i-2004 P . 69 PMKID) [1] R. Joakim — Breaking 802.11 using PMKID 5

  23. Related attack on WPA/WPA2 PSK 4 Way-Handshake attack [3] • Different from the PMKID attack R. Joakim — Breaking 802.11 using PMKID 6

  24. Related attack on WPA/WPA2 PSK 4 Way-Handshake attack [3] • Different from the PMKID attack • Need the 4 Way-Handshake to acquire the PSK R. Joakim — Breaking 802.11 using PMKID 6

  25. Related attack on WPA/WPA2 PSK 4 Way-Handshake attack [3] • Different from the PMKID attack • Need the 4 Way-Handshake to acquire the PSK • And an already connected client on the targeted AP R. Joakim — Breaking 802.11 using PMKID 6

  26. Related attack on WPA/WPA2 PSK 4 Way-Handshake attack [3] • Different from the PMKID attack • Need the 4 Way-Handshake to acquire the PSK • And an already connected client on the targeted AP • The attack pattern: R. Joakim — Breaking 802.11 using PMKID 6

  27. Related attack on WPA/WPA2 PSK 4 Way-Handshake attack [3] • Different from the PMKID attack • Need the 4 Way-Handshake to acquire the PSK • And an already connected client on the targeted AP • The attack pattern: • Set Network Interface Card (NIC) in monitor mode R. Joakim — Breaking 802.11 using PMKID 6

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD Breaking down iD 15% Rendering Painting 21% Javascript 64% HTML A sample of what iD is doing behind the scenes Breaking down JS 13% Draw Vector

426 views • 27 slides
THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING p.1/31 OUTLINE Introduction Higgs sector Tree-level masses EWSB and fine-tuning Supersymmetric spectrum Dark

361 views • 34 slides
Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier with a Prenup) Easier with a Prenup) Gregory S. Gregory S. William Williams, , Esq. Esq. Carr rruthe uthers & rs & Roth, P.A.

170 views • 6 slides
The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking

The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking

The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking The Law Lyrics There I was completely wasting, out of work and down All inside it's so frustrating as I drift from town to town Feel as though

269 views • 10 slides
Transitions in Place Leonard Hock, D.O., M.A.C.O.I., CMD Breaking Bad News Goals and Objectives

Transitions in Place Leonard Hock, D.O., M.A.C.O.I., CMD Breaking Bad News Goals and Objectives

3/22/2012 Transitions in Place Leonard Hock, D.O., M.A.C.O.I., CMD Breaking Bad News Goals and Objectives Understand and use the key steps in breaking bad news. Confirm and be able to use effective methods of communication in breaking

245 views • 8 slides
SUSY breaking and the MSSM Spontaneous SUSY breaking at tree-level ORaifeartaigh, Fayet,

SUSY breaking and the MSSM Spontaneous SUSY breaking at tree-level ORaifeartaigh, Fayet,

SUSY breaking and the MSSM Spontaneous SUSY breaking at tree-level ORaifeartaigh, Fayet, Iliopoulos Spontaneous SUSY Breaking 0 | H | 0 > 0 implies that SUSY is broken. 2 D a D a , V = F i F i + g 2 find models where F i = 0

249 views • 24 slides
Breaking Gridlock, Breaking Ground: Tackling Anchorage Housing Affordability Presented by Michele

Breaking Gridlock, Breaking Ground: Tackling Anchorage Housing Affordability Presented by Michele

Breaking Gridlock, Breaking Ground: Tackling Anchorage Housing Affordability Presented by Michele Brown MOA Senior Citizens Advisory Commission Senior Housing Forum Loussac Library October 22, 2014 Our Goal: All Anchorage residents have

496 views • 36 slides
i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

Symmetry is fundamental to our understanding of the basic laws of physics Mass is always associated with symmetry breaking Easier to discover the symmetry: e.g. SU(2) x U(1) Harder to discover the symmetry breaking mechanism, i.e., Higgs? 1

862 views • 24 slides
Dynamical SUSY breaking A rule of thumb for SUSY breaking theory with no flat directions that

Dynamical SUSY breaking A rule of thumb for SUSY breaking theory with no flat directions that

Dynamical SUSY breaking A rule of thumb for SUSY breaking theory with no flat directions that spontaneously breaks a continuous global symmetry generally breaks SUSY Goldstone boson with a scalar partner (a modulus), but if there are no flat

750 views • 36 slides
Breaking Down Barrie iers Asya Choudry Genetic Counsellor Community Engagement Manager for

Breaking Down Barrie iers Asya Choudry Genetic Counsellor Community Engagement Manager for

Breaking Down Barrie iers Asya Choudry Genetic Counsellor Community Engagement Manager for Breaking Down Barriers BREAKING DOWN BARRIERS WORKSHOP, BIRMINGHAM, SEPTEMBER 2018 Introduction Passion for Genetic Counselling GOSH/UCLH

125 views • 10 slides
Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware

Breaking Hardware Wallets Breaking Bitcoin September 2017 Nicolas Bacca @btchip Why Hardware Wallets ? - high level overview YES NO Do you want to send 1.337 BTC to Public data 1UnREADABLE Operations on private data, with user validation

739 views • 24 slides
2018-2019 BUDGET Breaking Down the Budget Breaking Down the Budget This presentation focuses on

2018-2019 BUDGET Breaking Down the Budget Breaking Down the Budget This presentation focuses on

A Citizens Guide to the 2018-2019 BUDGET Breaking Down the Budget Breaking Down the Budget This presentation focuses on the Jackson County School Districts budget for the 2018-2019 school year. In this report we will concentrate on the

234 views • 21 slides
Breaking and Mending Resilient Mix-nets Lan Nguyen and Rei Safavi-Naini School of IT and CS

Breaking and Mending Resilient Mix-nets Lan Nguyen and Rei Safavi-Naini School of IT and CS

Breaking and Mending Resilient Mix-nets 1 Breaking and Mending Resilient Mix-nets Lan Nguyen and Rei Safavi-Naini School of IT and CS University of Wollongong Wollongong 2522 Australia email: [ldn01,rei]@uow.edu.au PET03 Breaking and

488 views • 34 slides
Breaking Down Barrie iers Monitoring & Evaluation Oscar Bingham, Consultant (M&E)

Breaking Down Barrie iers Monitoring & Evaluation Oscar Bingham, Consultant (M&E)

Breaking Down Barrie iers Monitoring & Evaluation Oscar Bingham, Consultant (M&E) BREAKING DOWN BARRIERS WORKSHOP, BIRMINGHAM, SEPTEMBER 2018 Reminder: Why are we evaluating BDB? To highlight the good work of member organisations

454 views • 13 slides
Coupled-channel efgects in Heavy Hadrons 18th International Conference on Hadron Spectroscopy

Coupled-channel efgects in Heavy Hadrons 18th International Conference on Hadron Spectroscopy

Coupled-channel efgects in Heavy Hadrons 18th International Conference on Hadron Spectroscopy and Structure (HADRON2019) D.R. Entem Overview Symmetry breaking effects Isospin breaking Isospin breaking for the X(3872) Isospin breaking for

603 views • 36 slides
Math 104 Calculus 10.2 Infinite Series Math 104 -

Math 104 Calculus 10.2 Infinite Series Math 104 -

Math 104 Calculus 10.2 Infinite Series Math 104 - Yu Infinite series Given a sequence we try to make sense of the infinite sum

622 views • 12 slides
Michael Goldberg University of Cincinnati AMS National Meeting, Baltimore, MD. January 18, 2014.

Michael Goldberg University of Cincinnati AMS National Meeting, Baltimore, MD. January 18, 2014.

Bochner-Riesz Estimates for Functions with Vanishing Fourier Transform Michael Goldberg University of Cincinnati AMS National Meeting, Baltimore, MD. January 18, 2014. Support provided by Simons Foundation grant #281057. Motivation: When does

680 views • 16 slides
CTDB database vacuuming for geniuses Amitay Isaacs amitay@samba.org Samba Team IBM (Australia

CTDB database vacuuming for geniuses Amitay Isaacs amitay@samba.org Samba Team IBM (Australia

CTDB database vacuuming for geniuses Amitay Isaacs amitay@samba.org Samba Team IBM (Australia Development Labs, Linux Technology Center) Amitay Isaacs CTDB database vacuuming for geniuses CTDB Project Motivation: Support for clustered Samba

1.59k views • 116 slides
GOLD/SILVER/PLATINUM BARS & COINS RSBL 0.5 Gram 999 Purity Platinum Bar/Coin More Details

GOLD/SILVER/PLATINUM BARS & COINS RSBL 0.5 Gram 999 Purity Platinum Bar/Coin More Details

GOLD/SILVER/PLATINUM BARS & COINS RSBL 0.5 Gram 999 Purity Platinum Bar/Coin More Details RSBL 0.5 Gram 999 Purity Platinum Bar/Coin More Details RSBL 0.5 Gram 999 Purity Platinum Bar/Coin More Details RSBL 1 Gram 999 Purity Platinum

618 views • 12 slides
Tensor Approach to Optimal Control problems with Fractional Elliptic Operator Volker Schulz

Tensor Approach to Optimal Control problems with Fractional Elliptic Operator Volker Schulz

Tensor Approach to Optimal Control problems with Fractional Elliptic Operator Volker Schulz Gennadij Heidel Britta Schmitt www.alop.uni-trier.de Boris Khoromskij / Venera Khoromskaia (MPI Leipzig) Applications causing recent interest

752 views • 54 slides
An Optimal Transport View on Generalization Nemo Fournier January 13, 2020 An Optimal Transport

An Optimal Transport View on Generalization Nemo Fournier January 13, 2020 An Optimal Transport

Framework Main results An application Deep Neural Networks Conclusion An Optimal Transport View on Generalization Nemo Fournier January 13, 2020 An Optimal Transport View on Generalization 1 / 10 Framework Main results An application

675 views • 12 slides
Everything Great About Upstream Graphics Daniel Vetter, Intel VTT @danvet ELC Europe 2019,

Everything Great About Upstream Graphics Daniel Vetter, Intel VTT @danvet ELC Europe 2019,

Everything Great About Upstream Graphics Daniel Vetter, Intel VTT @danvet ELC Europe 2019, Lyon 10 or so years ago ... graphics execution manager kernel modesetting drm/i915, drm/radeon fbdev vs drm modesetting proudly

616 views • 19 slides
Classical dynamics, arrow of time, and genesis of the Heisenberg commutation relations Detlev

Classical dynamics, arrow of time, and genesis of the Heisenberg commutation relations Detlev

Classical dynamics, arrow of time, and genesis of the Heisenberg commutation relations Detlev Buchholz & Klaus Fredenhagen Mathematics of interacting QFT models University of York, July 1st 2019 1 / 14 Background Perturbative AQFT led

718 views • 16 slides

More recommend