Breaking 802.11 using PMKID - Joakim Rødland - Friday 25th January, 2019 - PowerPoint PPT Presentation

Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich

Breaking 802.11 using PMKID

Joakim Rødland

Friday 25th January, 2019

Goal of this talk

  • What is PMKID
  • Background for the attack
  • How does one acquire a PMKID
  • Another similar attack
  • Password cracking and Diceware
  • Conclusion

What is PMKID

  • Part of the 4-way handshake (EAP over LAN, EAPOL) -> quick look at this
  • PMKID = Pairwise Master Key Identifier
  • Unique identifier for each PSK (pre-shared key) or password on a network
  • But which network?
  • WPA/WPA2-PSK or Personal
  • Where is the PMKID located? Answer: in the Robust Security Network Information Element (RSN IE).
  • „The PMKID Count specifies the number of PMKIDs in the PMKID List field. The PMKID list contains 0 or more PMKIDs that the STA believes to be valid for the destination AP.“¹

¹ 802.11i-2004, p. 31 (PMKID) [1]

Background

  • Jens Steube posted May 2018 on hashcat²
  • A lot of different websites have information about the attack
  • Enough about the background... -> let's see how one can acquire a PMKID

² New attack on WPA/WPA2 using PMKID [2]

Acquire PMKID

  • Where is the PMKID located? -> RSN IE -> PMKID list
  • „The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP“³
  • „Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.“⁴
  • Answer in short:
  • 1. Preauthentication means the use of roaming
  • 2. Send a (Re)Association Request to the AP
  • 3. If roaming is supported, the AP will respond with EAPOL frame 1/4 of the 4-way handshake
  • 4. -> See the paper for more in-depth information

³ 802.11i-2004, p. 31 (PMKID) [1]
⁴ 802.11i-2004, p. 69 (PMKID) [1]
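The two quotes above pin down where a PMKID can appear: in the PMKID Count/List fields at the tail of the RSN information element, and only in a (Re)Association Request, with preauthentication only when the AP advertises that capability bit. As an added example, not from the talk or its paper, here is a parser for the RSN IE layout from the standard (element ID 48; Version, Group Data Cipher Suite, Pairwise Cipher Suite Count/List, AKM Suite Count/List, RSN Capabilities, PMKID Count/List, with every field after Version optional in order). The two sample elements are constructed, not captured: one shaped like an AP beacon that advertises preauthentication and carries no PMKID fields, one shaped like an association request carrying a single placeholder PMKID. A monitoring tool can use the same check to flag frames whose RSN IE carries PMKIDs.

```python
import struct

RSN_ELEMENT_ID = 0x30          # element ID 48 = RSN information element
RSN_OUI = b"\x00\x0f\xac"      # IEEE 802.11 suite selector OUI
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
PREAUTH_CAPABILITY = 0x0001    # bit 0 of the RSN Capabilities field


def _suite_name(raw: bytes, table: dict) -> str:
    oui, suite_type = raw[:3], raw[3]
    if oui != RSN_OUI:
        return f"vendor:{oui.hex()}:{suite_type}"
    return table.get(suite_type, f"unknown:{suite_type}")


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse one RSN IE (element ID + length + body). Every field after Version is
    optional and may only be present if all preceding fields are present."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:]
    if len(body) != ie[1]:
        raise ValueError("RSN IE length field does not match the element data")
    out = {"version": None, "group_cipher": None, "pairwise_ciphers": [], "akms": [],
           "capabilities": 0, "preauth": False, "pmkids": []}
    pos = 0

    def take(n: int):
        # Return the next n bytes, or None when the optional field is absent.
        nonlocal pos
        if pos + n > len(body):
            return None
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def take_list(item_len: int, name: str):
        # A 16-bit little-endian count followed by that many fixed-size items.
        count = take(2)
        if count is None:
            return None
        items = []
        for _ in range(struct.unpack("<H", count)[0]):
            item = take(item_len)
            if item is None:
                raise ValueError(f"{name} list truncated")
            items.append(item)
        return items

    version = take(2)
    if version is None:
        raise ValueError("RSN IE is missing the Version field")
    out["version"] = struct.unpack("<H", version)[0]
    group = take(4)
    if group is None:
        return out
    out["group_cipher"] = _suite_name(group, CIPHER_SUITES)
    pairwise = take_list(4, "pairwise cipher")
    if pairwise is None:
        return out
    out["pairwise_ciphers"] = [_suite_name(s, CIPHER_SUITES) for s in pairwise]
    akms = take_list(4, "AKM")
    if akms is None:
        return out
    out["akms"] = [_suite_name(s, AKM_SUITES) for s in akms]
    caps = take(2)
    if caps is None:
        return out
    out["capabilities"] = struct.unpack("<H", caps)[0]
    out["preauth"] = bool(out["capabilities"] & PREAUTH_CAPABILITY)
    pmkids = take_list(16, "PMKID")
    if pmkids is not None:
        out["pmkids"] = [p.hex() for p in pmkids]
    return out


def carries_pmkid(ie: bytes) -> bool:
    """True when the RSN IE's PMKID Count is non-zero; a detection hook for
    frames that should not normally carry one."""
    return len(parse_rsn_ie(ie)["pmkids"]) > 0


# Constructed sample elements (not captured traffic).
# 1) Beacon-style RSN IE: WPA2-PSK, CCMP, preauth bit set, no PMKID fields at all.
AP_BEACON_RSN_IE = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0100")
# 2) Association-request-style RSN IE: PMKID Count = 1 plus one placeholder PMKID.
SAMPLE_PMKID = "00112233445566778899aabbccddeeff"   # placeholder value
ASSOC_REQ_RSN_IE = bytes.fromhex(
    "3026" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000" "0100" + SAMPLE_PMKID)

if __name__ == "__main__":
    for label, ie in (("beacon", AP_BEACON_RSN_IE), ("assoc-req", ASSOC_REQ_RSN_IE)):
        print(label, parse_rsn_ie(ie))
```

The parser stops cleanly at whichever optional field is missing, which matters in practice: most beacons end after RSN Capabilities, and a PMKID list that is present but shorter than its count is a malformed element rather than a valid one.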

Related attack on WPA/WPA2 PSK

4 Way-Handshake attack [3]

  • Different from the PMKID attack
  • Need the 4-way handshake to acquire the PSK
  • And an already connected client on the targeted AP
  • The attack pattern:
  • Set the Network Interface Card (NIC) in monitor mode
  • Use a packet dumping program to dump the handshake(s) to a file (actively & passively)
  • Same as the PMKID attack -> last step is guessing the PSK (password)
  • Differences from the PMKID attack? -> Time and Access

Password Cracking

  • Choose from characters on the keyboard -> 26 lower and 26 upper case letters, 10 digits and 33 special characters
  • Diceware -> wordlist of e.g. 7744 words. Choose X random words. 7744⁴ (words) = 3.6×10¹⁵ combinations.
  • We get 788 million password-to-hash conversions every second
  • Can be used to calculate the time needed to find a match
  • Amazon EC2 instances -> how much does it cost to rent a system to then do password cracking?

Diceware again

  • Use a wordlist of 7744 words
  • Choose 4 random words = 7744⁴ (words) = 3.6×10¹⁵ combinations
  • Nvidia GeForce GTX 980 = 788×10⁶ conversions per second
  • 3.6×10¹⁵ combinations / 788×10⁶ conversions per second
  • 2.7 months
  • 7744⁵ (words) = 1648 years -> ++
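The two password slides above reduce to one calculation: size of the search space, divided by the rate at which PMKID or handshake guesses can be verified. The following is an added example, not code from the talk or its paper. It takes the slide's own inputs (95 keyboard characters, a 7744-word Diceware list, 788×10⁶ conversions per second) and generalises them: entropy in bits for any alphabet and length, the worst-case time to exhaust a space, the shortest random character password that matches a given number of Diceware words, and a passphrase generator that uses the OS CSPRNG rather than `random`. The eight-word list is constructed so the generator runs offline; the time figures are worst-case (whole space searched) and depend on the rate assumed, so they are for comparing policies, not for reproducing the slide's exact months and years.

```python
import math
import secrets

KEYBOARD_ALPHABET = 26 + 26 + 10 + 33   # 95 printable characters, the slide's count
DICEWARE_LIST_SIZE = 7744               # wordlist size used on the slide
GTX_980_RATE = 788e6                    # WPA conversions per second, the slide's figure
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols drawn uniformly from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    return math.log2(space)


def years_to_exhaust(space: int, rate: float) -> float:
    """Worst case: every candidate tried. On average a match turns up at half this."""
    return space / rate / SECONDS_PER_YEAR


def equivalent_char_length(space: int, alphabet_size: int = KEYBOARD_ALPHABET) -> int:
    """Shortest uniformly random character password whose keyspace is at least `space`."""
    return math.ceil(math.log(space) / math.log(alphabet_size))


def summary(n_words: int, list_size: int = DICEWARE_LIST_SIZE, rate: float = GTX_980_RATE) -> dict:
    """Policy view of an n-word Diceware passphrase under the slide's assumptions."""
    space = keyspace(list_size, n_words)
    return {
        "words": n_words,
        "bits": round(entropy_bits(space), 1),
        "equiv_char_length": equivalent_char_length(space),
        "years_worst_case": years_to_exhaust(space, rate),
    }


def diceware_passphrase(wordlist, n_words: int) -> str:
    """Pick n_words uniformly with the OS CSPRNG (secrets), never random.random."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed 8-word list, only so the generator runs offline; a real Diceware
# list has thousands of words (7744 here) and gives about 12.9 bits per word.
TOY_WORDLIST = ["apple", "bridge", "cloud", "delta", "ember", "flint", "grove", "harbor"]

if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        print(summary(n))
    print("sample passphrase from the toy list:", diceware_passphrase(TOY_WORDLIST, 4))
```

The useful comparison is `equiv_char_length`: four words from a 7744-word list carry about 51.7 bits, which is more than any random 7-character keyboard password and about the same as 8 characters, and each extra word adds another 12.9 bits, so going from four to five words multiplies the worst-case search time by the list size.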

Conclusion

  • The PMKID attack is still limited to brute force
  • Length of passwords matters
  • Long enough password = several to thousands of years to crack

Bibliography

[1] Institute of Electrical and Electronics Engineers (IEEE), "802.11i IEEE Standard for Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications", 3 Park Avenue, New York, NY 10016-5997, USA, Available: https://standards.ieee.org/standard/802_11i-2004.html, [Published: July 21, 2004], [Accessed: Dec. 13, 2018], Page 20-27

[2] Atom (Administrator), "hashcat", "New attack on WPA/WPA2 using PMKID", Available: https://hashcat.net/forum/thread-7717.html, [Published: Apr. 08, 2018], [Accessed: Nov. 15, 2018]

[3] darkAudax, "Aircrack-ng", "Tutorial: How to Crack WPA/WPA2", Available: http://www.aircrack-ng.org/doku.php?id=cracking_wpa, [Published: Mar. 07, 2010], [Accessed: Dec. 10, 2018]