Hashcat creator Jens Steube accidentally discovered a new method to break into network routers while researching new ways to attack the new WPA3 security standard. He stumbled onto an attack technique capable of cracking hashed passwords based on the Wi-Fi Protected Access Pre-Shared Key (WPA-PSK) security protocol.
For starters, WPA is a mechanism in wireless networking that encrypts and decrypts data passed between the router and a connected device. The PSK aspect applies to the network’s password or passphrase, as the router creates a unique 256-character key that is shared between both devices. These keys change periodically to prevent hackers from infiltrating the network.
In a typical attack, the hacker must be in the range of a router and a connecting wireless device, and patiently wait for the latter device to log onto the network. When the wireless device begins the connection process, the hacker must run a tool in the exact same moment to capture the full four-way “authentication handshake” made between the router and the device.
That’s not the case in the new attack. With this method, the hacker needs only a small portion of the handshake called the Robust Security Network Information Element (RSN IE). Even more, the hacker can connect directly to the router and access the needed data rather than lurk in the background and wait for someone to connect.
“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11 i/p/q/r networks with roaming functions enabled (most modern routers),” Steube says.
The login aspect of connecting a wireless device to a router consists of a set number of steps or frames. The RSN IE is an optional field within one of those steps that contains the Pairwise Master Key Identifier, a networking component that verifies that both the router and wireless device know the PSK-based password. This component is the new method’s attack vector, retrieving the stored PSK-based password.
According to Steube, the attack requires three available tools: Hcxdumptool v4.2.0 or higher, Hcxtools v4.2.0 or higher, and Hashcat v4.2.0 or higher. The first tool on the list grabs the necessary connection frame and dumps it into a file. The second tool converts the saved data into a format that can be read by Hashcat. This third tool cracks the encryption.
Ultimately, this method reduces the time used to access the stored passwords but doesn’t lessen the time needed to crack the encryption protecting these passwords. The cracking duration depends on the password complexity, thus if router owners never change the password from the factory default, the password should take no time to crack.
To better protect yourself from a possible attack, change the default password on your router. Using your own password is supposedly better than allowing the router to create one for you, and always use a variety of characters: Lower and upper-case letters, numbers, and symbols. If you’re not great at remembering passwords, Steube suggests using a password manager.
