
Breaking 802.11 using PMKID, Joakim Rødland, Friday 25th January, 2019 (PowerPoint presentation)



  1. Breaking 802.11 using PMKID
  Joakim Rødland, Friday 25th January, 2019
  Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich

  2. Goal of this talk
  • What is PMKID
  • Background for the attack
  • How does one acquire PMKID
  • Another similar attack
  • Password cracking and Diceware
  • Conclusion
  R. Joakim — Breaking 802.11 using PMKID 2


  3. What is PMKID
  • Part of the 4-Way handshake (EAP over LAN, EAPOL) -> quick look at this¹
  • PMKID = Pairwise Master Key Identifier
  • Unique identifier for each PSK (Preshared Key) or password on a network
  • But which network?
  • WPA/WPA2-PSK or Personal
  • Where is the PMKID located? The answer is in the Robust Security Network Information Element (RSN IE).
  • „The PMKID Count specifies the number of PMKIDs in the PMKID List field. The PMKID list contains 0 or more PMKIDs that the STA believes to be valid for the destination AP.“¹
  ¹ 802.11i-2004, p. 31 (PMKID) [1]


  4. Background
  • Jens Steube posted May 2018 on hashcat²
  • A lot of different websites have information about the attack
  • Enough about the background... -> Let's see how one can acquire a PMKID
  ² New attack on WPA/WPA2 using PMKID [2]


  5. Acquire PMKID
  • Where is the PMKID located? -> RSN IE -> PMKID list
  • „The PMKID Count and List fields shall be used only in the RSN information element in the (Re)Association Request frame to an AP“³
  • „Preauthentication shall not be used unless the new AP advertises the preauthentication capability in the RSN information element.“⁴
  • Answer in short:
    1. Preauthentication means the use of roaming
    2. Send (Re)Association Request to AP
    3. If roaming is supported, the AP will respond with EAPOL frame 1/4 of the 4-Way handshake
    4. -> See the paper for more in-depth information
  ³ 802.11i-2004, p. 31 (PMKID) [1]
  ⁴ 802.11i-2004, p. 69 (PMKID) [1]
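As an added example that is not part of the slides, a Python parser for the RSN information element that recovers the fields both the "What is PMKID" and "Acquire PMKID" slides quote from 802.11i: the AKM suite (PSK or not), the Pre-Authentication capability bit, and the PMKID Count / PMKID List. It is run over a constructed (Re)Association Request RSN IE; the suite selector values are the standard's, while the sample bytes, the function names and the final WIDS-style check are my own assumptions.

```python
import struct

SUITE_OUI = b"\x00\x0f\xac"      # IEEE 802.11 cipher/AKM suite selector OUI
AKM_PSK = SUITE_OUI + b"\x02"    # AKM 00-0F-AC:2 = PSK (WPA/WPA2-Personal)
PREAUTH_CAP = 0x0001             # RSN Capabilities bit 0: Pre-Authentication

def parse_rsn_ie(ie):
    """Parse an RSN IE body (bytes after element ID 0x30 and the length byte);
    raises ValueError on a truncated element instead of reading past it."""
    off = 0
    def take(n):                 # return the next n bytes, refusing to over-read
        nonlocal off
        if off + n > len(ie):
            raise ValueError("RSN IE truncated at offset %d" % off)
        off += n
        return ie[off - n:off]
    def u16():                   # little-endian 16-bit count/version field
        return struct.unpack("<H", take(2))[0]
    version = u16()
    take(4)                      # group data cipher suite (not needed here)
    take(4 * u16())              # pairwise cipher suite list
    akms = [take(4) for _ in range(u16())]   # AKM suites: PSK vs. 802.1X
    caps = u16() if off + 2 <= len(ie) else 0   # RSN Capabilities (optional)
    pmkids = []
    if off + 2 <= len(ie):       # PMKID Count / PMKID List (optional)
        pmkids = [take(16).hex() for _ in range(u16())]
    return {"version": version, "akm_psk": AKM_PSK in akms,
            "preauth": bool(caps & PREAUTH_CAP), "pmkids": pmkids}

# Constructed sample, not from a real capture: RSN IE body of a (Re)Association
# Request on a WPA2-PSK/CCMP network with Pre-Authentication set and one made-up
# PMKID (bytes 00..0f) in the PMKID List.
SAMPLE_ASSOC_REQ_RSN_IE = (
    b"\x01\x00"                            # version 1
    + SUITE_OUI + b"\x04"                  # group cipher: CCMP
    + b"\x01\x00" + SUITE_OUI + b"\x04"    # 1 pairwise suite: CCMP
    + b"\x01\x00" + AKM_PSK                # 1 AKM suite: PSK
    + b"\x01\x00"                          # RSN capabilities: Pre-Authentication
    + b"\x01\x00" + bytes(range(16))       # PMKID Count 1, one 16-byte PMKID
)

def pmkid_in_psk_assoc_req(ie):
    """Hypothetical WIDS check: a PSK-network (Re)Association Request that already
    carries a PMKID is the frame the slides describe, so flag it for review."""
    p = parse_rsn_ie(ie)
    return p["akm_psk"] and len(p["pmkids"]) > 0
```

A minimal RSN IE that stops after the AKM list (no capabilities, no PMKID fields) parses cleanly with an empty PMKID list, while an element whose PMKID Count promises more bytes than are present is rejected rather than silently misread.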


  6. Related attack on WPA/WPA2-PSK: 4-Way handshake attack [3]
  • Different from the PMKID attack
  • Need the 4-Way handshake to acquire the PSK
  • And an already connected client on the targeted AP
  • The attack pattern:
    • Set Network Interface Card (NIC) in monitor mode
