
Cracking WPA-2 Just Got a Whole Lot Easier

199 points by iou, almost 7 years ago

15 comments

dsp1234, almost 7 years ago
Note that the beginning of the article quickly mentions the new attack that doesn't require the 4-way handshake. Then the rest of the article describes the 4-way handshake attack.

Here is the source for information on the attack that only requires a single EAPOL frame[0].

"This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called "Simultaneous Authentication of Equals" (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

The main advantages of this attack are as follows:
- No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack)
- No more waiting for a complete 4-way handshake between the regular user and the AP
- No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
- No more eventual invalid passwords sent by the regular user
- No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
- No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)" [0]

[0] - https://hashcat.net/forum/thread-7717.html

alanfranzoni, almost 7 years ago
I'm not totally sure of what "cracking" means in this context. Without the 4-way handshake, what does "cracking" mean? Am I discovering the wifi network password, or am I able to decrypt a client's WPA2-protected connection? That's very different!

In WPA, in contrast with WEP, knowing a network's password does not automatically let you sniff another client's traffic. So, the distinction is quite interesting.

chaosite, almost 7 years ago
This seems to be the attack mentioned in the blog: https://hashcat.net/forum/thread-7717.html

Basically it seems like there's a thing called PMKID, which is a HMAC-SHA1 of the PMK and things we know, which you can get just by asking for it.

cmurf, almost 7 years ago
Is there a new hardware dependency for supporting WPA3? Or could most existing 802.11ac era APs be firmware flashed to support WPA3? (Setting aside the business case where there's probably insufficient economies of scale for paid software upgrades for existing hardware that would enable WPA3, rather than just selling a new product.)

criddell, almost 7 years ago
Near the end of the video didn't he supply the password (Ankle123)? If so, what was actually cracked?

I have a reasonably strong password on my wifi (it looks something like "OwEs3PMY7yk6qwR4ic"). Is this crackable with this guy's setup in a couple of days?

discreditable, almost 7 years ago
WPA2's day is past imho. It's a shame that WPA3 looks like it might have its own problems thanks to closet development.

fixermark, almost 7 years ago
This story might want a caveat: "If the password doesn't change frequently."

I think most people still don't think of "Key can be brute-forced in a few days of offline processing" as "owned," necessarily.

danmg, almost 7 years ago
This isn't new. mode 2501 cracking in hashcat has been there for over a year.

voxadam, almost 7 years ago
It seems like it might be time to configure my mobile devices (e.g. phones and laptops) to use my newly configured Wireguard VPN even when using my own WPA2-PSK (AES) wifi at home.

Qub3d, almost 7 years ago
Is it bad that I want to go make a wardriving setup again?

Fnoord, almost 7 years ago
This is about WPA2-PSK (aka WPA2-Personal), not WPA2 (aka WPA2-Enterprise). PSK was already vulnerable to brute force attacks. It always is.

tunesmith, almost 7 years ago
Any recommendations on what an Airport Extreme user should move on to if they're looking for something similarly easy to set up?

nexact, almost 7 years ago
Not every vendor is including RSN data. "A whole lot easier" is an overstatement imo.

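Added example (not part of the thread or of the tools it discusses): a defender-side check of whether message 1 of the 4-way handshake from your own AP carries a PMKID in its key data, the single-frame exposure that dsp1234's quote and chaosite describe and that nexact notes not every vendor includes. Offsets follow the IEEE 802.11i EAPOL-Key layout; `pmkid_exposure`, `build_m1` and the sample frames are hypothetical names and constructed data, and treating an all-zero PMKID as unusable is an assumption.

```python
import struct

# EAPOL-Key frame: 4-byte EAPOL header, then 93 bytes of fixed key
# descriptor fields, then a 2-byte Key Data Length and the Key Data.
KEY_DATA_LEN_OFF = 4 + 93
PMKID_KDE_PREFIX = bytes.fromhex("000fac04")  # OUI 00-0F-AC, data type 4


def pmkid_exposure(eapol: bytes) -> str:
    """Classify an EAPOL-Key message 1 as 'absent', 'zeroed' or 'present'."""
    if len(eapol) < KEY_DATA_LEN_OFF + 2 or eapol[1] != 3:  # type 3 = Key
        raise ValueError("not an EAPOL-Key frame")
    (kd_len,) = struct.unpack_from(">H", eapol, KEY_DATA_LEN_OFF)
    key_data = eapol[KEY_DATA_LEN_OFF + 2:KEY_DATA_LEN_OFF + 2 + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("truncated key data")
    pos = 0
    while pos + 2 <= len(key_data):  # walk the id/length/body elements
        elem_id, elem_len = key_data[pos], key_data[pos + 1]
        body = key_data[pos + 2:pos + 2 + elem_len]
        if len(body) != elem_len:
            raise ValueError("truncated element")
        # Vendor-specific element 0xdd holding the 16-byte PMKID KDE.
        if elem_id == 0xDD and elem_len == 20 and body[:4] == PMKID_KDE_PREFIX:
            return "zeroed" if body[4:] == bytes(16) else "present"
        pos += 2 + elem_len
    return "absent"


def build_m1(key_data: bytes) -> bytes:
    """Constructed sample: message 1 with zeroed nonce and given key data."""
    desc = bytes([2]) + struct.pack(">HH", 0x008A, 16)  # type, key info, key len
    desc += (1).to_bytes(8, "big") + bytes(32 + 16 + 8 + 8 + 16)
    desc += struct.pack(">H", len(key_data)) + key_data
    return bytes([2, 3]) + struct.pack(">H", len(desc)) + desc


KDE = bytes.fromhex("dd14000fac04")
SAMPLES = {  # constructed frames, not captures
    "with_pmkid": build_m1(KDE + bytes(range(1, 17))),
    "zero_pmkid": build_m1(KDE + bytes(16)),
    "no_kde": build_m1(b""),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, pmkid_exposure(frame))
```

Feed it the EAPOL payload, starting at the version byte, of message 1 captured from an AP you administer. The function reports only the classification and never returns the PMKID value itself.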
grendelt, almost 7 years ago
> sparenly

?!

ozfive, almost 7 years ago
Hahaha keep trying. I'm close to a solution to this wifi cracking problem! Taking days or even hours won't be able to touch what I have...