Hashcat Developer Discovers Simpler Way To Crack WPA2 Wireless Passwords (hashcat.net)
New submitter Woodmeister shares a report: While looking for ways to attack the new WPA3 security standard, Hashcat developer Jens "Atom" Steube found a simpler way to capture and crack access credentials protecting WPA and WPA2 wireless networks. The attacker needs to capture a single EAPOL frame after requesting it from the access point, extract the PMKID from it by dumping the received frame to a file, convert the captured data to a hash format accepted by Hashcat, and run Hashcat to crack it. Once that's done, the attacker has the Pre-Shared Key (PSK), i.e. the password, of the wireless network. Depending on the length and complexity of the password and the power of the cracking rig, that last step could take hours or days. "The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame," Steube explained. This makes the attack much easier to pull off, as the attacker doesn't depend on another user and on being in range of both the user and the access point at the exact moment when the user connects to the wireless network and the handshake takes place.
Someone's going to need to translate the likely length of a crack. The quote "that last step could take hours or days" isn't all that helpful.
If we have a WPA2 (max) 63 printable ASCII character random password, is the crackable time of this attack still on the order of "a couple of days"?
i.e. can casual users mitigate this attack by just increasing their WPA2 password length? To what size?
Or is this attack some sort of end-around where the size of the WPA2 ASCII key doesn't matter? It's not clear to me, but then again, I'm no security expert either...
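The question above is about whether passphrase length changes the picture. The page itself gives the general answer: the final step is an offline crack whose duration depends on "the length and complexity of the password and the power of the cracking rig". The following script is an added illustration, written for this page and not taken from the article, from Hashcat, or from any commenter. It assumes only two things: that each candidate passphrase costs the attacker one PBKDF2-HMAC-SHA1 derivation (4096 iterations, as WPA2-PSK specifies for turning a passphrase and SSID into the PMK), and a constructed guess rate of one million PMKs per second, which is a placeholder rather than a measurement of any real rig. The alphabet sizes and the 80-bit threshold in `passphrase_is_resistant` are likewise assumptions chosen for the illustration.

```python
import math

# WPA2-PSK derives the 256-bit PMK with PBKDF2-HMAC-SHA1 over the passphrase and
# SSID, 4096 iterations. The PMKID check on top of that is a single HMAC, so the
# per-guess cost of the attack described in the article is dominated by PBKDF2.
PBKDF2_ITERATIONS = 4096

# Constructed placeholder rate for the illustration, not a benchmark of any rig.
ASSUMED_GUESSES_PER_SECOND = 1_000_000

# Assumed alphabet sizes for a uniformly random passphrase.
DIGITS = 10
LOWERCASE = 26
ALPHANUMERIC = 62
PRINTABLE_ASCII = 95

SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(length, alphabet_size):
    """Number of passphrases of exactly `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(length, alphabet_size, guesses_per_second):
    """Time to exhaust the whole keyspace; the expected time is half of this."""
    return keyspace(length, alphabet_size) / guesses_per_second


def dictionary_seconds(wordlist_size, guesses_per_second):
    """Time to try every entry of a wordlist, the realistic attack on human-chosen passphrases."""
    return wordlist_size / guesses_per_second


def human_duration(seconds):
    """Render a duration the way the article does: seconds, minutes, hours, days, years."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < SECONDS_PER_HOUR:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def passphrase_is_resistant(length, alphabet_size, min_bits=80):
    """Assumed defensive threshold: a random passphrase with at least `min_bits` of entropy."""
    return entropy_bits(length, alphabet_size) >= min_bits


def estimate_table(guesses_per_second, alphabet_size=PRINTABLE_ASCII,
                   lengths=(8, 10, 12, 16, 63)):
    """One row per length: (length, entropy bits, worst-case seconds, human-readable)."""
    rows = []
    for length in lengths:
        secs = worst_case_seconds(length, alphabet_size, guesses_per_second)
        rows.append((length, entropy_bits(length, alphabet_size), secs, human_duration(secs)))
    return rows


if __name__ == "__main__":
    rate = ASSUMED_GUESSES_PER_SECOND
    print(f"Assumed rate: {rate:,} PBKDF2 derivations/s ({PBKDF2_ITERATIONS} iterations each)")
    print("Random printable-ASCII passphrase, exhaustive search:")
    for length, bits, _, text in estimate_table(rate):
        print(f"  {length:2d} chars  ~{bits:5.1f} bits  {text}")
    print("Human-chosen passphrase found in a 10-million-entry wordlist:")
    print(f"  {human_duration(dictionary_seconds(10_000_000, rate))}")
```

The contrast the table makes is the one that matters for the question: even at the assumed rate, exhausting 8 random printable characters takes centuries, while a wordlist of ten million entries is exhausted in seconds. Length helps only insofar as it raises entropy; a long passphrase assembled from dictionary words with predictable substitutions still falls to the wordlist, not to brute force.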
Very few of them, actually.
Moreover, if some attacker is going to use this approach, (s)he is likely not looking for the easiest target on the block, but for the ones worthy of his/her attention because (s)he has specific plans. If someone is a worthy target, the attacker just passes by the relevant house or office, collects the data, and patiently cracks it. It doesn't matter if it takes them 1 day or 50. If the target is worth it and the crack is computationally feasible, they'll do it and wait as long as needed.