cosa9 (Member, Thread Author; joined February 10, 2026), post #1
Attack on WiFi without clients (PMKID attack)
There are many different attacks on WiFi. The most universal one (it works against virtually all access points) targets WPA/WPA2, since that is what the vast majority of wireless access points use. When a client connects to a WPA/WPA2 access point, the two sides run the EAPOL key exchange (the 4-way handshake), a step-by-step exchange of data between the access point and the client that wants to connect. The essence of the attack is to intercept all (or at least part) of the transmitted data and then search for a password that matches it. Simply put, you first need to capture a handshake (at the EAPOL stage) and then brute-force the correct password.
Difficulties can arise at each of these two stages: capturing a handshake can fail for many reasons, the most fatal of which is the absence of clients. If no client is connecting, the EAPOL exchange never happens, so there is nothing to intercept.
Participants in the hashcat project discovered an attack vector that does not require the classic interception of a “handshake” between the client and the access point. The weakness was identified during a study of potential security problems in the new WPA3 protocol.
The main difference from existing attacks is that a full 4-way EAPOL handshake is not required. The new attack targets the RSN IE (Robust Security Network Information Element), and a single EAPOL frame is enough to carry it out. (Source: kalituts)
At present it is not known for how many routers this method works; most likely it works for all existing 802.11i/p/q/r networks with roaming features enabled, which is the majority of modern routers.
The main features of the PMKID attack:
- no need to wait for clients: the AP is attacked directly;
- no need to wait for a full 4-way handshake between the client and the AP;
- no retransmitted EAPOL frames;
- no risk of capturing incorrect passwords sent by a client;
- no EAPOL frames lost because of distance from, or loss of contact with, the client;
- higher speed, since nonce and replay counter values do not need to be fixed up;
- no need for a specialised output format (pcap, hccapx, etc.): the captured data is stored as hex strings.
WiFi technology has a large number of implementations and all sorts of related technologies and solutions, so the method described here may not work in every case: it depends on the device manufacturer and the details of its implementation. It may also depend on the chipset of your WiFi adapter.
Next comes some theoretical background from the forum, followed by an example of a real successful attack using this technique.
This attack was discovered by chance while searching for new ways to attack the future security standard WPA3. WPA3 will be much harder to attack because of its modern key-establishment protocol, “Simultaneous Authentication of Equals” (SAE).
It is not reported whether a new attack on WPA3 was found, but a new attack against WPA/WPA2-PSK was found, and the necessary tools have already been prepared. The main difference from existing attacks is that the new method does not require capturing the full 4-stage EAPOL handshake: it works on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.
So far not enough information has been gathered to say exactly for which manufacturers or which routers this technique works, but the authors believe it works against any 802.11i/p/q/r network with roaming features enabled (most modern routers).
In this list:
- 802.11i: improved security (2004);
- 802.11p: WAVE, Wireless Access for the Vehicle Environment;
- 802.11r: fast roaming.
The main advantages of this attack are as follows:
- Regular users are no longer needed, because the attacker interacts directly with the AP (hence the name “attack without clients”).
- No more waiting for a 4-step handshake between a regular user and the AP.
- No more defective handshakes assembled from EAPOL frames of different handshakes (which makes it impossible to recover the password, although the attacker may not realise this).
- No more incorrect passwords sent by regular users. If someone tries to connect to the AP with the wrong password, that (incomplete) handshake can also be intercepted and used for cracking; you may even recover the password the client tried to use, but since it is wrong, this is pointless.
- No more lost EAPOL frames when a regular user or the AP is too far from the attacker. In that case you may get a handshake that is unusable for cracking, or one that is usable, but depending on which frames were lost you cannot be sure the connection was successful.
- No more need to correct nonce and replay counter values (which gives a slight increase in speed).
- Special formats (pcap, hccapx, etc.) are no longer needed: the final result is presented as an ordinary string in hexadecimal encoding.
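As an added example (not from the post, kalituts or hashcat) that takes the defender's side of the features and advantages listed above: because the attacker needs only the AP's first EAPOL frame and never sends the second one, a WLAN controller or wireless IDS can look for stations that associate, receive M1 and disconnect at once, typically against several APs in a row. The event records and their field layout are constructed here for the example and are not any vendor's log format.

```python
"""Added example (not from the post): flag PMKID harvesting from WLAN events.
The attack needs only the AP's first EAPOL frame (M1), so the attacker
associates, takes M1 and drops the link without ever sending M2.
Records below are constructed sample data; their layout is assumed here."""
from collections import defaultdict

# Constructed records: (timestamp_s, event, ap_bssid, station_mac)
EVENTS = [
    (100.0, "assoc",    "AP-1", "11:11:11:11:11:11"),
    (100.1, "eapol_m1", "AP-1", "11:11:11:11:11:11"),
    (100.2, "eapol_m2", "AP-1", "11:11:11:11:11:11"),  # legitimate client
    (200.0, "assoc",    "AP-1", "AA:AA:AA:AA:AA:AA"),
    (200.1, "eapol_m1", "AP-1", "AA:AA:AA:AA:AA:AA"),
    (200.2, "deauth",   "AP-1", "AA:AA:AA:AA:AA:AA"),  # M1 only, then gone
    (201.0, "assoc",    "AP-2", "AA:AA:AA:AA:AA:AA"),
    (201.1, "eapol_m1", "AP-2", "AA:AA:AA:AA:AA:AA"),
    (201.2, "deauth",   "AP-2", "AA:AA:AA:AA:AA:AA"),  # same station, 2nd AP
    (300.0, "assoc",    "AP-2", "22:22:22:22:22:22"),
    (300.1, "eapol_m1", "AP-2", "22:22:22:22:22:22"),  # stalled handshake:
    (305.0, "deauth",   "AP-2", "22:22:22:22:22:22"),  # AP timer, not harvest
]

def m1_only_sessions(events, m2_timeout=2.0):
    """Map station -> BSSIDs where it dropped the link right after M1.
    A wrong-passphrase client still sends M2 and a stalled client typically
    waits for the AP's handshake timer, so a deauth within m2_timeout of M1
    with no M2 is the harvesting signature rather than a normal failed join."""
    pending = {}                 # (bssid, sta) -> timestamp of M1, or None
    hits = defaultdict(set)
    for ts, ev, bssid, sta in events:
        key = (bssid, sta)
        if ev == "assoc":
            pending[key] = None
        elif ev == "eapol_m1" and key in pending:
            pending[key] = ts
        elif ev == "eapol_m2":
            pending.pop(key, None)            # handshake progressed normally
        elif ev in ("deauth", "disassoc"):
            m1_ts = pending.pop(key, None)
            if m1_ts is not None and ts - m1_ts < m2_timeout:
                hits[sta].add(bssid)
    return hits

def flag_harvesters(events, min_aps=2):
    """Stations showing the M1-only pattern against at least min_aps APs."""
    sessions = m1_only_sessions(events)
    return sorted(sta for sta, aps in sessions.items() if len(aps) >= min_aps)

if __name__ == "__main__":
    print(flag_harvesters(EVENTS))  # ['AA:AA:AA:AA:AA:AA']
```

The threshold values are deliberately simple; on a real network the M1-only pattern from one station against many BSSIDs is the signal worth alerting on, while a single stalled session is ordinary noise.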
Conclusion
The attack considered here is a great addition to the existing ones. With it there is a real chance of recovering the password of completely “hopeless” access points (ones without clients and with WPS turned off).
Happy learning!