
Okay. Welcome everybody to the final presentation of the day here in track one. Please again make sure your cell phones are silent and do leave by the side doors. We have Demetri here with "Still Cracking WPA2: Prevalence and Password Weakness in 2026." Let's give him a round of applause. Give yourselves a round of applause for sticking around so long. I appreciate you.

>> Yeah, the last couple of talks are usually pretty rough. People die out. So again, pat yourselves on the back. I appreciate it. I'll start my time. Okay. So, as he introduced, I'm Demetri and I'll be presenting "Still Cracking WPA2: Prevalence and Password Weakness." Realistically, this talk exists because I stopped, right? I had the hardware, right? I had routes planned. I had a research protocol written out, phase one, phase two, but I didn't have legal authorization. So I had to stop. I didn't have somebody who could audit and say, "Yeah, you're not going to cause harm to the public." So I did build out this talk with what I could do legally. For the next 20 minutes, I'd like you to take away that WPA2 is still prevalent and it's not a solved problem. It's the dominant wireless protocol in this city, probably in your neighborhood, and possibly even in your homes. We're going to cover the mechanisms: beacon frames, the four-way handshake, and the PMKID itself. We're going to look at the real numbers that I pulled and compare them to WiGLE, or Wiggly as I call it. I don't know if you guys pronounce it that way or if it's part of the tool. Wiggle E. I'm going to call it Wiggly.

Any good PowerPoint needs an agenda. We're going to go over the introductions and disclaimers. Then we're going to move into the foundations of Wi-Fi, after that specifically WPA2, and then focusing even more on the PMKID itself, look at real-world numbers, and then we'll wrap up with what you can actually do about it and what my next steps are in research. We'll have references at the end.

So, a little bit about me. I suck at describing myself. The only thing that matters on this slide is that I like to break things for fun in my free time, and that I think like an attacker and I only do attacker things with permission. So, warning, there's a boring legal disclaimer coming up next. Very important as red teamers to do things legally and for the benefit of the community. So, never crack or attempt to capture hashes of networks you do not have written authorization for. Not just because you're curious, but actual written authorization. A few laws to keep in mind are the CFAA, which is the Computer Fraud and Abuse Act. That's the big federal law. And then there is also the ECPA. Both of them have very loose language so that prosecutors can be creative when they charge you. Okay. Getting a little bit closer to home, we have Penal Code 156. And then finally we have what our friend is, as researchers, the DOJ good faith law. All right. That allows us to conduct this type of research without going to prison. Another takeaway: you can get both a federal charge and a state charge. They do not preempt.

>> Quick rundown of the methodology. Phase one, I just did passive scans of a major city. I will not give you the name of the city, but we can take guesses.
All I did was listen for what Wi-Fi naturally broadcasts. It's the same thing that your phone does. The only difference is I put it into a database and analyzed it later. Phase two was separate. I did proof of concept in my own lab and against networks that I did have authorization for. That got hung up there. Yeah, that entails actually gathering the hash from public networks; couldn't do that. Moving on.

So, foundations of Wi-Fi. Every 10 seconds, all access points are screaming out: this is my Wi-Fi name, this is my MAC address, these are the security protocols I use, this is the channel that I'm on, and my signal strength, every 10 seconds. Sorry. Every tenth of a second, signal strength and channel are broadcast. It's perfect.

Diving a little bit deeper into WPA2, we're going to look at the four-way handshake, the stuff that we care about. To be able to get on that network, we need to know what the password is, right? Fun fact: in that four-way handshake, the password is actually never sent over the air. It gets turned into what's called a password master key. That password master key then gets mixed up with a bunch of random letters, or nonces, 4,096 times and gives you a 256-bit hash. That 256-bit hash is turned into a session key, and that's split up to handle the different parts of authentication, network encryption, and the actual key exchange itself.

So what is the PMKID? It was actually added to the WPA2 protocol as a performance feature or roaming feature. So when you leave the range of the Wi-Fi and come back, you don't have to go through the whole four-way handshake. It's quite cool. Or if you move between two access points, the transition is more seamless. Jens Steube, the dude that wrote Hashcat, or the person that wrote Hashcat, I'm actually not sure if Jens is a dude, back in 2018 found out you can just ask the Wi-Fi for this PMKID and it'll hand it over. One frame, just hand it over, and you can walk away, go sip coffee, and crack it at home.

So this is what the PMKID formula is like, how it's computed. The password-based key derivation is a public formula you can get from the 802.11 framework; you can reference that to find it, just look up this formula and copy this mathematical information. So, to get it you have the AA, which is the access point's MAC address, and then you have the client MAC address, and then this literal string "PMK Name", and then the PMK, which is the password master key. Right? So it's not the actual password, but it's a hashed version, a 256-bit hashed version of the password. So really the only variable that we don't know as an attacker in this exchange of information is that PMK, but we do know the mathematical equation used to guess it, right? So if we can get the PMKID, we can use a password list to hash those password guesses, right? And then we can compare the two hashes, and if they match, guess what? We're in, right?

So, fun fact, this was a mistake. The person, the researcher that discovered this, was trying to break WPA3, and just noticed the first message: here's my hash and my password. Nice, right? Before this you needed a client on the network, or somebody actively trying to connect to the network, and you watch, right? And if the client is connected you had to send a deauth packet to get them to disconnect and reconnect so you can actually see that four-way handshake. Now you just ask the access point and it gives it to you, and on your merry way. Very noisy before; almost nothing now. You get one little blip. That's it. And let's be honest, humans are humans and we're not maybe lazy, but we don't necessarily always make the best password, especially at home. We want ease of access. Most of us here are probably IT people, right? We don't want to deal with hard passwords. We just want it to work, just like regular users do.

So, what do the real numbers look like? 74% of the population is still using WPA2 today. And I pulled this and compared it with the 1.7 billion access points uploaded to WiGLE. I collected about 20,000 myself for my survey, and the numbers compared. So one major city in the US: 74%. 22% is on WPA3, which is great, but it's more of an install base problem. Like, nobody's getting rid of their routers unless they...

>> Presumably the remaining 23% are, like, unprotected or

>> Wide open, or very little WPS, which is kind of nice to see.

>> Have you found, probably you won't find it by scanning, but anecdotally, that it's the clients that tend to hold networks back, because they need that backwards compatibility? Like, I think a bunch of my smart plugs in my house, like, we only do WPA2 because we've got to use this tiny little password. So we're asking, like, if manufacturers

>> Right.

>> hold back? I would say yes, but in 2020 it's mandatory to be on new technology, right? You have to make it so anything manufactured before that can have WPA2, but it's mandated now to be based on

>> So I've got to spend more money.

>> You will eventually, but you know WPA3 is backwards compatible. It can work with their devices because of this thing, which is honestly the only vulnerability, at least off the top of my head, that WPA3 has: a downgrade attack. Back to this. Sorry, did that answer your question?

>> It did. Thank you.

>> We had a similar researcher in Singapore. I believe I have it in my resources, but if you can read his report, do it. It's very thorough, very detailed. It shows you how the math actually works with all of this, the whole 802.11 framework.
He captured about 3,000 networks of PMKID hashes and he was only able to break 16% of them, in a study that I don't recall the time frame of, so I'm sorry. He saw that an eight-character or eight-digit numeric password fell in under 10 minutes, and that a lot of default creds were everywhere, which is not news to many of us, right? Another research group called DeepStrike in 2025 set up a 12 x 5090 rig, and they were able to brute force, so kept guessing each possible answer, an 8-character lowercase password, and that took three weeks. That's a lot of horsepower. Like, 12 GPUs is a lot. So just

>> It's impressive. But coupled with a word list

>> took minutes, right?

>> And we can get really creative with word lists. I don't know if you know what permutation is, or mutation is: just add a couple extra things at the beginning, or maybe move some stuff around, or if you know a certain ISP sets up their default router password to be two dictionary words with a dash in the middle, right? You can build a password list out of that. Or if you know a specific company, you can crawl the website and get very detailed words that are likely in their passwords.

>> What's the popular or famous password, is it

>> Ah yes, the RockYou database is what you're talking about, like the password list that's popular. But yeah, the RockYou database is the most common, most popular, even today. You find password lists all over the internet, but that's probably the most stable, and well, yeah, the most stable you can use for research. And then, coupled again with permutation, like mixing up the order or adding extra words to it, it can really push. Thank you.

So where do I go next? I've got to get someone to audit what my research actually looks like so that I can actually collect these PMKIDs and hit them against... But I just want to highlight the hcxdumptool. It's a tool built to capture. So you don't have to reinvent the wheel, right? Somebody already built a tool that will elicit and capture this PMKID for you. Make it easy. You can use other tools like Kismet. Kismet will also do the same thing. But this targets this specifically.

So what can we do about it, to fix it? The easiest thing, in my opinion: upgrade your router to support WPA3. Set your devices to only use WPA3. Next, use strong, random 12-character passwords. They're the most brute-force resistant. Next, disabling WPS, which I saw at maybe one or two percent, which was kind of cool. I saw way more open networks, which I think is kind of common. People don't want to put in passwords in, like, coffee shops and stuff. They just want you to sign in, maybe hit, like, a disclaimer that says you won't do bad things. The next thing: patch, too; upgrade your stuff. Make a habit of it at home and in your job. Drive it home. Keep your stuff up to date. The last thing, for people in the enterprise environment, we do have 802.1X, which introduces certificate-based authentication, and if there's no pre-shared key, you can't crack it. There is a very esoteric attack where you can be on the actual physical network itself to capture the cert and then you can use it to break the Wi-Fi, but it's a little more sophisticated and out of scope for this time.

That's it. WPA2 is still everywhere. It'll hopefully phase out in the next two, three, five, ten years. We'll see. If you want to see the resources and the slide deck, you can scan, or you can email anything at that URL or that domain. You've got to look real careful; there are some typos slotted in there. If you have any questions, please come see me, email me. I appreciate your company.

>> Was WPA3 part of, like, a Wi-Fi standard? Was it brought in, like, with Wi-Fi 6, or was it independent from Wi-Fi standards?

>> WPA3. Oh. Yeah, it's a different... So, it's a different protocol from

>> Yeah. It's not tied to, not specifically. Now, that's like another iteration of, like, the actual wireless.

>> Yeah. The frequencies and channels, etc. But so, do you need to be on a certain standard, or would that be backwards compatible to certain? Honestly, like I was saying, the only vulnerability off the top of my head that I can think of for WPA3 is going to be a downgrade. Most routers that support WPA3 are also able to do WPA2, and if I tell my phone to only use WPA2 to connect to your router, it'll use WPA2.

>> There are still, like, WRT54Gs out there, right?

>> Say it one more time.

>> There are people still using WRT54Gs out there, right? I'm not

>> Like the old-school Linksys,

>> Right. So, what you do is you take a little Linksys router and you flash it with an open source firmware, open

>> And man, I used that for... Oh, man.

>> router.

>> Yeah. And it was just, you just use an old commodity router and just flash it. It gave you a few more capabilities. I finally retired mine.

>> Another bit of information: a Raspberry Pi 4 has drivers for its wireless card to go into monitor mode. You don't need an actual separate adapter. You just do a Raspberry Pi 4. Let me say Raspberry 4. Just four, I'm pretty sure. But

>> Thank you. Anything else?

>> Skip to me. No, I definitely have to go home and check my router settings.

>> Make sure we're on WPA3. Yes, please. Thank you.