Wireless Attacks
My notes on wireless attacks I made during my OSWP training
Last updated
My notes on wireless attacks I made during my OSWP training
Last updated
Monitor mode
airmon-ng
airmon-ng start wlan0
Manually
Managed mode
Needed for connecting to networks!!!
airmon-ng
sudo airmon-ng stop wlan0mon
Manually
We can also disconnect and reconnect the adapter. With iwconfig we can see the mode of the interface.
To connect to a network we need to reestart NetworkManager, if we killed it previously with airmon-ng check killsudo service NetworkManager start
If the network uses mac filtering we cannot connect. It can be blacklist or whitelist. If it's blacklist we can use any non blacklisted MAC. If it's whitelisted we need to use the MAC of a connected client. A symptom of MAC filtering is that the network is OPEN or we have a password and still can't connect
sometimes changed macs don't stay when trying to connect to the network
IMPORTANT, indent what's insde braces or it will fail (parsing error). If tabs fail, add a couple of whitespaces instead
IMPORTANT, if wpa_supplicant is connected via an interface to a network it cannot connect to another, search ps aux for wpa_supplicant processes and kill them before connecting to another network or with a different configuration
several interfaces of wpa_supplicant can be run in parallel for different interfaces with different configurations
scan_ssid -> send probe requests
Config file for open network
alternative:
Config file for WEP network
If we have a hex key, dont use quotation marks " and don't use : to separate bytes (the next two examples are equivalent, one with ASCII key and the other with hex key)
alternative
Config file for WPA-PSK network
Valid for WPA-PSK and WPA2-PSK
alternative
Specific config file for WPA2-PSK
but WPA2-PSK (only) can be specified like this also:
wpa_supplicant will automatically choose between TKIP and CCMP based on availability, but it is possible to force one or the other by adding pairwise=CCMP or pairwise=TKIP to the configuration if necessary.
RSN -> Robust Secure Network (this sets pairwise and group to CCMP, although it can be specified explicitely so that we are not downgraded in any case). Maybe specifying pairwise and/or group fails, don't specify them first
alternative:
WPA-Enterprise
PEAP-MSCHAPv2 authentication
PEAP-GTC WPA Supplicant Configuration
TTLS-PAP WPA Supplicant Configuration
TTLS-CHAP WPA Supplicant Configuration
TTLS-MSCHAPv2 WPA Supplicant Configuration
Tool to generate configuration files: wpa_passphrase. Mandatory parameter: ESSID. Optional parameter: passphrase
Connect to a network with wpa_supplicant and config file
-i -> interface used to connect
-c -> config file
-B -> run wpa_supplicant in the background
To get an IP after connecting to the AP: dhclient -v wlan0
alternative method:
Manually:
Mac-changer:
for 5 GHzairodump-ng --band a wlan0mon
For both 5 and 2.4 GHz:airodump-ng --band abg wlan0mon
Wifi bands
Decide which ranges of freqs can be used
Determine the channels that can be used
Clients must support the band used by the AP to connect to it or sniff traffic Most common bands:
a, only 5 GHz -> seems like scanning with airodump on band a can pick up 2.4 GHz APs too
b, g, only 2.4 GHz
n, both 5 and 2.4 GHz
ac, freqs lower than 6 GHz
Channel bonding: sometimes several channels are combined into one, used to avoid interferences between channels. 802.11 n - compatible networks means that they support channel bonding.
In 5 GHz there is no overlapping in frequency between adjacent channels, that increases throughput. In 2.4 GHz there is.
When a client sends the others cannot. For that is good to have low power APs, to avoid many clients connecting to the same AP and one of them takes over.
interface
make sure it is up (ifconfig wlan0 up)
make sure it is the correct mode (iw dev)
sniffing
sniff in all frequencies: (a, b/g)
use proper channel width, if there is channel bonding
Hidden networks
Hidden networks don't advertise their name (ESSID) but they advertise their presence (BSSID). This is enough for us to not be able to connect or try to crack their pass, or try to launch attacks against it. Airodump only shows the name length, but not its value. In windows we see "hidden network" and it asks for the name when we try to connect
If a network has hidden ESSID the first step is to ALWAYS try to find it. If there are clients connected we can deauth one of them and we will capture the name when he reconnects. If there are no connected clients try a dictionary attack, trying to connect to a network using different names from a dictionary
Non probing clients are clients which are there, but don't probe networks, therefore we cannot detect their presence. We can create fake APs to see if he connects to any of them.
Several APs with different BSSID can share the same ESSID (this is, a single network with several access points)
The radiotap header that wireshark shows is added by wireshark, that information is not in packets sent through the air
Types of frames (for attacks, data frames are the important ones)
Management (advertisement, discovery, connection/disconnection)
Control (to facilitate delivery of Management and Data frames)
Data
WDS -> wireless distribution system: provide internet access from one wifi router to another via wifi (not by cable), so that the second one can cover a zone where the signal of the first doesn't reach
Beacon flood attack: fill the air with fake beacons so that clients see a lot of APs and the ones they want to see may fall out of the list mdk4 wlan0 b
Some wireless drivers ignore directed deauthentication and only respond to broadcast deauthentication. We can run the same aireplay-ng deauthentication command without the -c parameter.
If 802.11w is in use, unencrypted deauthentication frames are ignored. The only course of action is to wait for a client to connect.
The device simply didn't reconnect or was already out of range of the AP.
wigle.net -> geographical location of BSSIDs
Some phones randomize their MAC until the moment they connect to a network, when they switch to the good one. If we setup a honeypot we can get their real MAC if they connect to us
airmon-ng
Even if we don't see connected clients, send deauth packets against the different networks, with airodump listening in the specific channel (so that we don't miss reauth attempts if we are scanning other channels at that moment)
airodump-ng
aireplay-ng
Sometimes aireplay-ng says that he can't find the BSSID, that's because it's not using the appropriate channel. For that, run airodump-ng in the appropriate channel before aireplay-ng, or set the channel with "iw dev wlan0 set channel 13"
airdecap-ng
aircrack-ng
If in a capture file an AP has hidden name but we find it in another way, we need to pass both arguments to aircrack-ng, -b and -e, so that it can match a BSSID to an ESSID
airgraph-ng
Creates graphs of APs and stations. Colors:
green -> WPA
yellow -> WEP
red -> open
black -> desconocido el cifrado
airolib-ng
manages password lists in SQLite (calculating pairwise master key (PMK) is slow, but it is constant for an AP. precomputing it saves time later).
a, only 5 GHz -> seems like scanning with airodump on band a can pick up 2.4 GHz APs too
b, g, only 2.4 GHz
n, both 5 and 2.4 GHz
ac, freqs lower than 6 GHz
SKA = shared key authentication (ver si sale en PA al intentar auth wep) [[4 - WEP#WEP SKA]]ICV = integrity value check (CRC)WEP cloaking = the AP injects fake wep packets to difficult crackingKeystream (created by RC4 from IV + key)
PSK = pre shared key (what the client enters to connect)PTK = pairwise transient keyPMK = pairwise master key (dynamic key generated in handshake using PBKDF2 (password based key derivation function 2)) - If there is a PSK, the PMK is the PSK - A PSK is either a 256-bit key or derived from a passphrase - If a passphrase is used, it generates the PSK using the AP SSID as the salt: PSK = PBKDF2(HMAC−SHA1, Passphrase, SSID, 4096, 256) - If there is no PSK, the PMK is derived using 802.1x EAP exchange, usually RADIUSGTK = group transient key (used when messages like ARP are sent to many people, everyone needs to decrypt it equally)WPS = wifi protected setup (Tools: wash, reaver, bully)PBC = push button configuration Encryption mechanismsTKIP (based on WEP, which uses RC4, xor, etc)CCMP (based on AES)
The 4-way handshake does the following:
Confirm the client’s knowledge of the PMK
Confirm the AP's knowledge of the PMK
Derive a new and unique PTK
Install encryption and integrity keys
Encrypt transport of the AP generated GTK to the client
Confirm cipher suite selection
The PMK, nonces, and handshake MAC addresses are run through a PRF based on HMAC-SHA1 to derive the 512-bit PTK. During the handshake the AP also transmits the 256-bit GTK, or Group Temporal Key, to the client. The PTK and GTK are split into several components, some of which are used as AES keys for different types of network traffic, and some of which are integrity keys.
KCK = PTK bits 0-127, the key confirmation key
KEK = PTK bits 128-255, the key encryption key
TEK = PTK bits 256-383, the temporal encryption key for unicast traffic
TMK = PTK bits 384-511, the temporal MIC keys for TKIP
GEK = GTK bits 0-127, the group encryption key for multicast traffic
GIK = GTK bits 128-255, the group integrity key for TKIP
EAP = extended authentication protocol -> authenticate with RADIUS server (in airodump AUTH=MGT). Requires certificates on the server at least (deprecated EAP methods didn't require them)
EAP Transport Layer Security (EAP-TLS) is one of the most secure authentication methods, as it uses certificates on the server side and client side, instead of login and passwords, so the client and server mutually authenticate each other.EAPoL=extended authentication protocol over lan Identity = username Authentication methods: - EAP-MD5 (vulnerable to brute force, tool: eapmd5pass) - EAP-PAP - EAP-GTC - EAP-CHAP - EAP-MSCHAPv2 Encapsulations - PEAP - Protected Extensible Authentication Protocol(tunnel between client and RADIUS server, the AP sees nothing). creates a TLS tunnel before credentials are exchanged. Although different methods can be used within PEAP, MS-CHAPv2 is a commonly used inner method. PEAP and EAP-TLS mostly differ on how the data is exchanged inside the TLS tunnel. - EAP-TTLS - EAP Tunneled Transport Layer Security. also uses TLS. As opposed to EAP-TLS, it does not necessarily need client certificates. It creates a tunnel and then exchanges the credentials using one of the few possible different inner methods (also called phase 2), such as Challenge-Handshake Authentication Protocol (CHAP), Authentication Protocol (PAP), Microsoft CHAP (MS-CHAP), or MS-CHAPv2.
encrypt traffic during a connection, to prevent eavesdropping of credential exchange
enhanced version of diffie helmann where no pre shared key is necessary
First of all, if we know the AP model, check for default credentials. The first half of the BSSID can help: https://www.wireshark.org/tools/oui-lookup.html
The hashcat module to crack WPA/WPA2 is 2500
We can pause (p) and resume (r) the hashcat execution
Hashcat modules
WPA-EAPOL-PBKDF2
-m 2500
WPA-EAPOL-PMK
-m 2501
WPA-PMKID-PBKDF2
-m 16800
WPA-PMKID-PMK
-m 16801
2582a8281bf9d4308d6f5731d0e61c614604ba734d4e89acf0e761f4
TTLS-CHAP
-m 4800
ce8d3c0b4c5c9369ce426ba7d36d164e:38ddb29b0fea9243afb6fb9d6bb95bfb:2a
TTLS-MSCHAPv2
-m 5500
user1::::f4ed9fe147deaed3bfb1a1744ce1908788c66d281b134a11:d98dd4b772ee831c
John
The rules to mutate passwords are in /etc/john/john.conf
Rule to add 2 and 3 numbers at the end of the password:
Use --rules with john to apply rules
Crunch
Generate new passwords, we need to say the minimum and maximum length (WPA requires passphrases between 8 and 63 chars). Crunch also allows us to specify a pattern with the -t option with or without a character set. Different symbols in the pattern define the type of character to use.
@ represents lowercase characters or characters from a defined set
, represents uppercase characters
% represent numbers
^ represents symbols
Mangler
Ruby script to mutate passwords --allow-duplicates is usually worth it because of the time we save in not checking if there are duplicates
A set of three words generates about 6,000 passwords, four words generates about 23,000 passwords, and five words generates about 125,000 passwords. We need to take care to ensure the wordlist we begin with is a reasonable size.
Tool that recovers WPA pre-shared keys using both dictionary and rainbow table attacks. Although coWPAtty is not being developed anymore, it is still useful, especially when using its rainbow table attack method. Install it with sudo apt install cowpatty
Automatic tool. It sends packets to the WEP network that we are trying to attack. It may be necessary to run this command several times, sometimes it fails.
ftp://ftp.openwall.com/pub/wordlists/ http://www.openwall.com/mirrors/ https://github.com/danielmiessler/SecLists http://www.outpost9.com/files/WordLists.html http://www.vulnerabilityassessment.co.uk/passwords.htm http://packetstormsecurity.org/Crackers/wordlists/ http://www.ai.uga.edu/ftplib/natural-language/moby/ http://www.cotse.com/tools/wordlists1.htm http://www.cotse.com/tools/wordlists2.htm http://wordlist.sourceforge.net/
CRC-32 is a digest, just like MD5
An attacker can sniff packets, where the IV (24 bit) is in plain text. since 24 bit is not much, capturing enough packets, statistical attacks can be run. RC4 generates the same keystring for a same IV+key. #Data in airodump shows how many useful packets have been captured. When enough are present we can crack it with:aircrack-ng archivo.cap
Sometimes aircrack doesn't return the ascii version of the key but we can connect to the network with the hex (without the ":" ).
If not many clients are connected we can force the AP to send us traffic. We first need to associate with it (otherwise it ignores our requests), then we can send packets and capture the IVs in the packets it returns to us.
For this, keep saving packets:sudo airodump-ng --bssid <bssid> --channel <channel> --write out wlan0mon
and do a fake auth (the 0 indicates that the attack is done once):sudo aireplay-ng --fakeauth 0 -a <AP bssid> -h <la MAC de wlan0mon> wlan0mon
In monitor mode, with ifconfig we see unspec instead of ether and the MAC looks longer, we need only the first 6 bytes:and for aireplay commands replace - by :
At this point we are only associated to the AP, not connected to it. There are several methods to generate traffic:
Crafted ARP packets
Wait till there is an ARP packet (sent by the clients already connected to the network). They will be encrypted but because of their length we know they can be ARP. We just relay them to the AP. The AP will respond to us with another packet with a new IV. We do this until we have enough IVs.
To do this (just befor this command run the --fakeauth just in case)
It is necessary to use a target client MAC with -h, the MAC of a client that is already connected to the network and sends valid IVssudo aireplay-ng --arpreplay -b <AP bssid> -h <target client MAC> wlan0mon
The -a used in other commands is replaced by -b for the BSSID and the --arpreplay doesn't have any number afterward
This captures packets until one of them is an ARP request, and then starts to generate traffic. Watch with airodump who many useful packets we have in #Data.
to capture useful ARP packets we either need to be associated with the AP (fakeauth) or use with aireplay-ng arpreplay the MAC of an associated client
Depending on the key length (64 or 128) bit it takes more IVs to crack the key
Stealthy sniffing
Just waiting for clients to send a lot of IVs to the AP can take a lot of time but it's stealty
Chop chop attack
Instead of replaying an ARP packet we determine the keystream of a packet, we craft a new packet with the keystream and inject it to the AP. The AP will respond with a new IV that we will replay, etc. Can be used when no clients are connected to the AP
The --fakeauth attack is only used against OPEN and WEP networks, it doesn't work against WPA/WPA2. Fake auth doesn't generate ARP packets. The lack of association with the access point is the biggest reason why injection fails, so we need to do fakeauth before trying to inject packets to WEP networks (ARP replay, chopchop, fragmentation attack). Sometimes you periodically get disassociation events. Some access points require to reassociate every 30 seconds, otherwise the fake client is considered disconnected. In this case, setup the periodic re-association delay:
If fake authentication is never successful (aireplay-ng keeps sending authentication requests) then MAC address filtering may be in place
more info and troubleshooting in: https://www.aircrack-ng.org/doku.php?id=fake_authentication
fragmentation attack
Similar to chop chop but we need to obtain 1500 bytes from the pseudo random generator algorithm (PRGA). With this attack another packet is forged, but it's faster than chop chop, although we need to be physically close to the AP so that it works better.
WEP SKA
Normally when we do fake auth with aireplay-ng to a WEP network we can see it becomes OPN, but some routers allow to configure Shared Key Authentication (SKA), which prevents that no one without that key can associate to the AP (unlike in OPEN networks, where anyone can associate). In networks with SKA set up we will see SKA after doing fake auth.
It is possible to deauthenticate a connected client, and capture the SKA when he reconnects. With this key we can associate to the AP and try the previous attacks to recover the WEP key.
We can also inject an ARP packet using the MAC address of the client which is already connected to the AP. With this we can generate traffic to recover IVs and still crack the WEP password, despite not having the SKA.
The 802.11w standard protects against deauth attacks, buth must be supported by both the client and the AP
When we have cracked a WEP or WPA key we can decrypt captured traffic in wireshark:
preferences > protocols > IEEE 802.11, check "enable decryption", edit the decryption keys y create new entries. For WEP, use the key in hex format.`
If we don't have wireshark we can do:
We can craft packets by modifying the ICV (integrity check value, that is, a CRC) and the plantext of a message and do so in a way that the AP thinks that the message is legitimate.
With this we can modify a Gratuitous ARP packet and change it to an ARP request packet, to repeat the ARP attack
Client devices store the keys of the networks they already connected to in the past. If we create a fake AP that looks like on of the stored APs in the client PNL, he will connect to us and send WEP-encrypted data with the target AP key. Sometimes it sends also Gratuitous ARP packets, to say its IP and MAC In these messages we won't find the target MAC, and the target IP and sender IP are the same (that of the client). We as an AP send requests to the client, and he will return responses to us, from where we get valid IVs that can be cracked as always.
We don't have a valid WEP keys for the crafted packets, but due to the properties of XOR we can modify the packets that he sends us, and they will still be valid.
Hirte attack
AP-less attack
WEP protection in which fake packets are sent into the air to make it difficult to crack WEP (they try to difficult the statistical attacks)
https://www.youtube.com/watch?v=Ra0dGPYScLQ
Before trying to crack WPA find out if WPS is enabled, which is easier to crack
Method to authenticate to WPA without the passphrase, only with a 8 character ping. It can be cracked faster because of its length, and once obtained, the WPA/WPA2 passphrase can be automatically recovered.
Requirements (hard to find nowadays)
WPS must be enabled
WPS must be using pin authentication and not PBC (Push Button Configuration). With option, a physical button in the router must be pushed to activate the use of WPS for some time interval. PBC usually is active by default in modern routers, or WPS is directly disabled by default.
Reaver outputs the WPS pin if it can find it, and thanks to it it also retrieves the passphrase (WPA-PSK), which we can use to connect to the network. Even if it finds it, it's an slow attack, it can take a few hours to complete, depending on the router AP configuration and the value of the pin (if it's one of the last ones reaver tries)
These attacks usually fail, there are several possible sources of problems. Reaver can say that the AP is deauthenticating us, among other error messages. If WPS cracking doesn't work right away it probably won't work at all. Even if an AP's WPS is not locked the attacks can fail for other reasons. For example, some routers timeout WPS after a short time since it was activated.
There are APs that don't use a pin. With bully and reaver we can use the -p '' option to check if the pin is empty
Some APs use a pin that is linked to the first three bytes of the BSSID. Airgeddon contains them in known_pins.db
To check if a certain BSSID has known default pins, use the first three bytes of the AP (without the colon symbols, in this case XXYYZ for a BSSID= XX:YY:ZZ:AA:BB:CC)
Try manually the pins returned, if any
troubleshooting the reaver: 1- If it says it cannot associate with the AP -> we need to associate manually with aireplay-ng --fakeauth in another terminal, and keep the fake auth running while we try the reaver attack (which we must run with the -A option, so that it doesn't try to associate itself to the AP, since we already are associated via aireplay-ng)
2- Reaver says WPS transaction failed, re-trying last ping (we can see this with -vvv for debugging output). Then it retries the same pin all the time. Sometimes (we can see in the output) this is due to the use of NACK packets. We can try with the option -N (or --no-nacks) to not send them.
3- If reaver says "Waiting for beacon from XX:XX:XX:XX:XX:XX" we need to specify the channel manually (-c parameter)
4- The AP can have rate limiting enabled, and change state to locked (Lck) after some failed attempts. If we suspect the AP locked WPS, run wash again to check if it's in the Lck state. We can deauthenticate permanently all clients connected, so that someone complains or restarts the AP, so that we can continue bruteforcing pins. This is very clumsy and noisy, and if the rate limiting occurs fast it's probably going to be useless, as we will quickly lock WPS again.
We can run this "permanent" deauth withsudo aireplay-ng --deauth 1000000000000 -a <AP bssid> wlan0mon
We can also try the mdk3 tool, which can cause DoS to some routers and perhaps force them to restart. Some routers unlock WPS when they restart
Clients connect in amounts of 500 and it may say that it is vulnerable, or it may not say it. When we reach about 10000 stop mdk3 and use wash to check if WPS got unlocked (if the AP rebooted it will take a while before we can get useful output from wash)
karma attack: the fake AP listens to probes sent by clients when they search for known APs and responds, telling them that he is the AP they are looking for
WPA-> TKIP (based on WEP). WPA only required firmware update, for that reason it was accepted quickly WPA2 -> CCMP (based on AES). WPA2 needs new hardware to compute AES faster
Cracking is time consuming because of the computation of the PBKDF2 function (4096 iterations for AES). A rainbow table can be precomputed:
genpmk -f <wordlist> -d precomputed-common -s home
And we can crack with a rainbow table attack:cowpatty -d <precomputed wordlist> -s <ESSID> -r <capture file.cap>
If we see a client probing for a network but the network is not there, probably it's using WPA/WPA2, we can create a honeypot with that network name and capture traffic with airodump, so that when he tries to connect to us we capture a handshake that we can try to crack
It is not possible to crack WPA3. But we can try downgrade clients to WPA2 to capture a crackable handshake. This can be done with an evil twin with only WPA2 and 802.11w set to "optional".
If 802.11w is disabled, a client may never try to connect, but WPA2 clients rarely use it (and sometimes don't handle it well). The combination of only using WPA2 and 802.11w set to "optional" will gives us the highest chance that a client will be willing to downgrade.
To achieve this in the hostapd configuration: - wpa value should be set to "2"
there shouldn't be a wpa_pairwise parameter
rsn_pairwise should be set to "CCMP" only
To enable 802.11w, we would set ieee80211w as a new parameter with the value of "1" (indicating it is optional).
The latter also requires that we add "WPA-PSK-SHA256" to wpa_key_mgmt.
Each user uses his own user and password (if client certificates are not used). Each user's traffic is encrypted with a different key.In WPA enterprise we attack the clients, not the AP nor the RADIUS
Companies usually create their own CA to validate their certificates and make our forged certificates fail. For that they need to install a company certificate in every client
EAP-TTLS -> server authenicates with certificate. Client can optionally use certificate. There are versions EAP-TTLSv0 and EAP-TTLSv1. Inner auth methods: PAP, CHAP, MSCHAP, MSCHAPv2
PEAP vs TTLS: EAP-TTLS has option to use client side certificate EAP-TTLS-PAP support (cleartext passord) EAP-PEAP is a wrapper around EAP carring the EAP for authenication TTLS is a wrapper around TLVs (type length values), which are RADIUS attributes
The server gives to the client a certificate, to make sure that the client sends credentials to a trusted server
WPA-Enterprise, authentication via a RADIUS server, not on the AP
We can host a RADIUS server with freeradius to handle authentication and hostap with custom certificates to create en evil twin of a WPA-Enterprise network
WPA Enterprise uses Extensible Authentication Protocol (EAP). EAP is a framework for authentication, which allows a number of different authentication schemes or methods.
Authentication is done using a Remote Authentication Dial-In User Service (RADIUS) server. The client authenticates using a number of EAP frames, depending on the agreed upon authentication scheme, which are relayed by the AP to the RADIUS server. If authentication is successful, the result is then used as Pairwise Master Key (PMK) for the 4-way handshake, as opposed to PSK, where the passphrase is derived to generate the PMK.
Authentication to a RADIUS server with most common EAP methods, requires the use of certificates on the server side at the very least. Some older, now deprecated EAP methods don't require certificates. Although a number of authentication schemes are possible, just some of them are commonly used, due to their security, and integration with existing OS. It is common to use a username and password to authenticate, which could be tied to domain credentials.
We'll go over a few EAPs commonly used on Wi-Fi networks.
EAP-TLS
EAP Transport Layer Security (EAP-TLS) is one of the most secure authentication methods, as it uses certificates on the server side and client side, instead of login and passwords, so the client and server mutually authenticate each other.
EAP-TTLS
EAP Tunneled Transport Layer Security (EAP-TTLS), as the name suggests, also uses TLS. As opposed to EAP-TLS, it does not necessarily need client certificates. It creates a tunnel and then exchanges the credentials using one of the few possible different inner methods (also called phase 2), such as Challenge-Handshake Authentication Protocol (CHAP), Authentication Protocol (PAP), Microsoft CHAP (MS-CHAP), or MS-CHAPv2.
PEAP (MS-CHAPv2 and others)
Similarly to EAP-TTLS, Protected Extensible Authentication Protocol (PEAP) also creates a TLS tunnel before credentials are exchanged. Although different methods can be used within PEAP, MS-CHAPv2 is a commonly used inner method.
PEAP and EAP-TLS mostly differ on how the data is exchanged inside the TLS tunnel.
PEAP hashes are of the type netNTLMv1, that can be cracked with -m 5500 in hashcat
The attack against WPA Enterprise consists in setting up a fake Access Point that imitates the target Access Point, so that clients connect to ours and in the process we capture hashes of their passwords, that can be cracked.
While it usually is not necessary, we will create a certificate similar to the one from the RADIUS server that the AP serves to its clients.
if no certificates are captured when the client reauthenticates, deauthenticate him again
We can check the validity by using openssl x509 -in CERT_FILENAME -noout -enddate where CERT_FILENAME is the .pem or .crt file.
We can now disable monitor mode
wireshark filter for packets with certificate: tls.handshake.certificate [[8 - wireshark#Tshark]]
With wireshark -> Packet Details > Extensible Authentication Protocol > Transport Layer Security > TLSv1 Record Layer: Handshake Protocol: Certificate > Handshake Protocol: Certificate > Certificates > Certificate. For each of them, right click > Export Packet Bytes. Alternatively, check with [[8 - wireshark#Tshark]]
install freeradius
Modify in folder /etc/freeradius/3.0/certs the files ca.cnf (certificate_authority section) and server.cnf (server section).
Run the following to regenerate diffie hellman with a 2048 bit key and create the certificates
The client error during the make command can be ignored, it's not necessary to create client certificates to get their hashes when they connect to us.
Run the command make destroycerts if you had previously created certificates, to start anew
If you don't have it, install hostapd-mana to create the fake Access Point:sudo apt install hostapd-mana
Also create the file /etc/hostapd-mana/mana.eap_user. Add the following contents to increase the chances of clients being able to connect to our fake AP
TIPS:
For testing you may need to change your client settings and turn off and on the wifi, while hostapd-mana remains running all the time, capturing creentials when connection attempts happen, and only if the configuration of the client is the right one for hostapd-mana to get hashes or credentials (EAP connections). at times hostapd-mana may behave strangely after many failed connections, just rerun it, but remember that most of the tweaking happens on the client when messing with the configuration, or if we want to generate traffic, just keep hostapd-mana running and turn off and on wifi on the client after changing the config.
The channel doesn't matter, but if we use the same as the original it's easier to monitor both networks at once with airodump
Disable monitor mode to host an AP with hostapd-mana
If we don't clone the BSSID the channel we use doesn't matter, but if we clone it, we must use a different channel to avoid errors
mana adds functions that hostapd doesn't have
Options in the configuration files of hostapd-mana
mana_wpe=1 -> to sniff credentials
mana_eapsuccess=1 -> To let the victim know that he was successful when connecting to us
mana_credout=<file> -> Saves creds to a file
eap_server=1 -> Use the internal EAP server, not an external one
enable_mana=1 -> karma attack, respond to every client that tries to connect to us, making him believe that we are the SSID that he is probing
host evil twin withhostapd_mana mana.conf
Attack PEAP-GTC
karma attack-> So that many clients can connect to us simultaneously
hostapd-mana returns strings to crack WPA-EAP in the following formats - asleap - john - hashcat I have found that sometimes one tool isn't able to crack it and other is (WTF?) so if one doesn't find the password try with other and the same dictionary
More info: https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/ https://www.youtube.com/watch?v=3FSLM1VY0SQ https://www.youtube.com/watch?v=XYgBw8mx9Jw
3 interfaces are needed:
wlan0 for hostapd-mana
wlan1 for sycophant
wlan2 recon and for deauthenticating clients
wlan0
file for hostapd-mana:
Run hostapd:hostapd-mana ap.conf
wlan1
sycophant configuration file:
In the last line we use the MAC of the interface with hostapd-mana (wlan0 in this case)
Run with./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan1
wlan2
Deauth a client connected to the target network so that it (hopefully) connects to our rogue AP, which will relay traffic to sycophantaireplay-ng -0 4 -a <target BSSID> -c <target client MAC> wlan2
We should see the connection in sycophant if everything goes well, and then in wlan2 we can do the following to get an IPdhclient -v wlan1
Tool to create fake APs
./eapmd5pass -w dict -r eapmd5-sample.dump
Evil twins can be in any channel, except if we clone the BSSID of the AP we want to impersonate, in which case the channel must be different. But APs with different BSSID and equal ESSID can coexist in the same channel.
If we get a connection in an evil twin, the connected client won't have internet access if we don't give him an IP with a dhcp server.
with hostapd, we need to be listening with airodump (on another wifi interface) at the same time that we host the fake ap, to capture handshakes of clients that try to connect to us, despite the PSK mismatch (since we don't know the real PSK but will crack it from their handshake to us)
Deauth a client if he doesn't connect to our APsudo aireplay-ng --deauth 4 -a <bssid> -c <client_MAC> wlan0mon
hostapd-mana is an enhanced version of hostapd. Both are used for hosting fake APs, but mana includes more options to do things like dump passwords obtained from the handshake. Hostapd-mana can read hostapd config files, but also includes other options
Install
Run
Parameters:
driver=nl80211 -> always the same for all linux devices
hw_mode=g -> 2.4 GHz y 54 Mb
auth_algs (this is for WEP, for WPA use the equivalent wpa parameter->
auth_algs=0 ->OPEN
auth_algs=1 ->WEP
auth_algs=2 -> Both
wep_key0 <- we can use up to 4
Type of security
wpa=3 -> activate both WPA and WPA2
wpa=2 -> activate only WPA2
wpa=1 -> activate only WPA
Type of authentication:
wpa_key_mgmt=WPA-PSK
wpa_passphrase=<passphrase> -> passphrase in the case of PSK auth, we can set anything here, we don't care it's wrong
Encryption type (if the target is exclusiveliy WPA1 or WPA2 use just one of the following):
wpa_pairwise=TKIP CCMP -> TKIP or CCMP encryption with WAP1
rsn_pairwise=TKIP CCMP -> TKIP or CCMP encryption with WPA2
- mana_wpaout-> where to save the captured handshakes (in a Hashcat hccapx format).
hostap with no encryption
hostap with wep
hostap with WPA-PSK
hostap with WPA2-PSK
alternative
Hosting several APs
Two different ESSIDs with the same wifi antenna (interface wlan1). With hostap, if we want to simulate several ESSIDs, the first one must use the keyword "interface" and the real interface name, and the next ones use the keyword "bss" and we use fictitious names, like wlan1_0. This can be used if a client probes different clients.
tls.handshake.certificate -> packets containing certificates (useful in WPA enterprise)
wlan.fc.type_subtype == 0x08 -> beacon frames
wlan.ssid == "XYZ" -> specify ESSID
wlan.bssid == 00:01:20:43:21:12 -> filter by BSSID
wlan.fc.type == X -> X represents frame types: 0 (management), 1 (control), 2 (data), and 3 (extension)
wlan.fc.subtype == X -> X represents frame subtypes
wlan.fc.type_subtype in {0x0 0x1 0xb} -> EAPoL frames
wlan.addr == xx.xx.xx.xx.xx.xx -> search for a certain client MAC address
More examples: https://www.wifi-professionals.com/2019/03/wireshark-display-filters
To transfer a capture file you can transfer it via scp, or encode it to base64 ( base64 wpa-eap-tls.pcap ) , copy the base64 displayed in screen (careful with large files, could result in data loss if the terminal doesn't contain many buffer lines) to a local file and decode it locally ( cat b64.txt | base64 -d > b64.pcap )