WIFI
Introduction
If the company has wireless access points (APs), an attacker could use them to gain access to the network infrastructure. Thus, the attacker should identify the communication stations and their clients for future attacks.
This section contains all the steps to identify Rogue Access Points, Hidden networks, connected devices, the APs software, etc.
Interface
Monitor mode
To set up your interface in monitor mode, you must execute one of the following commands.
Then, after restoring your network card to manager mode you should restart the network manager.
Note: if you use Virtual Machines to perform penetrations tests, you need to insert an external Wi-Fi adapter because some visualisation software does not allow you to use the external Wi-Fi adapter in monitor mode.
Change Network card channel
To perform attacks using tools like aireplay-ng you need to change your network channel in order to be in the same channel as your victim's AP. To do so, you need to execute the following command.
Airodump-ng
After your wireless card is in monitor mode, you can start the scanning process with airodump in order to discover access points.
You can force airodump to capture traffic on a specific channel and/or for a specific BSSID in order to filter the number of access points. With this method, you will be able to detect the clients associated with a specific AP.
The meaning of each column is the following:
BSSID: Access Point MAC Address.
PWR: Signal strength (The closer to zero, the stronger the signal is).
Beacons: Number of beacon packets sent by the AP. For an AP, if the number of beacons is 0, it is a hidden station.
#Data: Number of captured data packets.
#/s: Number of data packets per second, measured over the last 10 seconds.
CH: Channel number
MB: Maximum speed supported by the AP.
ENC: The encryption process (WEP, WPA, WPA2...).
CIPHER: The cipher algorithm used.(TKIP -> WPA, CCMP -> WPA2, RC4 -> WEP).
AUTH: The authentication protocol used (PSK, MGT, SKA (WEP) or OPN).
ESSID: Wireless network name.
STATION (client): MAC address of each associated station/s searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)".
Rate: The station's receive rate.
Lost: The number of data packets lost over the last 10 seconds.
Frames: The number of packets sent by the client.
Wireshark filters
Beacon Frames:
wlan.fc.type_subtype==0x08
Management Frames:
wlan.fc.type==0x0
Control Frames:
wlan.fc.type=0x1
Data Frames:
wlan.fc.type=0.02
ToDS Frames:
wlan.fc.tods==1
FromDS Frames:
wlan.fc.fromds==1
Source MAC address:
wlan.sa == <MAC_ADDRESS>
Destination MAC address:
wlan.da == <MAC_ADDRESS>
Transmitter MAC address:
wlan.ta == <MAC_ADDRESS>
Discovery
This phase of wireless pentesting consists of walking inside the client building or office, listening to as many channels as possible, and looking for different types of APs and clients.
To do so, you can use airodump-ng to store all the gathered information in one or several CSV files for later use.
The time invested will depend on the size of the building and the number of channels monitored.
Discovery of unauthorised access points (Rogue Access Points)
Unauthorized access points are any access points inside the company's perimeter, installed without authorisation from a system administrator, used for granting access to non-corporate devices to the company's internal network or letting corporate devices access the Internet bypassing any kind of security measures.
Once you have executed airodump-ng and walked around the office, you can obtain all the unauthorised APs.
The command removes the clients and then obtains the following information from the APs that are not in the scope of the audit.
BSSID
Privacy
Cipher
Authentication
ESSID
If airodump has created several CSV files on the same folder, you can use the following line liner to extract all the APs.
To check the existence of these devices, you can compare the unauthorised devices found against a list of access points provided by the company. Another way is to check the behaviour of the devices like the authentication or encryption methods, etc.
If the client has provided you a CVS file with their APs like so:
You could use the following command to retrieve the Rogue Access Points.
Discovery of Hidden networks
A hidden network is a network whose access point does not broadcast the ESSID. Nonetheless, in order to access a hidden network, the client device must provide the name SSID of the network.
On airodump-ng these networks have an ESSID similar to <length:X>
.
Finally, if you want to know the name of the hidden network there are two alternatives:
1. Deauthenticate all the clients and use Wireshark to gather the client connection packets, obtaining the ESSID.
2. Use brute force methods to obtain the name.
Discovery of unauthorised clients
This section aims to obtain all the devices associated with the APs in the scope. Then, the client will have to check whether those devices must be connected to the wireless network or not.
The command obtains the following information from the client:
Station MAC address
Associated AP
To obtain all the clients from several CSV files, you can use this one liner:
Discovery of known client device network preferences
The client devices periodically send a control frame called "probe request" containing a list of preferred networks. This procedure aims to search for known networks to connect to automatically.
This information can be helpful to find relationships between clients or create fake access points.
As an alternative, you can use probequest to obtain more results.
Dependencies: pip3 install faker faker_wifi_essid
Fingerprinting
Once the devices have been discovered, it is time to extract as much information about the devices as possible.
Identification of AP software
If WPS is enabled, you can obtain much information about the device with WPSIG.
Also, it is possible using Wireshark, filtering by the target AP wlan.sa == <MAC_AP>
and looking at the "Tagged parameters".
Finally, you can use the AP MAC address to identify the device vendor with tools like mac_lookup or webs like dnschecker.org or aruljohn.com.
Supported capabilities
In the "Fixed parameters" section, you can obtain information regarding the capabilities that the AP has implemented, are allowed or are being used.
Analysis of insecure security protocols
Wireless network security relies on a combination of encryption processes, cypher algorithms, and authentication protocols to provide maximum protection for a WLAN. Regarding the type of encryption process, cypher algorithm, and authentication protocol used in the APs set-up, the company's wireless security could be in danger.
All this information can be obtained by running airodump-ng against the company's APs.
Encryption methods
Nowadays, there are 4 publicly known encryption processes for obscuring information through wireless Access points: WEP < WPA < WPA2 < WPA3. Being the latter the most secure of all, but not so well spread in the industry nowadays.
During a WiFi pentest, you must pay attention to the encryption methods used by the APs in the scope, alerting the client if they are using WEP or WPA and suggesting them to use at least the WPA2 or WPA3 algorithms.
Cypher methods
Regarding the encryption method, different cyphers algorithms are used to transform the data into some kind of cyphertext that would be non-understandable for any third party that would intercept the information.
Authentication methods
After the discovery of a network, the authentication process is the second step to access a network even before encrypting the data. The commonly used authentication protocols in wireless networks are:
Small companies usually use WPA2-PSK because it is simpler to set up. However, it must be replaced by WPA2-EAP because it is more secure.
Depending on the authentication protocol used by the company, it is possible to gather more information that can be useful in future attacks.
WiFi Protected Setup (WPS)
The WiFi Protected Setup standard was created to minimise user interaction in small offices or domestic environments by simplifying the process of configuring security on wireless networks. However, the PIN can be obtained by performing brute-force attacks.
In order to perform this attack, we need to install wash and reaver to our systems with the following commands.
Finally, you need to use wash to discover the networks whose APs have WPS enabled.
-2
: Scans for 2GHz APs.-5
: Scans for 5GHz APs.-a
: Show all APs, even those without WPS.
Extensible Authentication Protocol (EAP) enumeration
The EAP protocol can be configured for credential (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital certificate (EAP-TLS) authentication and is a highly secure method for protecting the authentication process.
Several tools can retrieve the allowed authentication processes by the network.
Note: Most of the tools are hard to install and might not work depending on the wireless network.
EAP_Buster: Lists what EAP methods are supported by the RADIUS server behind a WPA-Enterprise access point. Requires a valid identity .aka username to perform the attack. To obtain a username, you can use crEAP (Dependency: Scapy-com ), which retrieves the username of a NEW login connection.
Audit-radius: Audits the authentication mechanisms on WiFi and ethernet.
Wifipem: Obtains the certificate used during a handshake.
Eaptyper: Enumerates the EAP methods supported by the WPA2-Enterprise AP.
Security countermeasures
A company must have for granted that sooner or later is going to be attacked, and having wireless APs is just another entry vector that the attackers will try to exploit in order to access the company's networks. For doing so, it is necessary to install some countermeasures to difficult the task for the attackers.
Identification of wireless networks with generic ESSID
Using generic ESSIDs such as "WLAN_XXXX", "<ISP>_XXXX", dd-wrt, "<COMPANY_NAME>_5G", etc., can help an attacker discover the APs of the company and perform some attacks. For instance:
The access points belonging to the company. This is useful in a building with several companies on each floor.
It can indicate the device and if its configuration is as it comes from the factory.
The router's key generation algorithm or the key format (Length, use of symbols, etc.) may be known.
Hence, it is encouraged to change the ESSID of the APs to difficult performing wireless attacks.
Verification of wireless signal area coverage
An incorrect network configuration could allow the networks' coverage to spread outside the company's perimeter, making it easy for attackers to interact with the network from a greater distance without the aid of dedicated hardware.
To perform a wireless site survey, there are many tools, and some require GPS gadgets. Nonetheless, you can use Google Maps, airodump-ng and csvkit to get a similar result in a markdown table format.
1. Go to Google Maps and look for the company's building. Then, click on "Layers/More/Satellite" and "Global view" to adapt the view of the building.
2. Choose the locations around the building where you will use airodump. Suppose the company's office is in a building with different businesses, select points on each floor.
3. Use an image editor to add the points where you will retrieve the data with airodump.
4. Execute airodump-ng on each point, saving the information on a different file for each location.
5. Finally, retrieve each CSV file's information and convert it into a markdown table for each location.
The results for this task should be that the company's APs do not appear in any of the locations or that the "PWR" values have high lower values (the further from cero, the better).
Wireless Intrusion Prevention Systems (WIPS)
Some companies might have wireless prevention systems to detect rogue access points or deauthentication attacks.
In this section, you should create a fake access point to check if the WIPS detects it or if it is taken down through deauthentication packages. Furthermore, you can use the tool airgeddon, trying to perform deauthentication attacks to check if any alarm is triggered.
References
Last updated