WIFI

Introduction

If the company has wireless access points (APs), an attacker could use them to gain access to the network infrastructure. Thus, the attacker should identify the communication stations and their clients for future attacks.

This section contains all the steps to identify rogue access points, hidden networks, connected devices, the APs' software, etc.

Interface

Monitor mode

To set up your interface in monitor mode, you must execute one of the following commands.

# airmon-ng
airmon-ng check kill
airmon-ng [start | stop] <INTERFACE>
# iwconfig
ifconfig <INTERFACE> down
iwconfig <INTERFACE> mode monitor # "managed" mode for normal use
ifconfig <INTERFACE> up

Then, after restoring your network card to managed mode, you should restart the network manager.

sudo service NetworkManager restart

Note: if you use virtual machines to perform penetration tests, you need to insert an external Wi-Fi adapter because some virtualisation software does not allow you to use the external Wi-Fi adapter in monitor mode.

Change Network card channel

To perform attacks using tools like aireplay-ng you need to change your network channel in order to be in the same channel as your victim's AP. To do so, you need to execute the following command.

iwconfig <IF> channel <CHANNEL>

Airodump-ng

After your wireless card is in monitor mode, you can start the scanning process with airodump in order to discover access points.

airodump-ng <MON_IF> [--band a]

You can force airodump to capture traffic on a specific channel and/or for a specific BSSID in order to filter the number of access points. With this method, you will be able to detect the clients associated with a specific AP.

airodump-ng [-c <CHANNEL>] [--bssid <BSSID>] [-w <PREFIX_NAME>] [--encrypt OPN|WEP|WPA|WPA1|WPA2|WPA3|OWE] <MON_IF>

The meaning of each column is the following:

  • BSSID: Access Point MAC Address.

  • PWR: Signal strength (The closer to zero, the stronger the signal is).

  • Beacons: Number of beacon packets sent by the AP. For an AP, if the number of beacons is 0, it is a hidden station.

  • #Data: Number of captured data packets.

  • #/s: Number of data packets per second, measured over the last 10 seconds.

  • CH: Channel number

  • MB: Maximum speed supported by the AP.

  • ENC: The encryption process (WEP, WPA, WPA2...).

  • CIPHER: The cipher algorithm used (TKIP -> WPA, CCMP -> WPA2, RC4 -> WEP).

  • AUTH: The authentication protocol used (PSK, MGT, SKA (WEP) or OPN).

  • ESSID: Wireless network name.

  • STATION (client): MAC address of each associated station/s searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of "(not associated)".

  • Rate: The station's receive rate.

  • Lost: The number of data packets lost over the last 10 seconds.

  • Frames: The number of packets sent by the client.

Wireshark filters

  • Beacon Frames: wlan.fc.type_subtype==0x08

  • Management Frames: wlan.fc.type==0x0

  • Control Frames: wlan.fc.type==0x1

  • Data Frames: wlan.fc.type==0x2

  • ToDS Frames: wlan.fc.tods==1

  • FromDS Frames: wlan.fc.fromds==1

  • Source MAC address: wlan.sa == <MAC_ADDRESS>

  • Destination MAC address: wlan.da == <MAC_ADDRESS>

  • Transmitter MAC address: wlan.ta == <MAC_ADDRESS>

Discovery

This phase of wireless pentesting consists of walking inside the client building or office, listening to as many channels as possible, and looking for different types of APs and clients.

To do so, you can use airodump-ng to store all the gathered information in one or several CSV files for later use.

The time invested will depend on the size of the building and the number of channels monitored.

Discovery of unauthorised access points (Rogue Access Points)

Unauthorized access points are any access points inside the company's perimeter, installed without authorisation from a system administrator, used for granting access to non-corporate devices to the company's internal network or letting corporate devices access the Internet bypassing any kind of security measures.

Once you have executed airodump-ng and walked around the office, you can obtain all the unauthorised APs.

cat <airodump-01.csv> | sed '1d' | sed '/^Station MAC.*$/,$ d' | csvcut -c 1,6,7,8,14 | csvsort -c 1 | grep -v '<SCOPE_BSSID_1>\|<SCOPE_BSSID_2>'

The command removes the clients and then obtains the following information from the APs that are not in the scope of the audit.

  • BSSID

  • Privacy

  • Cipher

  • Authentication

  • ESSID

If airodump has created several CSV files in the same folder, you can use the following one-liner to extract all the APs.

find . -name  'airodump*[[:digit:]].csv' | xargs -I {} bash -c "cat {} | sed '1d' | sed '/^Station MAC.*$/,$ d' | csvcut -c 1,6,7,8,14  | csvsort -c 5 | sed '1d'" | sort -t, -u -k 5 | sed  '1s/^/BSSID, Privacy, Cipher, Authentication, ESSID\n/' | csvgrep -c 1 -i -r '^$'  > APs.csv

To check the existence of these devices, you can compare the unauthorised devices found against a list of access points provided by the company. Another way is to check the behaviour of the devices like the authentication or encryption methods, etc.

If the client has provided you with a CSV file listing their APs, like so:

BSSID,ESSID,Location
XX:XX:XX:XX:XX:XX,WIFI_CORP_1,1st Floor (Reception)

You could use the following command to retrieve the Rogue Access Points.

cat <planta_X-01.csv> | sed '1d' | sed '/^Station MAC.*$/,$ d' | csvcut -c 1,6,7,8,14 | csvsort -c 1 | grep -v $(sed '1d' <CSV_SCOPE_FILE> |  csvcut -c 1 |awk 1 ORS='\\|' | sed   's/..$//')

Discovery of Hidden networks

A hidden network is a network whose access point does not broadcast the ESSID. Nonetheless, in order to access a hidden network, the client device must provide the SSID (name) of the network.

On airodump-ng these networks have an ESSID similar to <length:X>.

Finally, if you want to know the name of the hidden network there are two alternatives:

1. Deauthenticate all the clients and use Wireshark to gather the client connection packets, obtaining the ESSID.

2. Use brute force methods to obtain the name.

# Dictionary attack
mdk3 ath0 p -f <WORDLIST.TXT> -t <BSSID>  -c <CHANNEL>
# Brute Force
mdk3 ath0 p -b {a|l|u|n|c|m} -t <00:11:22:33:44:55> -c <CHANNEL> [-s 1]

Discovery of unauthorised clients

This section aims to obtain all the devices associated with the APs in the scope. Then, the client will have to check whether those devices must be connected to the wireless network or not.

cat <airodump-01.csv> | sed '0,/^\r.*/d' | sed '0,/^\r.*/d' | csvcut -c 1,6 | csvsort -c 2 -r | grep -v 'not associated'

The command obtains the following information from the client:

  • Station MAC address

  • Associated AP

To obtain all the clients from several CSV files, you can use this one liner:

find . -name  'airodump*[[:digit:]].csv' | xargs -I {} bash -c "cat {} | sed '0,/^\r.*/d' | sed '0,/^\r.*/d' | csvcut -c 1,6,7 | csvsort -c 2 -r | grep -v 'not associated'"
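The checks from "Discovery of unauthorised access points" and "Discovery of unauthorised clients", as an added Python example that is not part of the original page: it parses airodump-ng's two-block CSV directly, compares BSSIDs case-insensitively against the scope file, and marks out-of-scope APs that reuse a corporate ESSID. The capture and scope data are constructed samples and the function names are hypothetical.

```python
import csv, io

# Constructed sample in airodump-ng's CSV layout: AP block, blank line, station block.
CAPTURE = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:AA:AA:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 130, WPA2, CCMP, MGT, -48, 120, 10, 0.0.0.0, 11, WIFI_CORP_1,
AA:AA:AA:00:00:99, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, OPN, , , -40, 80, 0, 0.0.0.0, 11, WIFI_CORP_1,
BB:BB:BB:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -71, 40, 0, 0.0.0.0, 8, Printer7,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
CC:CC:CC:00:00:10, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -55, 30, AA:AA:AA:00:00:01, WIFI_CORP_1,HomeNet
CC:CC:CC:00:00:11, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -60, 4, (not associated), CafeFree
"""
SCOPE = "BSSID,ESSID,Location\naa:aa:aa:00:00:01,WIFI_CORP_1,1st Floor (Reception)\n"  # constructed

def parse_airodump(text):
    """Split an airodump-ng CSV into (aps, stations), each a list of dicts."""
    aps, stations, header, target = [], [], None, None
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if not any(cells):                 # blank line: a new section follows
            header = None
        elif header is None:               # first line of a section is its header
            header, target = cells, (aps if cells[0] == "BSSID" else stations)
        else:                              # probed ESSIDs contain commas: fold the overflow
            cells = cells[:len(header) - 1] + [",".join(cells[len(header) - 1:])]
            target.append(dict(zip(header, cells)))
    return aps, stations

def load_scope(text):
    """Return (set of in-scope BSSIDs, upper-cased; set of corporate ESSIDs)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return {r["BSSID"].strip().upper() for r in rows}, {r["ESSID"].strip() for r in rows}

def rogue_aps(aps, scope_text):
    """Out-of-scope APs as (BSSID, ESSID, Privacy, reuses_corporate_essid)."""
    known, names = load_scope(scope_text)
    return [(a["BSSID"], a["ESSID"], a["Privacy"], a["ESSID"] in names)
            for a in aps if a["BSSID"].upper() not in known]

def scope_clients(stations, scope_text):
    """(AP BSSID, station MAC) pairs for stations associated with in-scope APs."""
    known, _ = load_scope(scope_text)
    return sorted((s["BSSID"], s["Station MAC"]) for s in stations if s["BSSID"].upper() in known)

if __name__ == "__main__":
    aps, stations = parse_airodump(CAPTURE)
    print(rogue_aps(aps, SCOPE), scope_clients(stations, SCOPE), sep="\n")
```

An AP whose ESSID itself contains a comma spills into the Key column with this parser, so its ESSID is truncated and should be checked by hand.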

Discovery of known client device network preferences

The client devices periodically send a control frame called "probe request" containing a list of preferred networks. This procedure aims to search for known networks to connect to automatically.

This information can be helpful to find relationships between clients or create fake access points.

cat <airodump-01.csv> | sed '0,/^\r.*/d' | csvcut -c 1,6,7 | csvsort -c 3

As an alternative, you can use probequest to obtain more results.

Dependencies: pip3 install faker faker_wifi_essid

probequest <MON_ID> -w output.csv

Fingerprinting

Once the devices have been discovered, it is time to extract as much information about the devices as possible.

Identification of AP software

If WPS is enabled, you can obtain much information about the device with WPSIG.

./wpsig.py <IF>

It is also possible to use Wireshark, filtering by the target AP with wlan.sa == <MAC_AP> and looking at the "Tagged parameters".

Finally, you can use the AP MAC address to identify the device vendor with tools like mac_lookup or websites like dnschecker.org or aruljohn.com.

Supported capabilities

In the "Fixed parameters" section, you can obtain information regarding the capabilities that the AP has implemented, allows or is using.
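To show where the "Fixed parameters" and "Tagged parameters" displayed by Wireshark come from, the following added example (not from the original page) decodes a raw beacon frame in Python, including the zeroed SSID that airodump-ng reports as <length:X>. It assumes a frame without a radiotap header; the sample frame and the function names are constructed for illustration.

```python
import struct

def parse_beacon(frame):
    """Decode an 802.11 beacon (no radiotap header) into a dict of fields."""
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if (ftype << 4 | subtype) != 0x08:            # same test as wlan.fc.type_subtype==0x08
        raise ValueError("not a beacon frame")
    info = {"to_ds": flags & 1, "from_ds": flags >> 1 & 1, "bssid": frame[16:22].hex(":"),
            "ssid": None, "channel": None, "rsn": False, "wpa": False, "wps": False}
    # Fixed parameters: 8-byte timestamp, beacon interval, capability information
    _, info["interval"], cap = struct.unpack_from("<QHH", frame, 24)
    info["ess"], info["privacy"] = bool(cap & 0x0001), bool(cap & 0x0010)
    pos = 36
    while pos + 2 <= len(frame):                  # Tagged parameters: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                 # truncated capture: stop cleanly
        if tag == 0:                              # SSID; empty or all-zero means hidden
            hidden = not any(value)
            info["ssid"] = f"<length:{length}>" if hidden else value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:            # DS parameter set: current channel
            info["channel"] = value[0]
        elif tag == 48:                           # RSN element (WPA2 and WPA3)
            info["rsn"] = True
        elif tag == 221 and length >= 4 and value[:3] == b"\x00\x50\xf2":
            info["wpa"] |= value[3] == 1          # vendor-specific WPA element
            info["wps"] |= value[3] == 4          # vendor-specific WPS element
        pos += 2 + length
    # Privacy bit with neither an RSN nor a WPA element means WEP
    info["enc"] = ("OPN" if not info["privacy"] else "WPA2/WPA3 (RSN)" if info["rsn"]
                   else "WPA" if info["wpa"] else "WEP")
    return info

def build_sample(ssid):
    """Constructed beacon: broadcast DA, BSSID aa:aa:aa:00:00:01, channel 6, RSN + WPS."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bytes.fromhex("aaaaaa000001") * 2 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0011)   # interval 100, ESS + Privacy bits
    tags = (bytes([0, len(ssid)]) + ssid + bytes([3, 1, 6]) + bytes([48, 2, 1, 0])
            + bytes([221, 4, 0x00, 0x50, 0xF2, 4]))
    return hdr + fixed + tags

if __name__ == "__main__":
    print(parse_beacon(build_sample(b"\x00" * 11)))
    print(parse_beacon(build_sample(b"WIFI_CORP_1")))
```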

Analysis of insecure security protocols

Wireless network security relies on a combination of encryption processes, cypher algorithms, and authentication protocols to provide maximum protection for a WLAN. Depending on the encryption process, cypher algorithm, and authentication protocol used in the APs' set-up, the company's wireless security could be in danger.

All this information can be obtained by running airodump-ng against the company's APs.

Encryption methods

Nowadays, there are 4 publicly known encryption processes for obscuring information through wireless access points: WEP < WPA < WPA2 < WPA3. The latter is the most secure of all, but it is not yet widespread in the industry.

During a WiFi pentest, you must pay attention to the encryption methods used by the APs in the scope, alerting the client if they are using WEP or WPA and suggesting that they use at least WPA2 or WPA3.

Cypher methods

Depending on the encryption method, different cypher algorithms are used to transform the data into cyphertext that is unintelligible to any third party that intercepts the information.

| Cypher process | Cypher algorithm | Attacks breaking the encryption |
| --- | --- | --- |
| WEP | RC4 | Initialization Vector (IV) collision attack, Weak Key Attack, Reinjection Attack or Bit flipping attack. |
| WPA | TKIP | Cracking the password obtained during the initial 4-way handshake. |
| WPA2 | AES-CCMP | Cracking the password obtained during the initial 4-way handshake. |
| WPA3 | AES-CCMP or AES-GCMP | No known vulnerability in the cypher algorithm of the official standard. |

Authentication methods

After the discovery of a network, the authentication process is the second step to access a network even before encrypting the data. The commonly used authentication protocols in wireless networks are:

  • Open (OPN): No credentials are required to access the network. Any attacker can have access to the network.

  • WiFi Protected Setup (WPS): Allows users to access the network without needing to know the password, using a PIN generated by the router. Attackers can gain access by finding out the PIN through brute force attacks.

  • Pre-Shared Key (PSK): A pre-shared password is required to access the network. If the pre-shared password is weak, it can be guessed by the attacker through brute force or dictionary attacks.

  • Extensible Authentication Protocol (EAP): Users are required to authenticate themselves, using username and password, against an authentication server based on the 802.1x protocol. An attacker could perform social engineering attacks to obtain a user's credentials.

Small companies usually use WPA2-PSK because it is simpler to set up. However, it must be replaced by WPA2-EAP, which is more secure.

Depending on the authentication protocol used by the company, it is possible to gather more information that can be useful in future attacks.

WiFi Protected Setup (WPS)

The WiFi Protected Setup standard was created to minimise user interaction in small offices or domestic environments by simplifying the process of configuring security on wireless networks. However, the PIN can be obtained by performing brute-force attacks.

In order to perform this attack, we need to install wash and reaver on our system with the following commands.

sudo apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
git clone https://github.com/t6x/reaver-wps-fork-t6x
cd reaver-wps-fork-t6x*/
cd src/
./configure
make
sudo make install

Finally, you need to use wash to discover the networks whose APs have WPS enabled.

sudo wash -i <MON_IF> -s [-2 | -5] [-a]
  • -2: Scans for 2GHz APs.

  • -5: Scans for 5GHz APs.

  • -a: Show all APs, even those without WPS.

Extensible Authentication Protocol (EAP) enumeration

The EAP protocol can be configured for credential (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital certificate (EAP-TLS) authentication and is a highly secure method for protecting the authentication process.

Several tools can retrieve the authentication methods allowed by the network.

Note: Most of the tools are hard to install and might not work depending on the wireless network.

  • EAP_Buster: Lists what EAP methods are supported by the RADIUS server behind a WPA-Enterprise access point. Requires a valid identity (a.k.a. username) to perform the attack. To obtain a username, you can use crEAP (dependency: Scapy-com), which retrieves the username of a NEW login connection.

  • Eapeak: Gives useful information about WPA-Enterprise networks. Requires Scapy-com.

  • Audit-radius: Audits the authentication mechanisms on WiFi and ethernet.

  • Wifipem: Obtains the certificate used during a handshake.

  • Eaptyper: Enumerates the EAP methods supported by the WPA2-Enterprise AP.

Security countermeasures

A company must take for granted that sooner or later it is going to be attacked, and wireless APs are just another entry vector that attackers will try to exploit in order to access the company's networks. Therefore, it is necessary to put countermeasures in place that make the attackers' task more difficult.

Identification of wireless networks with generic ESSID

Using generic ESSIDs such as "WLAN_XXXX", "<ISP>_XXXX", "dd-wrt", "<COMPANY_NAME>_5G", etc., can help an attacker discover the APs of the company and perform some attacks. For instance, such an ESSID can reveal:

  • The access points belonging to the company. This is useful in a building with several companies on each floor.

  • The device model and whether it still has its factory configuration.

  • The router's key generation algorithm or the key format (Length, use of symbols, etc.) may be known.

Hence, it is encouraged to change the ESSID of the APs to make wireless attacks more difficult.

Verification of wireless signal area coverage

An incorrect network configuration could allow the networks' coverage to spread outside the company's perimeter, making it easy for attackers to interact with the network from a greater distance without the aid of dedicated hardware.

To perform a wireless site survey, there are many tools, and some require GPS gadgets. Nonetheless, you can use Google Maps, airodump-ng and csvkit to get a similar result in a markdown table format.

1. Go to Google Maps and look for the company's building. Then, click on "Layers/More/Satellite" and "Global view" to adapt the view of the building.

2. Choose the locations around the building where you will use airodump. If the company's office is in a building with different businesses, select points on each floor.

3. Use an image editor to add the points where you will retrieve the data with airodump.

4. Execute airodump-ng on each point, saving the information on a different file for each location.

5. Finally, retrieve each CSV file's information and convert it into a markdown table for each location.

find . -name  'airodump*[[:digit:]].csv' | xargs -I {} bash -c "cat {} | sed '1d' | sed '/^Station MAC.*$/,$ d' | csvcut -c 14,9,1 | sed '1d'  | csvsort  -c 1| csvgrep -c 1 -i -r '^$'" | sed '1s/^/ESSID, Power, BSSID\n/' | csvlook | tee <wsac.md>

The results for this task should be that the company's APs do not appear in any of the locations or that the "PWR" values are very low (the further from zero, the better).

| Signal strength | Quality to expect |
| --- | --- |
| >= -50 dBm | Excellent |
| ]-50,-60] dBm | Very good |
| ]-60,-70] dBm | Good |
| ]-70,-85] dBm | Poor |
| < -85 dBm | Unusable |

Wireless Intrusion Prevention Systems (WIPS)

Some companies might have wireless prevention systems to detect rogue access points or deauthentication attacks.

In this section, you should create a fake access point to check if the WIPS detects it or if it is taken down through deauthentication packets. Furthermore, you can use the tool airgeddon to perform deauthentication attacks and check if any alarm is triggered.
