WIFI
The WIFI section of the Information Gathering phase explained how to discover the company's wireless access points and their clients. In this section you will find some methods for cracking them.
In addition to their authentication methods, some networks also enforce access control lists based on the MAC address of the devices. Nevertheless, this can be bypassed pretty easily by changing the attacker's MAC address to that of one of the network's stations.
Depending on the authentication mechanisms implemented by the wireless network, different methods exist to retrieve the password needed to access it. However, all of these mechanisms end up requiring brute-force attacks.
In order to obtain the PIN we can use or .
-K: Run the pixiedust attack
-vv: Verbose
-N: Do not send NACK messages when out-of-order packets are received
-w: Mimic a Windows 7 registrar
-f: Disable channel hopping
Note: I have not been able to obtain the PIN on any single AP.
If the WPS PIN has been found, we can ask the AP to provide the WPA key.
Note: The application can crash while attacking the AP; keep trying until you obtain the WEP key.
The attack process is the following:
1. Capture the target AP's traffic.
2. Deauthenticate a client or the entire network (more chances of obtaining a handshake). Keep repeating this step until you see the "WPA handshake: XXXXX" message in airodump-ng.
3. Crack the password with a dictionary attack using aircrack-ng or hashcat, the latter being faster.
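The deauthentication in step 2 is also the part of this attack a defender can see on the air. The following is an added example, not code from the original page: a small Python detector that parses raw 802.11 management frames and alerts when a BSSID appears in a burst of deauthentication/disassociation frames within a short window. It assumes the radiotap header has already been stripped, and every MAC address and frame in the sample is constructed.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH, DISASSOC, BEACON = 0x0C, 0x0A, 0x08      # 802.11 management subtypes

def parse_mgmt_frame(frame):
    """Parse the 24-byte MAC header of a raw 802.11 management frame (radiotap
    already stripped, an assumption here). Returns None for other frame types."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:        # type 0 = management
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    info = {"subtype": frame[0] >> 4, "receiver": mac(frame[4:10]),
            "transmitter": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if info["subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]   # reason code, little-endian
    return info

def build_mgmt(subtype, receiver, transmitter, bssid, reason=None):
    """Build a minimal management frame; used here only to construct sample input."""
    frame = bytes([subtype << 4, 0, 0, 0])                     # frame control + duration
    for addr in (receiver, transmitter, bssid):
        frame += bytes.fromhex(addr.replace(":", ""))
    frame += b"\x00\x00"                                       # sequence control
    return frame + (struct.pack("<H", reason) if reason is not None else b"")

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_frame). Alerts once per BSSID when more
    than `threshold` deauth/disassoc frames arrive within `window` seconds; a
    broadcast receiver address means the whole cell is being kicked off."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in frames:
        info = parse_mgmt_frame(raw)
        if not info or info["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[info["bssid"]]
        q.append(ts)
        while ts - q[0] > window:                              # drop frames outside the window
            q.popleft()
        if len(q) > threshold and info["bssid"] not in alerts:
            alerts[info["bssid"]] = {"count": len(q), "reason": info.get("reason"),
                                     "broadcast": info["receiver"] == BROADCAST}
    return alerts

# Constructed sample (addresses made up): AP_OK beacons and sends one ordinary deauth;
# AP_HIT's BSSID then appears in a burst of 25 broadcast deauths within 0.25 s.
AP_OK, AP_HIT = "02:00:00:00:aa:01", "02:00:00:00:bb:02"
SAMPLE = [(t / 10, build_mgmt(BEACON, BROADCAST, AP_OK, AP_OK)) for t in range(20)]
SAMPLE += [(0.5, build_mgmt(DEAUTH, "02:00:00:00:cc:03", AP_OK, AP_OK, reason=3))]
SAMPLE += [(1.0 + i / 100, build_mgmt(DEAUTH, BROADCAST, AP_HIT, AP_HIT, reason=7)) for i in range(25)]
```

On a real capture the threshold and window should be tuned to the site; a single legitimate deauth (as from AP_OK here) never trips the detector.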
Note: If you want to perform a brute force attack to crack the password, you can use the following command.
EAP-MD5 is a legacy authentication mechanism that does not provide sufficient protection for user authentication credentials. Users who authenticate with EAP-MD5 expose their credentials to an offline dictionary attack.
WPA-EAP APs require a username and a password to authenticate against the network. You can use the following wireless tools to brute-force some credentials.
Note: These tools are sometimes hard to set up in up-to-date environments and, depending on the authentication protocol, might not work.
Furthermore, another test that could be performed is trying to lock out user accounts: using an account provided by the company, make a large number of failed login attempts.
The wireless phishing attack consists of creating an evil twin AP while performing a deauthentication attack against the target AP, tricking the victim into logging into our fake AP and handing over some credentials.
For environments that use WPA/WPA2 with Pre-Shared Key authentication, like a home or a small business, several tools can be used to create a fake access point that tricks the victim into providing the key. These tools are:
In order to obtain credentials to access the network, you can create fake access points such as evil twins, making the client connect to your AP and provide the credentials for later use.
For this type of attack you can choose between eaphammer and hostapd-wpe, depending on your hacking environment, i.e. whether you are using a WiFi Pineapple or a Kali machine.
Installation & Configuration
Because the version in the Kali Linux repositories has a programming error, you need to download the one from the GitHub repository.
Attack
To set up the rogue access point use the following command, and do not forget to deauthenticate the original AP.
With hostapd-wpe we can create a fake RADIUS AP that users log into, capturing their credentials; these will then require a post-cracking phase.
On the latest version of the Pineapple it is more challenging to install, because there are no modules available in the repositories. So, you will need to execute the following commands.
Configuration
Then, we need to modify the hostapd-wpe.conf file, setting the wireless interface we are going to use, the name of the SSID we want to spoof and the channel on which that AP broadcasts.
Attack
After that, we need to deauthenticate the victim AP, execute hostapd-wpe and wait for users to log in. To do so, execute the following commands.
Deauthenticate the AP:
Execute hostapd-wpe:
-k: Karma mode (respond to all probes)
-s: Return success where possible
Note: The device is never going to be able to connect to the AP and get Internet access; it will automatically be disconnected due to wrong credentials. That occurs because our fake RADIUS server does not have the credentials the victim is providing.
Finally, we need to put every hashcat NETNTLM hash into a file for offline cracking.
It may be the case that you need an access point with internet access for personal reasons or for man-in-the-middle attacks. Whatever the case, here's how to do it.
Note: The environment is a Kali VM; it might not work on other distros or might require more steps.
Note 2: Depending on your network card, you might not be able to log in despite the ESSID being broadcast; try using another card.
1. You need to install the following programs.
2. Modify the file /etc/dnsmasq.conf so that dnsmasq provides a DHCP server.
3. Because Kali comes with systemd-resolved, you need to avoid conflicts with dnsmasq. To do so, edit the file /etc/systemd/resolved.conf and add the following line.
4. Add a user to log into the AP. To do so, you need to edit the file /etc/hostapd-wpe/hostapd-wpe.eap_user. Here you have some examples:
5. Configure the machine to allow IP forwarding persistently.
Every time you restart your virtual machine, you will need to set a static IP on your external network card and restart dnsmasq so that it detects the wlan0 interface with an IP.
Finally, you need to execute hostapd with the configuration file at /etc/hostapd-wpe/hostapd-wpe.conf. There you can change the channel, ESSID, protocols, etc.
After detecting the WEP target network, the attacker can use (it also works for WPA with -W), which does the job pretty easily, returning the WEP key in hexadecimal (it can be converted using a hex-to-ASCII converter). Nonetheless, you can always use aircrack-ng to obtain the ASCII version: aircrack-ng <WEP.PCAP>.
WPA2 replaced WEP due to its . However, WPA2-PSK still has flaws because the encrypted Pre-Shared Key (PSK) is exchanged during the 4-way handshake. Hence, an attacker can sniff those network packets and crack the password offline later.
The tool can be used to retrieve the EAP-MD5 authentication exchange and start a dictionary attack against the user's password.
creates an evil twin in order to retrieve the handshake for later cracking.
After obtaining the handshake, it needs several transformations before it can be cracked with hashcat. You need to use hcxhash2cap and hcxpcapngtool from to transform the hccapx file into a hash.
in a very simple way creates a fake access point with a phishing web page (it can be changed), inducing the victim to enter the wireless AP key. Furthermore, if a second wireless network interface is provided, it also performs a deauthentication attack against the victim AP.
(Not tested)