WIFI

Introduction

Once you are inside the network, analyse it for further wireless-related vulnerabilities.

Capture and analysis of network traffic

Whether the network is open or WPA-PSK, analyse the traffic for important or sensitive information transmitted over clear-text protocols.

Open network

Because open networks do not encrypt the traffic, capturing and analysing it is straightforward.

To do so, use airodump-ng to dump all the data to files. Then filter the data and merge everything into a single cap file, which makes analysing all the traffic in Wireshark easier.

# Obtain the data
sudo airodump-ng <MON_IF> -c <CHANNEL> --bssid <TARGET_BSSID> -w <FILE_PREFIX>
# Filter data (one airodump-ng capture file per number, keeping only frames of the target BSSID)
seq -f %02g 1 <#CAP_FILES> | xargs -I {} bash -c "airdecap-ng -b <TARGET_BSSID> <FILE_PREFIX>-{}.cap -o /tmp/filtered_{}.cap"
# Append filtered data into a single capture
mergecap -a /tmp/filtered_*.cap -w open.cap

WPA-PSK

In the case of WPA-PSK the traffic is encrypted, so you need the key to decrypt it, and you must also capture the WPA handshake during the sniffing process (just deauthenticate some users). After that, the process is almost the same.

# Obtain the data and handshake
sudo airodump-ng <MON_IF> -c <CHANNEL> --bssid <TARGET_BSSID> -w <FILE_PREFIX>
# Decrypt data (one airodump-ng capture file per number; the handshake must be present in the capture)
seq -f %02g 1 <#CAP_FILES> | xargs -I {} bash -c "airdecap-ng -e '<TARGET_ESSID>' -p '<PSK_KEY>' <FILE_PREFIX>-{}.cap -o /tmp/decrypted_{}.cap"
# Append decrypted data into a single capture
mergecap -a /tmp/decrypted_*.cap -w decrypted.cap
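The analysis step that follows both captures above (searching the merged open.cap or decrypted.cap for credentials sent over clear-text protocols) can be scripted instead of done by hand in Wireshark. The following is an added example, not code from the original page: a minimal pure-Python pcap walker that flags FTP, POP3, Telnet and HTTP Basic credentials. It assumes an Ethernet-framed, little-endian pcap such as airdecap-ng writes by default; the sample pcap bytes are constructed inline so it runs offline.

```python
import struct

# Constructed sample pcap: an FTP "PASS", an HTTP request with Basic auth,
# and a TLS ClientHello (which must not be flagged). Built inline for offline use.
def _tcp_packet(src_port, dst_port, payload):
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst/src MAC, IPv4 ethertype
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 0x50, 0x18, 512, 0, 0)
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame    # pcap record header

PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
SAMPLE_PCAP = PCAP_HEADER + _tcp_packet(40000, 21, b"PASS hunter2\r\n") \
    + _tcp_packet(40001, 80, b"GET /admin HTTP/1.1\r\nHost: gw\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n") \
    + _tcp_packet(40002, 443, b"\x16\x03\x01\x00\x05hello")

# Clear-text credential indicators: (destination port, payload marker, label)
RULES = [
    (21, b"PASS ", "FTP password"),
    (23, b"", "Telnet session"),
    (80, b"Authorization: Basic ", "HTTP Basic credentials"),
    (110, b"PASS ", "POP3 password"),
]

def find_cleartext_credentials(pcap_bytes):
    """Walk the pcap and return a list of (dst_port, label) for each TCP payload matching a rule."""
    findings = []
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[offset:offset + 16])
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4             # IPv4 header length
        if frame[23] != 6:                       # protocol field: 6 = TCP
            continue
        tcp = frame[14 + ihl:]
        dst_port = struct.unpack("!H", tcp[2:4])[0]
        data_off = (tcp[12] >> 4) * 4            # TCP header length
        payload = tcp[data_off:]
        for port, marker, label in RULES:
            if dst_port == port and payload and marker in payload:
                findings.append((dst_port, label))
    return findings
```

Running it on the sample reports the FTP password and the HTTP Basic header while leaving the TLS packet alone; pointing it at a real merged capture only requires reading the file into `pcap_bytes`.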

Exposed network admin panels

Inside the network, scan the devices with tools such as Nmap to find network admin panels (ports 80, 443, 8080, etc.). These panels are typically located on the network gateway when the router also acts as the access point.

Then, try to access the panel using the default credentials or a dictionary brute-force attack.

In some cases the admin panel allows modifying the network segmentation, so it can be used to pivot or to set up port forwarding and reach other network resources.

Captive portal

Some wireless networks use a captive portal to authenticate users. Examine the captive portal for vulnerabilities that could lead to access to the device or to the network.

Web page

Captive portals use web pages that ask for credentials to verify the client's identity before allowing it onto the network.

In this task, evaluate the web security of the portal: try to bypass the authentication mechanism or exploit any other vulnerability that could compromise the company's security.

Unauthenticated access to other network segments

A captive portal places the client in a pre-authentication (quarantine) network until it authenticates and is moved to the internal network.

You need to check whether you can reach other networks from there. For that, you can use the following tools.

Outside traffic allowed

Users who are not yet authenticated and sit on the temporary network should not be allowed to send data to the Internet or to other networks until they authenticate.

To check this, try to resolve DNS names or ping hosts outside the network. If either works, you can use DNS or ICMP tunnels with the following tools:
