The Pentesting Guide

WIFI

Introduction

Once you are inside the network, it is time to analyse it, looking for further wireless-related vulnerabilities.

Capture and analysis of network traffic

Whether you encounter an open or a WPA-PSK network, you need to analyse the traffic for important or sensitive information transmitted over clear-text protocols.

Open network

Because open networks don't encrypt the traffic, capturing and analysing it is straightforward.

To do so, use airodump-ng to dump all the data into files. Then filter the data and merge everything into a single cap file, so the whole capture can be analysed in Wireshark at once.

# Obtain the data
sudo airodump-ng <MON_IF> -c <CHANNEL> --bssid <TARGET_BSSID> -w <FILE_PREFIX>
# Filter data
seq -f %02g  1 <#CAP_FILES> | xargs -I {} bash -c "airdecap-ng -b <TARGET_BSSID> <FILE_PREFIX>-{}.cap -o /tmp/filtered_{}.cap"
# Append filtered data
mergecap -a  /tmp/filtered_*.cap -w open.cap

WPA-PSK

In the case of WPA-PSK, the traffic is encrypted, so you need the key to decrypt it, and you must also capture the WPA handshake during the sniffing process (just deauthenticate some users so they reconnect). After that, the process is almost the same.

# Obtain the data and handshake
sudo airodump-ng <MON_IF> -c <CHANNEL> --bssid <TARGET_BSSID> -w <FILE_PREFIX>
# Decrypt data
seq -f %02g  1 <#CAP_FILES> | xargs -I {} bash -c "airdecap-ng -e '<TARGET_ESSID>' -p '<PSK_KEY>' <FILE_PREFIX>-{}.cap -o /tmp/decrypted_{}.cap"
# Append decrypted data
mergecap -a  /tmp/decrypted_*.cap -w decrypted.cap
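As an added example (not code from The Pentesting Guide or from the aircrack-ng project), the following Python script scans a merged capture such as open.cap or decrypted.cap for credentials sent over clear-text protocols, which is the analysis both the open-network and WPA-PSK sections above ask for. It assumes a classic libpcap file carrying Ethernet frames, which is what airdecap-ng writes once it has stripped the 802.11 headers; the sample capture embedded in the script is constructed, and the credential values in it are made up.

```python
"""Scan a libpcap capture for credentials sent over clear-text protocols.

Added example for this page; not code from The Pentesting Guide or aircrack-ng.
Assumes a classic libpcap file (not pcapng) with Ethernet link-layer frames, as
produced by airdecap-ng/mergecap. The sample capture below is constructed inline.
"""
import re
import socket
import struct

# Credential indicators for common clear-text protocols, keyed by server port.
CLEARTEXT_INDICATORS = {
    21:  ("FTP",  re.compile(rb"^(USER|PASS) (\S+)", re.M)),
    110: ("POP3", re.compile(rb"^(USER|PASS) (\S+)", re.M)),
    25:  ("SMTP", re.compile(rb"^(AUTH PLAIN) (\S+)", re.M)),
    80:  ("HTTP", re.compile(rb"^(Authorization: Basic) (\S+)", re.M | re.I)),
}


def _iter_records(data):
    """Yield (link_type, frame_bytes) for every record in a libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    link_type = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield link_type, data[off:off + incl_len]
        off += incl_len


def _tcp_payload(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                    # IP protocol 6 = TCP
        return None
    src_ip = socket.inet_ntoa(frame[26:30])
    dst_ip = socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, sport, dport, tcp[doff:]


def find_cleartext_credentials(pcap_bytes):
    """Return one finding per credential-bearing line seen in a clear-text protocol."""
    findings = []
    for link_type, frame in _iter_records(pcap_bytes):
        if link_type != 1:                                # 1 = LINKTYPE_ETHERNET
            continue
        parsed = _tcp_payload(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, _sport, dport, payload = parsed
        if dport not in CLEARTEXT_INDICATORS or not payload:
            continue
        proto, pattern = CLEARTEXT_INDICATORS[dport]
        for m in pattern.finditer(payload):
            value = m.group(2).decode(errors="replace")
            findings.append({
                "proto": proto, "src": src_ip, "dst": f"{dst_ip}:{dport}",
                "field": m.group(1).decode(),
                "value": value[:2] + "*" * (len(value) - 2),  # masked for the report
            })
    return findings


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: an FTP login, an HTTP Basic request and one TLS-port frame."""
    frames = [
        _frame("192.168.1.23", "192.168.1.10", 51000, 21, b"USER alice\r\n"),
        _frame("192.168.1.23", "192.168.1.10", 51000, 21, b"PASS Winter2023!\r\n"),
        _frame("192.168.1.42", "10.0.0.5", 52000, 80,
               b"GET /admin HTTP/1.1\r\nHost: 10.0.0.5\r\n"
               b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
        _frame("192.168.1.42", "10.0.0.5", 52001, 443, b"\x16\x03\x01\x00\x05hello"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for finding in find_cleartext_credentials(build_sample_pcap()):
        print(finding)
```

Run it on a real capture with find_cleartext_credentials(open("decrypted.cap", "rb").read()). Values are masked before they are reported so the finding can go straight into the report without copying live passwords; Wireshark's follow-stream view remains the place to confirm each hit.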

Exposed network admin panels

Inside the network, scan the devices with tools such as Nmap to find network admin panels (ports 80, 443, 8080, etc.). These panels are typically located on the network gateway when the router also acts as an access point. Then, try to access the panel using the default password or some dictionary brute force attack.

In some cases, the admin panel can modify the network segmentation, so you can use it to pivot or set up port forwarding to reach other network resources.

Captive portal

Some wireless networks use a captive portal to authenticate users. Examine the captive portal for vulnerabilities that could lead to access to the device or the network.

Web page

Captive portals use web pages that ask for credentials to verify the client's identity before allowing it onto the network.

Here you should evaluate the web application's security by bypassing the authentication mechanism or exploiting any other vulnerability that could compromise the company's security.

Unauthenticated access to other network segments

Captive portals place the client in an isolated holding network until it is authenticated and then move it to the internal network.

You need to check whether you can reach other networks from there. For that, you can use the following tools:

  • Netdiscover
  • Frogger2

Outside traffic allowed

Users who are not authenticated and still reside on the temporary network should not be allowed to send data to the Internet or other networks until they authenticate.

To check this, you can try to resolve DNS names or ping hosts outside the network. If they work, you can use DNS or ICMP tunnels with the following tools:

  • ICMPTX
  • iodine (DNS)
  • icmptunnel
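The DNS half of that check, as an added example that is not part of the original page: a Python script that sends a single A query to a resolver outside the guest segment and parses the reply. A parsed answer means the captive portal's isolation does not block DNS egress, which is exactly the condition under which a DNS tunnel such as iodine would work and which the network owner should close with a firewall rule. The resolver address 9.9.9.9 and the name example.com are assumptions; the response used in the offline self-check is constructed.

```python
"""Check whether an unauthenticated captive-portal client can reach external DNS.

Added example for this page, not code from The Pentesting Guide. RESOLVER and
QNAME defaults are assumptions; build_sample_response() is a constructed reply
used to exercise the parser offline.
"""
import random
import socket
import struct


def build_a_query(qname, txid):
    """Encode a standard recursive A query for qname with the given transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg, expected_txid):
    """Return the IPv4 addresses in the answer section, or raise on a bad response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    if flags & 0x000F != 0:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def dns_egress_allowed(resolver="9.9.9.9", qname="example.com", timeout=3.0):
    """Live check: True if a resolver outside the segment answers the query."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(qname, txid), (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return False               # no answer: DNS egress appears to be blocked
    return len(parse_a_answers(data, txid)) > 0


def build_sample_response(qname, txid, addr):
    """Constructed reply a resolver would send for build_a_query(qname, txid)."""
    query = build_a_query(qname, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR+RD+RA, one answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer


if __name__ == "__main__":
    # Offline self-check of the parser, then the live test from the guest segment.
    print(parse_a_answers(build_sample_response("example.com", 1, "192.0.2.1"), 1))
    print("external DNS reachable:", dns_egress_allowed())
```

A False result only shows that this resolver on UDP/53 is filtered; repeat the check with the portal's own resolver as the target, because a tunnel rides on recursive lookups that the local resolver forwards on the client's behalf, and a properly isolated guest segment answers only for the portal's own names until the client is authenticated.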

References

  • airdecap-ng
  • OWISAM

Last updated 2 years ago