Pentesting WiFi

Authentication Types and Protocol Information

WEP

• Wired Equivalent Privacy
• Original wifi security protocol, basic encryption but pretty easy to breach

WPA

• wifi Protected Access
• Better encryption via Temporal Kep Integrity Protocol, but still not as great as new standards

WPA2

• wifi Protected Access 2
• Uses AES for better security, standard for many years

WPA3

• wifi Protected Access 3
• Individualized data encryption and better password-based authentication; currently the best option

IEEE 802.11 Frames and Types

• Uses a MAC frame with 9 fields
  • Frame Control: Type, subtype, protocol version, order, and so on
  • Duration: Amount of time in which wireless medium is occupied
  • Address 1/2/3/4: MAC addresses involved in the communication (BSSID of access point (AP); client MAC)
  • Sequence Control (SC): Info to prevent duplicate frames
  • Data: The data transmitted to the receiver
  • Cycle Redundancy Check (CRC): 32-bit checksum
• Frame Types (what does the frame do):
  • Management (00): Used for management and control, allowing AP/client to control connection
  • Control (01): Used for managing transmission and reception of data frames (sort of a quality control)
  • Data (10): Contain data for transmission
• Management Frame Sub-Types:
  • Beacon Frames (1000): Frame used by AP to communicate its presence to client (supported ciphers, auth types, SSID, supported data rates)
  • Probe Request/Response (0100/0101): Client sends to discover nearby APs, which APs then respond to
  • Authentication Request/Response (1011): Sent by client to initiate connection process, used mainly to identify client to AP
  • Association/Reassociation Request/Response (0000/0001/0010/0011): Sent after performing authentication, informs AP of client’s capabilities; AP responds back with success/denial based on client capabilities
  • Disassociation/Deauthentication (1010, 1100): Sent by client to access point to terminate connection; contain a reason code listing reason for disconnection
• To identify these frames in Wireshark, use (wlan.fc.type == {frame_type_decimal}) && (wlan.fc.type_subtype == {frame_subtype_decimal})
  • For example, a beacon frame would look like (wlan.fc.type == 0) && (wlan.fc.type_subtype == 8), as the management frame ID is 00 and the decimal representation of a beacon frame ID is 8

Connection Cycle in Full

1. AP sends beacon frames out
2. Client notices AP, sends probe request
3. AP responds to probe request
4. Client sends authentication request to AP
5. AP responds with authentication response
6. Client sends association response
7. AP sends association response
8. Client performs EAPOL (handshake) if using WPA2+

Authentication Methods

Open System Authentication

• No shared secrets/credentials for initial access
• Usually used in open networks (allowing any device to connect without verification)

Shared Key Authentication

• Each side computes a challenge/response based on a shared key (a network password, e.g. 12345678), with WPA2 being:
  • The AP sends a nonce (ANonce) value to the client, which the client uses (alongside the shared key and both MAC addresses) to generate the Pairwise Master Key (PMK)
  • Client responds with a new nonce (SNonce) and the Message Integrity Code (derived from PMK with HMAC)
  • AP decrypts challenge and sends back success/failure
• WPA3 adds on additional security checks protecting against brute force attacks

WiFi Interfaces

• For external wifi adapters, drivers need to be installed to use wifi networks (as opposed to something like a laptop with the drivers preinstalled)

Interface Strength

• Pentesting wifi networks often comes down to physical positioning, so we can ramp up the strength of or card using iwconfig
  • This will tell us what interfaces we have available and at what strength (Tx-Power they’re operating at)
    • This often correlates with the country we’re in, as some countries make it illegal to increase this
  • Need to first set the interface down with sudo iwconfig {interface_like_wlan0} down
  • Then, increase the strength with sudo iwconfig {interface} txpower 30
    • Default is 20 dBm, but it can be increased to 30 as shown
  • Then, just set the interface back up with sudo iwconfig {interface} up
• List information about our interfaces with iw list, like what our interface supports
  • List available channels for our interfaces with iwlist {interface} channel
  • We can then configure our interface to use a specified available channel by setting the interface down, doing sudo iwconfig {interface} channel {channel_number}, and then bringing the channel back up
    • Similar story for setting frequency with freq "{desired_frequency_like_5.52G}"
• Scan for wifi networks with iwlist {interface} scan
  • To reduce to manageable information, use | grep 'Cell\|Quality\|ESSID\|IEEE'

Interface Modes

• Interfaces can have different modes depending on what we need them to do
• After setting the interface as down, we can change the mode with sudo iwconfig {interface} mode {mode}
• Managed mode
  • Have our interface act as a client/station (authentication to APs, have basic service set, and actively search for APs to connect to)
  • Usually the default, set with managed mode as shown above
  • Can then connect to a network with sudo iwconfig {interface} essid {AP_ESSID}
• Ad-hoc mode
  • Peer-to-peer mode and allows direct communication between wireless interfaces
  • Set to ad-hoc same as above
• Master mode
  • Essentially an AP/router mode
    • Useful for rogue AP or evil-twin attacks (trying to get people to connect to us)
  • Can’t simply just be set as a mode, requires a daemon and configuration
    • We can use hostapd for this, making a config file like below and using sudo hostapd {config_file} to bring it up

interface={interface}
driver=nl80211
ssid={network_name}
channel=2
hw_mode=g

• Mesh mode
  • Sets interface to join a self-configuring and routing network
    • Common in business applications with large coverage across a physical space
  • sudo iw dev {interface} set type mesh
• Monitor mode
  • Promiscuous mode where all wireless traffic will be captured regardless of intended recipient
  • Bring interface down, run sudo iw {interface} set monitor control, and then bring it back up

Aircrack-ng

• Pretty comprehensive suite of tools meant for testing wifi
• Has tools focusing on monitoring, attacking, testing, and cracking

Airmon-ng

• Can be used to enable monitor mode on wireless interfaces
• Run sudo airmon-ng without params to show interface info
• Turn interface into monitor mode using airmon-ng start {interface}
  • Sometimes other processes can interfere, which we can check for with airmon-ng check
  • Make sure it’s running with iwconfig, which should show something like {interface}mon
• We can also monitor only a single channel with start {interface} {channel_number}
• Stop monitor mode with airmon-ng stop {interface}mon

Airodump-ng

• Used for capturing raw 802.11 frames and generating information files for scripting or investigation
• We first need monitor mode to be on, so airmon-ng start {interface}
• Then, start with airodump-ng {interface}mon
  • Can specify channels with -c {channel_number}
• Airodump scans 2.4GHz by default, so scan 5 GHz with --band a
  • a uses 5 GHz, b and g use 2.4 GHz
  • Can also just specify all three with --band abg
• Write to files with --write {prefix}, which will generate csv, cap, and netxml files

Airgraph-ng

• Used to graphically represent networks using information captured by airodump
• Color-coded by encryption type
  • Green for WPA, yellow for WEP, red for open networks, and black for unknown
• Run with sudo airgraph-ng -i {main_csv_file} -g CAPR -o {output_png_name}

Aireplay-ng

• Mainly used for generating traffic for later use in aircrack-ng (to crack the WEP/WPA-PSK keys)
• Has multiple attacks for causing deauthentication and capturing WPA handshake data
  • Can run aireplay-ng on its own to see the different attack types and names
  • Run an attack with -{attack_number} or the name of the attack with --{attack_name}
• Start by setting a channel with something like airmon-ng start {interface} 1
  • This will put the interface in monitor mode and set the channel to 1
• Then, test the interface with sudo aireplay-ng --test {interface}mon and look for Injection is working!
• Performing a deauthentication attack (mode 0)
  • First, start airodump-ng on the monitoring interface (sudo airodump-ng {interface}mon -w), as it will capture the reauthentication packets
    • We’ll need the MAC addresses of the AP and an active client to deauthenticate (which airodump-ng will show as well)
      • These will come in BSSID/STATION combinations, where BSSID is the AP’s MAC and STATION is the client’s MAC
    • -w causes it to save these packets to a pcap file
  • Then, perform the attack with sudo aireplay-ng -0 {number_of_deauths_to_send} -a {AP_MAC} -c {client_MAC} {interface}mon
    • We can continuously deauth the client by setting the number of deauths to send to 0

Aircrack-ng

• Used for cracking WEP and WPA/WPA2 networks offline
• Cracking WEP:
  • Use airodump-ng with --ivs to save a lot of Initialization Vectors
  • Once enough are captured, we use -K to use the Korek WEP cracking method on the .ivs file
    • aircrack-ng -K {ivs_file}
• Cracking WPA/WPA2:
  • Can only be accomplished via a dictionary attack, where a wordlist is passed with -w
    • aircrack-ng {pcap_file} -w {wordlist}

Airdecap-ng

• Used for decrypting wireless capture files after we’ve obtained a network key (WEP, WPA PSK, WPA2 PSK)
  • Usage: airdecap-ng -k [WPA_PSK_in_hex] {pcap_file}
    • If we have a passphrase instead of a key, we can use -p {passphrase} -e {network_ESSID_name} instead
  • For a WEP key: airdecap-ng -w {WEP_key_in_hex} {pcap_file}
• Generates a new -dev.cap file containing the decrypted version, which we can then open in Wireshark
• Also useful for removing useless frames not relevant to analysis with -b {AP_BSSID_MAC}

Misc

Connecting to Networks via CLI

• WEP: Specify wep.conf file as shown below and connect with sudo wpa_supplicant -c wep.conf -i {interface}
  • Then, just use dhclient to obtain an IP address
    • If we have an old IP address, we can kill it with -r

network={
	ssid="{network_name}"
    key_mgmt=NONE
    wep_key0={WEP_hex_key}
    wep_tx_keyidx=0
}

• WPA: Specify wpa.conf file with network name and password, and connect with sudo wpa_supplicant -c wpa.conf -i {interface}
  • Then just run dhclient

network={
	ssid="{network_name}"
    psk="{network_passphrase}"
}

• WPA Enterprise: Similar process, but our config file is larger (identity provided):

network={
  ssid="{network_name}"
  key_mgmt=WPA-EAP
  identity="{domain}\{user}"
  password="{domain_password}"
}

Finding Hidden SSIDs

• Sometimes networks will not broadcast their SSID as a form of security, though superficial
• We can just listen for these networks using airodump-ng -c 1 {interface}mon on a monitoring interface
  • This won’t reveal the SSID, but we can deauth users to find the SSID with airodump-ng
• If it’s a WPA3 network, we can’t perform deauthing attacks, so we’ll need to brute force the SSID
  • We can use mdk3 on an interface in monitoring mode for this task
    • Brute force with all possible values: sudo mdk3 {interface}mon p -b u -c 1 -t {target_AP_MAC}}
    • Use a wordlist: sudo mdk3 {interface}mon p -f {wordlist} -t {target_AP_MAC}

Bypassing MAC Filtering

• Sometimes even with a password we might not be able to connect due to MAC filtering
• We can just yoink a client MAC and spoof it as our own
  • We’ll need to first deauth the client (or wait for them to deauth if we’re kind)
• Scan for clients as usual with airodump-ng
• Use macchanger to spoof our MAC address
  • sudo iwconfig {interface} down
  • sudo macchanger {interface} -m {new_MAC}
  • sudo iwconfig {interface} down