Top Five Ways I gained access to Your Corporate Wireless Network (Lo0tBo0ty KARMA edition)

KARMA + HOSTAPD-WPE + Lo0tBo0ty
Corporate wireless access obtained from KARMA Lo0tBo0ty

At DEF CON 21, Josh Hoover(@wishbone1138) and James Snodgrass (@PunK1nPO0P) dropped their research on utilizing Generic Token Cards to get clear-text credentials from mobile devices connected to enterprise wireless. Josh does a fantastic job of covering the technical details, so I won’t cover them again here, but the tl;dr is that by having your authentication server request a one time password (i.e. GTC) and by sending a successful connection back to the client, you can get enterprise creds in clear text from mobile devices. I tested this on Android 5.01, and it still works! In the DEF CON talk, Josh and James released their tool “lootbooty“, which features a patch for freeradius-2.2. In addition, their tool featured a script to install and tear down the environment. This sounds like the perfect use case for a Docker container!

Note: Their talk/tool also featured an attack against ios devices, but this seems to be patched now.

Lo0tBo0ty

hostapd-wpe is the replacement for FreeRADIUS-WPE
(http://www.willhackforsushi.com/?page_id=37).

It implements IEEE 802.1x Authenticator and Authentication Server impersonation attacks to obtain client credentials, establish connectivity to the client, and launch other attacks where applicable.

hostapd-wpe supports the following EAP types for impersonation:
1. EAP-FAST/MSCHAPv2 (Phase 0)
2. PEAP/MSCHAPv2
3. EAP-TTLS/MSCHAPv2
4. EAP-TTLS/MSCHAP
5. EAP-TTLS/CHAP
6. EAP-TTLS/PAP

Example of a legitimate Radius cert

A trick of mine, when creating a Radius certificate for my Evil Twin, is to try and make the fake certificate look as much as possible as the real certificate. If there are misconfigurations made within the environment, or client policy doesn’t enforce checking the legitimacy of the Radius server certificate, users will connect to your hostapd-wpe regardless; but having an almost identical certificate may lure a few more unsuspecting victims to your Evil Twin.

Hostapd-WPE mschapv2 hash

The idea remains the same; stand up an Evil Twin and intercept credentials. The routers, and devices mentioned below allow persistent or covert testing which can make the difference when you are restrained by time or location.

There are so many wrappers for creating Evil Twins that use hostapd-wpe; that there are literally wrappers for other people’s scripts. Rogue adds some extra features and functionality to s0lst1c3's eaphammer.

My personal favorite mobile wireless testing device

Just like antennas both transmit and received data there’s a client and a server. Sometimes we have stop attacking EAP-TLS or a strong WPA2-PSK implementation and shift gears, targeting insecure or outdated client wirelesses supplicants. Client devices still send out beacons for networks. When one goes about penetrating a large and sophisticated corporation, you might find they corporation has taken the right measures to ensure that EAP-TLS is in place, and the guest network is WPA2-PSK. The WPA2 keys are rotated and not advertised ; you also can’t crack the WPA2 handshake and recover the passphrase. What does one do? Do we give up and go home, no… we persevere!

KARMA Open Network Evil Twin Attacks

KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targetted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.

Open KARMA Evil Twin
Hashes intercepted on the KARMA Open Evil Twin

Often corporations implement secure guest networks that require temporary credentials or a WPA2-PSK passphrase to gain access. These guest networks are intended for guest usage, but are often used by employees. Dependent on the environment, the WPA2 key may be supplied or even advertised in the lobby area of many corporations. Not rotating this key allows for a WPA2-PSK network twin to easily be turned into an Evil Twin

Cisco’s captive portal page
Nmap Scan enumerating a host’s open ports
Telnet enabled on a Guest Network

Wireless Client Isolation is a security feature that prevents wireless clients from communicating with one another. This feature is useful for guest and BYOD SSIDs adding a level of security to limit attacks and threats between devices connected to the wireless networks.

Rogue, really stands out here — it’s one of the only scripts that let’s you stand up an WPA2-PSK Evil Twin Network in an automated fashion. Once devices are connected, client isolation is obviously not enforced on your Evil Network. MITM all things, but be careful and responsible when dealing with out of scope or personal wireless endpoints.

Evil Network — 10.”666".0/24.

Full Feature List

  • Reaver Pixie-Dust attack (--pixie)
  • Reaver WPS PIN attack (--reaver)
  • WPA handshake capture (--no-reaver)
  • Validates handshakes against pyrit, tshark, cowpatty, and aircrack-ng
  • Various WEP attacks (replay, chopchop, fragment, etc)
  • 5Ghz support for wireless cards that support 5ghz (use -5 option)
  • Stores cracked passwords and handshakes to the current directory, with metadata about the access point (via --crackedcommand).
  • Decloaks hidden access points when channel is fixed (use -c <channel> option)
  • Provides commands to crack captured WPA handshakes (via --crack command)
# put your network device into monitor mode
Set interface down
$ sudo ip link set wlan0 down
Set monitor mode
# iwconfig wlan0 mode monitor
Set interface up
# ip link set wlan0 up
# listen for all nearby beacon frames to get target BSSID and
# airodump-ng wlan0 --band abg
Set 5 GHz channel
# iwconfig wlan0 channel 149
Start listening for the handshake
# airodump-ng -c 149 --bssid P4:E4:E4:92:60:71 -w cap01.cap wlan0
Optionally deauth a connected client to force a handshake
# aireplay-ng -D -0 2 -a 9C:5C:8E:C9:AB:C0 -c P4:E4:E4:92:60:71 wlan0
Convert cap to hccapx
# root@kali:~# aircrack-ng -J file.cap capture.hccap
Crack with hashcat:>hashcat.exe -m 2500 capture.hccapx rockyou.txt
Rogue access point that allowed corporate network access

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Adam Toscher

Adam Toscher

Adam is a offensive security engineer and red team operator with over 20 years of experience in IT