Wireless Penetration Tips

Adam Toscher
5 min readMar 10, 2020

--

A list for all things wireless that you may find useful while assessing a real world Wi-Fi Enterprise Network. How-to: Evil Twin, KARMA, MANA, EAP-GTC Downgrade, passivity perform wireless recon, capture WPA2 handshakes (WPA2 full, half, PKMID), and test guest networks for known misconfigurations.

Overview

Ive tried to consolidate information from a variety of sources to assist penetration testing during a wireless assessment. This list includes plausible tactics, techniques, and procedures (TTP). I’ve decided to publish these in an easy to read, and hopefully digestible blog fashion. Some of the items below will be updated occasionally, with new attack vectors.

  1. Find a device, tool, software or environment that is reliable for RF testing. There are so many tools, wrappers and hardware to choose from.
  2. Uncovering Hidden SSIDS: “Hidden SSID is a configuration where the access point does not broadcast its SSID in beacon frames”
  3. Building a Wireless Penetration Environment using Docker — “When Whales Fly”
  4. Aircrack-ng is a complete suite of tools to assess WiFi network security
  5. By using your Let’s Encrypt certificate you can effectively avoid internal SSL certificate issues, by not relying on self-signed certificates.
  6. There are a lot of devices you can use to test: “ESP32 WiFi Hash Monster — store EAPOL & PMKID packets in an SD card using a M5STACK / ESP32 device”
  7. Buy a WiFi Pineapple — “The WiFi Pineapple® NANO and TETRA are the 6th generation pentest platforms from Hak5.
  8. Learn how to use MANA, “SensePost’s modified hostapd for wifi attacks”
  9. Download Wpa sycophant for an EAP relay attack
  10. Cheap WiFi hacks
  11. Wpa3-vuln: wpa_supplicant 2.7 vulnerable to Mathy’s WPA3 bugs
  12. The default TX-Power of most USB wireless cards is 20 dBm, but by issuing two commands you can increase your transmission power. (Type “iw reg set BO” then “iwconfig wlan0 txpower 30”)
  13. Check out wiggle, there are a lot of of opportunities to use this data for offensive and defensive research.
  14. Captive Portal Attack attack attempts to retrieve the target access point’s WPA/WPA2 key by means of a rogue network with a border authentication captive portal”
  15. crEAP is a python script that will identify WPA Enterprise mode EAP types and if insecure protocols are in use, will attempt to harvest usernames and/or handshakes)
  16. You can deuathenticate a client by using a command like this: “aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0”
  17. Download Eaphammer, it allows targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.”
  18. Hcxdumptool is a small tool to capture packets from wlan devices.
  19. Hcxtools is a portable solution for conversion of WiFi Hcxdumptool files to hashcat formats
  20. Freeradius-wpe: Though dated, still may have a valid use case during a wireless assessment
  21. Hostapd-wpe (The first hostapd Evil Twin implementation and my favorite tool for WPA2-Enterprise attacks)
  22. Use the additional WPE command line “-s “ which return EAP-Success messages after credentials are harvested (See Understanding PEAP In-Depth)
  23. Pwning WiFi-networks with bettercap and the PMKID client less attack
  24. Build a pwnagtchi: Pwnagotchi is an A2C-based “AI” powered by bettercap and running on a Raspberry Pi Zero W that learns from its surrounding WiFi environment in order to maximize the crackable WPA key material it captures
  25. When actively scanning the client endpoint searches for wireless networks by transmitting probes and listening for responses from the access points within range
  26. During a passive scan, the client device waits for beacons, which are specific frames transmitted by the AP. (A probe response, also includes the configuration and capabilities of the wireless networks they service)
  27. Wifite2: Automates attacks that you may need against WPS/WEP)
  28. Some wireless penetration tests may require one to ask for credentials and log onto their guest network. This is okay and doesn’t mean you have failed.
  29. Always check Guest Network for Client Isolation issues. — Can I get to sensitive areas of the “Corporate” network, or any wired network from the isolated network used by contractors, etc.?
  30. Ensure that Client Isolation is on all wireless networks if possible. (If client isolation is off, then you can perform man-in-the-middle attacks.)
  31. Look for rogue access points by detaching your omni antenna, or using a directional antenna for better results.
  32. Look into Fluke gear if performing extensive rogue access point hunting or heat mapping.
  33. Use KRACK to ensure a wireless device that has not been patched or updated is not vulnerable to known attacks.
  34. TP-Link Archer C5 AC1200 is a Wireless Evil Twin Hardware Penetration Testing Router .
  35. Test the companies WIPS/WIPS by connecting a hardware rogue access point to the corporate network.
  36. Most “Ralink Wi-Fi chipset” cards work out the box with Kali .(The ALFA and Panda’s in the gist below work out of the box with the latest Kali and can scan for 802.11ac clients)
  37. Always ensure your USB wireless card is capable of monitor mode when performing a wireless penetration test.
  38. Antennas do matter, they have different signal patterns. These signal patterns make a difference.
  39. Signal/power are obviously important, clients will roam from different the 2.4 and 5 GHz bands based on signal strength and distance to the AP
  40. In an EAP downgrade attack, modify the eap.user file when running hostapd so that it downgrades the EAP connection to use EAP-GTC for authentication. (This will affect Android and iOS and Mac OS Supplicants to downgrade the victim’s supplicant to use a less secure method. Let the clear text credentials rain in, aka getting some L00tbooty)
  41. Karma exploits a behaviour of some Wi-Fi devices, combined with the lack of access point authentication in numerous WiFi protocols. It is a variant of the evil twin attack.[1] Details of the attack were first published in 2004 by Dino dai Zovi and Shaun Macaulay.[2]
  42. Understand that you are not always trying to attack the access point — you must go after the user’s device or PNL.(Preferred Network List)
  43. When it comes to taxonomy and identifying clients, you may find that one program, or suite of tools is better than the other for certain set tasks.
  44. Know Beacon Attack — “An attacker that can guess the ESSID of an open network in the victim device’s Preferred Network List, will be able to broadcast the corresponding beacon frame and have that device automatically associate with an attacker-controlled access point”
  45. Ever get access to a network that was hardened — but it was a guest network? Set up your own Evil Twin network, using the real guest WPA2 PSK. This is a technique I use to show why companies should rotate their guest network passwords, it can affect offices globally.
----EAP-GTC Downgrade* PEAP [ver=1]
"t" GTC "t" [2]
----
Troubleshooting Monitor Mode# rfkill unblock all
# airmon-ng check kill
Injection Test# aireplay-ng -i wlan0mon -9 -D# Test Frequency Band and Capture Abilityairodump-ng wlan1 --band ag -M -U --wps --beacons -w captureallthewirelessPower Related# iw wlan0mon set txpower 30
# iwconfig wlan0mon txpower 30
# bccmd psget 0x0017
Channel Related# iwconfig wlan1 channel 149Driver Related

--

--

Adam Toscher

Adam is a offensive security engineer and red team operator with over 20 years of experience in IT