tbhaxor.com Open in urlscan Pro
2a06:98c1:3120::3  Public Scan

URL: https://tbhaxor.com/pivot-through-protected-wifi-network/
Submission: On September 15 via manual from CA — Scanned from NL

Form analysis 0 forms found in the DOM

Text Content

tbhaxor

 * About Me
 * Projects
 * Series
 * Support Me


wifi-security


BREAK INTO THE WIFI NETWORK AND INTERACT WITH SERVICES

In this post, I'll go over how to crack the key of a WEP-encrypted WiFi network
and pivot into it to interact with vulnerable services running on it.

 * 

GURKIRAT SINGH

Sep 15, 2022 • 6 min read
 1. Monitor Beacon Frames from AP
 2. Crack WEP Encryption
 3. Pivoting through WiFi Network
 4. Resources

Hello World! So, suppose you've cracked the WiFi network's encryption key (or
passphrase). What will you do now? Is that all you can do with it, or is there
more to it? Yes, we all started doing this for free internet from our
neighbours, but that is all there is to it. So, the goal of this post is to
first decrypt the WiFi network's WEP encryption, then connect to it and interact
with other hosts connected to the access point.

The lab I'm using for the demonstration is provided by AttackDefense and can be
found here. – https://attackdefense.com/challengedetails?cid=1330


MONITOR BEACON FRAMES FROM AP

To begin, use the following commands to configure the wlan0 interface in monitor
mode. If you have a different interface name, change wlan0 to that in the
following commands.

ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

Set wlan0 interface in monitor mode

> Note – If you don't know from where or how these commands works, please check
> this post.

Because the WiFi interface is now in monitor mode, use the following command to
run the airodump-ng tool to capture all in-flight beacon frames and probe
requests.

airodump-ng --band abg wlan0

Capture beacon frames and probe requests from channels of 2.4Ghz and 5Ghz band
💡
If your card supports both bands, I would recommend to dump all the channels
from all the bands initially to get all the WiFi networks in your environment,
this can be done using --band abg option in airodump-ng.

The target network here is EpicMediaCorp (from lab description) which is
broadcasting on channel 6 and having BSSID set to B8:0D:F7:D5:79:F9.

Found EpicMediaCorp ESSID on channel 6


CRACK WEP ENCRYPTION

To crack WEP, approximately 10000 data packets with highly unique initialization
vectors (or IVs) are required. It will take time to capture that many packets in
normal traffic. However, the same data packet can be replayed to get unique IVs
from the access point. Because the size of an ARP packet is deterministic and
these data packets are common in the network, we will replay these packets to
generate more and more IVs.

Before you begin replaying and cracking, you must restart airodump with the
following command, which will set the channel to 6, set the BSSID filter to the
target network, and append live capture to the wep-capture file.

airodump-ng --channel 6 --bssid B8:0D:F7:D5:79:F9 --write wep-capture wlan0

Run airodump-ng on channel 6, filtering target BSSID and write the capture to
file
💡
Because there are other networks on the same channel, I used the BSSID filter to
keep the capture file small. It is, however, an optional argument, which I
recommend using unless you are performing replay for multiple networks.

Now you need to use the aireplay-ng tool to capture and replay the ARP packets
to the access point (specified via -b) for the associated client (specified via
-h).

aireplay-ng --arpreplay -b B8:0D:F7:D5:79:F9 -h 02:00:00:00:09:00 wlan0

Replay ARP packets with associated client MAC
💡
If no client is associated and an access-point is actively broadcasting beacon
frames, you can perform fake authentication replay before arpreplay.

As you can see, 46k packets are replayed here, but the acknowledgement is 0
because all of these packets are encrypted. Once enough data packets are
available, use Ctrl+C to stop airodump and aireplay and launch an aircrack-ng
cracking attack.

Replayed ~46k ARP packets
💡
Send a deauth replay attack if there are very few or no ARP packets flowing in
the network for the associated client. This will disconnect the client; when it
reconnects to the network, it will send ARP requests.

There are two capture files in the current working directory: one for the replay
and one from airodump, in this case wep-capture-01.cap. The latter will be used
to crack the encryption.

Find the name of the capture file

As illustrated below, pass the airodump capture file to aircrack-ng without any
further options.

aircrack-ng wep-capture-01.cap 

Comamnd to launch aircrack on the capture file

Because of the filter provided to the airodump command, aircrack will
automatically choose this network and crack the encryption key. Here you can see
that the key is 14332.

Aircrack has successfully cracked the key

To connect to a WiFi network, you can use the wpa_supplicant tool which requires
a configuration file with following options.

network={
	# SSID of the network to connect
	ssid="EpicMediaCorp"
    
	# Do not use any key management (not required in WEP)
	key_mgmt=NONE
    
	# Set wep key 0 to 14332
	wep_key0="14332"
    
	# Use the key 0th indexed key, ie 14332
	wep_tx_keyidx=0
}

WPA Supplicant configuration to connect to the WiFi network

You can use this config file to connect to EpicMediaCorp using the wpa
supplicant utility, as demonstrated below.

 * -D nl80211 is the name of the kernel driver for the WiFi device; nl80211 is
   available in Linux operating systems.
 * -i wlan1 will connect to the access point via the wlan1 interface.

wpa_supplication -D nl80211 -i wlan1 -c wpa_supplicant.conf

Connecting to the WiFi network from wlan1 interface

The supplicant is successfully connected and associated to the wireless network.

Supplicant connected successfully


PIVOTING THROUGH WIFI NETWORK

I discovered that even if you enter a wrong key in the wpa supplication
configuration, the access point would still authenticate and associate you with
it.

Associated to the access point with wrong WEP key

However, if you are connected with the right key, the DHCP request will be
successful, and an IP address will be assigned to the supplicant interface.

Verify the IP address on wlan1 interface

The interface now has 172.18.0.181, and the WiFi router appears to be at
172.18.0.1. In the lab description it is given that only TCP and UDP traffic can
pass through WiFi AP, hence ping won't work. As a result, you can use the -Pn
option to nmap to skip the ping scan on the target host.

nmap --top-ports 65535 --min-rate 2000 -Pn 172.18.0.1

Scan for open ports on the WiFi router

The WiFI access point has three services running: SSH, DNS, and HTTP. According
to the lab description, the WiFi AP's SSH password is strong and random,
therefore it will not be vulnerable to a dictionary attack. As a result, we can
only look at HTTP right now.

SSH and HTTP default ports are open on WiFi router

Curl request on the HTTP service disclosed the internal IP address of the WiFi
router to which other devices are linked.

Get IP address of LAN interface

Assuming the target host is the next in the CIDR range 192.102.254.3/24, use
nmap to execute a TCP scan on the 192.102.254.4 address.

nmap --top-ports 65535 --min-rate 2000 -sT 192.102.254.4

TCP scan for all the ports on 192.102.254.4 host

The assumption was correct, as you can see, that host is currently running an
interesting service: SSH.

Found SSH port is open on the target

LAN machines could be subject to the dictionary attack because they frequently
use weak SSH passwords. You can use the password dictionary from
/root/wordlists/100-common-passwords.txt in the lab with hydra tool as shown
below.

hydra -l root -P /root/wordlists/100-common-passwords.txt ssh://192.102.254.4

Bruteforce the password for SSH of root user using hydra

Hydra reported a successful login to the target SSH service using the
root:1234567890 credentials.

Found valid login credentials for SSH using hydra

Now you can log in to SSH with the valid credentials obtained from the Hydra and
retrieve the flag from the host.

Extract the secret flag from the SSH server


RESOURCES

 * https://www.aircrack-ng.org/doku.php?id=arp-request_reinjection
 * https://www.geeksforgeeks.org/how-to-use-hydra-to-brute-force-ssh-connections/
 * https://www.aircrack-ng.org/doku.php?id=i_am_injecting_but_the_ivs_don_t_increase
 * https://wireless.wiki.kernel.org/en/developers/documentation/nl80211




DECRYPT WEP TRAFFIC USING BRUTEFORCE WITH INSUFFICIENT IVS

In this tutorial, you will learn how to crack the WEP key using only one data
packet and a wordlist, and then use the wireshark tool to decode the data
packet.
Sep 14, 2022 4 min read


UNDERSTAND AND INTERACT WITH OPENWRT

A gentle introduction to the OpenWRT web interface, LuCI, which can be used to
configure wireless interfaces as well as remotely monitor traffic.
Sep 5, 2022 4 min read


CREATING HONEYPOT ACCESS POINTS USING HOSTAPD

In order to rejoin the network when a client disconnects, the client sends probe
requests. To entice probing clients into the network and carry out additional
enumeration, you can use hostapd to establish fake hostspot networks.
Aug 25, 2022 3 min read
tbhaxor © 2022

Powered by Ghost