How to crack corporate Wi-Fi: new features
There are a lot of articles about Wi-Fi hacking on the Internet, but most of them concern the WEP / WPA (2) -Personal operation mode, in which you need to intercept the client's “handshake” procedure and Wi-Fi-points. Many corporate Wi-Fi networks use WPA2-Enterprise security mode, with login and password authentication as the least expensive method. In this case, authentication is performed using a RADIUS server.
The client's OS establishes a connection to the RADIUS server using encryption using TLS, and authentication is mostly done using the MS-CHAPv2 protocol.
')
To test penetration of such a network, we can create a fake Wi-Fi hotspot with a RADIUS server — and get the login, request and response that MS-CHAPv2 uses. This is sufficient for further password brute force.
We need Kali Linux and a card that supports the work in Access Point mode, which can be checked using the iw list command, we are interested in the line:
A year ago, it was necessary to do a lot of manipulations in order to fake such an access point with the possibility of obtaining credentials. It was necessary to patch, build and properly configure certain versions of hostapd and FreeRADIUS. In August 2014, the Mana Toolkit toolkit appeared , allowing you to automate many attack vectors on wireless clients.
Since it is not always convenient to use a laptop, we will use a more compact version - a telephone . In addition, you can use Raspberry Pi + FruityWifi . WiFi Pineapple, unfortunately, does not support Mana.
Launch Kali
We connect Wi-Fi-card via USB-OTG-cable. Launch the NetHunter application.
The first thing to do is to define the interface of the connected Wi-Fi card. To do this, select Kali Launcher from the menu and launch Wifite.
In our case, this is the wlan1 interface.
In the menu, select MANA Evil Access Point.
Adjust the point:
Turning off karma (enable_karma = 0), specifying a buffer to which received logins and hashes will be sent (ennode).
We have a set of five scripts that run, in addition to the access point, additional utilities for the implementation of MITM-attacks. We are interested in the mana-noupstream-eap script, which is intended for points with 802.1x authentication.
By default, the script tries to “dump” the resulting hash, connect the client and conduct a MITM attack. Since hacking hashes on the phone is not the best idea, commenting out unnecessary lines, adding a command that will record the captured data to a file on a flash drive, and launch Mana.
As soon as the Wi-Fi client is close enough to our access point, it will try to authenticate to it. A good place for an ambush is at the entrance to the office or business center, the time is the beginning or end of the working day, when potential victims pass the checkpoint.
We stop Mana and check what we caught.
The format of the data: Protocol | Login | Challenge | Response
Now you can in a relaxed atmosphere on a normal computer to crack the received hashes.
This will help us:
- Asleap (used in the original script),
- John the Ripper (slightly modified hashes are required:
These accounts can be used to further penetrate the corporate network via Wi-Fi or VPN, as well as to gain access to corporate mail.
As it turned out, it is not always possible to intercept user hashes. Desktop OS (Windows, MacOS, Linux), as well as iOS users are best protected. When connecting to the OS for the first time, it asks if you trust the certificate that is used by the RADIUS server on this Wi-Fi network. When replacing a legitimate access point, the OS will ask about trusting a new certificate that uses a RADIUS server. This will happen even when using a certificate issued by a trusted certificate authority (Thawte, Verisign).
When using devices based on Android, the default certificate is not checked, but it is possible to specify a root certificate that can be used on this Wi-Fi network.
Windows Phone based devices by default validate the certificate. Server certificate verification options are also available:
Summarizing all the above, Positive Technologies experts recommend the following security measures:
Author: Dmitry Trifonov, Positive Technologies Research Center
The client's OS establishes a connection to the RADIUS server using encryption using TLS, and authentication is mostly done using the MS-CHAPv2 protocol.
')
To test penetration of such a network, we can create a fake Wi-Fi hotspot with a RADIUS server — and get the login, request and response that MS-CHAPv2 uses. This is sufficient for further password brute force.
We need Kali Linux and a card that supports the work in Access Point mode, which can be checked using the iw list command, we are interested in the line:
* #{ AP, mesh point } <= 8,A year ago, it was necessary to do a lot of manipulations in order to fake such an access point with the possibility of obtaining credentials. It was necessary to patch, build and properly configure certain versions of hostapd and FreeRADIUS. In August 2014, the Mana Toolkit toolkit appeared , allowing you to automate many attack vectors on wireless clients.
Since it is not always convenient to use a laptop, we will use a more compact version - a telephone . In addition, you can use Raspberry Pi + FruityWifi . WiFi Pineapple, unfortunately, does not support Mana.
Launch Kali
We connect Wi-Fi-card via USB-OTG-cable. Launch the NetHunter application.
The first thing to do is to define the interface of the connected Wi-Fi card. To do this, select Kali Launcher from the menu and launch Wifite.
In our case, this is the wlan1 interface.
In the menu, select MANA Evil Access Point.
Adjust the point:
- interface defined in the previous step (interface),
- SSID of the cracked Wi-Fi-network (ssid)
- use of the 802.1x authentication protocol (ie, ie8021x = 1),
- the wpa (wpa) options ( 0 = no WPA / WPA2; 1 = WPA; 2 = IEEE 802.11i / RSN (WPA2); 3 = WPA and WPA2),
- list of accepted key management algorithms (wpa_key_mgmt = WPA-EAP),
- a set of accepted encryption algorithms (wpa_pairwise),
Turning off karma (enable_karma = 0), specifying a buffer to which received logins and hashes will be sent (ennode).
We have a set of five scripts that run, in addition to the access point, additional utilities for the implementation of MITM-attacks. We are interested in the mana-noupstream-eap script, which is intended for points with 802.1x authentication.
By default, the script tries to “dump” the resulting hash, connect the client and conduct a MITM attack. Since hacking hashes on the phone is not the best idea, commenting out unnecessary lines, adding a command that will record the captured data to a file on a flash drive, and launch Mana.
As soon as the Wi-Fi client is close enough to our access point, it will try to authenticate to it. A good place for an ambush is at the entrance to the office or business center, the time is the beginning or end of the working day, when potential victims pass the checkpoint.
We stop Mana and check what we caught.
The format of the data: Protocol | Login | Challenge | Response
Now you can in a relaxed atmosphere on a normal computer to crack the received hashes.
This will help us:
- Asleap (used in the original script),
- John the Ripper (slightly modified hashes are required:
cat HASHES.txt | sed 's/://g' | sed 's/\([^|]*\)|\([^|]*\)|\([^|]*\)|\([^|]*\)/\2:$NETNTLM$\3$\4/' > john-HASHES.txt )These accounts can be used to further penetrate the corporate network via Wi-Fi or VPN, as well as to gain access to corporate mail.
As it turned out, it is not always possible to intercept user hashes. Desktop OS (Windows, MacOS, Linux), as well as iOS users are best protected. When connecting to the OS for the first time, it asks if you trust the certificate that is used by the RADIUS server on this Wi-Fi network. When replacing a legitimate access point, the OS will ask about trusting a new certificate that uses a RADIUS server. This will happen even when using a certificate issued by a trusted certificate authority (Thawte, Verisign).
When using devices based on Android, the default certificate is not checked, but it is possible to specify a root certificate that can be used on this Wi-Fi network.
Windows Phone based devices by default validate the certificate. Server certificate verification options are also available:
- not;
- always ask;
- Certification Authority.
Summarizing all the above, Positive Technologies experts recommend the following security measures:
- Users - check certificates when connecting not only to the Internet bank, but also to corporate Wi-Fi;
- Android users - install the root certificate that is used on the corporate network;
- Administrators - switch to using certificate-based authentication (or not be surprised if people with a phone and antenna appear periodically before entering the office).
Author: Dmitry Trifonov, Positive Technologies Research Center
Source: https://habr.com/ru/post/252055/
All Articles