GitBook: [#3039] No subject

This commit is contained in:
CPol 2022-02-28 10:47:36 +00:00 committed by gitbook-bot
parent 42ee735ece
commit 613ae3c832
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
7 changed files with 64 additions and 43 deletions

View file

@ -190,16 +190,13 @@
* [Pentesting Network](pentesting/pentesting-network/README.md)
* [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
* [Spoofing SSDP and UPnP Devices with EvilSSDP](pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
* [Wifi Attacks](pentesting/pentesting-network/wifi-attacks/README.md)
* [Evil Twin EAP-TLS](pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md)
* [Pentesting IPv6](pentesting/pentesting-network/pentesting-ipv6.md)
* [Nmap Summary (ESP)](pentesting/pentesting-network/nmap-summary-esp.md)
* [Network Protocols Explained (ESP)](pentesting/pentesting-network/network-protocols-explained-esp.md)
* [IDS and IPS Evasion](pentesting/pentesting-network/ids-evasion.md)
* [DHCPv6](pentesting/pentesting-network/dhcpv6.md)
* [Radio Hacking](pentesting/radio-hacking/README.md)
* [Pentesting RFID](pentesting/radio-hacking/pentesting-rfid.md)
* [Pentesting BLE - Bluetooth Low Energy](pentesting/radio-hacking/pentesting-ble-bluetooth-low-energy.md)
* [Pentesting Wifi](pentesting/pentesting-wifi/README.md)
* [Evil Twin EAP-TLS](pentesting/pentesting-wifi/evil-twin-eap-tls.md)
* [Pentesting JDWP - Java Debug Wire Protocol](pentesting/pentesting-jdwp-java-debug-wire-protocol.md)
* [Pentesting Printers](pentesting/pentesting-printers/README.md)
* [Accounting bypass](pentesting/pentesting-printers/accounting-bypass.md)
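Review bot: this hunk removes five SUMMARY entries (`Wifi Attacks` and `Evil Twin EAP-TLS` under Pentesting Network, plus the three `Radio Hacking` lines) and re-adds only the two Wifi pages under `pentesting/pentesting-wifi/`, so the Radio Hacking pages only stay in the table of contents because the later `-632` hunk re-inserts them at top level; the two hunks must land together. Since the README entry is renamed from "Wifi Attacks" to "Pentesting Wifi", every cross-reference to `pentesting/pentesting-network/wifi-attacks/` (the content-ref in the network README is one) has to change in the same commit or GitBook will emit broken links.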
@ -632,6 +629,9 @@
***
* [Radio Hacking](radio-hacking/README.md)
* [Pentesting RFID](radio-hacking/pentesting-rfid.md)
* [Pentesting BLE - Bluetooth Low Energy](radio-hacking/pentesting-ble-bluetooth-low-energy.md)
* [Burp Suite](burp-suite.md)
* [Other Web Tricks](other-web-tricks.md)
* [Interesting HTTP](interesting-http.md)

View file

@ -64,8 +64,8 @@ nmap -T4 -sY -n --open -Pn <IP/range>
Here you can find a nice guide of all the well known Wifi attacks at the time of the writing:
{% content-ref url="wifi-attacks/" %}
[wifi-attacks](wifi-attacks/)
{% content-ref url="../pentesting-wifi/" %}
[pentesting-wifi](../pentesting-wifi/)
{% endcontent-ref %}
## Discovering hosts from the inside
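Review bot: the content-ref now resolves to `../pentesting-wifi/`, which matches the new SUMMARY location, but the unchanged intro line `Here you can find a nice guide of all the well known Wifi attacks at the time of the writing:` still describes the page by its old name while the target is now titled "Pentesting Wifi"; update the lead sentence in the same pass so the card and the text agree.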

View file

@ -1,4 +1,4 @@
# Wifi Attacks
# Pentesting Wifi
## Wifi basic commands
@ -49,11 +49,34 @@ docker run \
From: [https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux](https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux)
## Resume attacks
### wifiphisher
It can perform Evil Twin, KARMA, and Known Beacons attacks and then use a phishing template to manage to obtain the network real password or capture social network credentials.
```bash
git clone https://github.com/wifiphisher/wifiphisher.git # Download the latest revision
cd wifiphisher # Switch to tool's directory
sudo python setup.py install # Install any dependencies
```
### [Wifite2](https://github.com/derv82/wifite2)
This tool automates **WPS/WEP/WPA-PSK** attacks. It will automatically:
* Set the interface in monitor mode
* Scan for possible networks - And let you select the victim(s)
* If WEP - Launch WEP attacks
* If WPA-PSK
* If WPS: Pixie dust attack and the bruteforce attack (be careful the brute-force attack could take a long time). Notice that it doesn't try null PIN or database/generated PINs.
* Try to capture the PMKID from the AP to crack it
* Try to deauthenticate clients of the AP to capture a handshake
* If PMKID or Handshake, try to bruteforce using top5000 passwords.
## Attacks Summary
* **DoS**&#x20;
* Deauthentication/disassociation -- Disconnect everyone (or a specific ESSID/Client)
* Random fake APs -- Hide nets, possible crash scanners)
* Random fake APs -- Hide nets, possible crash scanners
* Overload AP -- Try to kill the AP (usually not very useful)
* WIDS -- Play with the IDS
* TKIP, EAPOL -- Some specific attacks to DoS some APs
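Review bot: the new heading `## Resume attacks` is a false friend of the Spanish "resumen"; `## Attack tools summary` says what the section contains. In the wifiphisher block the comment on `sudo python setup.py install # Install any dependencies` does not describe the command, which installs the tool itself, and the unversioned `python` resolves to Python 2 on many systems, so `python3` is the safer thing to document. The Wifite2 items from `Try to capture the PMKID from the AP to crack it` through `If PMKID or Handshake, try to bruteforce using top5000 passwords.` are sub-steps of `If WPA-PSK` and should be indented one level so the list renders nested instead of as five parallel bullets. The `Random fake APs` edit correctly drops the stray `)`.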
@ -70,7 +93,7 @@ From: [https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux](https://g
* **Open** Evil Twin \[+ DoS] -- Useful to capture captive portal creds and/or perform LAN attacks
* **WPA-PSK** Evil Twin -- Useful to network attacks if you know the password
* **WPA-MGT** -- Useful to capture company credentials
* **MANA**, **Loud MANA**, **Known beacon**
* **KARMA, MANA**, **Loud MANA**, **Known beacon**
* **+ Open** -- Useful to capture captive portal creds and/or perform LAN attacks
* **+ WPA** -- Useful to capture WPA handshakes
@ -186,7 +209,7 @@ A simple packet fuzzer with multiple packet sources and a nice set of modifiers.
_**Airgeddon**_ offers most of the attacks proposed in the previous comments:
![](<../../../.gitbook/assets/image (126).png>)
![](<../../.gitbook/assets/image (126).png>)
## WPS
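Review bot: the image reference moves from `../../../.gitbook/assets/` to `../../.gitbook/assets/`, which is the right adjustment for a page that moved up one directory (from `pentesting/pentesting-network/wifi-attacks/` to `pentesting/pentesting-wifi/`), and the same one-level fix is applied to every other `![](...)` line in this file below, so the asset paths stay consistent. A render check that `image (126).png` and the other assets resolve at the new depth is all that remains.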
@ -198,14 +221,15 @@ WPS uses a 8 length PIN to allow a user to connect to the network, but it's firs
There are 2 main tools to perform this action: Reaver and Bully.
* Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
* Bully is a new implementation of the WPS brute force attack, written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and cpu performance, correct handling of endianness, and a more robust set of options. It runs on Linux, and was specifically developed to run on embedded Linux systems (OpenWrt, etc) regardless of architecture.
* **Reaver** has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
* **Bully** is a **new implementation** of the WPS brute force attack, written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and cpu performance, correct handling of endianness, and a more robust set of options.
Bully provides several improvements in the detection and handling of anomalous scenarios. It has been tested against access points from numerous vendors, and with differing configurations, with much success.
This attack takes advantage of a **weakness in the eight-digit WPS PIN code**; because of this issue, the protocol **discloses information about the PINs first four digits**, and the **last** digit works as a **checksum**, which makes brute forcing the WPS AP easy.\
Note that some devices include **brute-force protections**, which usually **block MAC addresses** that repeatedly try to attack. In that case, the complexity of this attack increases, because youd have to **rotate MAC** addresses while testing PINs.
If the WPS valid code is found, both Bully and Reaver will use it to discover the WPA/WPA2 PSK used to protect the network, so you will be able to connect anytime you need it.
```
```bash
reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -b -f -N [-L -d 2] -vvroot
bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3
```
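Review bot: the `reaver` line carries two defects that predate this hunk but now sit inside a `bash`-tagged fence: `-b` appears twice (`-b 00:C0:CA:78:B1:37 ... -c 9 -b -f`, the second time without a value), and the trailing `-vvroot` looks like `-vv` fused with a shell prompt; it should end with `-vv`. The prose trim is fine, but the new Bully bullet now ends at "and a more robust set of options." and the following context line `Bully provides several improvements in the detection and handling of anomalous scenarios.` reads as a dangling continuation; either indent it into the bullet or keep the removed sentence.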
@ -242,7 +266,7 @@ Some really bad implementations allowed the Null PIN to connect (very weird also
All the proposed WPS attacks can be easily performed using _**airgeddon.**_
![](<../../../.gitbook/assets/image (201) (1).png>)
![](<../../.gitbook/assets/image (201) (1).png>)
* 5 and 6 lets you try **your custom PIN** (if you have any)
* 7 and 8 perform the **Pixie Dust attack**
@ -254,13 +278,13 @@ All the proposed WPS attacks can be easily performed using _**airgeddon.**_
So broken and disappeared that I am not going to talk about it. Just know that _**airgeddon**_ have a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options.
![](<../../../.gitbook/assets/image (125).png>)
![](<../../.gitbook/assets/image (125).png>)
## WPA/WPA2 PSK
### PMKID
In 2018 hashcat authors [disclosed](https://hashcat.net/forum/thread-7717.html) a new type of attack which not only relies **on one single packet**, but it doesnt require any clients to be connected to our target AP or, if clients are connected, it doesnt require us to send deauth frames to them, theres no interaction between the attacker and client stations, but just between the attacker and the AP, interaction which, if the router is vulnerable, is almost immediate!
In 2018 hashcat authors [disclosed](https://hashcat.net/forum/thread-7717.html) a new type of attack which not only relies **on one single packet**, but it doesnt require any clients to be connected to our target AP but just communication between the attacker and the AP.
It turns out that **a lot** of modern routers append an **optional field** at the end of the **first EAPOL** frame sent by the AP itself when someone is associating, the so called `Robust Security Network`, which includes something called `PMKID`
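Review bot: the shortened sentence now stacks two "but" clauses: `... not only relies **on one single packet**, but it doesnt require any clients to be connected to our target AP but just communication between the attacker and the AP.` Suggest "relies on a single packet, requires no clients to be connected to the target AP, and needs only communication between the attacker and the AP", restoring the apostrophe in "doesn't" while at it.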
@ -275,7 +299,7 @@ Description obtained from [here](https://www.evilsocket.net/2019/02/13/Pwning-Wi
To **gather** this information and **bruteforce** locally the password you can do:
```
```bash
airmon-ng check kill
airmon-ng start wlan0
git clone https://github.com/ZerBea/hcxdumptool.git; cd hcxdumptool; make; make install
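Review bot: `git clone https://github.com/ZerBea/hcxdumptool.git; cd hcxdumptool; make; make install` chains the steps with `;`, so if the clone or the `cd` fails the `make install` still runs in whatever directory the reader is in; use `&&` so the line stops at the first failure. `make install` also writes to system paths and normally needs root, which neither it nor the preceding `airmon-ng` lines show; stating that the block runs as root (or prefixing `sudo`) saves readers a confusing permission error.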
@ -290,7 +314,7 @@ hcxdumptool -o /tmp/attack.pcap -i wlan0mon --enable_status=1
The **PMKIDs captured** will be shown in the **console** and also **saved** inside _ **/tmp/attack.pcap**_\
Now, convert the capture to **hashcat/john** format and crack it:
```
```bash
hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
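Review bot: the capture file name is inconsistent across this block: the hunk context shows `hcxdumptool -o /tmp/attack.pcap` and the prose says `/tmp/attack.pcap`, yet the conversion step reads `/tmp/attack.pcapng`; pick one name for both lines or the copy-pasted sequence fails on a missing file. `--force` on the hashcat line tells hashcat to ignore its own warnings and should be explained or dropped from a reference snippet.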
@ -301,7 +325,7 @@ __If yours **only** contains **3 parts**, then, it is **invalid** (the PMKID cap
Note that `hcxdumptool` **also capture handshakes** (something like this will appear: **`MP:M1M2 RC:63258 EAPOLTIME:17091`**). You could **transform** the **handshakes** to **hashcat**/**john** format using `cap2hccapx`
```
```bash
tcpdump -r /tmp/attack.pcapng -w /tmp/att.pcap
cap2hccapx pmkid.pcapng pmkid.hccapx ["Filter_ESSID"]
hccap2john pmkid.hccapx > handshake.john
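Review bot: the three commands do not chain: `tcpdump` writes `/tmp/att.pcap`, but `cap2hccapx` reads `pmkid.pcapng` and produces `pmkid.hccapx`, which `hccap2john` then consumes, so the tcpdump output is never used. Either feed `/tmp/att.pcap` into `cap2hccapx` or drop the tcpdump step. The bracketed `["Filter_ESSID"]` is meant as an optional argument, but inside a `bash` fence it reads as a literal; a trailing comment such as `# optional ESSID filter` is clearer.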
@ -330,7 +354,7 @@ _Note that as the client was deauthenticated it could try to connect to a differ
Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
![](<../../../.gitbook/assets/image (172) (1) (1).png>)
![](<../../.gitbook/assets/image (172) (1) (1).png>)
Once the handshake is captured you can **crack** it with `aircrack-ng`:
@ -395,7 +419,7 @@ Reading [https://tools.ietf.org/html/rfc3748#page-27](https://tools.ietf.org/htm
Even using one of the most secure of authentication methods: **PEAP-EAP-TLS**, it is possible to **capture the username sent in the EAP protocol**. To do so, **capture a authentication communication** (start `airodump-ng` inside a channel and `wireshark` in the same interface) and filter the packets by`eapol`.\
Inside the "**Response, Identity**" packet, the **username** of the client will appear.
![](<../../../.gitbook/assets/image (150).png>)
![](<../../.gitbook/assets/image (150).png>)
### Anonymous Identities
@ -423,13 +447,13 @@ With either protocol, the PEAP/TTLS server learns the users true identity onc
If the client is expected to use a **username and password** (notice that **EAP-TLS won't be valid** in this case), then you could try to get a **list** a **usernames** (see next part) and **passwords** and try to **bruteforce** the access using [**air-hammer**](https://github.com/Wh1t3Rh1n0/air-hammer)**.**
```
```bash
./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt
```
You could also do this attack using `eaphammer`:
```
```bash
./eaphammer --eap-spray \
--interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \
--essid example-wifi \
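Review bot: the context line `then you could try to get a **list** a **usernames**` needs "of" in place of the second "a". The air-hammer invocation (`-P UserPassword1 -u usernames.txt`) tries one password across a list of usernames, which is password spraying rather than brute force; saying so in the prose would match the `--eap-spray` name used for eaphammer two lines later and describe the technique accurately.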
@ -535,7 +559,7 @@ hostapd ./hostapd.conf
### Forwarding and Redirection
```
```bash
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
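Review bot: `echo 1 > /proc/sys/net/ipv4/ip_forward` has its redirect performed by the caller's shell, so it fails with "Permission denied" when a non-root user prefixes only the `echo` with `sudo`; document the block as running as root or use `sysctl -w net.ipv4.ip_forward=1`. The single FORWARD rule accepts only traffic entering on `wlan0`; replies arriving on `eth0` are forwarded only when the chain's default policy is ACCEPT, so the snippet silently breaks on hosts with a DROP policy unless a matching rule for established connections from `eth0` is added or the policy dependence is noted.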
@ -563,7 +587,7 @@ You could also create an Evil Twin using **eaphammer** (notice that to create ev
Or using Airgeddon: `Options: 5,6,7,8,9 (inside Evil Twin attack menu).`
![](<../../../.gitbook/assets/image (148).png>)
![](<../../.gitbook/assets/image (148).png>)
Please, notice that by default if an ESSID in the PNL is saved as WPA protected, the device won't connect automatically to an Open evil Twin. You can try to DoS the real AP and hope that the user will connect manually to your Open evil twin, or you could DoS the real AP an use a WPA Evil Twin to capture the handshake (using this method you won't be able to let the victim connect to you as you don't know the PSK, but you can capture the handshake and try to crack it).
@ -627,7 +651,7 @@ Or you could also use:
`Airgeddon` can use previously generated certificated to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to **capture the user and the MD5 of the password**. Later, the attacker can try to crack the password.\
`Airggedon` offers you the possibility of a **continuous Evil Twin attack (noisy)** or **only create the Evil Attack until someone connects (smooth).**
![](<../../../.gitbook/assets/image (129).png>)
![](<../../.gitbook/assets/image (129).png>)
### Debugging PEAP and EAP-TTLS TLS tunnels in Evil Twins attacks
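Review bot: this hunk only touches the image path, but the two context lines above it carry typos worth fixing in the same pass: `previously generated certificated` should be "certificates", and `Airggedon` should be `Airgeddon`. "The fake network will downgrade the connection protocol to EAP-MD5" also overstates the outcome: the rogue AP only offers EAP-MD5, and a supplicant that validates the server certificate or is pinned to its configured EAP method will not fall back, so "will try to negotiate EAP-MD5" is the accurate wording.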
@ -642,11 +666,11 @@ Now or later (when you have already captured some authentication intents) you ca
Add a new entry and fill the form with this values: **IP address = any** -- **Port = 0** -- **Protocol = data** -- **Key File** (**select your key file**, to avoid problems select a key file **without being password protected**).
![](<../../../.gitbook/assets/image (151).png>)
![](<../../.gitbook/assets/image (151).png>)
And look at the new **"Decrypted TLS" tab**:
![](<../../../.gitbook/assets/image (152).png>)
![](<../../.gitbook/assets/image (152).png>)
## KARMA, MANA, Loud MANA and Known beacons attack
@ -654,7 +678,7 @@ And look at the new **"Decrypted TLS" tab**:
The following table lists the different type of MFACLs (Management Frame Access Control Lists) available, as well their effects when used:
![](<../../../.gitbook/assets/image (149).png>)
![](<../../.gitbook/assets/image (149).png>)
```
# example EAPHammer MFACL file, wildcards can be used
@ -729,20 +753,17 @@ As known beacons are loud. You can use a script inside Eaphammer project to just
--burst-count 5
```
## Other tools
## Wi-Fi Direct
### [Wifite2](https://github.com/derv82/wifite2)
Wi-Fi Direct is a Wi-Fi standard that allows devices to connect to each other without a wireless AP as one of the two devices will act as AP (called group owner). You can find Wi-Fi Direct in a lot of IoT devices like printers, TVs...
This tool automates **WPS/WEP/WPA-PSK** attacks. It will automatically:
Wi-Fi Direct relies on Wi-Fi Protected Setup (**WPS**) to securely connect the devices. WPS has multiple configuration methods such as **Push-Button** Configuration (PBC), **PIN entry**, and **Near-Field** Communication (NFC)
* Set the interface in monitor mode
* Scan for possible networks - And let you select the victim(s)
* If WEP - Launch WEP attacks
* If WPA-PSK
* If WPS: Pixie dust attack and the bruteforce attack (be careful the brute-force attack could take a long time). Notice that it doesn't try null PIN or database/generated PINs.
* Try to capture the PMKID from the AP to crack it
* Try to deauthenticate clients of the AP to capture a handshake
* If PMKID or Handshake, try to bruteforce using top5000 passwords.
So the attacks previously seen to WPS PIN are also valid here if PIN is used.
### EvilDirect Hijacking
This works like an Evil-Twin but for Wi-Fi direct, you can impersonate a group owner to try to make other devices like phons connect to you: `airbase-ng -c 6 -e DIRECT-5x-BRAVIA -a BB:BB:BB:BB:BB:BB mon0`
## Interesting links
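Review bot: the new line `...make other devices like phons connect to you` has a typo: "phones". `So the attacks previously seen to WPS PIN are also valid here if PIN is used.` reads better as "So the WPS PIN attacks described above also apply here when the PIN method is used." The Wifite2 block removed from `## Other tools` is the same text re-added under `## Resume attacks` earlier in this file, so no content is lost, but the `## Other tools` heading disappears with it; confirm no other page anchors to it. Finally, `-a BB:BB:BB:BB:BB:BB` in the `airbase-ng` example is a placeholder BSSID and should be labelled as one so readers do not copy it literally.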