Kali Linux – Rogue SSIDs Part 1 PSK

Wireless Penetration Test and Training Purposes Disclaimer:

The training material and exercises provided are for educational and training purposes only. The material and exercises are designed to provide participants with knowledge and skills related to a particular field or subject matter. The training exercises may simulate real-world scenarios, but they are not intended to be used for any illegal or unethical purposes.

The wireless penetration test to be performed is for the sole purpose of identifying vulnerabilities and weaknesses in the wireless network infrastructure of the target organization. The test will involve attempting to gain unauthorized access to the wireless network, identify weaknesses and vulnerabilities, and provide recommendations to improve the security posture of the wireless network infrastructure.

It is important to understand that the wireless penetration test carries risks and may cause unintended disruption to the target organization’s network operations. The wireless penetration test may cause temporary or permanent disruptions to the target organization’s network and may result in a loss of data, services, or system availability. The wireless penetration test may also cause the discovery of additional vulnerabilities that were not known before the test.

The wireless penetration test should only be performed by qualified and experienced professionals who have been authorized to conduct the test by the target organization. The target organization should have a clear understanding of the risks involved and provide explicit consent before the wireless penetration test is performed. The test should be performed in a controlled and planned manner to minimize any potential negative impact.

The penetration testers will take all reasonable precautions to avoid disrupting or damaging the target organization’s network infrastructure. However, the penetration testers cannot be held liable for any damages or losses that may occur as a result of the wireless penetration test.

By agreeing to the wireless penetration test, the target organization acknowledges the risks involved and accepts responsibility for any potential negative impact. The target organization agrees to hold the penetration testers harmless from any liability resulting from the wireless penetration test.

By signing this disclaimer, the target organization agrees to the terms and conditions of the wireless penetration test and acknowledges that they have read and understood the contents of this disclaimer.

Rogue SSID (Service Set Identifier)

A rogue SSID (Service Set Identifier) is an unauthorized wireless network that has been set up without the knowledge or consent of the network owner or administrator. Rogue SSIDs can be created by an attacker or an unintentional mistake by a network user, such as creating a hotspot on a mobile device and forgetting to turn it off.

These rogue SSIDs can pose a serious security threat to an organization’s network infrastructure. Attackers can use rogue SSIDs to launch various types of attacks, including man-in-the-middle attacks, phishing attacks, and data theft. Rogue SSIDs can also cause interference with legitimate network traffic, leading to performance issues and network downtime.

To protect against rogue SSIDs, organizations can implement security measures such as wireless intrusion detection systems (WIDS), which can detect and alert administrators to the presence of rogue SSIDs. Organizations can also use policies to control the use of wireless devices and enforce the use of secure wireless networks.

Connect the wireless adapters and verify their status
└─$ iwconfig   
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off

wlan1     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off

wlan2     unassociated  Nickname:"WIFI@RTL8814AU"
          Mode:Managed  Frequency=2.412 GHz  Access Point: Not-Associated
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=0/100  Signal level=0 dBm  Noise level=0 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Use airodump-ng to identify potential networks

Put the adapter into monitor mode

 sudo iw wlan0 interface add mon0 type monitor
 sudo iw wlan0 interface add mon1 type monitor

└─$ iwconfig

mon0      IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off

mon1      IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off

sudo airodump-ng mon1 --band abg

Using EAP Hammer to create a rogue SSID

└─$ sudo ./eaphammer -e RAGNAR -c 6 --hw-mode g --auth wpa-psk --wpa-passphrase letmein12345 --wpa-version 2 -i wlan1                                    

  ____ _____  ______ |  |__ _____    _____   _____   ___________
_/ __ \\__  \ \____ \|  |  \\__  \  /     \ /     \_/ __ \_  __ \
\  ___/ / __ \|  |_> >   Y  \/ __ \|  Y Y  \  Y Y  \  ___/|  | \/
 \___  >____  /   __/|___|  (____  /__|_|  /__|_|  /\___  >__|
     \/     \/|__|        \/     \/      \/      \/     \/

                        A nice shiny new access point.

                             Version:  1.13.5
                            Codename:  Power Overwhelming
                              Author:  @s0lst1c3
                             Contact:  gabriel<<at>>solstice(doT)sh

[?] Am I root?
[*] Checking for rootness...
[*] Root privs confirmed! 8D
[*] Saving current iptables configuration...
[*] Reticulating radio frequency splines...

[*] Using nmcli to tell NetworkManager not to manage wlan1...

100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00,  1.00s/it]

[*] Success: wlan1 no longer controlled by NetworkManager.
[*] WPA handshakes will be saved to /home/lab/Downloads/eaphammer/loot/wpa_handshake_capture-2023-03-25-02-10-47-yHAHq8lQdaF44XvPDroHTPqUxO4d4ArK.hccapx

[hostapd] AP starting...

Configuration file: /home/lab/Downloads/eaphammer/tmp/hostapd-2023-03-25-02-10-47-IwU68LqfCDvxk5Zi7coIi0rRSqDBABbo.conf
wlan1: interface state UNINITIALIZED->COUNTRY_UPDATE
Using interface wlan1 with hwaddr 00:11:22:33:44:00 and ssid "RAGNAR"

Press enter to quit...

wlan1: interface state COUNTRY_UPDATE->ENABLED
  1. What happens when the rogue AP/SSID is created? Client side.
  2. What happens when the rogue AP/SSID is created? Wireless infrastructure side.

The clients should see the rogue SSID along with the real SSID. The rogue SSID looks identical to the client. The client can potentially connect to the rogue AP if its signal strength is stronger than the legitimate AP.

If rogue detection is enabled on the infrastructure, alerts can potentially be generated.

Rogue disabled

How do you detect rogue devices without commercial tools?

While commercial tools are great to use, you should possess the skills to identify potential rogue SSIDs/honeypots without the use of expensive commercial tools. How is this achieved?

The CWNP CWAP program offers an excellent course in wireless packet/frame analysis. Being able to analyze frames at layer two is one of the easiest ways to detect rogues.

How does an access point advertise itself to a client device?

Access Points (APs) advertise the name of the SSID and other important information via a Beacon frame.

802.11 Beacon frame is used in wireless networks to advertise basic information about the network, such as the SSID (Service Set Identifier), supported data rates, and security settings. The Beacon frame is broadcast periodically by the Access Point (AP) to announce its presence and availability to nearby wireless devices.

Here is the basic format of an 802.11 Beacon frame:

  1. Frame Control Field: This 2-byte field contains information about the type of frame and the format of the frame.
  2. Duration Field: This 2-byte field specifies the amount of time required for the transmission of the Beacon frame.
  3. Destination Address: This 6-byte field specifies the MAC address of the wireless device to which the Beacon frame is addressed. In the case of a Beacon frame, this address is set to the broadcast address, which allows the frame to be received by all devices within range.
  4. Source Address: This 6-byte field specifies the MAC address of the Access Point that is transmitting the Beacon frame.
  5. BSSID: This 6-byte field specifies the MAC address of the Basic Service Set (BSS) of the wireless network. The BSS is a group of wireless devices that are associated with the same Access Point.
  6. Sequence Control Field: This 2-byte field is used for frame sequencing and fragmentation.
  7. Timestamp: This 8-byte field contains the value of the Access Point’s timer at the time the Beacon frame was transmitted.
  8. Beacon Interval: This 2-byte field specifies the number of time units between Beacon frames.
  9. Capability Information: This 2-byte field contains information about the Access Point’s capabilities and features, such as whether it supports WEP encryption, QoS, or power management.
  10. Information Element (IE) Field: This field contains one or more Information Elements, which provide additional information about the network, such as the SSID, supported data rates, and security settings.

The Beacon frame is an important component of wireless network communication, as it allows wireless devices to discover and connect to available wireless networks.

Example Beacon Frame

Analyzing Beacon Frames

A Beacon frame is a management frame (type 0) that carries subtype 8.

The capture above depicts two Beacon frames. It is easy to spoof the MAC address/BSSID of a legitimate AP, which can make frame analysis more difficult. One of the easiest ways to differentiate between a legitimate SSID and a rogue SSID is to look at the contents of the frames. One key indicator is the frame “length.”

The contents of the legitimate SSID.

A legitimate IEEE 802.11 frame should contain many tags.

The rogue SSID will most likely be smaller in length and will not contain as many tags.

The rogue SSID in the image above contains a limited number of tags (8) in this example.

In this example, I will look at the RSN information element.

802.11 RSN (Robust Security Network) is a security protocol used in Wi-Fi networks to provide secure communication between wireless devices and Access Points. RSN is an enhanced version of the earlier security protocol, WPA (Wi-Fi Protected Access), and provides stronger security features.

RSN uses the Advanced Encryption Standard (AES) encryption algorithm, which is a stronger and more secure encryption standard compared to the older Temporal Key Integrity Protocol (TKIP) used in WPA. RSN also provides support for other security features such as 802.1X authentication, key management, and message integrity checks.

TKIP (Temporal Key Integrity Protocol) and AES (Advanced Encryption Standard) are two encryption algorithms used in Wi-Fi networks to secure wireless communication between devices and Access Points.

TKIP was the encryption standard used in the first version of WPA (Wi-Fi Protected Access), which was introduced in 2003 as a replacement for the less secure Wired Equivalent Privacy (WEP) protocol. TKIP provides message integrity checks, key mixing, and per-packet keying to provide better security than WEP.

AES is a more advanced encryption standard that was introduced in 2004 and is used in the newer WPA2 (Wi-Fi Protected Access 2) security protocol. AES provides stronger security than TKIP and is less susceptible to attacks. AES uses a symmetric key encryption algorithm, which means that the same key is used to encrypt and decrypt the data. AES uses a block cipher encryption method, which encrypts data in fixed-size blocks.

TKIP vs. AES: The main differences between TKIP and AES are:

  1. Strength: AES is considered to be a stronger encryption algorithm compared to TKIP, as it uses a 128-bit key size, while TKIP uses a 128-bit key size for message integrity checks and a 256-bit key size for encryption.
  2. Compatibility: AES is not backward compatible with older wireless devices, while TKIP is backward compatible with older devices that support WPA.
  3. Performance: AES is faster than TKIP and requires less processing power to encrypt and decrypt data.

Overall, AES is considered to be a more secure and efficient encryption algorithm compared to TKIP, and it is widely used in Wi-Fi networks today. However, some older wireless devices may only support TKIP, so it may still be necessary to support both encryption algorithms for backward compatibility.

Note #1: This example does not involve a discussion about WPA3.

Note #2: TKIP is now considered insecure and has been deprecated by the Wi-Fi Alliance, which is an organization that certifies Wi-Fi products.

RSN Details of the legitimate SSID

  1. The SSID does not support or advertise TKIP.
  2. The SSID supports WPA2/AES.

RSN Details of the rogue SSID

The rogue AP is advertising the weak cipher of TKIP in addition to AES.
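The indicators used in the frame comparison above (frame length, number of tagged parameters, and the cipher suites advertised in the RSN information element) can be checked programmatically. The following Python script is an added example, not code from the original post or from EAPHammer: it parses raw 802.11 Beacon frames, decodes the RSN IE, and compares each beacon with a baseline describing what the authorised AP is known to advertise. The two frames it parses are constructed for the example (the legitimate AP's BSSID aa:bb:cc:dd:ee:01, the tag-count threshold and the rest of the baseline are assumptions; the rogue BSSID reuses the hwaddr hostapd printed above). To use it on real traffic, feed it beacons from a capture with the radiotap header and FCS stripped.

```python
# Parser + baseline comparison for 802.11 Beacon frames (added example; sample frames are constructed).
import struct
from dataclasses import dataclass, field
BROADCAST = bytes.fromhex("ffffffffffff")
IEEE_OUI = bytes.fromhex("000fac")  # OUI of the standard RSN cipher/AKM suite selectors
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE"}
WEAK_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}

@dataclass
class Beacon:
    length: int          # whole frame length in bytes (no radiotap header, no FCS)
    bssid: str
    ssid: str
    tags: list           # (tag number, value) in wire order
    group_cipher: str = ""
    pairwise_ciphers: list = field(default_factory=list)
    akms: list = field(default_factory=list)

def parse_rsn(body):
    """Decode group cipher, pairwise ciphers and AKMs from an RSN IE body (tag 48)."""
    def suite(off, names):
        oui, kind = body[off:off + 3], body[off + 3]
        return names.get(kind, f"type-{kind}") if oui == IEEE_OUI else f"vendor-{oui.hex()}-{kind}"
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = suite(2, CIPHER_NAMES)
    (n_pair,) = struct.unpack_from("<H", body, 6)
    pairwise = [suite(8 + 4 * i, CIPHER_NAMES) for i in range(n_pair)]
    off = 8 + 4 * n_pair
    (n_akm,) = struct.unpack_from("<H", body, off)
    return group, pairwise, [suite(off + 2 + 4 * i, AKM_NAMES) for i in range(n_akm)]

def parse_beacon(frame):
    """Parse a raw Beacon: 24-byte MAC header, 12 bytes of fixed fields, then tagged IEs."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:  # management (type 0), subtype 8
        raise ValueError("not a Beacon frame")
    bssid = ":".join(f"{x:02x}" for x in frame[16:22])  # Addr3 carries the BSSID
    tags, off = [], 36  # skip timestamp(8) + beacon interval(2) + capability(2)
    while off + 2 <= len(frame):
        tag, ln = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + ln]
        if len(value) != ln:
            raise ValueError("truncated information element")
        tags.append((tag, value))
        off += 2 + ln
    b = Beacon(len(frame), bssid, "", tags)
    for tag, value in tags:
        if tag == 0:
            b.ssid = value.decode("utf-8", "replace")
        elif tag == 48:
            b.group_cipher, b.pairwise_ciphers, b.akms = parse_rsn(value)
    return b

def assess(b, baseline):
    """Return the rogue indicators for one beacon, judged against the authorised baseline."""
    ref = baseline.get(b.ssid)
    if ref is None:
        return ["SSID not in the authorised list"]
    findings = []
    if b.bssid not in ref["bssids"]:
        findings.append(f"unknown BSSID {b.bssid} advertising an authorised SSID")
    if len(b.tags) < ref["min_tags"]:
        findings.append(f"only {len(b.tags)} tagged parameters (baseline has at least {ref['min_tags']})")
    weak = WEAK_CIPHERS & set(b.pairwise_ciphers + [b.group_cipher])
    if weak:
        findings.append("weak cipher advertised: " + ", ".join(sorted(weak)))
    return findings

# --- constructed sample input; the helpers below only build test frames ---
def ie(tag, value):
    return bytes([tag, len(value)]) + value

def rsn_ie(group, pairwise, akms):
    sel = lambda kinds: b"".join(IEEE_OUI + bytes([k]) for k in kinds)
    body = (struct.pack("<H", 1) + IEEE_OUI + bytes([group]) + struct.pack("<H", len(pairwise))
            + sel(pairwise) + struct.pack("<H", len(akms)) + sel(akms) + struct.pack("<H", 0))
    return ie(48, body)

def build_beacon(bssid, ies):
    hdr = struct.pack("<HH", 0x0080, 0) + BROADCAST + bssid + bssid + struct.pack("<H", 0)
    return hdr + struct.pack("<QHH", 0, 100, 0x0411) + b"".join(ies)

COMMON = [ie(0, b"RAGNAR"), ie(1, bytes.fromhex("82848b960c121824")), ie(3, bytes([6])),
          ie(5, bytes([0, 1, 0, 0])), ie(42, bytes([0])), ie(50, bytes.fromhex("3048606c"))]
LEGIT = build_beacon(bytes.fromhex("aabbccddee01"), COMMON + [  # BSSID is an assumption
    ie(7, b"US" + bytes([1, 11, 20])), ie(45, bytes(26)), ie(61, bytes(22)),
    rsn_ie(4, [4], [2]), ie(127, bytes(8)), ie(221, bytes.fromhex("0050f202") + bytes(20))])
ROGUE = build_beacon(bytes.fromhex("001122334400"), COMMON + [  # the hwaddr hostapd printed above
    rsn_ie(2, [2, 4], [2]), ie(127, bytes(8))])  # TKIP group cipher, TKIP + CCMP pairwise, PSK
BASELINE = {"RAGNAR": {"bssids": {"aa:bb:cc:dd:ee:01"}, "min_tags": 10, "akms": ["PSK"]}}

def analyse_samples():
    parsed = {k: parse_beacon(v) for k, v in (("legit", LEGIT), ("rogue", ROGUE))}
    return {k: (b, assess(b, BASELINE)) for k, b in parsed.items()}

if __name__ == "__main__":
    for label, (b, findings) in analyse_samples().items():
        print(label, b.bssid, b.ssid, b.length, len(b.tags), b.group_cipher, b.pairwise_ciphers, findings)
```

Run directly, the script prints both beacons and their findings: the rogue one is flagged for an unknown BSSID, only eight tagged parameters, and the TKIP cipher suite, which are exactly the differences the frame comparison above relies on. The tag-count threshold is a heuristic; set min_tags from beacons captured from your own APs rather than from the constructed values here, and bear in mind that a rogue that clones the BSSID will only be caught by the content checks.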


Wireless rogue analysis can be challenging for several reasons, including:

  1. Signal interference: Wireless signals can be disrupted by various factors, such as walls, metal objects, and other electronic devices. This interference can make it difficult to detect rogue access points, especially in larger environments.
  2. Multiple access points: In a large organization, numerous access points may need to be monitored for rogue activity. This can make it challenging to track and analyze wireless traffic effectively.
  3. Dynamic nature of wireless networks: Wireless networks are highly dynamic and can change rapidly due to user mobility and environmental conditions. This makes it challenging to maintain a complete, up-to-date list of authorized access points.
  4. Encryption: Many wireless networks use encryption protocols to secure their communications. This can make it challenging to analyze network traffic and detect rogue access points, especially if the encryption keys are not readily available.
  5. False positives: Wireless rogue analysis tools may sometimes generate false positive alerts, leading to unnecessary investigations and wasted time and resources.

To address these challenges, organizations should use both automated and manual techniques for wireless rogue analysis, including regular network scans, wireless traffic monitoring, and analysis of access point configurations and logs. It is also essential to keep wireless network security policies up to date and to conduct regular security awareness training for employees to minimize the risk of rogue access points being introduced into the network.
