
A lightning round of thought processes on Wi-Fi penetration testing.
Here’s a quick overview of a great tool created by s0lst1c3: EAPHammer, a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full-scope wireless assessments and red team engagements. As such, the focus is on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate just how fast this tool is, its Quick Start section provides an example of how to execute a credential-stealing evil twin attack against a WPA/2-EAP network in just commands.
So with a Wi-Fi network you can disconnect the client; they re-enter or resubmit their credentials into an evil twin or bad portal, and you’re in with that knowledge alone. After reading up on EAPHammer, this became our workflow. Our team over at American Sentinel ran it as a course of action, and we got some super cool feedback: it was user-friendly.
So here’s how we usually work with hardware and software combined.
We set up routersploit and a few other SSH services on ESP32 microcontrollers. Setting up the ESP32 with an antenna is optional. That little ESP32 basically has everything you need for passive reconnaissance. All you have to do is disconnect it and upload the SD card that sits onboard. Worst case scenario, your pcaps are jammed or encrypted, or the Wi-Fi 802.11 stack is heavily fortified or non-WPA2, which is rare and hardly ever the case. After pulling the additional information from your drone with the rigged ESP32 payload for passive reconnaissance, it’s important to look at and analyze your pcaps (packet captures). For this situation we used the one that never fails, shark tales, called WIRESHARK, a great program we talked about in a previous blog post. If you want to learn anything about Wireshark, check out Chris Greer’s masterclasses on YouTube. They’re free and data forensics on steroids.
A quick segue on how we use ESP32s and drones for reconnaissance.
How we connect the ESP32 to the wireless network is a pretty cool yet intricate setup. We take a repository of code written in C. From there we’re able to send data back over Transmission Control Protocol (TCP) across the wireless network, from a router, using our ESP32. Here it is if you want to go down the rabbit hole. Or you could simply use MQTT to send your ESP32 data to the desired computer or computers: install the MQTT broker software on your Raspberry Pi, connect the ESP32 to that broker, and publish your data to a specific topic. It’s a microcontroller, and technically you can transmit data between two ESP32s without a router. Technically you don’t really need an antenna either, because most have one built on board, but if you do, feel free to grab a PCB antenna or rig it to a higher-gain one. In addition, if you’re running a COTS drone, you can get ESP32-to-ESP32 data at around 500 m, simply because you have a better lobe, datalink, and RC communication when your drone is within line of sight and in the sky. The catch is that if you’re operating in a densely populated forest or a dense urban setting, you’ll have more interference. Nevertheless, the possibilities are truly endless!
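The TCP path above is just a byte stream: nothing in TCP itself marks where one capture chunk ends and the next begins, or tells the receiver on the Raspberry Pi side that a chunk arrived intact rather than truncated or garbled by a jammed link. The following is an added example, not code from this post or from the C repository it refers to, of the framing a receiver would want: each record carries a marker, a length and a SHA-256 digest, and a sender and receiver run in-process over a socket pair so it runs offline. The record layout and the `ESPC` marker are assumptions of this example, and MQTT is not shown because it needs a running broker.

```python
import hashlib
import socket
import struct
import threading

# Hypothetical framing, constructed for this example: marker, big-endian length, payload, SHA-256.
MARKER = b"ESPC"
HEADER = struct.Struct("!4sI")


def encode_record(payload):
    """Sender side: wrap one capture chunk so the receiver can find and verify it."""
    return HEADER.pack(MARKER, len(payload)) + payload + hashlib.sha256(payload).digest()


def recv_exact(sock, n):
    """Read exactly n bytes; None on a clean EOF before anything arrived, error if cut mid-record."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            if not buf:
                return None
            raise ConnectionError("stream closed mid-record")
        buf += chunk
    return bytes(buf)


def read_records(sock):
    """Receiver side: reassemble and verify records until the sender closes the stream."""
    records = []
    while (hdr := recv_exact(sock, HEADER.size)) is not None:
        marker, length = HEADER.unpack(hdr)
        if marker != MARKER:
            raise ValueError("lost framing: bad record marker")
        payload = recv_exact(sock, length)
        digest = recv_exact(sock, 32)
        if payload is None or digest is None:
            raise ConnectionError("stream closed mid-record")
        if hashlib.sha256(payload).digest() != digest:
            raise ValueError("integrity check failed, discarding record")
        records.append(payload)
    return records


def transfer(payloads, corrupt_last=False):
    """Run sender and receiver in-process over a socket pair; return what the receiver accepted."""
    sender, receiver = socket.socketpair()
    wire = b"".join(encode_record(p) for p in payloads)
    if corrupt_last:
        # Flip the last payload byte of the final record to simulate a garbled link.
        wire = bytearray(wire)
        wire[-33] ^= 0xFF
        wire = bytes(wire)

    def send():
        with sender:
            sender.sendall(wire)

    t = threading.Thread(target=send)
    t.start()
    try:
        with receiver:
            return read_records(receiver)
    finally:
        t.join()


if __name__ == "__main__":
    print(transfer([b"constructed pcap chunk 1", b"constructed pcap chunk 2"]))
```

The digest is an integrity check against accidental corruption only; an adversary on the path can recompute it, so a real field link still wants TLS (or MQTT over TLS) on top of this framing.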
Back on track…
Now, if you can run this over a Silvus spectrum-dominated network, pushing data or radio over IP is going to be incredibly helpful in masking your red teaming operations. But since you’re not being paid to operate on and pentest someone’s corporate enterprise, you can start with yourself and your home base location to identify pitfalls and vulnerabilities and to implement contrarian thinking.
The goal is to disconnect the client and get credentials:
Pretty straightforward, right? Stay task oriented. We use airodump-ng or aircrack-ng (essential to Wi-Fi pentesting), set the parameters, and double-check all bands within the scan. Usually a solid 30 seconds go by until we find a credible channel or a ping on a Wi-Fi network. By scanning, identifying, and locking in on a channel you’re able to look further into and analyze the pcaps found. The first set of pcaps will give you the client’s information, or in this case “your” SSID. You tally up the certificates used to deploy an attack, then ultimately launch it.
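Whether the pcaps come from the ESP32 or from an airodump-ng session, what an analyst scanning them in Wireshark (or a wireless IDS watching the same channel) looks for is the two signatures of the attack this post describes: a second BSSID advertising an existing SSID, and a burst of deauthentication frames aimed at a client. The following is an added example, not code from this post or from EAPHammer: it builds a small constructed capture of raw 802.11 management frames (pcap linktype 105, no radiotap header), parses it without external libraries, and flags both patterns. All MAC addresses, the SSID `CorpWiFi`, and the thresholds are constructed for the example.

```python
import struct
from collections import defaultdict

# pcap constants for raw 802.11 frames without a radiotap header.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_IEEE802_11 = 105
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12

# Constructed, locally administered addresses; not from any real network.
LEGIT_AP = bytes.fromhex("02a1b2c3d401")
ROGUE_AP = bytes.fromhex("02a1b2c3d402")
CLIENT = bytes.fromhex("02c1c1c1c101")
BROADCAST = b"\xff" * 6


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mgmt_header(subtype, dst, src, bssid):
    # Frame control: version 0, type 0 (management), subtype in the high nibble.
    return bytes([subtype << 4, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"


def beacon(bssid, ssid):
    # Fixed fields (timestamp, beacon interval, capabilities) then the SSID tag (id 0).
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    tag = bytes([0, len(ssid)]) + ssid.encode()
    return mgmt_header(SUBTYPE_BEACON, BROADCAST, bssid, bssid) + fixed + tag


def deauth(bssid, target, reason=7):
    return mgmt_header(SUBTYPE_DEAUTH, target, bssid, bssid) + struct.pack("<H", reason)


def build_pcap(frames):
    """Serialise (timestamp, frame) pairs into a little-endian pcap file."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11))
    for ts, frame in sorted(frames, key=lambda f: f[0]):
        sec, usec = divmod(round(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_frames(pcap):
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap of raw 802.11 frames (linktype 105)")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield sec + usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def parse_mgmt(frame):
    """Return the fields we need from a management frame, or None for any other frame."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 0:
        return None
    info = {"subtype": frame[0] >> 4, "src": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if info["subtype"] == SUBTYPE_BEACON:
        body, i = frame[36:], 0  # skip the 12 fixed bytes, then walk the tagged parameters
        while i + 2 <= len(body):
            tag, length = body[i], body[i + 1]
            if tag == 0:
                info["ssid"] = body[i + 2:i + 2 + length].decode("utf-8", "replace")
                break
            i += 2 + length
    elif info["subtype"] == SUBTYPE_DEAUTH and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def analyze(pcap, deauth_threshold=10, window=1.0):
    """Flag SSIDs advertised by more than one BSSID and sources sending deauth bursts."""
    ssid_bssids, deauth_times = defaultdict(set), defaultdict(list)
    for ts, frame in iter_frames(pcap):
        m = parse_mgmt(frame)
        if m is None:
            continue
        if m["subtype"] == SUBTYPE_BEACON and "ssid" in m:
            ssid_bssids[m["ssid"]].add(m["bssid"])
        elif m["subtype"] == SUBTYPE_DEAUTH:
            deauth_times[m["src"]].append(ts)
    findings = []
    for ssid, bssids in ssid_bssids.items():
        if len(bssids) > 1:  # legitimate multi-AP networks do this too; see the note below
            findings.append(("multi-bssid-ssid", ssid, sorted(bssids)))
    for src, times in deauth_times.items():
        times.sort()
        j = peak = 0
        for i, t in enumerate(times):  # sliding window: most deauths within `window` seconds
            while times[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= deauth_threshold:
            findings.append(("deauth-burst", src, peak))
    return findings


def sample_capture():
    """Constructed capture: a legitimate AP, a second AP cloning its SSID, then a deauth flood."""
    frames = [(i * 0.1, beacon(LEGIT_AP, "CorpWiFi")) for i in range(5)]
    frames += [(0.05 + i * 0.1, beacon(ROGUE_AP, "CorpWiFi")) for i in range(5)]
    frames += [(1.0 + i * 0.01, deauth(ROGUE_AP, CLIENT)) for i in range(25)]
    frames.append((3.0, deauth(LEGIT_AP, CLIENT)))  # a single deauth is ordinary housekeeping
    return build_pcap(frames)


if __name__ == "__main__":
    for finding in analyze(sample_capture()):
        print(finding)
```

A shared SSID across several BSSIDs is normal for any multi-AP deployment, so the first finding needs correlating with vendor OUI, channel and signal strength before calling it a twin. The second finding is the one that goes away when the network enables Protected Management Frames (802.11w), since clients then ignore unauthenticated deauthentication frames.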
In all honesty, I feel airgeddon was the best tool for a long time. Aircrack was just as cool. But for operational reasons and ease of use, EAPHammer is the way forward for the rest of 2023. Glad there are only a few months left in this year.
Field toolkit.
A simple Wi-Fi antenna, connected to a microcontroller like an ESP32 or Raspberry Pi Pico, connected to a Gbox, connected to solar panels for power, connected to whatever else you’d like: that is usually the field EAPHammer pentesting kit.