
Pentesting with Angry Oxide


Here’s your task: understand the capabilities first!

Passive recon running Angry Oxide from Rage Security, a tool that actively hunts for relevant EAPOL messages from access points and clients. It has options to target specific MAC addresses or SSIDs, a whitelist feature to protect certain networks, and an auto-hunt capability to scan across channels. The terminal UI displays data conveniently for use over SSH. It also limits the number of deauthentication frames to prevent authentication issues and validates the EAPOL 4-way handshake using various methods. Additionally, it can retrieve the PMKID from access points, uses GPSD, and writes pcapng files with embedded GPS information in Kismet format.

We’ve been working with Script Tactics to get this going on Raspberry Pis. We’ll post the rundown in our stories this week in an effort to onboard anyone wanting to conduct some air recon. We’ve also been using the password cracking book by Daniel Dieterle in conjunction with Angry Oxide. This is absolutely our favorite tool.

Here we’ll detail the attack tools and capabilities for further understanding.

  1. Targeting and Collection:
    • By default, ANGRY OXIDE will attack all access points within its range. However, if specific targets are supplied, the tool will limit its active transmissions to those defined targets while continuing to passively collect data on other access points.
  2. Authentication and Association:
    • The tool attempts the authentication/association sequence to generate and collect EAPOL Message 1 for PMKID collection.
  3. Hidden SSID Retrieval:
    • It attempts to uncover hidden SSIDs by sending undirected probe requests.
  4. Anonymous Reassociation:
    • Utilizes anonymous reassociation techniques to compel access points to deauthenticate their own clients, effectively bypassing Management Frame Protection (MFP).
  5. Channel Manipulation:
    • ANGRY OXIDE will attempt to send Channel Switch Announcements to redirect clients to adjacent channels.
  6. RSN Mode Downgrade:
    • It tries to downgrade Robust Security Network (RSN) modes to WPA2-CCMP by injecting probe responses.
  7. EAPOL M2 Collection:
    • The tool attempts to collect EAPOL Message 2 from stations using probe requests, simulating a rogue access point.
  8. Deauthentication Attacks:
    • By default, ANGRY OXIDE will send controlled deauthentication frames to clients unless the --nodeauth flag is specified.

Operational Security and Control

All attacks executed by ANGRY OXIDE are rate-controlled. This prevents erroneous EAPOL timer resets and maintains a certain level of operational security (OPSEC) by minimizing detection risks.
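From the monitoring side, three of the behaviours listed above leave frame-level traces: deauthentication or disassociation frames, Channel Switch Announcement elements, and probe responses whose RSN element differs from the one in the same BSSID's beacon. The Python below is an added example, not code from Angry Oxide or from this post; the function names, the low deauth threshold (chosen because the transmissions are rate-controlled), and the sample frames are assumptions constructed for illustration.

```python
from collections import Counter

SUBTYPES = {5: "probe-resp", 8: "beacon", 10: "disassoc", 12: "deauth"}
IE_CSA, IE_RSN = 37, 48  # element IDs: Channel Switch Announcement, RSN

def parse_mgmt(frame):
    """Parse a bare 802.11 management frame (no radiotap header, no FCS)."""
    subtype = SUBTYPES.get(frame[0] >> 4) if len(frame) >= 24 else None
    if subtype is None or frame[0] & 0x0C:  # bits 2-3 = type, 0 means management
        return None
    info = {"subtype": subtype, "bssid": frame[16:22].hex(":"), "ies": {}}
    if subtype in ("beacon", "probe-resp"):
        pos = 24 + 12  # skip timestamp(8) + beacon interval(2) + capabilities(2)
        while pos + 2 <= len(frame):
            eid, elen = frame[pos], frame[pos + 1]
            info["ies"][eid] = frame[pos + 2:pos + 2 + elen]
            pos += 2 + elen
    return info

def audit(frames, deauth_threshold=3):
    """Heuristic findings per BSSID; the threshold is an assumed, tunable value."""
    findings, kicks, beacon_rsn = [], Counter(), {}
    for f in filter(None, map(parse_mgmt, frames)):
        bssid, rsn = f["bssid"], f["ies"].get(IE_RSN)
        if f["subtype"] in ("deauth", "disassoc"):
            kicks[bssid] += 1
            if kicks[bssid] == deauth_threshold:
                findings.append(("deauth-burst", bssid))
        elif f["subtype"] == "beacon":
            beacon_rsn.setdefault(bssid, rsn)  # first beacon seen is the baseline
        elif bssid in beacon_rsn and rsn != beacon_rsn[bssid]:  # probe response
            findings.append(("rsn-mismatch", bssid))
        csa = f["ies"].get(IE_CSA, b"")
        if len(csa) >= 3:  # switch mode, new channel, count
            findings.append(("csa", bssid, csa[1]))
    return findings

# --- constructed sample frames (not captured traffic) ---
def build(subtype, dst, bssid, body=b""):
    return bytes([subtype << 4, 0, 0, 0]) + dst + bssid + bssid + bytes(2) + body

def ie(eid, data):
    return bytes([eid, len(data)]) + data

AP, STA, BCAST = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd99"), b"\xff" * 6
RSN_HEAD = bytes.fromhex("0100000fac040100000fac040100")  # version, CCMP group/pairwise, 1 AKM
RSN_SAE = ie(IE_RSN, RSN_HEAD + bytes.fromhex("000fac08c000"))  # SAE, MFP required
RSN_PSK = ie(IE_RSN, RSN_HEAD + bytes.fromhex("000fac020000"))  # PSK, no MFP
BEACON = build(8, BCAST, AP, bytes(12) + RSN_SAE)
SAMPLE = [BEACON, build(5, STA, AP, bytes(12) + RSN_PSK),
          BEACON + ie(IE_CSA, bytes([1, 11, 3]))] + [build(12, STA, AP, b"\x07\x00")] * 3
```

Calling audit(SAMPLE) returns one finding of each kind for the constructed BSSID. Real captures carry a radiotap header that must be stripped before these offsets apply.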

So what tools do we need?

Here’s where we practice our ABCDEs:

Antenna: Wi-Fi chipset (like Alfa Wireless)

Battery: LiPo to power the Raspberry Pi

Connections: pertinent cables

Device: Raspberry Pi Zero2W

Extras: SD card flashed with run on boot. Velcro hook & loop strips.


Further instructions on how to set up your Pi with Angry Oxide are on Script Tactics’ repository.
