Wednesday, 15 February 2023

 

WPA2-PSK Attack



I used an Alfa AWUS036NHA and also have an AWUS036ACH, which is dual band so it will do 2.4 and 5 GHz, but it costs a bit more. Use my link to buy, because they're affiliate links and the sugar tax on Coca-Cola is killing me! You could get a TP-Link dongle that will do monitor mode for less, but what's the point? Let's face it, you won't do many wireless attacks, but having the range an Alfa provides is awesome when on holiday and everyone's gathered near reception and you're chillin' on your balcony thanks to the Alfa. Anyway... again...

In the early 2000s, when people started putting wireless networks in their homes, most routers did not come with authentication pre-configured, and when users did enable a security protocol, the standard at the time was WEP (Wired Equivalent Privacy), which proved to be badly flawed and very quick and easy to crack. Because of this, manufacturers moved to WPA2-PSK (Wi-Fi Protected Access 2, Pre-Shared Key) and shipped products with WPA2 enabled by default.

The weakness in WPA2-PSK lies in how a device authenticates: during the 4-way handshake, material derived from the pre-shared key is exchanged, so a captured handshake can be attacked offline. By de-authenticating devices from the network, forcing them to reconnect, we can capture the 4-way handshake and attempt to crack the password.

Summary of task: obtain the plain-text password for the target access point (my home wireless access point) using a Kali Linux VirtualBox VM.

Walkthrough

The first step is to put the network card into monitor mode.

airmon-ng start wlan0

Then start looking at what traffic we can see, which will give us the BSSID of our target.

airodump-ng wlan0mon


Now that we have the target BSSID and the channel, we can focus on the correct access point. -c sets the channel, in this case 6. The filename can be anything; I'd recommend something like the ESSID to keep it unique but memorable.

airodump-ng --bssid 70:xx:xx:xx:xx:8a -c 6 --write filename wlan0mon

In a new terminal we can now deauth clients from the network in order to capture the handshake.

aireplay-ng --deauth 100 -a 70:xx:xx:xx:xx:8a wlan0mon

At this point my kids were watching Netflix and they didn't notice that they'd been deauthed from the network, as the reconnection happened fast enough that the film's playback was not affected. This means the attack can go unnoticed, and at this point I still hadn't connected to the network.

After the deauth we go back to the terminal running airodump and check whether the handshake was captured. In my case it was. If there isn't a lot of traffic on the network, a few attempts may be required, but as long as there is a device connected it will eventually capture the handshake.
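The flip side of "it went unnoticed" is that a deauth burst is very loud at the frame level: a hundred deauthentication frames in the AP's name within a second or two looks nothing like a client genuinely leaving. As an added example (not code from the original post), here is the kind of check a wireless IDS runs. The log format is a constructed, simplified one ("epoch seconds, source MAC, destination MAC, frame type"), roughly what `tshark -T fields` would give from a monitor-mode capture; the MAC addresses are locally-administered placeholders, not the BSSID from the post.

```python
"""Detect deauthentication floods in a log of 802.11 management frames.

Added example, not from the original post. The log format is a constructed,
simplified one ("<epoch seconds> <source MAC> <destination MAC> <frame type>"),
roughly what `tshark -T fields` gives from a monitor-mode capture or what a
WIDS would feed you; the addresses are locally-administered placeholders.
"""
from collections import defaultdict, deque

AP_MAC = "02:00:00:00:00:01"      # constructed placeholder, not the post's BSSID
CLIENT_MAC = "02:00:00:00:00:02"  # constructed placeholder
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_sample_log():
    """Construct a small log: normal traffic, one genuine client disconnect,
    a 40-frame broadcast deauth burst sent in the AP's name, then the client
    re-associating (which is when the 4-way handshake would be visible)."""
    t = 1676472000.0
    lines = [
        f"{t:.2f} {AP_MAC} {BROADCAST} beacon",
        f"{t + 0.1:.2f} {CLIENT_MAC} {AP_MAC} data",
        f"{t + 0.5:.2f} {CLIENT_MAC} {AP_MAC} deauth",   # client leaving on its own
    ]
    lines += [f"{t + 1 + i * 0.02:.2f} {AP_MAC} {BROADCAST} deauth" for i in range(40)]
    lines += [
        f"{t + 2.0:.2f} {CLIENT_MAC} {AP_MAC} auth",
        f"{t + 2.1:.2f} {CLIENT_MAC} {AP_MAC} assoc",
        f"{t + 2.2:.2f} {AP_MAC} {CLIENT_MAC} eapol",
    ]
    return lines


def parse_line(line):
    ts, src, dst, ftype = line.split()
    return float(ts), src.lower(), dst.lower(), ftype


def detect_deauth_floods(lines, threshold=10, window=5.0):
    """Return one alert per source address whose deauth/disassoc frames reach
    `threshold` within any `window`-second sliding interval. A single deauth
    (a client really leaving) stays well under the threshold."""
    recent = defaultdict(deque)   # src -> timestamps of recent deauth frames
    alerts = {}
    for line in lines:
        ts, src, dst, ftype = parse_line(line)
        if ftype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(src, {}).get("count", 0):
            alerts[src] = {"src": src, "count": len(q), "first_seen": q[0],
                           "last_seen": ts, "broadcast": dst == BROADCAST}
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for a in detect_deauth_floods(build_sample_log()):
        print(f"deauth flood from {a['src']}: {a['count']} frames "
              f"between {a['first_seen']:.2f} and {a['last_seen']:.2f}")
```

The threshold and window are tuning knobs; the point is that rate, not presence, is the signal, because single deauth frames are normal. The real fix on the AP side is Protected Management Frames (802.11w), which authenticate deauth and disassoc frames so a forged one is simply ignored by the client.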




Now that we have the handshake, let's try to crack the password with aircrack-ng using the rockyou.txt password list that comes with Kali (on a fresh install it is compressed as rockyou.txt.gz and needs to be unzipped first).

aircrack-ng filename-01.cap -w /usr/share/wordlists/rockyou.txt



Phishing to Crack WPA – An Alternative Method

If a password is not in the password list and is unlikely to be brute-forced, an alternative is to phish for the password. Using Fluxion, a Linux tool available on GitHub, we can do just that. Two network cards capable of monitor mode are needed for the attack. Once both cards have been selected, specify the target access point. Next set the attack type to Hostapd and use the aircrack-ng option to get the handshake. This is the same as how I got the handshake earlier, but more automated. Select Deauth target; once the handshake is captured, select the check handshake option and create an SSL certificate. The next step is to create the fake login page. Once done, the targeted network's connected users will be deauthed and reconnected to the Fluxion man-in-the-middle network, which prompts the user with a phishing login page to enter the WPA key. When they enter a key, it is checked against the captured handshake. If the key is wrong, they are prompted to enter it again; otherwise they are allowed back onto the network and we have the key.

I did not attempt this, as I would have had to do it on my home network to ensure I had the correct permissions to stay within the scope of this assignment, and if anything breaks I'm the one that fixes it; it is also not a realistic test if I pretend to fall for my own phishing attack.

 

Solutions and Conclusion

Full disclosure: I added the password to the password list, but this was because I simply did not have the time to brute-force it, as this would have taken approximately 2.5 days. One issue is that 2.5 days is not a long time for someone who really wants to get access to a network. There are a few places online (I found a good list on Hak5's forums) that detail how different vendors and manufacturers format their default passwords, which vastly limits the possibilities and makes brute-force attacks much quicker; but using as long a password as possible, made of random letters, numbers and symbols, makes this kind of attack useless, as it would take even a high-end PC longer to crack than the Earth has existed. Another issue is that people do not change the default login on their routers, and an attacker who gets access to their network is free to change the defaults and change the passwords if they want.
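To put numbers on "2.5 days" versus "longer than the Earth has existed", and on why the handshake section earlier says the attack is offline, here is an added example (not the post's own code). It derives the WPA2 PMK exactly as IEEE 802.11i defines it (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), which is the cost every guess of an offline cracker has to pay, and then estimates worst-case crack times for a few constructed password policies. The guess rate used for the estimates is an assumed round figure for illustration, not a benchmark; the policies are constructed examples, with the short numeric one standing in for the vendor-style formats mentioned above.

```python
"""What an offline WPA2-PSK guess actually costs, and why passphrase choice
decides the outcome.

Added example, not the post's own code. The PMK derivation is the one defined
in IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit key);
the guess rate used for the estimates is an assumed figure for illustration.
"""
import hashlib
import math
import time

ASSUMED_GUESSES_PER_SECOND = 100_000  # assumption for illustration, not measured


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The handshake's MIC is derived from this (via the PTK), so a cracker has
    to redo these 4096 HMAC rounds for every candidate passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def measure_guess_rate(ssid="IEEE", guesses=200):
    """Rough single-core CPU guesses/second on this machine, for comparison
    with the assumed figure above."""
    start = time.perf_counter()
    for i in range(guesses):
        wpa2_pmk(f"candidate{i}", ssid)
    return guesses / (time.perf_counter() - start)


def entropy_bits(charset_size, length):
    """Bits of entropy for a uniformly random passphrase of this shape."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst case: every passphrase in the keyspace tried once."""
    return charset_size ** length / guesses_per_second


def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Constructed policies for comparison: (charset size, length, description)
POLICIES = [
    (10, 8, "8 digits (constructed stand-in for a short vendor-style format)"),
    (36, 10, "10 lower-case letters and digits"),
    (94, 16, "16 random printable ASCII characters"),
]


if __name__ == "__main__":
    # Known-answer check: IEEE 802.11i test vector, passphrase "password", SSID "IEEE"
    print("PMK('password', 'IEEE') =", wpa2_pmk("password", "IEEE").hex())
    print(f"this CPU: ~{measure_guess_rate():,.0f} guesses/s (single core)")
    for cs, ln, desc in POLICIES:
        print(f"{desc}: {entropy_bits(cs, ln):.1f} bits, worst case "
              f"{human_time(seconds_to_exhaust(cs, ln))} at {ASSUMED_GUESSES_PER_SECOND:,}/s")
```

Two things fall out of running it. First, the 4096-iteration PBKDF2 is what makes WPA2 guessing slow per candidate, so the time measured on a plain CPU is far below what a GPU rig reaches, and the attacker's budget, not yours, sets the rate. Second, the structure of the password matters more than the rate: an 8-digit scheme is gone in minutes at the assumed rate, while 16 random printable characters stays out of reach by a margin that no realistic hardware closes, which is exactly the "longer than the Earth has existed" point above.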

It is crucial that all passwords are changed and that they are in fact strong passwords. In my opinion, manufacturers and providers should enforce that defaults are changed. Some ship random login details that are difficult to crack, but I think users need to be educated, and if the system insisted on them changing the passwords and enforced stronger ones, this type of attack would become redundant. It is a trade-off, as companies make products that are user-friendly and need minimal setup, but with all the media attention that black hats and state-sponsored hackers have received recently, in my opinion users are more likely to be happy to do this, as it will make them feel more secure.

 

Introduction To Web Application Security



The OWASP (Open Web Application Security Project) community releases a Top 10 of common web application vulnerabilities, ranked by severity and how common they are. I will explain each vulnerability, what causes it, and suggest some solutions. (soon..)

See https://owasp.org/www-project-top-ten/

(You should just go to their site; the rest of this post is copied from there and all links go to them.)

  • A01:2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category.
  • A02:2021-Cryptographic Failures shifts up one position to #2, previously known as Sensitive Data Exposure, which was broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography which often leads to sensitive data exposure or system compromise.
  • A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition.
  • A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.
  • A05:2021-Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.
  • A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.
  • A07:2021-Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.
  • A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.
  • A09:2021-Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
  • A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.





Tuesday, 14 February 2023

Hack This Site - Basic Challenges - Guide

Hack This Site - Basic Challenges (all 10) guide (not walkthrough!)


Introduction

The internet is full of walkthroughs and guides that give you the solution. I could write those, but that takes away from your sense of victory. Rather than a "this is how you do it", I will write hints and "this is how this concept works". So let's begin..


RANT: I'm going to repeat this over and over again, but there is no shortcut into cyber security, and if you think I'm going to give you a guide you can flick through in half an hour and then hack NASA, that is a million miles from reality. To actually exploit a real-world system you first need to understand the workings of that technology well enough to guess what the developers did. You might get lucky with a Metasploitable service, but I can almost 100% guarantee (unless you got there first in a bug bounty) you will get caught. Basically: study hard, do not break the law and, most importantly, stop looking for shortcuts. Always make sure you only target either your own machines or ones you have permission for, and if you don't fully understand how to ensure you hit the right target, do not launch even an nmap scan.


Anyway, Hack This Site has some really cool, simple enough challenges we can do with just a web browser, so let's do them!


The Guide


Basic 1 - OK, this is called the idiot test, so I don't have any guidance here. You're on your own for this one.

On a completely unrelated note, something I've seen a lot of students do, and it's really bad practice, is store creds in comments in code. The issue is forgetting to remove the comments. It's maybe worse than forgetting to change from default creds.
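Since "forgetting to remove the comments" is the failure mode, the cheap fix is a check that refuses to let them ship. As an added example (not code from the original post or from the challenge site), this small scanner pulls out HTML, block and line comments and flags any that mention credential-like keywords. The page fragment it scans is constructed for the example, and the keyword list is a starting point rather than a full secret-scanning ruleset.

```python
"""Flag credentials left in source-code comments.

Added example, not from the original post or the challenge site. The HTML
snippet below is constructed for the example; the keyword list is a starting
point, not a complete secret-scanning ruleset.
"""
import re

# Constructed sample page: one leftover credential in an HTML comment, one in a
# JS line comment, one in a block comment. Nothing here is real.
SAMPLE_SOURCE = """\
<!DOCTYPE html>
<!-- TODO remove before release: admin login is admin / Summer2023! -->
<form method="post" action="/login">
  <input name="user"><input name="pass" type="password">
</form>
<script>
  // old key, no longer used: api_key = "EXAMPLE-NOT-A-REAL-KEY"
  function check(u, p) { return fetch('/login', {method: 'POST'}); }
  /* the db password is hunter2 */
</script>
"""

# Comment syntaxes covered: HTML, C-style block, and line comments. The lookbehind
# on the line pattern keeps "https://..." inside strings from counting as a comment.
COMMENT_PATTERNS = {
    "html": re.compile(r"<!--(.*?)-->", re.S),
    "block": re.compile(r"/\*(.*?)\*/", re.S),
    "line": re.compile(r"(?<!:)//(.*)$", re.M),
}

# Words that should make a reviewer look twice when they appear in a comment.
CRED_KEYWORDS = re.compile(
    r"\b(pass(word|wd|phrase)?|pwd|api[_-]?key|secret|token|cred(ential)?s?|login)\b",
    re.I,
)


def find_credentials_in_comments(source):
    """Return findings sorted by line number; each is {line, kind, text}."""
    findings = []
    for kind, pattern in COMMENT_PATTERNS.items():
        for m in pattern.finditer(source):
            text = m.group(1).strip()
            if CRED_KEYWORDS.search(text):
                line_no = source.count("\n", 0, m.start()) + 1
                findings.append({"line": line_no, "kind": kind, "text": text})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in find_credentials_in_comments(SAMPLE_SOURCE):
        print(f"line {f['line']:>3} ({f['kind']} comment): {f['text']}")
```

Wire something like this into a pre-commit hook or CI step and the comment never reaches the server in the first place; the more general tools (gitleaks, trufflehog and the like) do the same job with far larger rulesets, but the principle is identical.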


Basic 2 - This is a great one because it highlights that you need to first understand how the system works before you can exploit it. 

I'll expand on what the task says. When the submit button is clicked, it will compare the input to the content of the file… that Sam… HINT: it's far easier than you think, and if you get stuck, sometimes just clicking stuff works.


Basic 3 - We can use the URL bar to try to navigate to any page. Inspect element is our friend.


Basic 4 - PHP runs server-side, which lets the devs hide what's actually happening from the user. Sam should have hard-coded his email into the PHP; then we'd never see it, but he hasn't.

Hint: having his email address is relevant; we don't care what his email is. Hint 2: when HTML submits data to PHP, it's passing values to variables in code that is then executed to perform whatever function. This is how code injection works, but you don't want to inject code.


Basic 5 - Sometimes devs think they've fixed a problem and they haven't. This is why it's important to learn how the hack works, so that when you do patch systems, the patches actually work!

Basic 6 - encrypt a lot of a's (aaaaaaaaaaaaa) and use this..

HINT: The encrypted password (for me, but I'm told it's random for everyone) is 07c9i6:8; the first decrypted digit is 0, the second is 6.


Basic 7 - This is some basic code injection. A semicolon ends a line of code. In other unrelated news, ls lists the contents of a directory in Linux. Then add the file to the end of the URL.


Basic 8 - This is a server-side include attack, see here. Remember you're looking for a PHP file.

If you manage to get this..

Well done. I should now mention that to go up a directory you use ../ (that's up one, ../../ is up two, etc.)


Basic 9 - after the domain name in the URL, it's a path/file structure on the server. HINT: modify what you just did. HINT 2: with a number.
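Basics 8 and 9 both come down to the server building a filesystem path out of something the user typed, and the ../ trick from above is exactly what the fix has to rule out. As an added example (not code from the original post or the challenge site), here is the check a server should do before opening a user-named file: decode, resolve, and then confirm the result still lives under the document root. BASE_DIR is an assumed root for the example, and the paths are handled as POSIX paths in memory so it runs without touching the disk.

```python
"""Resolve a user-supplied path inside a document root without letting it escape.

Added example, not from the original post or the challenge site. BASE_DIR is an
assumed document root; the paths are checked as POSIX paths in memory, so this
runs without touching the filesystem.
"""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/files"  # assumption for the example


def safe_resolve(base_dir, requested):
    """Return the absolute path the request maps to inside base_dir, or None
    if it would escape (../ chains, absolute paths, encoded variants, NULs)."""
    decoded = unquote(requested)          # validate *after* decoding, as the server sees it
    if not decoded or "\x00" in decoded:
        return None
    if decoded.startswith("/"):           # join() would discard base_dir for an absolute path
        return None
    root = base_dir.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, decoded))  # collapses ../ and ./
    if candidate == root or not candidate.startswith(root + "/"):
        return None                       # resolved outside the root (or to the root itself)
    return candidate


if __name__ == "__main__":
    # Constructed requests: two legitimate, the rest attempts to leave the root
    for req in ["report.txt", "sub/../a.txt", "../../etc/passwd",
                "..%2F..%2Fetc%2Fpasswd", "/etc/passwd", ".", "a%00.txt"]:
        print(f"{req!r:28} -> {safe_resolve(BASE_DIR, req)}")
```

On a real filesystem, run the candidate through os.path.realpath as well, so a symlink inside the root pointing outside it is caught too; and note that the check sits after URL decoding on purpose, because validating the raw, still-encoded string is how "..%2F" slips past.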


Basic 10 - Sometimes we don't even need a password.. It's all about cookies! There are a few ways I can think of doing this; if you want to fire up a Kali box, go ahead and intercept, but this can be done in the browser. HINT: browser extensions like "EditThisCookie" for Chrome make cookie editing very easy in the dev tools.
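The lesson behind Basic 10 is that anything stored in the browser belongs to the user, so a server that reads "am I logged in?" straight out of a cookie has delegated its authentication decision to whoever holds the cookie editor. As an added example (not code from the original post or the challenge site), the block below puts the unsafe pattern next to the fix: the server signs the cookie body with an HMAC under a key only it knows, and refuses any cookie whose tag no longer matches. SECRET_KEY is a constructed value, and edit_cookie_body just reproduces what the browser extension does, so you can see the verifier reject the result.

```python
"""Why a cookie the server merely reads back is not an authentication decision.

Added example, not from the original post or the challenge site. SECRET_KEY is
a constructed value; the two parsers show the unsafe pattern (trust whatever the
cookie says) beside the safe one (verify an HMAC before trusting the contents).
"""
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-example-key-keep-this-server-side"  # assumption


def _encode(payload):
    """JSON -> URL-safe base64 (never contains '.', so '.' can separate the tag)."""
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def parse_unsigned(cookie):
    """The unsafe pattern: decode the cookie body and believe it."""
    body = cookie.split(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(body))


def sign_cookie(payload):
    """Safe pattern, issue side: body.tag where tag = HMAC-SHA256(key, body)."""
    body = _encode(payload)
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie):
    """Safe pattern, read side: recompute the tag and compare in constant time;
    any edit to the body invalidates it. Returns the payload or None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def edit_cookie_body(cookie, new_payload):
    """What a browser-side cookie editor amounts to: swap the body, keep the old tag."""
    _, _, tag = cookie.rpartition(".")
    return f"{_encode(new_payload)}.{tag}"


if __name__ == "__main__":
    issued = sign_cookie({"user": "sam", "admin": False})
    edited = edit_cookie_body(issued, {"user": "sam", "admin": True})
    print("unsigned parser on edited cookie: ", parse_unsigned(edited))   # believes the edit
    print("verifying parser on edited cookie:", verify_cookie(edited))    # None: rejected
    print("verifying parser on issued cookie:", verify_cookie(issued))
```

Signing stops tampering, not reading: the body is still plain base64, so nothing secret goes in it, and a stolen cookie still replays until it expires, which is why most frameworks go one step further and keep the session state server-side with only a random identifier in the cookie.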

Conclusion

So all of these can be done in the browser, so no specialist tools are needed, but they do need some knowledge of how web technologies work (even if basic). But, assuming you didn't cheat, how good does exploiting stuff (legally) feel?!


Going ahead I will cover the realistic challenges and move on to some VMs and web apps. Small chance I'll cover wireless attacks, because my students are likely not to listen to the safety stuff and de-auth their friends! Maybe I can implement a disclaimer/terms of sorts. But this is supposed to be a blog post and it's in a Google Doc because I haven't worked out how I'm building the website yet.

