I was assigned a wireless pen-test for a medium-sized network of access points. My initial reconnaissance using airodump-ng suggested a guest network and a corporate one.
I identified the wireless network used by guests/visitors as:
XGuestwifi
The other networks in the vicinity appeared to be corporate ones. All of these access points were using WPA to secure their network. I was not very hopeful, but the guest network at least was worth a shot: it makes more ‘sense’ for an organisation to keep an easy-to-remember password for frequent guest users.
To compromise this network, I needed to capture a proper four-way WPA handshake for it and then brute-force the handshake to find the right password. This meant working through thousands of candidate passwords from my list [built on top of rockyou.txt from Kali].
Below I list the steps I carried out to crack the WPA password and get access to the guest wifi:
Step I: Set up a monitor-mode interface while in range of the target wifi. I named it mon0.
Step II: Put the Alfa card into monitor mode and start sniffing and dumping packets for the target network (in this case the GUEST_WIFI network).
Step III: This confirmed that WPA-Personal was enabled on the GUEST access points. It also gave us the channel, band, BSSID and other details of the target network.
This time I also used a tool called wifite. It gave a more organized view of the access points in the target area, ordered by their signal power.
This is helpful because an access point with more clients and higher power is more likely to yield a complete handshake, and to yield it quickly.
As is clear from the screenshot, I used AP-3 for capturing the handshake.
Step IV: Next, start dumping the sniffed packets and wait for a client to connect to the wifi network. This captures the WPA handshake packets and saves them in a .pcap file for analysis.
This can be done with Wireshark, airodump-ng or other tools. I used the same tool as above (wifite) to dump the handshake packets to a pcap file.
Using Wifite:

[0:01:09] scanning wireless networks. 26 targets and 35 clients found

   NUM  ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   ---  --------------------  --  ----  -----  ----  ------
   1    ABCD                  11  WPA2  62db   n/a   clients
   2    ABC_GUEST             11  WPA2  61db   n/a   clients
   3    X_GUEST_WIFI          11  WPA2  61db   n/a   client
   4    Welcome               11  WPA2  58db   n/a   clients
   5    APPLE                 11  WPA2  58db   n/a
   6    Welcome               1   WPA2  54db   n/a   client
   . . .

[+] select target numbers (1-26) separated by commas, or 'all': 3,2
[+] 2 targets selected.

[0:08:20] starting wpa handshake capture on "X_GUEST_WIFI"
[0:07:29] new client found: 34:23:87:E3:F8:01
[0:07:13] listening for handshake...
[0:01:07] handshake captured! saved as "hs/XGUESTWIFI_00-26-CB-4C-CD-AB.cap"

[+] 1 WPA attacks succeeded
    GEP_GUEST_WIFI (00:26:CB:4C:CD:AB) handshake captured
    saved as hs/XGUESTWIFI_00-26-CB-4C-CD-AB.cap

[+] starting WPA cracker on 1 handshake
[!] no WPA dictionary found! use -dict <file> command-line argument
Step V: Following this, I used aircrack-ng and a password file [a customized rockyou.txt] to brute-force the pcap file for the key used in the handshake.
Step VI: I used this key to connect
to the network and access internal systems.
Note: In this case it took 3 hours and 40
minutes to crack the key for the guest network.
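The reason a guest passphrase can be recovered in a few hours is worth making concrete. WPA/WPA2-Personal derives its Pairwise Master Key with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, at a fixed 4096 iterations, so every candidate in a wordlist costs the same amount of work and the only thing that decides whether the key falls is whether the passphrase is in (or close to) the list. The following is an added example, not code from the original write-up; it uses only the Python standard library, a constructed five-entry wordlist standing in for rockyou.txt, and policy thresholds (16 characters, 3 character classes) that are this example's own choice rather than any standard. The `wpa_pmk` derivation itself follows IEEE 802.11i and is checked against the standard's published test vector (passphrase "password", SSID "IEEE").

```python
"""Why a guest WPA passphrase falls to a wordlist, and what a passphrase policy
should reject.  Added example, not code from the original write-up; it uses only
the Python standard library and a small constructed wordlist.

WPA/WPA2-Personal derives the Pairwise Master Key as
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
so each candidate costs 4096 HMAC-SHA1 rounds and the SSID acts as a salt, but a
passphrase that appears in a public wordlist is still recovered in hours.
"""
import hashlib
import string
import time

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32               # bytes


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA-PSK PMK exactly as the standard specifies."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def measure_guesses_per_second(ssid: str, samples: int = 50) -> float:
    """Rough single-core guess rate on this host, used for the estimate below."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"bench{i:06d}", ssid)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(wordlist_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every entry of a wordlist at the given rate."""
    return wordlist_size / guesses_per_second


# Constructed stand-in for a real wordlist such as rockyou.txt.
CONSTRUCTED_WORDLIST = {"password", "welcome1", "guest1234", "letmein", "Summer2014!"}

# Policy thresholds chosen for this example, not taken from any standard.
MIN_LENGTH = 16
MIN_CHAR_CLASSES = 3


def passphrase_policy_findings(passphrase: str, wordlist=CONSTRUCTED_WORDLIST) -> list:
    """Return the reasons a proposed guest passphrase should be rejected ([] = accepted)."""
    findings = []
    if passphrase in wordlist:
        findings.append("appears verbatim in the wordlist")
    if len(passphrase) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    present = sum(any(c in cls for c in passphrase) for cls in classes)
    if present < MIN_CHAR_CLASSES:
        findings.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    return findings


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    rate = measure_guesses_per_second("XGuestwifi")
    print(f"~{rate:,.0f} guesses/s on this host (pure Python, one core)")
    hours = seconds_to_exhaust(14_000_000, rate) / 3600
    print(f"exhausting a 14-million-entry wordlist would take ~{hours:,.1f} h at that rate")
    for candidate in ("guest1234", "correct-horse-battery-staple-9Q"):
        print(candidate, "->", passphrase_policy_findings(candidate) or "accepted")
```

The pure-Python rate printed by `measure_guesses_per_second` is orders of magnitude below what aircrack-ng or a GPU cracker achieves, so treat the printed estimate as an upper bound on how long a wordlist attack takes; the practical conclusion for a guest SSID is the one the policy function encodes: a long passphrase that is not in any public list, rotated when guests leave.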
Any attacker within broadcast range of the network or its access points could use similar or more sophisticated tools to crack the password and join the network. Since there are no restrictions on reaching internal servers and systems after joining the guest network, the network is exposed to external attacks and could be compromised easily.
Now that the guest wifi was cracked, it was time to explore
the network and move deeper.
I tried the same attack on the corporate wifi network, but it did not succeed.
Now that I was on the guest wifi, I started a ping sweep to check for other live devices/systems. During the sweep I found an interesting device.
To look into it further I ran a port scan against the device, which showed the HTTP port open. The wireless controller interface for the network was directly accessible, as shown below:
I searched for the default credentials for this series of Cisco wireless LAN controllers and used them to log in to the controller as admin.
From there I could see and access all the APs. As the admin user I also had the rights to change the configuration: add APs, add MACs for filtering, change passwords, enable/disable access points, and make any other change an admin could make. Unfortunately, this device was also the controller for the APs in the corporate network.
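Two defensive controls would have stopped this chain: a guest client should not be able to reach the controller's management interface at all (guest VLAN filtered from the management and internal ranges), and, as a last line, management logins and configuration changes that originate outside the management network should raise an alert, since the write-up's final point is that such access is otherwise never noticed. The following is an added example, not code from the original write-up and not Cisco's log format: the log lines, the address plan (10.10.250.0/24 as management, 192.168.200.0/24 as guest) and the key=value layout are all constructed for the example, so the regular expression would need adjusting for a real controller's syslog output.

```python
"""Flag wireless-controller management activity that originates from the guest
network.  Added example, not from the original write-up and not a Cisco log
format: the address plan and the key=value log layout below are constructed
for this example and must be adapted to a real controller's syslog output.
"""
import ipaddress
import re

# Constructed address plan: only the management range may administer the
# controller; guest clients should never be able to reach it at all.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.250.0/24")]
GUEST_NETS = [ipaddress.ip_network("192.168.200.0/24")]

# Vendor-default account names whose direct use is itself worth an alert.
DEFAULT_ACCOUNTS = {"admin"}

# Constructed log lines (not real controller output).
CONSTRUCTED_LOG = """\
2014-06-02T10:14:03 controller=wlc01 event=login user=admin src=10.10.250.5 result=success
2014-06-02T10:31:47 controller=wlc01 event=login user=admin src=192.168.200.37 result=failure
2014-06-02T10:31:52 controller=wlc01 event=login user=admin src=192.168.200.37 result=success
2014-06-02T11:02:10 controller=wlc01 event=config-change user=admin src=192.168.200.37 detail=ap-add
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) controller=(?P<ctl>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: result=(?P<result>\S+))?"
)


def parse_event(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def flag_events(lines):
    """Return (timestamp, event, source, reasons) for every suspicious event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] not in ("login", "config-change"):
            continue
        reasons = []
        if in_any(ev["src"], GUEST_NETS):
            # A guest client reaching the management plane means segmentation failed.
            reasons.append("source is on the guest network")
        elif not in_any(ev["src"], MANAGEMENT_NETS):
            reasons.append("source is outside the management network")
        if (ev["event"] == "login" and ev["user"] in DEFAULT_ACCOUNTS
                and ev.get("result") == "success"):
            reasons.append("successful login with vendor-default account name")
        if reasons:
            findings.append((ev["ts"], ev["event"], str(ev["src"]), reasons))
    return findings


if __name__ == "__main__":
    for ts, event, src, reasons in flag_events(CONSTRUCTED_LOG.splitlines()):
        print(f"{ts} {event:<14} from {src:<16} -> {'; '.join(reasons)}")
```

Run against the constructed lines, the first event (a default-account login from the management range) is flagged only for the account name, while the three events from the guest subnet are flagged as segmentation failures; the successful guest login and the subsequent AP-add change are exactly the sequence the write-up describes. Failed logins are kept in the output on purpose: the failure from the guest network is the earliest signal that someone is trying default credentials.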
Conclusion
This write-up demonstrates a dangerous combination of weak passwords and bad configuration. A default set-up such as this allows any outsider/attacker, and of course any insider, not only to access the internet through your network but also to compromise your whole network to any end [such as stealing your source code by accessing your corporate network]. Such incidents are subtle and can’t easily be traced or detected by the company.