I was assigned a wireless pen-test of a medium-sized network of access points. Initial reconnaissance with airodump-ng showed two kinds of network: a guest network and corporate ones.
I identified the wireless network used by guests and visitors to be:
The other networks in the vicinity appeared to be corporate ones. All of these access points were protected with WPA2 pre-shared keys. I was not very hopeful, but the guest network was at least worth a shot: a network used by a steady stream of visitors is the one most likely to have an easy-to-remember password.
To compromise this network I needed to capture a complete WPA four-way handshake and then run a dictionary attack against it to recover the pre-shared key. That meant working through every candidate password in my wordlist [built on top of rockyou.txt from Kali].
Below I list the steps I carried out to crack the WPA password to get access to the Guestwifi:
Step I: While within range of the target network, put the wireless card into monitor mode. The monitor interface was mon0.
Step II: With the Alfa card in monitor mode, start sniffing and dumping packets for the target network (in this case the GUEST_WIFI network).
Step III: This confirmed that WPA-Personal (pre-shared key) was enabled on the guest access points, and also gave the channel, band, BSSID and other details of the target network.
This time I also used a tool called wifite. It gives a tidy listing of the access points in range, sorted by signal power.
This is helpful because an access point with more clients and a stronger signal is more likely to yield a complete handshake, and to do so quickly.
As the screenshot shows, I used AP-3 to capture the handshake.
Step IV: Next, keep dumping the sniffed packets and wait for a client to connect (or reconnect) to the network. Its authentication produces the WPA handshake packets, which are saved to a .pcap file for analysis.
This can be done with Wireshark, airodump-ng or other tools; I used the same tool as above (wifite) to dump the handshake packets to a pcap file.
[0:01:09] scanning wireless networks. 26 targets and 35 clients found
NUM ESSID CH ENCR POWER WPS? CLIENT
--- -------------------- -- ---- ----- ---- ------
1 ABCD 11 WPA2 62db n/a clients
2 ABC_GUEST 11 WPA2 61db n/a clients
3 X_GUEST_WIFI 11 WPA2 61db n/a client
4 Welcome 11 WPA2 58db n/a clients
5 APPLE 11 WPA2 58db n/a
6 Welcome 1 WPA2 54db n/a client
. . .
[+] select target numbers (1-26) separated by commas, or 'all': 3,2
[+] 2 targets selected.
[0:08:20] starting wpa handshake capture on "X_GUEST_WIFI"
[0:07:29] new client found: 34:23:87:E3:F8:01
[0:07:13] listening for handshake...
[0:01:07] handshake captured! saved as "hs/XGUESTWIFI_00-26-CB-4C-CD-AB.cap"
[+] 1 WPA attacks succeeded
X_GUEST_WIFI (00:26:CB:4C:CD:AB) handshake captured
saved as hs/XGUESTWIFI_00-26-CB-4C-CD-AB.cap
[+] starting WPA cracker on 1 handshake
[!] no WPA dictionary found! use -dict <file> command-line argument
Step V: I then ran aircrack-ng with a password file [a customized rockyou.txt] against the captured pcap to find the pre-shared key that produces the MIC seen in the handshake.
Step VI: I used this key to connect to the network and access internal systems.
Note: In this case it took 3 hours and 40 minutes to crack the key for the guest network.
Any attacker within radio range of the network or one of its access points could use the same or more sophisticated tools to recover the password and join the network. And because nothing restricts access to internal servers and systems once a device is on the guest network, the whole network is exposed to outsiders and could be compromised easily.
Now that the guest wifi was cracked, it was time to explore the network and move deeper.
I tried the same attack on the corporate wifi network however it did not succeed.
Now that I was on the guest wifi, I started a ping sweep to find other live devices and systems. During the sweep I found an interesting device.
To check it out further I port-scanned the device and found the HTTP port open. The wireless controller interface for the network was reachable directly, as shown below:
I looked up the default credentials for this series of Cisco wireless LAN controllers and used them to log into the controller as admin.
From there I could see and manage all the APs. As the admin user I also had the rights to change the configuration: add APs, edit MAC filtering, change passwords, enable or disable access points, and make any other change an administrator could. Unfortunately, this device was also the controller for the APs of the corporate network.
This write-up demonstrates a dangerous combination: a weak password and a default configuration. A set-up like this lets any outsider (and of course any insider) not only use your internet connection but compromise your whole network to any end, such as stealing your source code by reaching the corporate network. Such incidents are subtle and are not easily traced or detected by the company.