New Job-Role Training Path: Active Directory Penetration Tester! Learn More

Attacking WPA/WPA2 Wi-Fi Networks

This module explores the security challenges of WPA and WPA2 Wi-Fi networks, focusing on WPA/WPA2-Personal and WPA/WPA2-Enterprise. Although these protocols aim to secure wireless communication, attackers can exploit various weaknesses in home and enterprise environments. This module will delve deeper into WPA-Personal and WPA-Enterprise, demonstrating multiple attack vectors to compromise each. Understanding these attack vectors will give you insight into the vulnerabilities that could compromise WPA/WPA2 networks and how to secure them.

4.67

Created by Sentinal
Co-Authors: N1tr0x

Medium Offensive

Summary

Wi-Fi Protected Access (WPA) and its successor, WPA2, are security protocols designed to protect wireless networks by encrypting data and controlling access. WPA/WPA2 can operate in two modes: Personal (PSK) and Enterprise (MGT). The Personal mode uses a pre-shared key (PSK) for authentication, commonly used in home and small office networks. Enterprise mode, on the other hand, relies on the 802.1X standard and RADIUS servers to handle user authentication, providing greater control and scalability for larger organizations. In this module, we will delve deeper into both WPA-Personal and WPA-Enterprise, demonstrating various attack vectors to compromise each.

In this module, we will cover:

  • Wi-Fi Protected Access Overview
  • WPA/WPA2 Personal (PSK) Attacks, such as:
    • WPS Bruteforce
    • 4-Way Handshake Capture
    • PMKID Attack
  • WPA/WPA2 Enterprise (MGT) Attacks, such as:
    • Bruteforce Attack
    • EAP Downgrade Attack
    • Enterprise Evil-Twin Attack
    • PEAP Relay Attack
    • EAP-TLS Abuse
    • Cracking EAP-MD5
  • Skills Assessment

This module is broken down into sections with accompanying hands-on exercises to practice each of the tools, tactics, and techniques we cover. There are no specific WiFi hardware requirements for this module, as Hack The Box manages all necessary resources. You will need to RDP into the provided attacker VM to perform the exercises.

As you work through the module, you will see example commands and command outputs for the various tools and topics introduced. Reproducing as many examples as possible is recommended to reinforce the concepts presented in each section.

You can start and stop the module at any time and pick up where you left off. There is no time limit or grading, but you must complete all of the exercises and the skills assessments to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

This module is classified as "Medium" and assumes a working knowledge of Linux systems and network fundamentals. Prior familiarity with the following topics is recommended for successful completion of this module:

Wi-Fi Protected Access Overview

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are security certification programs developed by the Wi-Fi Alliance after the year 2000 to secure wireless networks. These standards were introduced in response to significant vulnerabilities discovered in the earlier Wired Equivalent Privacy (WEP) system.

In this module, we will specifically focus on WPA and WPA2, exploring their security features and potential vulnerabilities.

Wi-Fi Authentication Types

The following diagram illustrates the different Wi-Fi authentication types. For this module, our primary focus will be on Wi-Fi Protected Access, specifically WPA and WPA2.

image

  • WPA (Wi-Fi Protected Access): Introduced as an interim improvement over WEP, WPA offers better encryption through TKIP (Temporal Key Integrity Protocol), but it is still less secure than newer standards.
  • WPA2 (Wi-Fi Protected Access II): A significant advancement over WPA, WPA2 uses AES (Advanced Encryption Standard) for robust security. It has been the standard for many years, providing strong protection for most networks.

WPA has two modes:

  • WPA-Personal: It uses pre-shared keys (PSK) and is designed for personal use (home use).
  • WPA-Enterprise: It is especially designed for organizations.

Later in the module, we will delve deeper into both WPA-Personal and WPA-Enterprise, demonstrating various attack vectors to compromise each.

WPA/WPA2 Personal (PSK)

Wi-Fi Protected Access (WPA) Personal was created to replace Wired Equivalent Privacy (WEP). WPA originally implemented the Temporal Key Integrity Protocol (TKIP), which used a dynamic per-packet key to address WEP's vulnerabilities, particularly those involving initialization vector attacks. In addition, WPA introduced Message Integrity Checks (MICs), improving security over the Cyclic Redundancy Checks (CRCs) used by WEP. WPA2 introduced support for CCMP and AES encryption modes, to provide more secure communications.

Although WPA/WPA2 Personal does not support some of the more robust security features seen in WPA/WPA2 Enterprise, it is still widely used for residential routers and in some business settings. Due to the nature of a re-used pre-shared key (Wi-Fi Password), it omits certain protections that are standard in more secure wireless environments. Some of the common methods for capturing the pre-shared key include Handshake Capture, PMKID Capture, Wi-Fi Protected Setup, and Evil-Twin/Social Engineering related attacks. With these techniques, an adversary will likely be able to retrieve the clear text version of the pre-shared key and subsequently compromise the wireless network.

WPA/WPA2 Enterprise (MGT)

Wi-Fi Protected Access Enterprise was developed to meet the need for stronger wireless encryption standards. By utilizing 802.1X security, WPA Enterprise offers more secure communication through the Extensible Authentication Protocol (EAP). Unlike its personal counterpart, WPA/WPA2 Enterprise relies heavily on authentication methods, with one of the key differences being its use of a RADIUS server for authentication.

The standard employs Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) to provide better encryption for client devices. WPA Enterprise offers various configuration options to accommodate different use cases, providing flexibility for network administrators. It also addresses vulnerabilities associated with pre-shared key attacks, such as dictionary and brute-force attacks, by supporting diverse authentication methods. However, misconfigurations and inherent design flaws have exposed vulnerabilities in the enterprise standard, making it susceptible to attacks such as evil-twin attacks (used to capture authentication hashes) or security-downgrading of client in order to retrieve plaintext credentials.

Hands-On Lab Scenarios

Throughout this module, we will cover real-world attack examples with accompanying commands and output, the majority of which can be reproduced on the lab machines spawned in each section. You will be provided with the knowledge and tools needed to master the WPA/WPA2 (Personal & Enterprise) attacks. Challenge yourself to reproduce all examples shown throughout the sections and complete the questions at the end.

This module assumes a basic understanding of Wi-Fi penetration testing and common attacks using the aircrack-ng suite. If you need a refresher, feel free to consult the Wi-Fi Penetration Testing Basics module.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Sections