
Showing posts with label WPA2.

EAPHammer - Targeted Evil Twin Attacks Against WPA2-Enterprise Networks [Indirect Wireless Pivots Using Hostile Portal Attacks]


EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full-scope wireless assessments and red team engagements. As such, the focus is on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to set up and execute a credential-stealing evil twin attack against a WPA2-TTLS network in just two commands:
# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds
EAPHammer leverages a lightly modified version of hostapd-wpe, along with dnsmasq, dsniff, Responder, and Python 2.7.

Features
  • Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
  • Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
  • Perform captive portal attacks
  • Built-in Responder integration
  • Support for Open networks and WPA-EAP/WPA2-EAP
  • No manual configuration necessary for most attacks.
  • No manual configuration necessary for installation and setup process

Upcoming Features
  • Perform seamless MITM attacks with partial HSTS bypasses
  • Support attacks against WPA-PSK/WPA2-PSK
  • Support for SSID cloaking
  • Generate timed payloads for indirect wireless pivots
  • Integrated PowerShell payload generation
  • impacket integration for SMB relay attacks
  • directed rogue AP attacks (deauth then evil twin from PNL, deauth then karma + ACL)
  • Updated hostapd-wpe that works with the latest version of Hostapd
  • Integrated website cloner for cloning captive portal login pages
  • Integrated HTTP server
Will this tool ever support Karma attacks?
  • At some point yes, but for now the focus has been on directed evil twin attacks.
  • If Karma attacks are like a wireless grenade launcher, this tool is more like an easy-to-use wireless sniper rifle

Setup Guide

Kali Setup Instructions
Begin by cloning the eaphammer repo using the following command.
git clone https://github.com/s0lst1c3/eaphammer.git
Next run the kali-setup.py file as shown below to complete the eaphammer setup process. This will install dependencies and compile hostapd.
python setup.py

Other Distros
If you are not using Kali, you can still compile eaphammer. I just haven't written a setup script for your distro yet, which means you'll have to do it manually. Ask yourself whether you understand the following:
  • python-devel vs python-dev
  • service vs systemctl
  • network-manager vs NetworkManager
  • httpd vs apache2
If you looked at this list and immediately realized that each pair of items was to some extent equivalent (well, except for service vs systemctl, but you catch my drift), you'll probably have no problems getting this package to work on the distro of your choice. If not, please just stick with Kali until support is added for other distros.
With that out of the way, here are the generic setup instructions:
Use your package manager to install each of the dependencies listed in kali-dependencies.txt. Package names can vary slightly from distro to distro, so you may get a "package not found" error or similar. If this occurs, just use Google to find out what the equivalent package is for your distro and install that instead.
Once you have installed each of the dependencies listed in kali-dependencies.txt, you'll need to install some additional packages that ship with Kali by default. These packages are listed below. If you're on a distro that uses httpd instead of apache2, install that instead.
  • dsniff
  • apache2
Compile hostapd using the following commands:
cd hostapd-eaphammer
make
Open config.py in the text editor of your choice and edit the following lines to values that work for your distro:
# change this to False if you cannot/will not use systemd
use_systemd = True

# change this to 'NetworkManager' if necessary
network_manager = 'network-manager'

# change this to 'httpd' if necessary
httpd = 'apache2'

Usage Guide

X.509 Certificate Generation
Eaphammer provides an easy-to-use wizard for generating X.509 certificates. To launch eaphammer's certificate wizard, use the command shown below.
./eaphammer --cert-wizard

Stealing RADIUS Credentials From EAP Networks
To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the --creds flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth ttls --creds
The flags shown above are self-explanatory. For more granular control over the attack, you can use the --wpa flag to specify WPA vs WPA2 and the --auth flag to specify the EAP type. Note that for credential-harvesting attacks you should always specify an auth type manually, since the --auth flag defaults to "open" when omitted.
./eaphammer --bssid 00:11:22:33:44:00 --essid h4x0r --channel 4 --wpa 2 --auth ttls --interface wlan0 --creds
Please refer to the Additional Options section of this document for further details about these flags.

Stealing AD Credentials Using Hostile Portal Attacks
Eaphammer can perform hostile portal attacks that force LLMNR/NBT-NS-enabled Windows clients into surrendering password hashes. The attack works by forcing associations using an evil twin attack, then forcing associated clients to attempt NetBIOS name resolution using a Redirect To SMB attack. While this occurs, eaphammer runs Responder in the background to perform a nearly instantaneous LLMNR/NBT-NS poisoning attack against the affected wireless clients. The result is an attack that causes affected devices not only to connect to the rogue access point, but to send NTLM hashes to the rogue access point as well.
The --hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.
./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth peap --wpa 2 --hostile-portal

./eaphammer --interface wlan0 --essid TotallyLegit --channel 1 --auth open --hostile-portal

Performing Indirect Wireless Pivots Using Hostile Portal Attacks
The hostile portal attack described in Stealing AD Credentials Using Hostile Portal Attacks can be used to perform an SMB relay attack against the affected devices. An attacker can use a hostile portal attack to perform an SMB relay attack that places a timed reverse shell on an authorized wireless device. The attacker can then disengage the attack to allow the authorized device to reconnect to the targeted network. When the attacker receives the reverse shell, he or she will have the same level of authorization as that authorized device.

Performing Captive Portal Attacks
To perform a captive portal attack using eaphammer, use the --captive-portal flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 6 --interface wlan0 --captive-portal
This will cause eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients is redirected to a website you control. Eaphammer will leverage Apache2 to serve web content out of /var/www/html if used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.

Additional Options
  • --cert-wizard - Use this flag to create a new RADIUS cert for your AP.
  • -h, --help - Display detailed help message and exit.
  • -i, --interface - Specify the PHY interface on which to create your AP.
  • -e ESSID, --essid ESSID - Specify access point ESSID.
  • -b BSSID, --bssid BSSID - Specify access point BSSID.
  • --hw-mode HW-MODE - Specify access point hardware mode (default: g).
  • -c CHANNEL, --channel CHANNEL - Specify access point channel.
  • --wpa {1,2} - Specify WPA type (default: 2).
  • --auth {peap,ttls,open} - Specify auth type (default: open).
  • --creds - Harvest EAP creds using an evil twin attack.
  • --hostile-portal - Force clients to connect to hostile portal.
  • --captive-portal - Force clients to connect to a captive portal.


LINSET - WPA/WPA2 Hack Without Brute Force


How it works
  • Scan the networks.
  • Select a network.
  • Capture the handshake (it can be used without a handshake).
  • Choose one of several web interfaces adapted by me (thanks to the collaboration of the users).
  • Mount a FakeAP imitating the original.
  • A DHCP server is created on the FakeAP.
  • A DNS server is created to redirect all requests to the host.
  • The web server with the selected interface is launched.
  • The mechanism that checks the validity of the passwords entered is launched.
  • All users of the network are deauthenticated, in the hope that they connect to the FakeAP and enter the password.
  • The attack stops once a correct password has been verified.
The dependencies must be installed; Linset checks them and indicates whether or not they are installed.

It is also preferable to have the negative-channel patch applied, because otherwise you will have trouble carrying out the attack correctly.

How to use
$ chmod +x linset
$ ./linset


WiFiPhisher - Fast automated phishing attacks against WiFi networks


Wifiphisher is a security tool that mounts fast automated phishing attacks against WiFi networks in order to obtain secret passphrases and other credentials. It is a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way of obtaining credentials from captive portals and third-party login pages, or WPA/WPA2 secret passphrases.

Wifiphisher works on Kali Linux and is licensed under the MIT license.

From the victim's perspective, the attack takes place in three phases:
  1. The victim is deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's WiFi devices within range by sending deauth packets to the client from the access point, to the access point from the client, and to the broadcast address as well.
  2. The victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MITMed.
  3. The victim is served a realistic-looking router configuration page. Wifiphisher employs a minimal web server that responds to HTTP and HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher responds with a realistic fake page that asks for credentials, for example one that asks for WPA password confirmation due to a router firmware upgrade.
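As an added example that is not part of EAPHammer, wifiphisher or this post, here is a small Python check from the defender's side: it compares observed beacons against an inventory of authorised access points and flags the evil-twin patterns the tools above produce (EAPHammer's --essid/--bssid/--auth open examples, wifiphisher's copied AP settings). The inventory, BSSIDs, ESSIDs and beacon records are all constructed for the example.

```python
# Added example (not from EAPHammer, wifiphisher or this post): flag evil-twin
# beacon patterns by comparing observations against an inventory of known APs.

# Constructed inventory of authorised APs: bssid -> (essid, channel, security).
AUTHORISED = {
    "1c:7e:e5:97:79:b1": ("CorpWifi", 11, "WPA2-EAP"),
    "1c:7e:e5:97:79:b2": ("CorpWifi", 6, "WPA2-EAP"),
}

# Constructed beacon observations (not a real capture): (bssid, essid, channel, security).
OBSERVED = [
    ("1c:7e:e5:97:79:b1", "CorpWifi", 11, "WPA2-EAP"),  # legitimate AP
    ("1c:7e:e5:97:79:b2", "CorpWifi", 6, "WPA2-EAP"),   # legitimate AP
    ("00:11:22:33:44:00", "CorpWifi", 4, "WPA2-EAP"),   # unknown BSSID, cloned ESSID (--creds style)
    ("1c:7e:e5:97:79:b1", "CorpWifi", 4, "WPA2-EAP"),   # cloned BSSID, but on the wrong channel
    ("66:77:88:99:aa:bb", "CorpWifi", 1, "OPEN"),       # open clone of a protected ESSID (portal style)
    ("aa:bb:cc:dd:ee:ff", "CoffeeShop", 1, "OPEN"),     # unrelated neighbour, not flagged
]


def classify_beacon(bssid, essid, channel, security, inventory=AUTHORISED):
    """Return a list of findings for one beacon; an empty list means it matches inventory."""
    findings = []
    known_essids = {e for e, _, _ in inventory.values()}
    protected_essids = {e for e, _, s in inventory.values() if s != "OPEN"}
    if bssid in inventory:
        exp_essid, exp_channel, exp_security = inventory[bssid]
        if essid != exp_essid:
            findings.append("known BSSID advertising unexpected ESSID %r" % essid)
        if channel != exp_channel:
            # A cloned BSSID cannot share the real AP's radio, so it usually shows up on another channel.
            findings.append("known BSSID on channel %d, expected %d (possible cloned BSSID)"
                            % (channel, exp_channel))
        if security != exp_security:
            findings.append("known BSSID advertising %s, expected %s" % (security, exp_security))
    elif essid in known_essids:
        findings.append("unknown BSSID advertising our ESSID %r (possible evil twin)" % essid)
        if security == "OPEN" and essid in protected_essids:
            findings.append("open network cloning a protected ESSID (captive/hostile portal pattern)")
    return findings


def audit(observed, inventory=AUTHORISED):
    """Map each suspicious BSSID to its findings; beacons that match inventory are omitted."""
    report = {}
    for bssid, essid, channel, security in observed:
        findings = classify_beacon(bssid, essid, channel, security, inventory)
        if findings:
            report.setdefault(bssid, []).extend(findings)
    return report


if __name__ == "__main__":
    for bssid, findings in audit(OBSERVED).items():
        print(bssid)
        for finding in findings:
            print("  -", finding)
```

In practice the beacon records come from a monitor-mode capture; a clone that copies ESSID, security and even BSSID (as wifiphisher does) is still visible here through the channel mismatch, which is why the inventory records the expected channel.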

Usage
  • -m, --maximum - Choose the maximum number of clients to deauth. The list of clients is emptied and repopulated after hitting the limit. Example: -m 5
  • -n, --noupdate - Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n
  • -t, --timeinterval - Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like 'no buffer space', try: -t .00001
  • -p, --packets - Choose the number of packets to send in each deauth burst. Default value is 1: 1 packet to the client and 1 packet to the AP. To send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2
  • -d, --directedonly - Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs.
  • -a, --accesspoint - Enter the MAC address of a specific access point to target.
  • -jI, --jamminginterface - Choose the interface for jamming. By default the script finds the most powerful interface and starts monitor mode on it.
  • -aI, --apinterface - Choose the interface for the fake AP. By default the script finds the second most powerful interface and starts monitor mode on it.

Screenshots (images not reproduced): targeting an access point; a successful attack; fake router configuration page.


Requirements
  • Kali Linux.
  • Two wireless network interfaces, one capable of injection.

[WirelessKeyView] Recover lost wireless network key


WirelessKeyView recovers all wireless network security keys/passwords (WEP/WPA) stored in your computer by the 'Wireless Zero Configuration' service of Windows XP or by the 'WLAN AutoConfig' service of Windows Vista, Windows 7, Windows 8, and Windows Server 2008. It allows you to easily save all keys to text/html/xml file, or copy a single key to the clipboard. You can also export your wireless keys into a file and import these keys into another computer.


[WiFi Password Decryptor v3.0] Wireless Password Recovery Software


WiFi Password Decryptor is free software to instantly recover wireless account passwords stored on your system.

It automatically recovers all types of wireless keys/passwords (WEP/WPA/WPA2 etc.) stored by the Windows Wireless Configuration Manager.

For each recovered WiFi account, it displays the following information:
  • WiFi Name (SSID)
  • Security Settings (WEP-64/WEP-128/WPA2/AES/TKIP)
  • Password Type
  • Password in Hex format
  • Password in clear text
After a successful recovery you can save the password list to an HTML/XML/TEXT/CSV file. You can also right-click on any of the displayed accounts and quickly copy the password.

Under the hood, 'WiFi Password Decryptor' uses the System Service method (instead of injecting into LSASS.exe) to decrypt the WiFi passwords. This makes it safer and more reliable, and allows a single EXE to work on both 32-bit and 64-bit platforms.

[WiFi Password Remover] Wireless (WEP/WPA/WPA2) Password/Profile Removal Software


WiFi Password Remover is free software to quickly recover and remove wireless account passwords stored on your system.

For each recovered Wi-Fi account, it displays the following details:
  • WiFi Name (SSID)
  • Security Settings (WEP-64/WEP-128/WPA2/AES/TKIP)
  • Password Type
  • Password in Hex format
  • Password in clear text
Once recovered, you can remove a single password or all of them with just a click. Before proceeding with deletion, you can also take a backup of the recovered Wi-Fi password list to an HTML/XML/TEXT file.

One of the unique features of this tool is that it can recover all types of Wi-Fi passwords, including those not shown by the 'Windows Wireless Manager', thus allowing you to remove all the hidden wireless passwords/profiles as well.


[Fern Wifi Cracker] Wireless security auditing and attack software to crack and recover WEP/WPA/WPS keys


Fern Wifi Cracker is a wireless security auditing and attack program written in Python using the Python Qt GUI library. The program is able to crack and recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or Ethernet-based networks.

Operating System Supported

The software runs on any Linux machine with the program's prerequisites, but it has been tested on the following Linux-based operating systems:

Prerequisites

The program requires the following to run properly:
The following dependencies can be installed on Debian-based systems with the Debian package installer command "apt-get install program", or otherwise downloaded and installed manually.


Features


Fern Wifi Cracker currently supports the following features:
  • WEP Cracking with Fragmentation, Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or WPS attack
  • WPA/WPA2 Cracking with Dictionary or WPS based attacks
  • Automatic saving of key in database on successful crack
  • Automatic Access Point Attack System
  • Session Hijacking (Passive and Ethernet Modes)
  • Access Point MAC Address Geo Location Tracking
  • Internal MITM Engine
  • Bruteforce Attacks (HTTP, HTTPS, TELNET, FTP)
  • Update Support


[oclHashcat-plus v0.14] World's fastest md5crypt, phpass, mscash2 and WPA/WPA2 cracker




Features

  • World's fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker
  • World's first and only GPGPU-based rule engine
  • Free
  • Multi-GPU (up to 128 GPUs)
  • Multi-Hash (up to 15 million hashes)
  • Multi-OS (Linux & Windows native binaries)
  • Multi-Platform (OpenCL & CUDA support)
  • Multi-Algo (see below)
  • Low resource utilization, you can still watch movies or play games while cracking
  • Focuses on highly iterated modern hashes
  • Focuses on single dictionary-based attacks
  • Supports mask attack
  • Supports distributed cracking
  • Supports pause / resume while cracking
  • Supports sessions
  • Supports restore
  • Supports reading words from file
  • Supports reading words from stdin
  • Supports hex-salt
  • Supports hex-charset
  • Integrated thermal watchdog
  • 30+ Algorithms implemented with performance in mind
  • ... and much more

Attack-Modes

  • Straight *
  • Combination
  • Brute-force
  • Hybrid dict + mask
  • Hybrid mask + dict

Download here: http://adf.ly/145xV8

type: driver
file: host programs
desc: added support for AMD ADL v5.0 library

type: feature
file: hashcat-cli
desc: added mode -m 5500 = NetNTLMv1-VANILLA / NetNTLMv1+ESS
trac: #51
trac: #96

type: feature
file: hashcat-cli
desc: added mode -m 5600 = NetNTLMv2
trac: #56

type: feature
file: kernels
desc: added -m 5700 = Cisco-IOS SHA256
cred: philsmd

type: feature
file: kernels
desc: modified -m 5100 = Half MD5 so that it accepts only 16 byte input, see next change why
trac: #89

type: feature
file: kernels
desc: modified -m 5100 = Half MD5 so it can crack middle and right portions, too (not just left)
trac: #89

type: bug
file: kernels
desc: fixed bug in NVidia version: had to switch back to bitness-dependent kernels

type: bug
file: kernels
desc: fixed bug in NVidia version: writing to constant memory from a kernel isn't allowed