Security Bsides Las Vegas 2024

Hide your kids, turn off your Wi-Fi, they Rogue APing up in here; 101
2024-08-06, Emerald

This workshop will teach you how to deploy Rogue APs in your client's environment. Using Rogue APs lets you test your client's Wireless Intrusion Detection System, passwords, wireless phishing education, and overall wireless security. We will discuss Rogue AP Tactics, Techniques, and Procedures, and how and why they work. In this workshop we will walk through setting up an OPEN, CAPTIVE PORTAL, WPA2, and 802.1x Rogue AP. We will also go over OWE and WPA3-SAE transition mode Rogue APs.

The primary goal is setting up Rogue APs to harvest credentials. In the workshop, we will walk through a scenario at a client's site, then set up a Rogue AP to harvest users' credentials for the various networks at the site. We will go through how to crack the harvested credentials. We will be using EAPHAMMER, HOSTAPD-MANA, WIFIPHISHER, and AIRBASE-NG for the Rogue AP portion, and HASHCAT, AIRCRACK-NG, and JOHN for the cracking portion. This workshop is for beginners, but participants should have basic Linux and 802.11 knowledge and be comfortable using virtual machines. It is recommended that participants use the provided VM.


Admin:
1. All participants will receive a virtual machine for the training with all the tools that will be used during the workshop and a Linux 802.11 troubleshooting/commands guide.
2. Students will be in groups of 4 or 5. Each group will have two victim devices that they will use for the training. The participants will be divided into groups mainly to help with deconflicting channels to limit the amount of interference that is being generated internally. Depending on the size of the room used for the workshop, we will attempt to spread out so the groups are not right next to each other and limit "some" of the interference between groups. If need be, we will remove the external antennas from the Wi-Fi cards to further attenuate the signal.
Participants will not be collecting against the APs or the victim devices; all required captures will be in the slide show or distributed.
We will also limit the amount of de-authentication attacks during the class to a minimum.
The class is laid out as if participants are on a Wi-Fi assessment and we are deploying Rogue APs to test the client's network. Each section will start off with Wireshark captures for the network we will be using for the Rogue APs. We will use these captures to identify the necessary elements to set up a Rogue AP.
The final portion of the class will be MITM tools; this will be a discussion and also a demo if time allows.
The instructor will have some extra wireless cards that meet the requirements for the workshop in case there is an issue with someone's wireless card.
Presentation:
1. Theory and TTPs
The class will start by defining what a Rogue Access Point is and why they work. Then we will cover TTPs and employing Rogue APs in a client environment.
2. Open APs
First, we will examine a Wireshark capture for the target network. The participants of the workshop will not capture the packets; the packets will be presented in the slide show, and we will look at the important information needed to set up a Rogue AP.
Next, we will create a default hostapd file that we can use with HOSTAPD-MANA. Also in this section, we will run OPEN Rogue APs with HOSTAPD-MANA, EAPHAMMER, and AIRBASE-NG. We will discuss when to employ an OPEN Rogue AP and what the expected value of setting one up in a client environment is, for example Captive Portals, Man-in-the-Middle, and testing user training.
Lastly, we will discuss Opportunistic Wireless Encryption (OWE) APs and which tools we can use to set up an OWE Rogue AP.
3. Captive-Portals
Using what we gathered above for the open network, we will set up a Captive-Portal using WIFIPHISHER. We will see the example of the captive portal used by the client network, which is a default WIFIPHISHER page. To save time, we won't be using HOSTAPD-MANA.
In this section, we will run a captive portal using WIFIPHISHER. Participants will harvest credentials. Then instructors will demonstrate de-auth using WIFIPHISHER.
Next, we will copy a webpage for the assessment. We will use a non-internet connected Wi-Fi network in the workshop and let the participants copy a page we are hosting for the workshop.
Lastly, we will set up a captive portal with EAPHAMMER using the webpage we just scraped.
4. WPA2-PSK
We will start with EAPHAMMER against a WPA2-PSK network client.
Next, we will update the hostapd.conf from the OPEN Rogue AP attack to work against WPA2 networks, using HOSTAPD-MANA.
Participants will then use airbase-ng and airodump-ng to set up another version of Rogue AP.
We will discuss attacking WPA3-SAE transition mode using EAPHAMMER.
Lastly, in this section we will crack the collected hashes to retrieve the passwords (the passwords will be from rockyou.txt).
5. EAP-PEAP
This section starts by extracting a certificate from a PCAP and then creating an EAP certificate. We will quickly demonstrate the Wireshark filters needed to find the certificate, how to extract it, and what information we need to recreate the certificate for our Rogue AP. We will use the EAPHAMMER cert wizard to create the certificates for this section. (Depending on time, the participants may not go through the extraction process. We will have all the required information in the slides.)
Next, we will discuss phase 1 and phase 2 of 802.1x and we will go over the eap.user file as well. We will then use EAPHAMMER and the "--negotiate" function to set up our Rogue AP.
HOSTAPD-MANA will be the next tool we use for our Rogue AP. (We will have a completed hostapd.conf file for the participants on the VM, so they will not have to create it. We will discuss the file setup briefly.)
Finally, in this section we will crack the collected hashes using ASLEAP (the passwords will be from rockyou.txt).

James Hawk (He/Him) is a Senior Consultant with Google Public Sector, within Proactive Services. He is the wireless subject matter expert for his team. James has led and contributed to a number of different assessments (Red Teams and Pen Tests). He has developed internal training and tool updates for 802.11 for his company. James is a 20-year veteran of the U.S. Army and has over 10 years of hands-on experience in wireless technologies. James is always researching/testing 802.11 attacks against his home lab. He is a fan of hockey, Letterkenny, and almost anything sci-fi.

Brian Burnett is a penetration tester for a Fortune 500 in the Washington, DC area. He served five years in the United States Army as a Russian linguist.