Skip to content

My Hacking Notes

WPA

My Hacking Notes

Home
General
General
OSINT
OSINT
- bbot
- File Scraping
Windows
Windows
- Workstations
  Workstations
  - Privilege Escalation
- Active Directory
  Active Directory
  - Methodology
  - External Password Spraying
    External Password Spraying
    
    Username Enumeration
    
    Entra Token/ROPC
    
    Exchange Endpoints
  - Remote Execution Tools
  - PowerShell Commands
  - CMD Commands
  - Relay & Coercion
    Relay & Coercion
    
    Relay (ntlmrelayx)
    
    RPC Coercion
    
    Responder
    
    mitm6
    
    Insecure Name Resolution Protocols
    
    WPAD
    
    Exchange Coercion (PrivExchange)
  - Discovery & Audit
    Discovery & Audit
    
    SMB & RPC Enumeration
    
    SMB Shares & Data Hunting
    
    LDAP Checks
    
    BloodHound
    
    User Enumeration
    
    Password Spraying
  - Privilege Escalation
    Privilege Escalation
    
    ADCS Discovery
    
    ADCS - ESC 1
    
    ADCS - ESC 8
    
    Shadow Credentials
    
    BadSuccessor (dMSA Abuse)
    
    ZeroLogon
  - Credential Access
    Credential Access
    
    SAM/SECURITY/SYSTEM
    
    DCSync
    
    DPAPI
    
    AutoLogon
    
    GPP/SYSVOL Credential Leaks
  - Delegation
    Delegation
    
    Discovery
    
    Resource Based Constrained Delegation (RBCD)
    
    Unconstrained Delegation (KUD)
    
    Constrained Delegation (KCD)
  - Kerberos
    Kerberos
    
    Authentication Process
    
    S4U2self and S4U2Proxy
    
    Password / Hash -> TGT
    
    AS-REP Roast
    
    Kerberoast
    
    Ticket Forgery
    Ticket Forgery
    
    Golden Ticket
    
    Silver Ticket
- File Transfer
  File Transfer
  - Download to Windows
  - Upload from Windows
WiFi
WiFi
- Security Testing Tools
- Security Types Overview
- WPA WPA
  Table of contents
  - Vulnerabilities
    
    4-Way Handshake Capture
    
    Clientless PMKID Capture
    
    Reference
    
    WPS Weaknesses
- WPA2 (Personal)
- WPA2 (Enterprise)
- Attacks
  Attacks
  - WPA/WPA2 PSK/PMKID Captures
  - WPS (PIN) Weaknesses
Password Cracking
Password Cracking
- Hashcat
- Wordlists
Miscellaneous
Miscellaneous
- Tmux Configuration
CTF Walkthroughs
CTF Walkthroughs
- Proving Grounds
  Proving Grounds
  - Cassios
  - Cobweb
  - Muddy
  - Forward

WPA¶

Authentication: PSK
Cipher: TKIP/RC4

Vulnerabilities¶

4-Way Handshake Capture¶

Listen for clients to connect to the WiFi AP and capture the 4-way handshake to decrypt it and recover the AP's PSK.
Exploitation:
- Automated Attack
- 4-Way Handshake Capture

Clientless PMKID Capture¶

Vulnerable routers will include the PMKID in the first EAPOL frame it sends an associating client. The PMKID can be cracked to discover the PSK

Exploitation:
- Automated Attack
- Clientless PMKID Capture

Reference¶

New attack on WPA/WPA2 using PMKID - https://hashcat.net/forum/thread-7717.html

WPS Weaknesses¶

Online PIN bruteforce
- Requires weak lockouts on PIN attempts.
"Pixie Dust" - Offline PIN recovery
- Capture WPS M1/M2/M3 exchange packets and crack offline.
- Exploitation: See "Pixie Dust" - Offline PIN recovery
Weak/default PIN algorithms
- Some vendors use predictable PIN algorithms.