1

Our team was hired for a red team engagement for a client. A part of the engagement is attempting to crack the WiFi passwords of their office APs. However, we obviously want to stay undetected. What kind of thing should we watch out for? Apart from the obvious things like don't let anyone see you with your laptop running AirCrack.

trallgorm
  • 875
  • 7
  • 19
  • You don't necessarily need to run Aircrack on-premise. You do, however, need to capture the handshake on-premise. This can be done with an antenna in your backpack. If you want to get fancy, you can get dedicated devices which you can place in hidden spots (under a table, behind a flower pot, etc.). –  Nov 09 '20 at 12:11

3 Answers

1

In order to capture the handshake of the WPA/WPA2 network you generally need a client establishing a connection with the access point.

This can be forced by the attacker by using e.g. a deauthentication attack which then leads to the client sending the hashed password to the access point.

A deauthentication attack can be detected; however, if you wait until a network device gets disconnected, which eventually will happen, there's no way to detect you capturing the handshake.

Once you have cracked the passphrase, it is obvious that you need to be careful with MAC addresses, hostnames etc. But that is not a part of cracking a WPA network.

dmuensterer
  • 1,144
  • 4
  • 13
0

It is hard to give you an answer based on your information. Depending on the attacks you are carrying out, you might or might not have to interact with the WiFi router.

If you have to interact with the WiFi router (e.g. you try to bruteforce the WiFi password): It is theoretically possible that WiFi traffic is monitored, e.g. through dedicated WiFi-monitoring security hardware, or WiFi APs that report actions to security software that evaluates those actions to find suspicious ones. However, the usage of something like that is quite exotic. Personally I have never seen or heard of anybody using that in practice, and I doubt that any company that doesn't have very high security requirements would use that.

If you don't have to interact with the Wifi router (e.g. when you perform well-known attacks against WEP) you obviously don't have to worry about detection.

TL;DR: It's rather unlikely that you get detected anyway.

D.O.
  • 600
  • 3
  • 9
  • I believe their endpoints are WPA2, and if I understand it correctly I don't need to keep interacting with the router for that attack, is that right? – trallgorm Feb 12 '20 at 15:52
  • 2
    *However, the usage of something like that is quite exotic.* - Security and reporting features of some sort are almost always included in any major enterprise wireless offering as part of the management platform if not the base system itself. Saying it is quite exotic in a business environment is simply not true. The question is if anyone is actively monitoring the information provided by the system. – YLearn Feb 13 '20 at 05:19
0

A part of the engagement is attempting to crack the WiFi passwords of their office APs. However, we obviously want to stay undetected. What kind of thing should we watch out for?

You don't mention the actual wireless vendor or the security (PSK or 802.1X?) used by the wireless network at the site in question. Knowing the vendor will help indicate what capabilities are available to the client to protect their wireless network and detect any attack (examples are rogue detection and WIPS among others) as well as the likely tools used to monitor/report on the wireless network. Knowing the security will determine what types of attacks may be useful/successful.

Without this information, it is difficult to give anything but generalities.

  • Avoid spoofing a client MAC address for a client currently connected to the wireless network.
  • Avoid multiple failed attempts to connect (especially in a relatively short period of time).
  • Be very careful performing any sort of MitM attack by cloning the target SSID.
  • The more passive you can make your attacking device(s) (i.e. listening/monitoring rather than transmitting), the less likely you are to be detected.
  • When active, try to make sure your devices behave as similar to actual client devices as possible.
YLearn
  • 3,967
  • 1
  • 17
  • 34
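Added example, not code from any of the answers above and not any vendor's WIPS implementation: a small Python detector for three of the signals this thread raises from the monitoring side, namely the deauthentication burst that the first answer says can be detected, and the repeated failed association attempts and the reuse of a currently connected client's MAC address that the third answer's list warns about. It runs over a constructed CSV-style export of monitor-mode management-frame metadata; the field layout, the thresholds and the sequence-number heuristic are assumptions chosen for this example, not values taken from the thread.

```python
"""Toy wireless IDS heuristics over constructed 802.11 frame metadata.

Assumed input format (one frame per line): ts, subtype, src, dst, bssid,
802.11 sequence number, and the status code of auth/assoc responses
(empty for other frame types). All MAC addresses and timings below are
constructed for the example.
"""
from collections import defaultdict, deque

AP = "02:a0:00:00:00:01"        # constructed access point BSSID
CLIENT = "aa:aa:aa:00:00:01"    # constructed legitimate station
ROGUE = "ee:ee:ee:00:00:99"     # constructed device probing the network
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = f"""\
ts,subtype,src,dst,bssid,seq,status
90.0,deauth,{AP},{CLIENT},{AP},499,
100.0,data,{CLIENT},{AP},{AP},1201,
100.5,data,{CLIENT},{AP},{AP},1202,
101.0,data,{CLIENT},{AP},{AP},1203,
101.2,data,{CLIENT},{AP},{AP},10,
101.6,data,{CLIENT},{AP},{AP},1204,
101.8,data,{CLIENT},{AP},{AP},11,
102.1,data,{CLIENT},{AP},{AP},1205,
102.3,data,{CLIENT},{AP},{AP},12,
110.0,auth_resp,{AP},{ROGUE},{AP},500,1
110.5,auth_resp,{AP},{ROGUE},{AP},501,1
111.0,auth_resp,{AP},{ROGUE},{AP},502,1
120.0,deauth,{AP},{BCAST},{AP},40,
120.1,deauth,{AP},{BCAST},{AP},41,
120.2,deauth,{AP},{BCAST},{AP},42,
120.3,deauth,{AP},{BCAST},{AP},43,
120.4,deauth,{AP},{BCAST},{AP},44,
120.5,deauth,{AP},{BCAST},{AP},45,
"""

# Thresholds are assumptions for the example; a real WIDS tunes them per site.
DEAUTH_WINDOW_S, DEAUTH_THRESHOLD = 10.0, 5   # deauth/disassoc frames per BSSID
FAIL_WINDOW_S, FAIL_THRESHOLD = 60.0, 3       # failed auth/assoc responses per client
SEQ_WINDOW_S, SEQ_THRESHOLD = 10.0, 3         # backwards sequence jumps per source
SEQ_TOLERANCE = 16                            # reorder allowed before it counts


def parse_frames(text):
    """Parse the constructed export into dicts; status is None when absent."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split(",")
    frames = []
    for line in lines[1:]:
        f = dict(zip(header, line.split(",")))
        f["ts"] = float(f["ts"])
        f["seq"] = int(f["seq"])
        f["status"] = int(f["status"]) if f["status"] else None
        frames.append(f)
    return frames


class WindowCounter:
    """Count events per key inside a trailing time window."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)


def analyze(text):
    """Return (rule, key, ts) alerts; each rule fires once per key."""
    deauth, fails, seqjump = (WindowCounter(DEAUTH_WINDOW_S),
                              WindowCounter(FAIL_WINDOW_S),
                              WindowCounter(SEQ_WINDOW_S))
    last_seq, alerts, fired = {}, [], set()

    def fire(rule, key, ts):
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append((rule, key, ts))

    for f in parse_frames(text):
        st, ts, src = f["subtype"], f["ts"], f["src"]
        # Rule 1: burst of deauth/disassoc frames at one BSSID. A single
        # deauth (a normal disconnect) stays below the threshold.
        if st in ("deauth", "disassoc"):
            if deauth.add(f["bssid"], ts) >= DEAUTH_THRESHOLD:
                fire("deauth_flood", f["bssid"], ts)
        # Rule 2: repeated rejected auth/assoc responses to one client MAC.
        if st in ("auth_resp", "assoc_resp") and f["status"] not in (None, 0):
            if fails.add(f["dst"], ts) >= FAIL_THRESHOLD:
                fire("assoc_failures", f["dst"], ts)
        # Rule 3: the 12-bit sequence counter of one MAC keeps going
        # backwards, i.e. two radios are transmitting under the same address.
        prev = last_seq.get(src)
        if prev is not None:
            backwards = prev - f["seq"]
            # ignore small reorders and the 4095 -> 0 wraparound
            if SEQ_TOLERANCE < backwards < 4096 - SEQ_TOLERANCE:
                if seqjump.add(src, ts) >= SEQ_THRESHOLD:
                    fire("seq_anomaly", src, ts)
        last_seq[src] = f["seq"]
    return alerts


if __name__ == "__main__":
    for rule, key, ts in analyze(SAMPLE_FRAMES):
        print(f"t={ts:7.1f}  {rule:16s} {key}")
```

In the constructed capture the lone deauth at t=90 (the natural disconnect the first answer describes) produces nothing, which is exactly why a purely passive capture after such a disconnect is hard to tell apart from normal traffic, while the broadcast burst at t=120 trips the first rule. The sequence-number rule fires on the client MAC because the legitimate station and the second radio each keep their own 802.11 sequence counter, so frames from the shared address keep jumping backwards; the three rejected authentication responses to the probing device trip the second rule.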