After gaining physical access to a client location on a recent red team engagement, I found a BitLocker-encrypted laptop along with a PIN and domain credentials necessary to boot Windows and log in. While I wanted to leave the laptop in place on site to provide us with a backdoor into the network, I also wanted to clone its hard drive so I could examine the installed software more closely off site.
One of the topics I teach in Coalfire’s Adaptive Penetration Testing course, given most recently at Black Hat 2017, is manual privilege escalation on Linux- and Unix-based systems. I also talk about how common it is to gain an initial foothold in an environment by leveraging default or easily guessable login credentials. During a recent red team engagement, I leveraged both of these techniques – not only to fully compromise the organization’s Active Directory environment, but also to discover and exploit a previously unknown vulnerability in the Replibit Linux distribution installed on a server on their network.
Air-Hammer is a new tool I’ve created for performing online, horizontal brute-force attacks against wireless networks secured with WPA Enterprise. This is a completely different attack than the usual “evil twin” attacks against those networks.
Introduction
Online brute-force attacks against WPA Enterprise appear to be overlooked, if not unheard of, in the current literature on wireless network security and in the security community in general. Although WPA Enterprise is often considered “more secure” than WPA-PSK, it also has a much larger attack surface. While WPA-PSK networks have only one valid password, there may be thousands of valid username and password combinations which grant access to a single WPA Enterprise network. Further, passwords used to access WPA Enterprise networks are commonly selected by end users, many of whom select extremely common passwords.
In this post I’ll describe using Air-Hammer to leverage open-source intelligence (OSINT) and perform brute-force attacks against WPA Enterprise networks.
I’m happy to announce the newest version of WoNDeR-List is now available for download! This version adds approximately 1.22 million more valid default WPA keys for the Netgear WNDR series of wireless routers.
You can download the newest version from the WoNDeR-List folder in my Dropbox, here.
For my original write-up that explains WoNDeR-List, check out this article.
TLDR: Wordlist of Netgear default WPA keys. Download link is at the bottom.
What is WoNDeR-List?
WoNDeR-List is the wordlist I created to crack the default WPA keys of several models of Netgear wireless routers.
How does it work?
Some Netgear WNDR series routers (including the N900, N750, and N600) come with a factory-set default WPA key in the form of: adjectivenoun###. For example, quietunicorn604 (that is, quiet + unicorn + 604). After seeing a few of these I was able to make a few assumptions: