Breaking into WPA Enterprise networks with Air-Hammer

Air-Hammer is a new tool I’ve created for performing online, horizontal brute-force attacks against wireless networks secured with WPA Enterprise. This is a completely different attack than the usual “evil twin” attacks against those networks.

Introduction

Online brute-force attacks against WPA Enterprise appear to be overlooked, if not unheard of, in the current literature on wireless network security and in the security community in general. Although WPA Enterprise is often considered “more secure” than WPA-PSK, it also has a much larger attack surface. While WPA-PSK networks have only one valid password, there may be thousands of valid username and password combinations which grant access to a single WPA Enterprise network. Further, passwords used to access WPA Enterprise networks are commonly selected by end users, many of whom select extremely common passwords.

In this post I’ll describe using Air-Hammer to leverage open-source intelligence (OSINT) and perform brute-force attacks against WPA Enterprise networks.

How Air-Hammer Works

Air-Hammer requires a minimum of the following parameters for a given attack:

The wireless interface to be used
The network name (SSID) of the wireless network to be targeted
A list of usernames to be targeted
A password or list of passwords to be tested for each username

root@kali:~# ./air-hammer.py -h
usage: ./air-hammer.py -i interface -e SSID -u USERFILE [-P PASSWORD]
                     [-p PASSFILE] [-s line] [-w OUTFILE] [-1] [-t seconds]
...

Air-Hammer then attempts to authenticate to the target network by trying the given password with each username in the list. If more than one password is provided, every username is attempted with the first password before moving on to the next password. (For more information on the “horizontal brute-force” or “reverse brute-force” technique, see the Wikipedia article here.)

Iterating over the usernames instead of the passwords is advantageous because:

There is a much higher likelihood that we can guess the password of at least one, out of all the users in the organization than the likelihood that we can guess the password of a single, specific user in the organization.
Due to account lockout policies commonly in place, it is possible to make many times as many login attempts within a given timeframe by spreading them across multiple user accounts.

After a valid set of credentials is discovered, the username and password are displayed on screen. Depending on the parameters used, the credentials can optionally be saved to an output file, and the attack can either be terminated on the first success or allowed to continue.

root@kali:~# ./air-hammer.py -i wlan0 -e Test-Network -u usernames.txt -P UserPassword1 -1
[0]  Trying alice:UserPassword1...
[1]  Trying bob:UserPassword1...
[2]  Trying charlotte:UserPassword1...
[3]  Trying dave:UserPassword1...
[4]  Trying wifiuser:UserPassword1...
[!] VALID CREDENTIALS: wifiuser:UserPassword1
DONE!

Air-Hammer can also resume from a cancelled or failed attack by using the “-s” flag to specify the username numer on the left side of the output.

root@kali:~# ./air-hammer.py -i wlan0 -e Test-Network -u usernames.txt -P UserPassword1 -1 -s 3
[3]  Trying dave:UserPassword1...
[4]  Trying wifiuser:UserPassword1...
[!] VALID CREDENTIALS: wifiuser:UserPassword1
DONE!

Typical Attack Chain

The typical attack chain for attacks conducted with Air-Hammer is as follows:

Identify the target network and the authentication mechanism in use.
- The current version of Air-Hammer only supports PEAP/MSCHAPv2. Additional authentication mechanisms will be added in future versions.
Generate a list of usernames for use in the attack.
- Identify the username format used by the organization. Possible sources include:
  - Usernames stored within the metadata of files available on the company website.
  - The first half of corporate email addresses. (The part before the “@”.)
  - Usernames captured during an “evil twin” attack of the target network.
- Make a list of the first and last names of as many of the organization’s employees as you can. Possible sources:
  - The organization’s website or company directory
  - Data.com
  - LinkedIn
- Using the information gained from the steps above, generate a list of potential usernames.
Use Air-Hammer to discover valid credentials.
Use discovered credentials to access the wireless network.
- Since WPA Enterprise credentials are often Domain User credentials, use the discovered credentials to access additional systems on the internal network and begin additional attacks.

Pros and Cons

Listed below are a number of advantages and disadvantages of the online brute-force attack as compared with typical “evil twin” attacks. Given the various pros and cons of each, Air-Hammer aims to serve as an addition to current wireless penetration testing tools rather than a replacement for them.

Advantages

Client-less attacks
- In evil twin attacks, client devices are attacked and must be present and in range of the attacker in order to discover credentials.
- By contrast, during brute-force attacks with Air-Hammer, client devices are never targeted, and the network can be attacked even if clients are not present, out of range, or out of scope. This is ideal for penetration tests conducted after hours, outside the building, or at locations where very few wireless devices are in use.
Potentially larger attack surface
- Because evil twin attacks can only target client devices within range, the attack surface they can target is limited to the user credentials supplied by those devices. This is usually about one set of login credentials per client device.
- Air-Hammer can target as many user accounts as you provide - potentially every account in the organization.
Minimal hardware requirements
- Evil twin attacks usually require either a wireless interface that supports access point mode or an actual wireless access point. Then they also require the configuration of additional tools such as hostapd-wpe.
- Air-Hammer is compatible with any wireless adapter that can be configured by wpa-supplicant. If additional wireless adapters are available during the test but are not being used due to incompatibility with other tools, running a brute-force attack with Air-Hammer is an excellent way they can be put to use.
No hash cracking required
- PEAP/MSCHAPv2 is by far the most common authentication mechanism I have encountered during pentests on WPA Enterprise networks. During evil twin attacks, client devices transmit a hash of the user’s password. This means that even after a client has provided their credentials, those credentials still have to be cracked offline.
- Credentials discovered with Air-Hammer, on the other hand, are immediately available in cleartext. This is especially useful since client crendentials often correspond to Domain User accounts and can be used right away to gain access to other systems inside the network.

Disadvantages

It’s slow
- At present, Air-Hammer takes between one and five seconds per login attempt. This may improve in future versions, but online brute-force attacks will always be extremely slow compared to offline password-cracking attacks.
It’s noisy
- Evil twin attacks are relatively passive and potentially much more difficult to detect by the administrator of the target network. Any detection is most likely to happen on client devices in the event that users receive a prompt when connecting to the attacker’s network.
- The horizontal brute-force attack is an active attack that will generate plenty of “invalid password” errors on the target network. The potential for locking out user accounts is minimized by cycling through usernames before passwords, but if sufficient delays are not set between password attempts on the same user account, that is also a possibility.
A list of usernames is required
- Air-Hammer relies on a list of valid usernames to make the attack work. This can usually be created through the use of various OSINT sources on the Internet.

Conclusion

WPA Enterprise is an excellent solution for granting and revoking users’ access to an organization’s wireless network. However, it’s likely that passwords selected by those users then become the weakest link in the security of your wireless network. At a bare minimum, organizations should enforce a password policy across all user accounts that prevents users from setting weak or common passwords.

Air-Hammer is available on my GitHub page here.

Wh1t3Rh1n0

I will find a way, or I will make one.