This document summarizes an advanced Wi-Fi pentesting presentation by Yunfei Yang from PegasusTeam and 360 Security Technology. It begins with background on PegasusTeam focusing on wireless and IoT security and 360 Security Technology as an Internet security company. The outline then covers the basics of Wi-Fi connection establishment and common wireless attacks. More advanced topics discussed include attacking WPA2-Enterprise, rogue access points, and password sharing apps. The document concludes with summaries of PegasusTeam's wireless security research including a wireless intrusion prevention system, drone detector, Wi-Fi miner detector, and GhostTunnel for covert data exfiltration across air gaps using Wi-Fi frames.

1. Advanced Wi-Fi Pentesting
Yunfei Yang(@qingxp9)
PegasusTeam, 360 Security Technology

2. About us
PegasusTeam was founded in 2015. We focus on wireless
and IoT security.
360 Security Technology is a leading Internet security
company in Asia. Our core products are anti-virus security
software for PC and cellphones.

3. About me
Yunfei Yang(@qingxp9)
• wireless security researcher, 360 Security
Technology
• member of PegasusTeam
• Wi-Fi attacks and defends
• previous speaker for KCON, HITCON, FIT,
DEFCON Group 010, Overdrive

4. Outline
• Wi-Fi Connection Establishment Procedure
• Basic Wireless Attacks
• DoS Attacks, Weak Encryption and Authentication, Captive Portal
• Advanced Wireless Attacks against Enterprise Network
• WPA2-Enterprise, Rogue AP, Password Sharing APP
• PegasusTeam's Wireless Security Researches
• WIPS, Drone Detector, Wi-Fi Miner Detector, GhostTunnel

5. Wi-Fi Connection Establishment
Procedure
1.Scanning
2.Authentication
3.Association

6. Passive Scanning
Beacon Frames
• Used by the WLAN network
to advertise its presence.

7. Active Scanning
Probe Request and Probe
Response Frames
• Used by WLAN clients to
find their networks.

8. Authentication
❖Open-system
No authentication is actually
done
✤Pre-Shared-Key
WEP, WPA/WPA2
Home or small office WLAN

9. Association
Establishes the data link between the
client and the AP.
A client can only associate with one
AP at a time.
If a client roams from one AP to
another within the network, the
association is called a re-association.

10. Basic Wireless
Attacks
• Physical Properties
• DoS Attacks
• Weak Encryption and Authentication
• Captive Portal

11. Physical Properties
Image source: https://pt.slideshare.net/MdSohailAhmad/rogue-ap
• Do not need any physical connection
• RF signal spillage may expose the network to unauthorized users.

12. Dos Attacks
• Beacon Flood
• Authentication Flood
• Association Flood
• Deauthentication Flood
• Disassociation Flood
• …
MDK3
b Beacon Flood Mode
- show many fake APs at clients.
d Deauth/Disassoc Amok Mode
- kick all clients from AP.

13. aireplay-ng

14. 802.11W

15. Weak Encryption and Authentication
• WEP
• WPA/WPA2-PSK
• WPS

16. Wired Equivalent Privacy (WEP)
WEP has been dead since 2001, it can be cracked very easily.

17. Attacking WEP using wifite

18. WPA/WPA2-PSK(Pre-shared Key)

19. aircrack

20. Wi-Fi Protected Setup(WPS)
• Introduced by Wi-Fi Alliance in 2006, it allows user to add new
devices to a wireless network without entering long passphrases.

21. Push Button Mode

22. PIN Mode
10^4 + 10^3 = 11000

23. WPS Cracking with Reaver

24. Pixie Dust attack - pixiewps
The attack focuses on a lack of randomization when generating
the E-S1 and E-S2 secret nonces.
Knowing these two nonces, the PIN can be recovered within a
couple of minutes.
It works only for several wireless chip makers: Ralink, MediaTek,
Realtek and Broadcom

25. Attacking WPA using wifite

27. CPU Vs GPU WPA2 Password Cracking

28. Captive Portal

29. Data unencrypted

30. Attack Portal Web Server
Brute force with default password

31. User and Password in the request are not encrypted

32. Many portal service had
remote-code
execution vulnerabilities
in the Struts 2

33. MAC Spoofing

34. FakeAP attack
If you had connected a same name open WiFi link before, your device will
automatically connect to the FakeAP!
Then, Using a fake login page to steal your accounts.

35. Tool: 3vilTwinAttacker

36. Advanced Wireless
Attacks against
Enterprise Network
• WPA2-Enterprise(802.1X)
• Rogue AP(Unauthorized AP)
• Password Sharing APP

37. WPA/WPA2-Enterprise(802.1X)
EAP Support
• Windows XP(sp3+)
• EAP-TLS
• PEAP
• Android/iOS
• EAP-SIM
• EAP-TLS
• PEAP
• LEAP
• EAP-FAST
• ...
PEAP is a product of Cisco, Microsoft and RSA
Security, and has been shipped with major
operating systems.

38. PEAP Weakness
•Deployment using untrusted certificate.
•Users make the decision to trust/reject
network.
•Anyone can impersonate the RADIUS server

39. PEAP Attacks(hostapd-wpe)
•Fake AP + RADIUS Server
•Always Return EAP-Success
•Logs authentication credentials (challenge/response, password, username)
•Credential cracking with fixed challenge

40. Attacking PEAP using hostapd-wpe

41. Image source: http://www.cs.ucf.edu/~czou/CNT4704-15/DSCI_Seminar.pdf
“WPA2 is Essential, But Not Enough”

42. Rogue AP
Some unauthorized APs attached to enterprise network, installed with a wireless router or
a soft AP(USB Wi-Fi adapter). It may configured with poor security.

43. A supercomputer was invaded through a Rogue AP

44. Wi-Fi Password Sharing APP

46. /data/misc/wifi/wpa_supplicant.conf

47. PegasusTeam's
Wireless Security
Researches
• WIPS
• Drone Detector
• Wi-Fi Miner Detector
• GhostTunnel

48. 360 Skyscan
Wireless Intrusion Prevention System
!Three Components
• Sensors — Scan for wireless packets
• Server — Analyzes packets
• Console — User interface

49. !Discover
• Access Points (BSSID、ESSID、PWR、OUI )
• Wireless Clients（MAC、PWR、OUI）
!Attack Identification
• MAC Spoofing
• Evil-Twin Attack
• DoS Attack
✴MDK3
✴Aircrack-NG
Image source: http://www.cs.ucf.edu/~czou/CNT4704-15/DSCI_Seminar.pdf

50. !Locate
• APs
• Clients
• Attackers
!Block
• Rogue AP Block
• Blocked APs cannot work properly.
• Client Block
• Blocked clients are unable to connect with APs.

51. Dashboard

53. Drone detector
"Low-Cost Anti-Drone System DIY" KCON 2017

54. Consumer-grade drones mostly use Wi-Fi to transmit
control, picture between aircraft and cellphones.

55. 802.11 Beacon Frame from a drone's AP
OUI SSID Drone Model
60:60:1f PHANTOM3_xxxxxx PHANTOM3
60:60:1f Mavic-xxxxxx MAVIC
e4:12:18 XPLORER_xxxxxx XPLORER
KONGYING-xxxxxx KONGYING
MiRC-xxxxxx XiaoMi
OUI, SSID and Drone Model Mapping Table

57. Wi-Fi Miner Detector
A tool for detecting Wi-Fi miner.
Based on analyzing the Unencrypted 802.11
Data Frame to detect mining code keywords.

58. Unencrypted 802.11 Data Frame

59. Ghost Tunnel
"GhostTunnel: Covert Data Exfiltration Channel to Circumvent Air Gapping"
-- HITBSecConf AMS 2018

60. • Considered to be the most secure
• Considered to be the most secure
Air-Gapped Network

61. Implant malware
•USB HID attack
•BashBunny
Setup C&C tunnel
•Via 802.11 beacon and
probe request &
response
Exfiltrate data
•Execute Command
Ghost Tunnel
• Nothing is impossible
• Attack Vectors
• Malicious USB
• Employee's laptop

62. Advantages
• Covert
• HID device only release the payload, then can be removed.
• No normal network connections
• Bypass firewalls
• Cross-Platform support
• Transmission distance up to 50 meters

63. The Usual Wi-Fi Connection Process

64. Ghost Tunnel – No WiFi Connection

65. • A covert WiFi channel using Beacon, Probe Request, Probe
Response
• A special SSID as the identifier
Ghost Tunnel – No WiFi Connection

67. Ghost Tunnel also got
accepted
at BlackHat USA Arsenal

68. qingxp9@PegasusTeam
Thanks