Category: Wireless

War Never Changes: Attacks Against WPA3’s “Enhanced Open” — Part 3: OWE Nearly Indistinguishable From Open Wireless In Terms of Risk

In this third and final part of this series, we provide our conclusions about OWE’s ability to address the current wireless threat model, as well as our proof-of-concept attacks against the protocol.

War Never Changes: Attacks Against WPA3’s Enhanced Open — Part 2: Understanding OWE

In this second part of the series, we’ll provide an overview of how OWE works. There are already some good write-ups that cover this at a high level, so this will be more of a hands-on technical deep dive.

War Never Changes: Attacks Against WPA3’s “Enhanced Open” — Part 1: How We Got Here

In early 2019, fellow Denver-based researcher Steve Darracott (@theDarracott) and I set out to answer the question — “is Opportunistic Wireless Encryption (OWE) susceptible to abuse and attack, and if so, how?”. Ultimately, we succeeded in implementing multiple working proof-of-concept attacks, which we demonstrated at the DEF CON Wireless Village last summer. This series of blog posts documents our research efforts and conclusions, and discusses how OWE fits into the current wireless threat model.

Modern Wireless Tradecraft Pt IV — Tradecraft and Defensive Strategy

We’ve gone over a lot of information in the last three sections of this writeup. Now it’s time to make sense of it all, and talk about how each of the techniques we described fits into our toolkit from an operational perspective.

Modern Wireless Tradecraft Pt III — Management Frame Access Control Lists (MFACLs)

In this next section, we will discuss how to use Management Frame ACLs (MFACLs) in EAPHammer to exert granular probe-level control over the offensive techniques we have described in previous sections (see: https://github.com/s0lst1c3/eaphammer). We’ll also discuss how these attacks work at an algorithmic level, and provide insight into how using MFACLs affects EAPHammer’s runtime efficiency.

Modern Wireless Tradecraft Pt II — MANA and Known Beacon Attacks

In this next section of the series, we will describe how improvements in client device security have made karma attacks much less effective. We’ll then discuss three offensive techniques developed by Dominic White (@singe), Ian de Villiers, and George Chatzisofroniou (@sophron) that can be used to circumvent some of these improvements [1][2].

Modern Wireless Tradecraft Pt I — Basic Rogue AP Theory — Evil Twin and Karma Attacks

This is a four-part series of blog posts intended to provide a detailed roadmap of rogue AP fundamentals, aimed at people who are interested in learning more about modern wireless security at both an operational and technical level. In this series, we’ll go over nearly all of the ways that an adversary can abuse 802.11 to initiate a Person-In-the-Middle (PITM) attack. Additionally, we’ll discuss why these techniques were developed, tracing the history of both rogue AP attacks and corresponding mitigations from the early 2000s to the present day. Finally, this series will provide operational guidance for both offensive and defensive practitioners.

EAPHammer Version 0.5.0 – Legacy Crypto Support

EAPHammer now relies on its own local build of OpenSSL that exists independently of the build used by the operating system. This local OpenSSL build is linked to EAPHammer during the initial setup process, and is compiled with support for SSLv2/3 along with an array of weaker cipher suites that may be needed to communicate with legacy clients. Additionally, EAPHammer’s version of hostapd has been patched to allow SSLv2/3 support.