IV. Indirect Wireless Pivots
Note: you will need to generate a certificate in order to perform this attack against most EAP networks. Please refer to I. x.509 Certificate Generation for instructions on how to do this.
Note: you will need RADIUS creds in order to perform this attack against EAP implementations that use mutual authentication protocols such as MS-CHAPv2 for inner authentication. Please refer to VIII.1 - Considerations When Attacking WPA2-EAP Networks for additional information.
An Indirect Wireless Pivot is a technique for bypassing port-based access control mechanisms using rogue access point attacks. The attack requires the attacker to use two wireless network interfaces. The first network interface is used to obtain an IP address on the target network. Presumably, this first network interface is placed in quarantine by the NAC when this occurs. The attacker then uses a rogue AP attack to coerce a victim into connecting to the attacker's second wireless interface. The attacker then exploits the victim in some way, allowing the attacker to place a timed payload on the victim's device. The attacker then shuts down the rogue access point, allowing the victim to reassociate with the target network. The attacker then waits for the timed payload to execute and send a reverse shell back to the first interface, allowing the attacker to escape the quarantine.
EAPHammer can be used to perform Indirect Wireless Pivots, as described in the following sections.
Before you begin the attack, make sure you have the following:
- RADIUS creds for a number of victim devices (see VIII.1 - Considerations When Attacking WPA2-EAP Networks)
- Two network interfaces: we will call these Interface A and Interface B.
Step 1 - Connect to the target network using Interface A
Step 2 - Use a tool of your choice to generate a timed payload to execute on the victim. If your payload is a reverse shell, make sure to configure it so that it connects back to Interface A.
```
# example only
./payload_generator --delay DELAY_IN_SECONDS \
--command COMMAND \
--args ARGS
```
Step 3 - Execute a Hostile Portal Attack using EAPHammer, making sure to add the --pivot flag as shown below. Make sure to use Interface B to execute the attack.
```
./eaphammer -i wlan0 \
--essid EvilCorp \
--channel 3 \
--hostile-portal \
--pivot
```
Step 4 - After at least two victims have connected to your rogue access point, start your SMB Relay server as shown below. The following example uses impacket's smbrelayx script, but you can realistically use any SMB Relay server you want. MultiRelay (which is part of Responder) and snarf.js are both solid choices. The SMB Relay server should be configured to listen on Interface B and to execute the timed payload you created in Step 2 when the attack succeeds. The target of the attack should be the IP address of one of the devices that are connected to your rogue access point.
```
smbrelayx.py -h TARGET_IP -c TIMED_PAYLOAD
```
Step 5 - When your SMB Relay script executes, shut down EAPHammer by pressing the Enter key on your keyboard.
Step 6 - Wait for the timed payload to execute and send a reverse shell back to Interface A.
Be creative. The specific details of this attack aren't important, and the steps provided in the previous section are merely one example of how to perform an Indirect Wireless Pivot. As long as you use the following general steps, the attack should work:
- Connect to the target network using your first network interface
- Use a rogue access point attack to force an authorized device to connect to your second network interface
- Exploit the connected device in some way to place an implant or timed payload on the device
- Allow the connected device to reassociate with the target network
- Wait for your payload to execute
The takeaway here is that you are removing an authorized device from its protected environment, exploiting it in some way, then allowing it to reassociate with the target network.
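From the defender's side, the step that makes this pivot pay off is the last one: a host on the authorized segment opens a connection back to a NAC-quarantined host. The following Python is an added detection example, not part of EAPHammer or this page; the log formats, IP addresses, VLAN roster and field names are constructed assumptions.

```python
"""Flag trusted-segment hosts connecting into NAC-quarantined hosts, the
escape path of an indirect wireless pivot. Log formats are constructed."""
from datetime import datetime, timedelta

# Constructed NAC roster: quarantined IP -> time the quarantine decision was made
QUARANTINED = {"10.0.99.23": datetime(2024, 5, 1, 9, 0, 0)}

# Constructed wireless controller events (a client leaving and rejoining the managed SSID)
ASSOC_LOG = [
    "2024-05-01T08:20:00 client=10.0.10.57 event=assoc ssid=CorpWiFi",
    "2024-05-01T09:05:10 client=10.0.10.41 event=disassoc ssid=CorpWiFi",
    "2024-05-01T09:31:42 client=10.0.10.41 event=assoc ssid=CorpWiFi",
]

# Constructed flow records from the segment boundary (src -> dst:dport)
FLOW_LOG = [
    "2024-05-01T08:59:00 src=10.0.10.57 dst=10.0.99.23 dport=443 proto=tcp",
    "2024-05-01T09:36:15 src=10.0.10.41 dst=10.0.99.23 dport=4444 proto=tcp",
    "2024-05-01T09:36:20 src=10.0.10.57 dst=10.0.10.5 dport=445 proto=tcp",
    "2024-05-01T09:40:00 src=10.0.10.57 dst=10.0.99.23 dport=8080 proto=tcp",
]


def parse_kv(line):
    """Parse 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_pivot_escapes(flow_lines, assoc_lines, quarantined, window=timedelta(minutes=30)):
    """Return alerts for flows from non-quarantined hosts into quarantined hosts.
    Severity is 'high' when the source reassociated to the managed SSID within
    `window` before the flow (it left and came back), otherwise 'medium'."""
    reassoc_times = {}
    for rec in (parse_kv(l) for l in assoc_lines):
        if rec["event"] == "assoc":
            reassoc_times.setdefault(rec["client"], []).append(rec["ts"])
    alerts = []
    for f in (parse_kv(l) for l in flow_lines):
        if f["dst"] not in quarantined or f["src"] in quarantined:
            continue  # not a trusted-to-quarantine flow
        if f["ts"] < quarantined[f["dst"]]:
            continue  # flow predates the quarantine decision
        recent = any(f["ts"] - window <= t <= f["ts"] for t in reassoc_times.get(f["src"], []))
        alerts.append({"src": f["src"], "dst": f["dst"], "dport": int(f["dport"]),
                       "severity": "high" if recent else "medium"})
    return alerts
```

The "medium" alerts are still worth acting on: a quarantine segment that accepts any inbound connection from the trusted side is the configuration weakness this technique relies on.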