Saturday, April 5, 2025

How to verify if the wireless network is vulnerable to Key Reinstallation Attack (KRACK)?

Key Reinstallation Attack (KRACK) is a critical flaw in the WPA2 protocol (CVE-2017-13077 to CVE-2017-13088):


1. Understand KRACK Vulnerability

KRACK abuses retransmissions in the WPA2 4-way handshake to force a client to reinstall an encryption key that is already in use, which resets the key's nonce and replay counter and allows attackers to:

  • Decrypt network traffic.
  • Inject malicious packets (e.g., ransomware, malware).
  • Hijack client connections.

Affected Devices:

  • All WPA2 networks (Personal and Enterprise).
  • Clients (laptops, smartphones, IoT) and access points (APs) with outdated firmware.

2. Tools Required

  • A wireless NIC supporting monitor mode (e.g., Alfa AWUS036ACH).
  • Linux machine (Kali Linux recommended).
  • Scripts/Tools:
    • krack-test (GitHub)
    • airodump-ng (capture handshakes).
    • Wireshark (analyze packets).
    • scapy (craft custom packets).

3. Testing Steps

A. For WPA2-Personal (PSK) Networks

  1. Capture the 4-Way Handshake:

    • Start monitoring the target network:
      airodump-ng -c <channel> --bssid <AP_MAC> -w capture wlan0mon
      
    • Wait for a client to connect (or deauth a client to force reconnection):
      aireplay-ng -0 1 -a <AP_MAC> -c <Client_MAC> wlan0mon
      
    • Verify the handshake is captured using aircrack-ng capture.cap.
  2. Test for KRACK Using krack-test:

    • Clone the KRACK test suite:
      git clone https://github.com/vanhoefm/krackattacks
      
    • Run the test script against the captured handshake:
      ./krack-test.py --pcap capture.cap
      
    • Vulnerability Indicators:
      • Script detects a retransmitted Message 3 of the 4-way handshake or of the Group Key Handshake.
      • Wireshark shows replayed/duplicate handshake messages.
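
As an added example that is not part of the original post or of the krack-test tool it references, the following Python code shows what "detects a retransmitted Message 3" means in practice: it parses EAPOL-Key frames, classifies them into handshake messages 1-4 from the Key Information flags, and flags any Message 3 that repeats an ANonce already delivered to the same client. The frames and MAC addresses are constructed; a real run would feed it the EAPOL payloads extracted from capture.cap.

```python
import struct
from collections import defaultdict
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 6, 1 << 7, 1 << 8, 1 << 9  # EAPOL-Key "Key Information" bits

def parse_eapol_key(payload):
    """EAPOL-Key layout: hdr(4) desc(1) key_info(2) key_len(2) replay(8) nonce(32) ..."""
    if len(payload) < 49 or payload[1] != 3:          # EAPOL packet type 3 = EAPOL-Key
        return None
    key_info, _key_len, replay = struct.unpack_from(">HHQ", payload, 5)
    return key_info, replay, payload[17:49]

def handshake_message(key_info):
    """Map Key Information flags to the 4-way handshake message number (1-4); 0 if none."""
    ack, mic, install, secure = (bool(key_info & b) for b in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE))
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if not ack and mic:
        return 4 if secure else 2
    return 0

def find_msg3_retransmissions(frames):
    """frames: (src_mac, dst_mac, eapol_payload) tuples in capture order. Returns one
    (src, dst, replay_counter) per Message 3 that repeats an ANonce already sent to that client."""
    sent_msg3 = defaultdict(set)                      # (ap, client) -> ANonces seen in Msg3
    alerts = []
    for src, dst, payload in frames:
        parsed = parse_eapol_key(payload)
        if parsed is None:
            continue
        key_info, replay, nonce = parsed
        msg = handshake_message(key_info)
        if msg == 1:
            sent_msg3[(src, dst)].clear()            # fresh handshake with a new ANonce
        elif msg == 3:
            if nonce in sent_msg3[(src, dst)]:
                alerts.append((src, dst, replay))    # a vulnerable client would reinstall the PTK here
            sent_msg3[(src, dst)].add(nonce)
    return alerts

def build_eapol_key(key_info, replay, nonce):
    """Constructed sample frame; MIC, IV, RSC, Key ID and Key Data fields are zeroed."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce + bytes(48) + b"\x00\x00"
    return struct.pack(">BBH", 2, 3, len(body)) + body
AP, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb"                 # constructed MAC addresses
ANONCE, SNONCE = bytes([0xA1]) * 32, bytes([0x5B]) * 32
MSG3 = KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE
SAMPLE_FRAMES = [                                                  # constructed handshake capture
    (AP, STA, build_eapol_key(KI_ACK, 1, ANONCE)),                 # Msg1
    (STA, AP, build_eapol_key(KI_MIC, 1, SNONCE)),                 # Msg2
    (AP, STA, build_eapol_key(MSG3, 2, ANONCE)),                   # Msg3
    (STA, AP, build_eapol_key(KI_MIC | KI_SECURE, 2, bytes(32))),  # Msg4
    (AP, STA, build_eapol_key(MSG3, 3, ANONCE)),                   # Msg3 again: KRACK trigger
]
```

A retransmitted Message 3 is the trigger condition, not proof of vulnerability: a patched client ignores it, whereas a vulnerable one reinstalls the PTK and starts reusing packet numbers, which is what confirms the flaw.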

B. For WPA2-Enterprise (802.1X) Networks

  1. Capture the 4-Way Handshake (same as above).
  2. Exploit the Extended Key ID (if supported):

    • Enterprise networks use key separation, but some implementations reuse keys.
    • Use scapy to forge retransmissions of handshake messages:
      # Example: Replay Message 3 of the 4-way handshake
      sendp(radio_tap/ieee80211/dot11_4whs_msg3, iface="wlan0mon", count=10)
      
    • Monitor whether the client reinstalls the PTK (Pairwise Transient Key).
  3. Check for Client/AP Patches:

    • Most modern devices (post-2017) are patched.
    • Manually verify firmware versions of APs/clients (e.g., Cisco, Aruba, Windows 10+).

4. Signs of Vulnerability

  • Active Exploitation:

    • Attackers can decrypt traffic using tools like ettercap or wireshark.
    • Clients disconnect or experience instability during testing.
  • Passive Detection:

    • APs/clients accept retransmitted handshake messages.
    • No encryption errors when replaying packets.

5. Remediation

  1. Patch All Devices:

    • Update AP firmware (e.g., Cisco, Ubiquiti, OpenWRT).
    • Ensure client OSes are updated (Windows, iOS, Android, Linux).
  2. Enable WPA3:

    • WPA3 uses Simultaneous Authentication of Equals (SAE) and is immune to KRACK.
  3. Disable Legacy Protocols:

    • Remove support for WPA-TKIP and WEP.

6. Automated Scanners

  • Nessus/Qualys: Use vulnerability scanners to detect unpatched APs/clients.
  • Acrylic Wi-Fi Professional: Scans for KRACK vulnerabilities in networks.

Example of a Vulnerable Network

# Running krack-test.py
[+] Detected retransmitted Message 3 in 4-way handshake.
[!] AP is vulnerable to CVE-2017-13077 (Key Reinstallation).

Note: KRACK primarily exploits client-side vulnerabilities, so even if the AP is patched, unpatched clients remain at risk. Always test both ends of the connection!

Thursday, April 3, 2025

How to Check if PMF (Protected Management Frames) is Enabled on a Wi-Fi Network

Protected Management Frames (PMF) is a security feature defined in IEEE 802.11w that protects Wi-Fi management frames (e.g., deauthentication, disassociation) from forgery and eavesdropping. It prevents forged deauthentication attacks, such as those run with aireplay-ng.


Methods to Check PMF Status

1. Using Wireshark (Packet Capture Analysis)

  • Capture Wi-Fi traffic in monitor mode (e.g., using airodump-ng or Wireshark).
  • Look for Beacon frames or Association Response frames:
    • PMF Capable (802.11w): Indicates support.
    • PMF Required: Forces clients to use PMF (stronger security).

Steps:

  1. Start capturing on the target Wi-Fi channel:
    airodump-ng -c <channel> --bssid <AP_MAC> -w pmf_check wlan0mon
    
  2. Open the .pcap file in Wireshark.
  3. Filter for wlan.fc.type_subtype == 0x08 (Beacon frames).
  4. Check the RSN (Robust Security Network) Information Element:
    • If "Management Frame Protection Capable" is present → PMF is supported.
    • If "Management Frame Protection Required" is present → PMF is enforced.
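
As an added example (not part of the original post), the same RSN check done programmatically in Python: it walks the tagged parameters of a Beacon frame body, locates the RSN element (ID 48) and decodes the MFPC/MFPR bits of the RSN Capabilities field, which is what Wireshark labels "Management Frame Protection Capable/Required". The beacon bodies are constructed; in practice you would pass the bytes that follow the fixed beacon fields from the pcap.

```python
import struct

RSN_ELEMENT_ID = 48
MFPR_BIT = 1 << 6          # RSN Capabilities: Management Frame Protection Required
MFPC_BIT = 1 << 7          # RSN Capabilities: Management Frame Protection Capable

def find_rsn_ie(ies):
    """Walk the tagged parameters (ID, length, body, ...) of a Beacon/Probe Response
    and return the RSN element body, or None if the AP advertises no RSN element."""
    pos = 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        if eid == RSN_ELEMENT_ID:
            return ies[pos + 2:pos + 2 + length]
        pos += 2 + length
    return None

def pmf_status(rsn_body):
    """Classify PMF as 'disabled', 'capable' (optional) or 'required' from the RSN
    Capabilities field, which sits after the variable-length pairwise and AKM suite lists."""
    pos = 2 + 4                                   # Version (2) + Group Cipher Suite (4)
    for _ in range(2):                            # Pairwise suite list, then AKM suite list
        if pos + 2 > len(rsn_body):
            return "disabled"                     # truncated element: no MFP bits present
        (count,) = struct.unpack_from("<H", rsn_body, pos)
        pos += 2 + 4 * count
    if pos + 2 > len(rsn_body):
        return "disabled"                         # RSN Capabilities field is optional and absent
    (caps,) = struct.unpack_from("<H", rsn_body, pos)
    if caps & MFPR_BIT:
        return "required"
    return "capable" if caps & MFPC_BIT else "disabled"

def check_pmf(ies):
    body = find_rsn_ie(ies)
    return "no RSN element (open or WPA1-only)" if body is None else pmf_status(body)

def build_rsn_ie(caps):
    """Constructed sample: WPA2-PSK / CCMP RSN element with the given capabilities."""
    ccmp, psk = b"\x00\x0f\xac\x04", b"\x00\x0f\xac\x02"
    body = b"\x01\x00" + ccmp + b"\x01\x00" + ccmp + b"\x01\x00" + psk + struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body

SSID_IE = bytes([0, 7]) + b"TestNet"              # constructed SSID element
BEACON_IES = {                                    # constructed tagged-parameter areas
    "pmf_required": SSID_IE + build_rsn_ie(MFPC_BIT | MFPR_BIT),
    "pmf_optional": SSID_IE + build_rsn_ie(MFPC_BIT),
    "pmf_disabled": SSID_IE + build_rsn_ie(0),
    "open": SSID_IE,
}
```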

2. Using iw Command (Linux)

If you are connected to the network (or have access to a Linux machine with Wi-Fi):

iw dev wlan0 scan | grep -A 10 "SSID Name" | grep "RSN" -A 5
  • Look for Management Frame Protection: Yes or MFPC (Capable) / MFPR (Required).

Example Output:

RSN:     * Version: 1
     * Group cipher: CCMP
     * Pairwise ciphers: CCMP
     * Authentication suites: PSK
     * Capabilities: MFPC (PMF capable), MFPR (PMF required)
  • MFPC (Capable) → PMF is optional (clients can connect without it).
  • MFPR (Required) → PMF is mandatory (more secure).

3. Using Windows (netsh Command)

If connected to the network:

  1. Open Command Prompt as Administrator.
  2. Run:
    netsh wlan show networks mode=bssid
    
  3. Look for your target SSID and check the "Security settings" section.
    • If "Management Frame Protection Supported" appears → PMF is enabled.

4. Using Android (Wi-Fi Analyzer Apps)

  • Apps like Wi-Fi Analyzer or NetX may show 802.11w or PMF status in AP details.

Interpretation of Results

Status               | Security Implication
---------------------|------------------------------------------------
PMF Disabled         | Vulnerable to deauth attacks (aireplay-ng -0).
PMF Capable (MFPC)   | Optional (some clients may not use it).
PMF Required (MFPR)  | Best security (blocks deauth attacks).

5. Use wpa_cli (Linux)

For WPA2-Personal:

  1. Run:
    wpa_cli -i wlan0
    
  2. In the CLI, type scan_results and note the BSSID.
  3. Type bssid <BSSID> and check the RSN flags:
    • [MFPC] → PMF Capable.
    • [MFPR] → PMF Required.

6. Check RADIUS Server Settings (White-Box)

  • If you have insider access, verify if the RADIUS server (e.g., FreeRADIUS, NPS) enforces PMF:
    • Look for ieee80211w = 1 (PMF optional) or ieee80211w = 2 (PMF required) in the RADIUS client configuration.

7. Checking Access Point Configuration (White Box):

If you have been provided with access to the configuration interface of the wireless access point (as part of the white box testing), you can directly check the PMF settings.

  • Steps:

    1. Log in to the access point's web interface or command-line interface.
    2. Navigate to the wireless settings for the specific SSID you are testing.
    3. Look for options related to security, WPA2/WPA3, and advanced settings.
    4. You should find a setting labeled something like:
      • Protected Management Frames (PMF)
      • Management Frame Protection (MFP)
      • 802.11w
      • Secure Management Frames
    5. The setting will likely have options like "Enabled," "Disabled," "Optional," or "Required."
  • Interpreting the Results:

    • Enabled/Required: PMF is actively enforced. Clients that don't support PMF might not be able to connect.
    • Optional: PMF is supported, and clients that support it will use it, but clients that don't can still connect without it. This is less secure than "Enabled/Required."
    • Disabled: PMF is not enabled on the network.

Key Notes for Both Networks

  • WPA2 + PMF: PMF is optional in WPA2 (defined in 802.11w) but mandatory in WPA3.
  • WPA3 Networks: PMF is always required, so this check is irrelevant for WPA3.

Example Scenarios

Scenario 1: PMF Disabled (Vulnerable)

  • Attackers can use aireplay-ng to deauth clients:
    aireplay-ng -0 10 -a <AP_MAC> -c <Client_MAC> wlan0mon
    
  • Clients will disconnect and may reveal handshakes for cracking (WPA2-Personal).

Scenario 2: PMF Enabled (Secure)

  • Deauth attacks fail. You’ll see errors like:
    aireplay-ng: Got a deauth/disassoc packet. Is PMF enabled on the AP?
    

Recommendations

  1. Enable PMF in "Required" mode for both WPA2-Enterprise and WPA2-Personal.
  2. Migrate to WPA3 (PMF is enforced by default).

Thursday, September 7, 2023

Issue with Outlook for Mac copy/paste of meetings

Environment:

1. MacBook Pro 2021 M1
2. macOS Ventura 13.5.1
3. Microsoft Outlook for Mac, version 16.76.2

Symptoms:

Currently there is no way to copy/paste Outlook Calendar items (schedules and meetings) in Microsoft Outlook for Mac.

Solution (Workaround):

1. Use Outlook on the web instead.
2. Log in to outlook.office.com.
3. Click the “Calendar” icon on the left panel.
4. Right-click the meeting that you want to copy.
5. Select “Duplicate event”.
6. Change the date and time.

Wednesday, April 19, 2023

Fix Activity Monitor column issue on macOS

(Just for my reference)

Environment:

1. MacBook Pro 2019 Intel
2. macOS Ventura 13.0
3. Activity Monitor

Symptoms

When opening Activity Monitor, the “Process name” column was too wide, making it very hard to see the other columns.

Solution

1. Open Terminal.
2. Run the command: rm -f ~/Library/Preferences/com.apple.ActivityMonitor.plist

Thursday, November 3, 2022

Disable Citrix Autorun on macOS

(Just for my reference)

Environment:

1. MacBook Pro 2019 Intel
2. macOS Ventura 13.0
3. Citrix Workspace: version 22.10.0.44 (2210)

Symptoms

Citrix Workspace always runs automatically and pops up the login window on every reboot, and there is no option in the GUI to disable it.

This is ridiculous because users won't use it all the time.

Solution

1. Go to the folder /Library/LaunchAgents: cd /Library/LaunchAgents
2. List the Citrix plist files: ls -l com.citrix.*
3. To be on the safe side, copy these plist files to a backup location (the directory must exist before cp is given several sources): mkdir -p ~/Downloads/citrix_backup && cp ./com.citrix.* ~/Downloads/citrix_backup
4. Delete one file: sudo rm -f com.citrix.ReceiverHelper.plist
5. Edit com.citrix.safariadapter.plist: sudo vi com.citrix.safariadapter.plist
6. Find the value “RunAtLoad” and change it to “false”.
7. Reboot, and the pop-up window should be gone.

Wednesday, November 2, 2022

Simple way to hide files in Windows

Test Environment

1. Windows 11 Pro 21H2

This post covers three topics:

1. Create a hidden text file
2. Create an embedded hidden executable file
3. Run the hidden executable file

 

Create a hidden text file

The command below creates a normal text file:

C:\temp>echo This is Normal Text. > normal.txt

C:\temp>type normal.txt
This is Normal Text.

The command below creates hidden text in an alternate data stream (ADS) of normal.txt:

C:\temp>echo This is hidden text. > normal.txt:hidden.txt

C:\temp>type normal.txt
This is Normal Text.

The type command cannot show the hidden stream:

C:\temp>type normal.txt:hidden.txt
The filename, directory name, or volume label syntax is incorrect.

 

The dir command won't show the hidden stream:

C:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 64AD-2FC5

 Directory of C:\temp

10/18/2022  02:14 PM    <DIR>          .
10/18/2022  02:14 PM                23 normal.txt
               1 File(s)             23 bytes
               1 Dir(s)  56,873,701,376 bytes free

 

Use “dir /R” to show the hidden stream:

/R          Display alternate data streams of the file.

C:\temp>dir /R
 Volume in drive C has no label.
 Volume Serial Number is 64AD-2FC5

 Directory of C:\temp

10/18/2022  02:14 PM    <DIR>          .
10/18/2022  02:14 PM                23 normal.txt
                                    23 normal.txt:hidden.txt:$DATA
               1 File(s)             23 bytes
               1 Dir(s)  56,873,701,376 bytes free

 


 

Use notepad to show the hidden text:

C:\temp>notepad normal.txt:hidden.txt


Deleting normal.txt also deletes the hidden stream:

C:\temp>dir /R
 Volume in drive C has no label.
 Volume Serial Number is 64AD-2FC5

 Directory of C:\temp

10/18/2022  02:14 PM    <DIR>          .
10/18/2022  02:14 PM                23 normal.txt
                                    23 normal.txt:hidden.txt:$DATA
               1 File(s)             23 bytes
               1 Dir(s)  56,873,533,440 bytes free

C:\temp>del normal.txt

C:\temp>dir /R
 Volume in drive C has no label.
 Volume Serial Number is 64AD-2FC5

 Directory of C:\temp

10/18/2022  02:17 PM    <DIR>          .
               0 File(s)              0 bytes
               1 Dir(s)  56,873,533,440 bytes free

 


 

Hide Calculator

Create a normal text file:

C:\temp>echo This is Normal Text. > normal.txt

Find the location of the Calculator app:

C:\temp>where calc.exe
C:\Windows\System32\calc.exe

Hide the Calculator app inside the normal text file:

C:\temp>type C:\Windows\System32\calc.exe > normal.txt:calc.exe

 

The “dir” command won't show the embedded file:

C:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 64AD-2FC5

 Directory of C:\temp

10/18/2022  02:21 PM    <DIR>          .
10/18/2022  02:23 PM                23 normal.txt
               1 File(s)             23 bytes
               1 Dir(s)  56,876,064,768 bytes free

 

Use “dir /R” to show the embedded file:

C:\temp>dir /R
 Volume in drive C has no label.
 Volume Serial Number is 64AD-2FC5

 Directory of C:\temp

10/18/2022  02:21 PM    <DIR>          .
10/18/2022  02:23 PM                23 normal.txt
                                27,648 normal.txt:calc.exe:$DATA
               1 File(s)             23 bytes
               1 Dir(s)  56,877,633,536 bytes free



Run the embedded Calculator App

On older Windows versions such as XP and Windows 7, use the “start” command:

C:\temp>start normal.txt:calc.exe

On Windows 10 and 11, the “start” command pops up the “Look for app” window instead.

The command that does run the embedded file is “forfiles”:

C:\temp>forfiles /P c:\Windows\System32 /m notepad.exe /c "c:\temp\normal.txt:calc.exe"
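
As an added example (not the post's own code), a small Python triage script for the defender's side of this: it parses “dir /R” output like the listings above and reports named streams worth investigating. The sample listing is constructed from the two streams shown in this post plus a setup.msi line carrying Zone.Identifier, the mark-of-the-web stream browsers add to downloads, which is the common benign case a checker must not flag.

```python
import re

# A named stream shows up in "dir /R" as: <size> <file>:<stream>:$DATA
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")
# Stream names that warrant a closer look; Zone.Identifier is the common benign one
SUSPICIOUS_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr")
BENIGN_STREAMS = {"Zone.Identifier"}   # mark-of-the-web added by browsers to downloads

def parse_dir_r(output):
    """Return [(file, stream, size_bytes)] for every named stream listed by dir /R."""
    streams = []
    for line in output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size, file, stream = m.groups()
            streams.append((file, stream, int(size.replace(",", ""))))
    return streams

def classify(streams):
    """Drop expected streams and give each remaining one a reason to investigate."""
    findings = []
    for file, stream, size in streams:
        if stream in BENIGN_STREAMS:
            continue
        if stream.lower().endswith(SUSPICIOUS_SUFFIXES):
            reason = "executable-looking stream name"
        else:
            reason = "unexpected named stream"
        findings.append((file, stream, size, reason))
    return findings

# Constructed dir /R output: the two streams from the listings above plus a benign one
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 64AD-2FC5

 Directory of C:\\temp

10/18/2022  02:21 PM    <DIR>          .
10/18/2022  02:23 PM                23 normal.txt
                                27,648 normal.txt:calc.exe:$DATA
10/18/2022  02:25 PM                23 notes.txt
                                    23 notes.txt:hidden.txt:$DATA
10/18/2022  02:26 PM           104,857 setup.msi
                                    26 setup.msi:Zone.Identifier:$DATA
               3 File(s)        104,903 bytes
               1 Dir(s)  56,877,633,536 bytes free
"""
```

The same checks can be run directly against a live volume from PowerShell with Get-Item -Stream *, which enumerates alternate data streams without going through dir output.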



Two Free Temporary Virtual Machines

Scenario

Sometimes you want to use a computer that is outside of your network to test firewall rules, or you might just want to run some tests.

For example, if you are at a school and want to play browser games, you can use these virtual machines to bypass the firewall restriction.

Microsoft Learn provides some temporary virtual machines in its labs. These virtual machines are meant for practising the lab exercises, but you can use them for other purposes.

Requirements:

  1. A free Microsoft account: @outlook.com, @live.com, @hotmail.com, etc.
  2. Edge or Chrome browser.
  3. https://github.com/kmille36/Windows-11-VPS

First Virtual Machine

  1. Open the Microsoft Edge browser and log in with your free Microsoft account.
  2. Open the URL: https://learn.microsoft.com/en-us/training/modules/implement-common-integration-features-finance-ops/10-exercise-1
  3. (You might need to agree to an announcement.)
  4. Click the “Launch VM Mode” button.
  5. Wait a few minutes; the VM will be ready to use.
  6. On the right panel, click the “Resources” tab to see the username and the password. It also shows how many hours remain; typically you can use it for 2 hours.
  7. Enter the password and log in to the machine.
  8. The flash icon at the upper left of the screen provides some keyboard functions.
  9. You can make it full screen by clicking the screen icon beside the flash icon.
  10. After you finish testing, shut down the VM: click the “Instruction” tab on the right panel, then click the “Done” button at the bottom right of the screen.

 

Second Virtual Machine

  1. For this VM, you will need to run some Azure Cloud Shell commands to create it. Fortunately, https://github.com/kmille36/Windows-11-VPS has some scripts that make it very simple.
  2. Open the Microsoft Edge browser and log in with your free Microsoft account.
  3. Open the URL: https://learn.microsoft.com/en-ca/training/modules/monitor-azure-vm-using-diagnostic-data/3-exercise-create-virtual-machine
  4. Click the “Activate Sandbox” button.
  5. You might be asked for permissions; accept all the required permissions.
  6. Wait a few minutes until the Azure shell window is ready.
  7. Enter the command: curl -skLO is.gd/azurewinvmplus ; chmod +x azurewinvmplus ; ./azurewinvmplus
  8. Follow the instructions to create the VM that suits you.
  9. Once you see the “…is READY TO USE !!!” message, you can use Remote Desktop tools to connect to this VM. The IP, username and password are shown on the screen.

     

Use Cases:

  1. Run NMAP to scan public IPs.

References:

  1. https://docs.microsoft.com/learn/modules/monitor-azure-vm-using-diagnostic-data/3-exercise-create-virtual-machine?activate-azure-sandbox=true
  2. https://learn.microsoft.com/en-us/training/modules/implement-common-integration-features-finance-ops/10-exercise-1
  3. https://learn.microsoft.com/en-ca/training/modules/monitor-azure-vm-using-diagnostic-data/3-exercise-create-virtual-machine
  4. https://github.com/kmille36/Windows-11-VPS