Add content from: The vulnerability that killed FreeWifi_Secure

This commit is contained in:
HackTricks News Bot 2025-10-01 15:51:32 +00:00
parent 3b40ab6ab7
commit 685550063a
2 changed files with 61 additions and 2 deletions

View File

@ -452,6 +452,62 @@ Regardless of the protocol chosen, the PEAP/TTLS server obtains knowledge of the
For more info check [https://www.interlinknetworks.com/app_notes/eap-peap.htm](https://www.interlinknetworks.com/app_notes/eap-peap.htm) For more info check [https://www.interlinknetworks.com/app_notes/eap-peap.htm](https://www.interlinknetworks.com/app_notes/eap-peap.htm)
### SIM-based EAP (EAP-SIM/EAP-AKA) identity leakage (IMSI exposure)
SIM-based WiFi authentication using EAPSIM/EAPAKA over 802.1X can leak the permanent subscriber identifier (IMSI) in cleartext during the unauthenticated identity phase if the deployment doesnt implement pseudonyms/protected identities or a TLS tunnel around the inner EAP.
Where the leak happens (high level):
- 802.11 association completes to the SSID (often carrier offload SSIDs like FreeWifi_secure, eduroam-like operator realms, etc.).
- Authenticator sends EAP-Request/Identity.
- Vulnerable clients answer EAP-Response/Identity with their permanent identity = IMSI encoded as a 3GPP NAI, prior to any protection.
- Example NAI: 20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org
- Anyone passively listening to RF can read that frame. No 4-way handshake or TLS keying is needed.
Quick PoC: passive IMSI harvesting on EAPSIM/AKA networks lacking identity privacy
<details>
<summary>Click to expand</summary>
```bash
# 1) Enable monitor mode
airmon-ng start wlan0
# 2) Optional: lock channel to the target BSS
airodump-ng wlan0mon --essid <SSID>
# 3) Capture 802.1X/EAP frames
# Wireshark display filters:
# eap || eapol
# (identity specifically): eap.code == 2 && eap.type == 1
# Kismet: add source wlan0mon; enable 802.1X/EAP views
# tcpdump (pcap capture):
# tcpdump -i wlan0mon -s 0 -w eapsim_identity.pcap
# 4) Wait for a device to auto-connect to the SSID
# 5) Inspect the first EAP-Response/Identity frame
# Expected: ASCII NAI containing IMSI, e.g.
# 20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org
```
</details>
Notes:
- Works before any TLS tunnel if the deployment uses bare EAPSIM/AKA without protected identity/pseudonyms.
- The exposed value is a permanent identifier tied to the subscribers SIM; harvesting enables longterm tracking and downstream telecom abuses.
Impact
- Privacy: persistent user/device tracking from passive WiFi captures in public places.
- Telecom abuse bootstrap: with the IMSI, an attacker with SS7/Diameter access can query location or attempt call/SMS interception and MFA theft.
Mitigations / what to look for
- Verify that clients use anonymous outer identities (pseudonyms) for EAPSIM/AKA as per 3GPP guidance (e.g., 3GPP TS 33.402).
- Prefer tunneling the identity phase (e.g., EAPTTLS/PEAP carrying inner EAPSIM/AKA) so the IMSI is never sent in clear.
- Packet captures of association/auth should never reveal a raw IMSI in EAP-Response/Identity.
Related: Telecom signalling exploitation with captured mobile identifiers
{{#ref}}
../pentesting-network/telecom-network-exploitation.md
{{#endref}}
### EAP-Bruteforce (password spray) ### EAP-Bruteforce (password spray)
If the client is expected to use a **username and password** (notice that **EAP-TLS won't be valid** in this case), then you could try to get a **list** a **usernames** (see next part) and **passwords** and try to **bruteforce** the access using [**air-hammer**](https://github.com/Wh1t3Rh1n0/air-hammer)**.** If the client is expected to use a **username and password** (notice that **EAP-TLS won't be valid** in this case), then you could try to get a **list** a **usernames** (see next part) and **passwords** and try to **bruteforce** the access using [**air-hammer**](https://github.com/Wh1t3Rh1n0/air-hammer)**.**
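Review bot: the mitigation bullet "Verify that clients use anonymous outer identities (pseudonyms)" asks the client for something it cannot do on its own: in EAP-SIM (RFC 4186) and EAP-AKA pseudonyms and fast re-authentication identities are issued by the server, encrypted inside AT_ENCR_DATA of the challenge round, after a successful full authentication, so a peer's first full authentication on a network still answers EAP-Request/Identity with the permanent IMSI-based NAI unless the exchange is tunnelled. Suggest rewording it to "verify the server issues pseudonyms and the client uses them on subsequent attempts" and stating that tunnelling (EAP-TTLS/PEAP carrying inner EAP-SIM/AKA, the next bullet) is the only listed mitigation that also protects the first authentication. Minor: "EAPSIM/EAPAKA", "doesnt", "subscribers" and "longterm" lost their hyphens and apostrophes (the heading spells them EAP-SIM/EAP-AKA), and in the PoC the comment "lock channel to the target BSS" does not match the command, since `airodump-ng --essid` filters by ESSID while `-c <channel>` is what fixes the channel.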
@ -792,6 +848,10 @@ These methods, particularly PIN entry, are susceptible to the same vulnerabiliti
- [https://medium.com/hacking-info-sec/ataque-clientless-a-wpa-wpa2-usando-pmkid-1147d72f464d](https://medium.com/hacking-info-sec/ataque-clientless-a-wpa-wpa2-usando-pmkid-1147d72f464d) - [https://medium.com/hacking-info-sec/ataque-clientless-a-wpa-wpa2-usando-pmkid-1147d72f464d](https://medium.com/hacking-info-sec/ataque-clientless-a-wpa-wpa2-usando-pmkid-1147d72f464d)
- [https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)](<https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)>) - [https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)](<https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)>)
- [https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/](https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/) - [https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/](https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/)
- [The vulnerability that killed FreeWifi_Secure](https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/)
- [RFC 4186 EAP-SIM Authentication](https://datatracker.ietf.org/doc/html/rfc4186)
- [3GPP TS 33.402 3GPP system architecture evolution (SAE); Security aspects of non-3GPP accesses](https://www.3gpp.org/ftp/Specs/archive/33_series/33.402/)
TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals) TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)
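Review bot: the new section covers both EAP-SIM and EAP-AKA but only RFC 4186 (EAP-SIM) is added to the references; add RFC 4187 (EAP-AKA) alongside it, and point the 3GPP TS 33.402 entry at a specific release rather than the `33_series/33.402/` archive directory so the "3GPP guidance" cited in the mitigations bullet can be checked against one version.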

View File

@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
> [!TIP] > [!TIP]
> >
> - **How can I cite a page of HackTricks?** > - **How can I a page of HackTricks?**
As long as the link **of** the page(s) where you took the information from appears it's enough.\ As long as the link **of** the page(s) where you took the information from appears it's enough.\
If you need a bibtex you can use something like: If you need a bibtex you can use something like:
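Review bot: the only change in this hunk is the word "cite" in the FAQ question, and one side now reads "How can I a page of HackTricks?", which is ungrammatical; confirm that the side keeping "cite" is the one being committed, because a word vanishing from an unrelated FAQ entry in a content-import commit looks like an accidental drop by the bot rather than an intended edit.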
@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
{{#include ../banners/hacktricks-training.md}} {{#include ../banners/hacktricks-training.md}}
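Review bot: the header `-144,4 +144,3` says one line was removed but the only visible line is unchanged context, so the deletion is most likely a trailing blank line or the newline at end of file; whitespace-only changes to the FAQ/license file should not ride along in a content-addition commit, and if the bot strips trailing newlines on every run that should be fixed in the bot instead.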