Pre-Shared Key (PSK) networks use a shared password for authentication. As a consequence, user activity may be difficult to track given the nature of shared authentication. In addition, when the password is compromised, credentials must be changed on every device that connects to the network, which can be cumbersome. The PSK can be compromised through technical and non-technical means, described below.
Procedure
- While performing passive analysis, check for PSKs posted throughout the facility. Common areas to check include training rooms, conference rooms, reception areas, and the employee workspace within the facility.
- If unlocked workstation interaction is deemed to be in scope (explicitly ask the customer first), use a Rubber Ducky, Bash Bunny, other malicious HID device, or manually interact with the console to compromise the PSK. This can be accomplished using the following commands. The first command lists the WLAN profiles present on the system; the second exposes the PSK for the targeted profile:

    netsh wlan show profiles
    netsh wlan show profile [profile name] key=clear

- Attempt PSK handshake and PMKID capture. This can be accomplished using a passive analysis tool like Kismet, hcxdumptool from the Hcxtools suite, or airodump-ng from the Aircrack-ng Suite. Successful capture may not require any active traffic generation. However, handshake generation can potentially be expedited by executing Deauthentication Attacks with aireplay-ng from the Aircrack-ng Suite.
- Attempt to crack any successfully captured PSK handshakes or PMKIDs.
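As an added, defender-side example that is not part of the original procedure: a small detector for the deauthentication bursts the handshake-capture step relies on, run over constructed raw 802.11 management frames (all MAC addresses, timestamps and the threshold are constructed assumptions; a real capture would come from a monitor-mode interface with the radiotap header stripped).

```python
import struct
from collections import defaultdict

# 802.11 management-frame subtypes (frame type 0) used to kick clients off
DEAUTH, DISASSOC = 0x0C, 0x0A

def parse_mgmt_header(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3) from a raw 802.11 header
    without radiotap; None if the frame is shorter than a 24-byte header."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    return ftype, subtype, frame[4:10], frame[10:16], frame[16:22]

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def deauth_flood_sources(frames, window=5.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns the set of
    transmitter MACs (addr2) that sent more than `threshold` deauth/disassoc
    frames inside any `window`-second span. A spoofed flood carries the
    AP's own BSSID as transmitter, so that is what gets flagged."""
    recent, flagged = defaultdict(list), set()
    for ts, raw in frames:
        hdr = parse_mgmt_header(raw)
        if hdr is None or hdr[0] != 0 or hdr[1] not in (DEAUTH, DISASSOC):
            continue
        src = mac(hdr[3])
        recent[src].append(ts)
        while recent[src] and ts - recent[src][0] > window:  # slide window
            recent[src].pop(0)
        if len(recent[src]) > threshold:
            flagged.add(src)
    return flagged

def build_deauth(bssid: bytes, client: bytes, reason: int = 7) -> bytes:
    # FC 0xC0 = type 0 (management), subtype 12 (deauthentication)
    return (b"\xc0\x00" + b"\x00\x00" + client + bssid + bssid + b"\x00\x00"
            + struct.pack("<H", reason))

AP = bytes.fromhex("02aabbcc0001")   # constructed BSSID (locally administered)
STA = bytes.fromhex("02ddeeff0002")  # constructed client MAC
BROADCAST = b"\xff" * 6

def sample_capture():
    """Constructed trace: one normal deauth at t=0, a beacon (FC 0x80) that must
    be ignored, then 40 broadcast deauths in two seconds spoofing the AP."""
    frames = [(0.0, build_deauth(AP, STA)),
              (1.0, b"\x80\x00\x00\x00" + BROADCAST + AP + AP + b"\x00\x00")]
    frames += [(10.0 + i * 0.05, build_deauth(AP, BROADCAST)) for i in range(40)]
    return frames
```

Enabling Management Frame Protection (802.11w) on the WLAN lets clients reject forged deauthentication frames, so a burst like this no longer forces a fresh handshake.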