Open Authentication

Open Authentication without Password

Once we know your ESSID we can connect to the network, for that we create a “free.conf’ file to connect from bash using “wpa_supplicant”.

nano free.conf

network={
	ssid="$ESSID"
	key_mgmt=NONE
	scan_ssid=1
}

sudo wpa_supplicant -Dnl80211 -iwlan2 -c free.conf

wpa_supplicant: A daemon used to manage WPA/WPA2 authentication for Wi-Fi networks.
-Dnl80211: Specifies the wireless driver backend.
- nl80211 is the modern driver used for most Linux wireless devices.
- If nl80211 doesn't work, you might try wext (legacy driver).
-iwlan2: Specifies the wireless interface (wlan2 in this case).
- You should check your actual interface name using iwconfig or ip link show.
-c free.conf: Specifies the configuration file (free.conf) containing network credentials and settings.

In another terminal as root:

sudo dhclient wlan2 -v

sudo: Runs the command with superuser privileges.
dhclient: A DHCP (Dynamic Host Configuration Protocol) client that requests an IP address from a DHCP server.
wlan2: The name of the wireless interface requesting the IP.
-v: Enables verbose mode to display detailed output.

Once connected to the network and get IP with “dhclient” we can access the IP at IP 192.168.16.1 where we see a login where we can test default credentials such as admin/admin, accessing the admin panel where you can find the flag.

admin/admin

Alternate Method to connect

Opportunistic Wireless Encryption

Opportunistic Wireless Encryption (OWE), also known as Enhanced Open provides encryption without requiring a password.

The Key Difference: Look at the airodump-ng output for ENC and AUTH.

Standard Open (Lab 1): Shows ENC: OPN and AUTH: [empty].
OWE (Lab 1.1): Shows ENC: WPA3, CIPHER: CCMP, and AUTH: OWE.
Wireshark View: Open your .pcap file. Unlike Lab 1 where you could see HTTP POST data in plaintext , the OWE traffic will appear as 802.11 QoS Data and will be encrypted, making the data unreadable to the sniffer

Connecting the Client

Next, you simulate a client connecting to this encrypted "open" network.

Start the Client: Use wpa_supplicant to connect an interface (e.g., wlan1) using the OWE configuration

network={
        ssid="SweetB-OWE"
        key_mgmt=OWE
        pairwise=CCMP
}

wpa_supplicant -i wlan1 -c owe.conf

Observe the Handshake: Watch the output for Key negotiation completed. You will notice that while no password was entered, the system negotiates a PMKSA-CACHE and a PTK CCMP (encryption key).

Traffic Sniffing & Analysis

Now, use a 2nd radio to capture the traffic and analyze it.

Enable Monitor Mode:

airmon-ng start wlan2

Locate the Target: Scan all bands to find the channel and BSSID of SweetB-OWE:

airodump-ng --band abg wlan2mon

Capture to PCAP: Once you have the channel (-c) and BSSID (--bssid), start a focused capture:

airodump-ng -c <#> --essid SweetB-OWE --bssid <mac> -w <output.pcap> --output-format pcap

airodump-ng -c 6 --essid SweetB-OWE --bssid CE:9E:05:59:B3:CE -w output_owe --output-format pcap wlan2mon

Key Takeaway

On a standard open network, any attacker can see your HTTP traffic in plaintext. In an OWE environment, even though there is no password, the traffic between the client and the AP is encrypted, protecting users from passive sniffing

PreviousReconnaisance NextWEP

Last updated 5 hours ago

hashtagOpen Authentication without Password

hashtagAlternate Method to connect

hashtagOpportunistic Wireless Encryption

hashtagConnecting the Client

hashtagTraffic Sniffing & Analysis

hashtagKey Takeaway