The vulnerability that killed FreeWifi_Secure

src/generic-methodologies-and-resources/pentesting-wifi/README.md

@@ -452,6 +452,62 @@ Regardless of the protocol chosen, the PEAP/TTLS server obtains knowledge of the
 
 For more info check [https://www.interlinknetworks.com/app_notes/eap-peap.htm](https://www.interlinknetworks.com/app_notes/eap-peap.htm)
 
+### SIM-based EAP (EAP-SIM/EAP-AKA) identity leakage (IMSI exposure)
+
+SIM-based Wi‑Fi authentication using EAP‑SIM/EAP‑AKA over 802.1X can leak the permanent subscriber identifier (IMSI) in cleartext during the unauthenticated identity phase if the deployment doesn’t implement pseudonyms/protected identities or a TLS tunnel around the inner EAP.
+
+Where the leak happens (high level):
+- 802.11 association completes to the SSID (often carrier offload SSIDs like FreeWifi_secure, eduroam-like operator realms, etc.).
+- Authenticator sends EAP-Request/Identity.
+- Vulnerable clients answer EAP-Response/Identity with their permanent identity = IMSI encoded as a 3GPP NAI, prior to any protection.
+  - Example NAI: [email protected]
+- Anyone passively listening to RF can read that frame. No 4-way handshake or TLS keying is needed.
+
+Quick PoC: passive IMSI harvesting on EAP‑SIM/AKA networks lacking identity privacy
+<details>
+<summary>Click to expand</summary>
+
+```bash
+# 1) Enable monitor mode
+airmon-ng start wlan0
+
+# 2) Optional: lock channel to the target BSS
+airodump-ng wlan0mon --essid <SSID>
+
+# 3) Capture 802.1X/EAP frames
+# Wireshark display filters:
+#   eap || eapol
+#   (identity specifically): eap.code == 2 && eap.type == 1
+# Kismet: add source wlan0mon; enable 802.1X/EAP views
+# tcpdump (pcap capture):
+#   tcpdump -i wlan0mon -s 0 -w eapsim_identity.pcap
+
+# 4) Wait for a device to auto-connect to the SSID
+# 5) Inspect the first EAP-Response/Identity frame
+# Expected: ASCII NAI containing IMSI, e.g.
+#   [email protected]
+```
+
+</details>
+
+Notes:
+- Works before any TLS tunnel if the deployment uses bare EAP‑SIM/AKA without protected identity/pseudonyms.
+- The exposed value is a permanent identifier tied to the subscriber’s SIM; harvesting enables long‑term tracking and downstream telecom abuses.
+
+Impact
+- Privacy: persistent user/device tracking from passive Wi‑Fi captures in public places.
+- Telecom abuse bootstrap: with the IMSI, an attacker with SS7/Diameter access can query location or attempt call/SMS interception and MFA theft.
+
+Mitigations / what to look for
+- Verify that clients use anonymous outer identities (pseudonyms) for EAP‑SIM/AKA as per 3GPP guidance (e.g., 3GPP TS 33.402).
+- Prefer tunneling the identity phase (e.g., EAP‑TTLS/PEAP carrying inner EAP‑SIM/AKA) so the IMSI is never sent in clear.
+- Packet captures of association/auth should never reveal a raw IMSI in EAP-Response/Identity.
+
+Related: Telecom signalling exploitation with captured mobile identifiers
+{{#ref}}
+../pentesting-network/telecom-network-exploitation.md
+{{#endref}}
+
 ### EAP-Bruteforce (password spray)
 
 If the client is expected to use a **username and password** (notice that **EAP-TLS won't be valid** in this case), then you could try to get a **list** a **usernames** (see next part) and **passwords** and try to **bruteforce** the access using [**air-hammer**](https://github.com/Wh1t3Rh1n0/air-hammer)**.**
@@ -792,6 +848,10 @@ These methods, particularly PIN entry, are susceptible to the same vulnerabiliti
 - [https://medium.com/hacking-info-sec/ataque-clientless-a-wpa-wpa2-usando-pmkid-1147d72f464d](https://medium.com/hacking-info-sec/ataque-clientless-a-wpa-wpa2-usando-pmkid-1147d72f464d)
 - [https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)](<https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)>)
 - [https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/](https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/)
+- [The vulnerability that killed FreeWifi_Secure](https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/)
+- [RFC 4186 – EAP-SIM Authentication](https://datatracker.ietf.org/doc/html/rfc4186)
+- [3GPP TS 33.402 – 3GPP system architecture evolution (SAE); Security aspects of non-3GPP accesses](https://www.3gpp.org/ftp/Specs/archive/33_series/33.402/)
+
 
 TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals)