carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What broke and why
Free’s carrier Wi‑Fi SSID FreeWifi_secure (also seen as FreeWifi_Secure) authenticated Free Mobile subscribers using EAP‑SIM (RFC 4186) over 802.1X. During the unauthenticated identity phase, client devices replied to EAP-Request/Identity with a permanent identifier in cleartext: the subscriber’s IMSI encoded as a 3GPP NAI, e.g., 20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org. No protected identity (3...

🔧 Technical Details

Passive IMSI harvesting on EAP‑SIM networks lacking identity privacy: On SIM‑based Wi‑Fi where EAP-Response/Identity carries the permanent IMSI, capture the first EAP identity exchange and read the NAI (e.g., 20815XXXXXXXXXX@wlan.mnc015.mcc208.3gppnetwork.org). Steps: enable monitor mode (airmon-ng start <iface>), capture with Wireshark/Kismet/tcpdump, and filter for identity frames (eap.code == 2 && eap.type == 1). The leak occurs before any TLS tunnel, so the IMSI appears as ASCII. This generalizes to any EAP‑SIM/AKA deployment that omits pseudonyms or tunneling.

Abusing the identifier downstream: Use the captured IMSI for cross‑site device correlation and, where access exists, SS7/Diameter lookups for location, call/SMS interception, and MFA theft. The Wi‑Fi capture is only the bootstrap; the real power comes from telecom signaling abuse once the IMSI is known.

🤖 Agent Actions

I explored the repository structure, reviewed relevant content, and implemented an update to cover the EAP-SIM/EAP-AKA IMSI exposure technique described in the blog.

What I checked (at least 5 files):

  • src/generic-methodologies-and-resources/pentesting-wifi/README.md
  • src/generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md
  • src/generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.md
  • src/generic-methodologies-and-resources/pentesting-network/README.md
  • src/generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.md

Rationale for placement:

  • The technique is an 802.1X/EAP identity privacy issue in Wi‑Fi (WPA-Enterprise class), specifically for SIM-based methods (EAP-SIM/EAP-AKA).
  • There was no existing EAP-SIM/AKA coverage in the Wi‑Fi page; while the Wi‑Fi page had EAP identity and enterprise content, it didn’t cover IMSI exposure via EAP-Response/Identity for SIM-based auth.
  • I added a focused section under the WPA Enterprise (MGT) area of the Wi‑Fi page and cross-linked to the telecom exploitation page, where IMSI/SUPI downstream abuse is already documented.

Changes made:

  1. Added new section to Pentesting WiFi README
  • File: src/generic-methodologies-and-resources/pentesting-wifi/README.md
  • Inserted a new technical section:
    • Title: SIM-based EAP (EAP-SIM/EAP-AKA) identity leakage (IMSI exposure)
    • Content:
      • Protocol flow and where the leak occurs (EAP-Response/Identity pre-protection)
      • NAI format example (IMSI@wlan.mncXXX.mccYYY.3gppnetwork.org)
      • Passive capture steps with commands and Wireshark filters
      • Impact and mitigations (pseudonyms/protected identities, use of tunnels like EAP-TTLS/PEAP)
      • A cross-link to Telecom Network Exploitation (via {{#ref}} ../pentesting-network/telecom-network-exploitation.md {{#endref}})
    • The PoC code section (longer than 15 lines) was wrapped in an expandable as required.
  2. Updated References of the WiFi page
  • Added references relevant to the update at the end of the file:
    • The vulnerability that killed FreeWifi_Secure (blog URL)
    • RFC 4186 – EAP-SIM
    • 3GPP TS 33.402 – Non-3GPP access security (identity privacy guidance for EAP-SIM/AKA)

Tool actions performed:

  • modify_file on src/generic-methodologies-and-resources/pentesting-wifi/README.md:
    • Inserted the new EAP-SIM/EAP-AKA IMSI leakage section right before “EAP-Bruteforce (password spray)”
    • Wrapped the long code block in an expandable details section
    • Appended new references by replacing the last reference bullet with itself plus the new items

Why this is useful:

  • It abstracts the blog’s technique into a general, reusable Wi‑Fi attack pattern: passive IMSI harvesting on SIM-based EAP networks that don’t protect the identity exchange.
  • It gives reproducible steps (monitor mode, capture filters, expected NAI) and ties the outcome (IMSI) to telecom-layer abuses, with a cross-link to existing telecom exploitation content.

No new files were created; the update fits well into the existing Wi‑Fi methodology page and maintains HackTricks structure and style.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 896
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://7h30th3r0n3.fr/the-vulnerability-that-killed-freewifi_secure/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Wifi -> EAP-SIM/EAP-AKA Attacks (IMSI exposure via EAP-Response/Identity), with a cross-link to Pentesting Network -> Telecom Network Exploitation".

Repository Maintenance:

  • MD Files Formatting: 896 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
