Enterprise WiFi Hacking: MGT / EAP-PEAP

Introduction

Enterprise networks use centralised authentication. Your goal is to identify user identities and perform an Evil Twin attack to capture credentials.


EAP Hammer Automation

Phase 1: Task 1 - Reconnaissance

In this phase, you will identify the username, EAP type, and certificate details used by the target. To do so, we need to capture the EAP handshake.

  • Enable Monitor Mode:

    airmon-ng start wlan0

  • Locate the Target: Scan for the Enterprise network:

    airodump-ng --band abg wlan7mon

  • Capture Traffic: Lock onto the target's channel and BSSID and save the capture to a pcap file.

  • Analyze in Wireshark: Open the capture and apply these filters to find sensitive data:

    • Filter 1: eap (to see general EAP traffic).

    • Filter 2: eap.type (to confirm it is Protected EAP (EAP-PEAP)). Knowing the supported method dictates your next move. For example, if the server supports PEAP or EAP-TTLS, you can proceed with the Rogue AP (Evil Twin) attacks.

    • Filter 3: eap.identity (to find the username, e.g., [email protected]).

    • Filter 4: x509af.subject (to gather information on the server certificate).

We can also use tshark to extract this information:

or, to be more specific:
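The three Wireshark filters above (eap, eap.type, eap.identity) map directly onto fields of the EAP packet. The following Python is an added example, not code from the original page or from any of the tools it mentions: it decodes constructed EAP packets the way those filters would and reports what a passive observer learns, which is also the check a defender runs to see whether supplicants leak the real username in the cleartext outer identity (the mitigation being an anonymous@realm outer identity). The sample exchange and the name alice@example.local are constructed.

```python
import struct

# EAP packet layout (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Type-Data
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_NAMES = {1: "Identity", 21: "EAP-TTLS", 25: "EAP-PEAP"}  # IANA EAP method types

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet (the payload that follows the EAPOL header)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    info = {"code": code, "id": ident, "type": None, "identity": None}
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        info["type"] = pkt[4]
        if info["type"] == 1:  # Identity: Type-Data is the NAI, shown by Wireshark as eap.identity
            info["identity"] = pkt[5:length].decode("utf-8", "replace")
    return info

def outer_identity_leaks_user(identity: str) -> bool:
    """True when the cleartext outer identity carries a real username instead of anonymous@realm."""
    user = identity.split("@", 1)[0].strip().lower()
    return user not in ("", "anonymous")

def audit_eap_exchange(packets) -> dict:
    """Summarise what a passive observer learns from a list of EAP packets."""
    methods, leaked = set(), []
    for pkt in packets:
        p = parse_eap(pkt)
        if p["type"] in TYPE_NAMES and p["type"] != 1:
            methods.add(TYPE_NAMES[p["type"]])        # eap.type: method proposed by the server
        if p["code"] == EAP_RESPONSE and p["identity"] and outer_identity_leaks_user(p["identity"]):
            leaked.append(p["identity"])              # eap.identity: username exposed before the TLS tunnel
    return {"methods": sorted(methods), "leaked_identities": leaked}

# Constructed sample exchange, as it would appear after the EAPOL header in a capture
IDENTITY = b"alice@example.local"
SAMPLE = [
    b"\x01\x01\x00\x05\x01",                                                  # AP: EAP-Request/Identity
    b"\x02\x01" + struct.pack("!H", 5 + len(IDENTITY)) + b"\x01" + IDENTITY,  # client: EAP-Response/Identity
    b"\x01\x02\x00\x06\x19\x20",                                              # AP: EAP-Request, type 25 (PEAP), Start flag
]

if __name__ == "__main__":
    print(audit_eap_exchange(SAMPLE))
```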

Alternate method to check authentication type

Once we have a valid user, we can try each EAP authentication method in turn to verify which methods the AP supports. We can use "EAP_buster" for this task.



Phase 2: Task 2 - Evil Twin Attack

Now that you have the username and certificate details, you will create a malicious AP to steal the user's password hash.

  1. Stop Collection:

    airmon-ng check kill

  2. Create a Look-alike Certificate: Use the Eaphammer wizard to generate a certificate that mimics the target:

    • cd /home/rogue1/opt/eaphammer

    • ./eaphammer --cert-wizard

  3. Launch the Evil Twin: Run the attack to negotiate a connection and capture the MSCHAPv2 hash:

    Or we can run our AP without the same MAC (I think this is better).

  4. Capture the Hash: When the client connects, you will see a NETNTLM (MSCHAPv2) hash in the terminal.

Deauthenticate the existing Clients

With airodump-ng we detect the MAC addresses of the clients in order to perform a deauthentication attack, and we run this attack against both clients in parallel. As there are two APs, we have to perform the attack against both, since a client disconnected from one may reconnect to the other instead of to our Rogue AP.

Option B: Bulk Deauthentication (mdk4) – RECOMMENDED

This is the most efficient method for Enterprise environments as it can target multiple APs simultaneously.

1. Create a Target File: If there are multiple APs, save their MAC addresses to a list.

2. Execute the Attack: Ensure your interface is in monitor mode and on the correct channel before running the command.

  • Method 1: Using the Target File

    • Note: The -b flag points to your list of BSSIDs.

  • Method 2: Deauth by ESSID (Simpler)

    • Note: This targets all APs broadcasting that specific network name.
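The deauthentication step is what a wireless IDS sees most easily, because deauth and disassoc frames are unprotected unless the network enforces 802.11w (PMF), which is the mitigation against this step. The following Python is an added example, not code from the original page or from mdk4/aireplay-ng: it decodes the 802.11 management header of captured frames and flags any BSSID that receives a burst of deauth/disassoc frames inside a one-second window. The capture, MAC addresses and threshold are constructed for the example.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC = 12, 10  # 802.11 management subtypes (frame type 0)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes) -> dict:
    """Decode the 802.11 MAC header of a management frame (radiotap header already stripped)."""
    fc = struct.unpack("<H", frame[:2])[0]               # Frame Control is little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {"type": ftype, "subtype": subtype, "da": mac(frame[4:10]),
            "sa": mac(frame[10:16]), "bssid": mac(frame[16:22]), "reason": None}
    if ftype == 0 and subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]  # 2-byte Reason Code body
    return info

def sample_deauth(bssid: bytes, client: bytes, reason: int = 7) -> bytes:
    """Constructed test fixture: one deauth frame as an AP-to-client capture would show it."""
    header = struct.pack("<H", DEAUTH << 4) + b"\x00\x00" + client + bssid + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)

def detect_deauth_flood(frames, window: float = 1.0, threshold: int = 10) -> set:
    """frames: iterable of (timestamp_seconds, frame_bytes). Returns the BSSIDs that saw
    at least `threshold` deauth/disassoc frames inside any sliding window of `window` seconds."""
    times = defaultdict(list)
    for ts, frame in frames:
        f = parse_mgmt(frame)
        if f["reason"] is not None:
            times[f["bssid"]].append(ts)
    flooded = set()
    for bssid, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flooded.add(bssid)
                break
    return flooded

# Constructed capture: 20 deauths in one second against AP_A, a single one against AP_B
AP_A, AP_B = bytes.fromhex("020000aaaa01"), bytes.fromhex("020000bbbb01")
CLIENT = bytes.fromhex("020000cccc01")
CAPTURE = [(i * 0.05, sample_deauth(AP_A, CLIENT)) for i in range(20)] + [(0.3, sample_deauth(AP_B, CLIENT))]

if __name__ == "__main__":
    print(detect_deauth_flood(CAPTURE))  # prints {'02:00:00:aa:aa:01'}
```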


Phase 3: Cracking the Hash

Once you have the hash (e.g., [email protected]::::...), save it to a file named hashes.txt.

Option A: Hashcat:

Option B: John the Ripper:

Method 2: FreeRADIUS + hostapd-mana

Phase 1: Certificate Configuration

You must modify the FreeRADIUS configuration files to match the target organization's details found during your reconnaissance.

1. Edit CA Configuration

  • Command: sudo nano /etc/freeradius/3.0/certs/ca.cnf

  • Update the [certificate_authority] section:

    • countryName = ES

    • stateOrProvinceName = Madrid

    • localityName = Madrid

    • organizationName = WiFiChallenge

    • emailAddress = [email protected]

    • commonName = "WiFiChallenge CA"

2. Edit Server Configuration

  • Command: sudo nano /etc/freeradius/3.0/certs/server.cnf

  • Update the [server] section:

    • countryName = ES

    • stateOrProvinceName = Madrid

    • localityName = Madrid

    • organizationName = WiFiChallenge

    • emailAddress = [email protected]

    • commonName = "WiFiChallenge Server"


Phase 2: Certificate Generation & User Setup

1. Generate New Certificates: Switch to root to refresh the Diffie-Hellman parameters and build the certificates.

2. Create EAP User File: This file tells the Rogue AP which authentication protocols to negotiate with victims.


Phase 3: Launching the Attack

1. Create the hostapd-mana Config: Save this as /tmp/network.conf. Ensure the ssid matches your target variable.

2. Execution: Reset your interface and start the Rogue AP.

3. Deauthenticate Targets: In a new terminal, kick clients off the real APs to force them toward your Rogue AP.

  • By ESSID (Recommended): sudo mdk4 wlan1 d -c ${channel} -E ${essid}

  • Targeted: sudo aireplay-ng -0 0 -e ${essid} -a ${bssid} wlan1


Phase 4: Cracking the Hash

Once a client connects, hostapd-mana will display a hash in the format: user::::challenge:response.

  1. Save the hash: echo 'user::::challenge:response' > /tmp/hash.txt

  2. Crack with Hashcat:


    Note: Mode -m 5500 is for NetNTLMv1 / MSCHAPv2.

Phase 5: Final Connection

After cracking the password, use wpa_supplicant with a client.conf file (specifying key_mgmt=WPA-EAP and phase2="auth=MSCHAPV2") to connect and retrieve the flag from 192.168.1.1.

Use this after you have cracked the domain credentials from your Rogue AP.

Sample Config File (/tmp/client.conf):

Connection Instructions:

  1. Connect: Run sudo wpa_supplicant -i wlan0 -c /tmp/client.conf.

  2. Get IP: Run sudo dhclient wlan0 -v.

  3. Get Flag: Run curl http://192.168.1.1/proof.txt.
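The whole attack chain above works only because the client accepts a look-alike server certificate and sends its real identity in the clear. The following Python is an added example, not code from the original page: it parses the network={...} blocks of a wpa_supplicant configuration such as the client.conf described above and reports the settings whose absence makes a PEAP client vulnerable to this Evil Twin (ca_cert, a server-name match such as domain_suffix_match, and anonymous_identity). Both sample configurations, the SSID corp-wifi, the CA path and the RADIUS host name are constructed for the example.

```python
import re

# Constructed sample configs (hypothetical values, not from the page)
WEAK = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.local"
    password="Secret123"
    phase2="auth=MSCHAPV2"
}
"""
HARDENED = WEAK.replace('phase2="auth=MSCHAPV2"',
    'phase2="auth=MSCHAPV2"\n    anonymous_identity="anonymous@example.local"\n'
    '    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"\n    domain_suffix_match="radius.example.local"')

# wpa_supplicant options that pin which server certificate is acceptable once the CA check passes
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text: str) -> list:
    """Return one dict per network={...} block; surrounding quotes are stripped from values."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit_eap_network(net: dict) -> list:
    """Findings for one WPA-EAP block; an empty list means all three checks are configured."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []  # PSK/open networks are out of scope for this check
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted, so a rogue RADIUS "
                        "with a look-alike subject can terminate the TLS tunnel")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server-name pin (domain_suffix_match etc.): any certificate the CA signed is accepted")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username is sent in the cleartext outer EAP-Identity")
    return findings

def audit_config(text: str) -> dict:
    """Map each SSID in the config to its list of findings."""
    return {net.get("ssid", "?"): audit_eap_network(net) for net in parse_networks(text)}
```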
