MGT Recon

15. What is the domain of the users of the wifi-regional network?

In MGT networks misconfigured users can send their Identity (username) in clear text before performing the TLS tunnel, so with “airodump-ng” we can passively obtain this information. For this we simply use “airodump-ng” on the correct channel and wait for the clients to connect.

airodump-ng wlan0mon -w ~/wifi/scanc44 -c 44 --wps

Then open the CAP with wireshark.

wireshark ~/wifi/scanc44-01.cap

Once we have the capture we can use Wireshark filtered by “eap” and look for packets with “Response, Identity”.

Or use wifi_db

You can use tshark too:

tshark -r ~/wifi/scanc44-01.cap -Y '(eap && wlan.ra == f0:9f:c2:7a:33:28) && (eap.identity)' -T fields -e eap.identity

16. What is the email address of the server certificate on wifi-global?

To create the TLS tunnel between the MGT network and a client the AP sends the certificate to the client in clear text, so anyone can see it. This information can be useful to create a fake certificate with the same fields in a RogueAP attack or to obtain information about the corporate domain, internal mails or other relevant information about the AP.

You can get this information directly from wireshark too:

In Wireshark, just filter by certificates using the AP BBSID as filter.

(wlan.sa == f0:9f:c2:71:22:17) && (tls.handshake.certificate)

17. What is the EAP method supported by the wifi-global AP?

First we need the identities as discussed above.

sudo airodump-ng wlan0mon  -c 44 --wps --bssid F0:9F:C2:71:22:17 -w global

Once we have a valid user we can force each of the EAP authentication methods to verify which methods the AP supports. We can use “EAP_buster ” for this task.

cd /EAP_buster/
bash ./EAP_buster.sh wifi-global 'GLOBAL\GlobalAdmin' wlan1

To DO : I am not getting any valid answers