MGT Recon
15. What is the domain of the users of the wifi-regional network?
In MGT (802.1X/EAP) networks, misconfigured clients send their identity (username) in clear text before the TLS tunnel is established, so with “airodump-ng” we can obtain this information passively. For this we simply run “airodump-ng” on the correct channel and wait for the clients to connect.
airodump-ng wlan0mon -w ~/wifi/scanc44 -c 44 --wps

Then open the capture file with Wireshark.
wireshark ~/wifi/scanc44-01.cap

Once we have the capture, filter by “eap” in Wireshark and look for packets marked “Response, Identity”.
Or use wifi_db.
You can use tshark too:
tshark -r ~/wifi/scanc44-01.cap -Y '(eap && wlan.ra == f0:9f:c2:7a:33:28) && (eap.identity)' -T fields -e eap.identity
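As an added example (not part of this write-up or of the lab), the following Python audit does the same identity extraction on raw EAPOL frames and additionally flags supplicants that disclose a real username in the outer identity instead of an anonymous one; the frames, usernames and domains below are constructed for the example, not taken from the lab capture.

```python
import struct

# Constructed EAPOL/EAP Response-Identity frames (not from the lab's capture).
# Layout: EAPOL header = version(1) type(1) length(2); type 0 = EAP-Packet.
#         EAP header   = code(1) id(1) length(2) type(1) followed by type-data.
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

def build_eapol_identity(identity: str, eap_id: int = 1) -> bytes:
    """Build an EAPOL frame carrying an EAP Response/Identity (constructed test data)."""
    body = identity.encode()
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(body), EAP_TYPE_IDENTITY) + body
    return struct.pack("!BBH", 2, 0, len(eap)) + eap

def parse_eap_identity(frame: bytes):
    """Return the identity string if the frame is an EAP Response/Identity, else None."""
    if len(frame) < 9:
        return None
    _ver, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:                      # only EAP-Packet frames carry EAP
        return None
    eap = frame[4:4 + eapol_len]
    if len(eap) < 5:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY or eap_len > len(eap):
        return None
    return eap[5:eap_len].decode("utf-8", errors="replace")

def classify_identity(identity: str) -> dict:
    """Split an outer identity into user/domain and flag whether it leaks a real username."""
    if "\\" in identity:                     # Windows style DOMAIN\user
        domain, user = identity.split("\\", 1)
    elif "@" in identity:                    # NAI style user@realm
        user, domain = identity.rsplit("@", 1)
    else:
        user, domain = identity, ""
    leaks = bool(user) and user.lower() != "anonymous"
    return {"identity": identity, "user": user, "domain": domain, "leaks_username": leaks}

def audit_frames(frames):
    """Collect identities from captured EAPOL frames; each entry says if a username leaked."""
    results = []
    for frame in frames:
        ident = parse_eap_identity(frame)
        if ident is not None:
            results.append(classify_identity(ident))
    return results
```

Entries with `leaks_username` set are the clients a defender should reconfigure to send an anonymous outer identity (the real username then only travels inside the TLS tunnel).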
16. What is the email address of the server certificate on wifi-global?
To establish the TLS tunnel between the client and the MGT network, the AP sends the server certificate to the client in clear text, so anyone can see it. This information can be useful to create a fake certificate with the same fields in a RogueAP attack, or to obtain information about the corporate domain, internal e-mail addresses or other relevant details about the AP.
You can get this information directly from Wireshark too:
In Wireshark, just filter on certificates using the AP BSSID as the source address.
(wlan.sa == f0:9f:c2:71:22:17) && (tls.handshake.certificate)

17. What is the EAP method supported by the wifi-global AP?
First we need the identities as discussed above.
sudo airodump-ng wlan0mon -c 44 --wps --bssid F0:9F:C2:71:22:17 -w global
Once we have a valid username we can force each of the EAP authentication methods in turn to verify which ones the AP supports. We can use “EAP_buster” for this task.
cd /EAP_buster/
bash ./EAP_buster.sh wifi-global 'GLOBAL\GlobalAdmin' wlan1

TODO: I am not getting any valid answers.