Attacking Enterprise WPA2

While this may not seem like a massive hack, it could serve a purpose for someone who is in the same boat I was in the other day. Rather than say "It's not possible", I wanted to at least offer something, and I'm proud to say I went from knowing nothing about this to actually doing something.

So you are on a wireless engagement and you see the usual WPA2 PSK networks and think: great, this will be over in a few minutes. I'll spend either 30 minutes cracking a weak password or 3 weeks cracking a strong one, but either way WPA2 PSK is boring as hell. Along comes a spider, though, in the form of WPA2 MGT (enterprise). You run airodump and see this!!

I will note that this only worked on my TP-LINK TL-WN722N interface card. I may need to do further tests replacing drivers for the ALFA cards, but Atheros is golden.

My initial thought was to bypass it. It's RADIUS authentication; people need a username and password to sign into it. Move along! However, what if something was possible? I went in search. A few older blogs came up, then a cool blog on the Kali site about hostapd-wpe.

https://tools.kali.org/wireless-attacks/hostapd-wpe

Create a rogue access point with a username and password prompt. Amazing! Just what I wanted.

The steps

apt update

apt install hostapd-wpe

Edit the hostapd-wpe.conf file located in:

/etc/hostapd-wpe/

You only need to edit the SSID and channel, like mine below.

It's worth taking note of the AP you want to clone: you need to copy the ESSID of the victim wifi and the channel too. Put the details into your configuration, then save and close the file.

I was receiving loads of driver errors; on further reading, you need to kill some processes, much the same as you do before placing your card into monitor mode.

airmon-ng check kill

Now you're ready to start up the rogue AP. Just run:

hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

Several steps will run, like setting up the AP and making sure the interface is up. When everything is good you will see:

wlan1: AP-ENABLED

After that, you can have a look at your creation. For me, I just connected to it from my phone to check and test.

You will note the new SSID 'SuperFreeWifi' from the configuration file. All seems to be working. Connect to it and you'll get the username and password prompt. Now imagine, in the background, the CEO of the company, or anyone really, logging in to your fake access point.

They hit enter thinking they are submitting credentials to gain access to the wireless network, when in fact they have just sent you their login details.

They receive an "Incorrect Password" for the wireless network; however, in the background in your super cool RADIUS server, you've just been sent the username in the clear and the hashed password.

Amazing how this works. There is a small issue: the user is presented with a fake certificate that they have to accept before you get sent anything. I couldn't recreate it on the phone, as I'll need to find out where to delete it, but this is the only part I think needs work. The iPhone said it was untrusted, and some users may click on it. Not everyone will.
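That certificate prompt is the whole defence, so from the client side the check worth automating is whether a PEAP/TTLS profile actually validates the RADIUS server. The following is an added example, not code from the post: it parses wpa_supplicant network blocks and flags the weak shape this attack relies on (no ca_cert, or a CA but no server-name match). The option names are real wpa_supplicant settings; the configuration values are constructed.

```python
import re
# Constructed sample wpa_supplicant.conf (not from the post). First block: the weak client
# profile an evil twin relies on; second: the same network with CA and server name pinned.
SAMPLE_CONF = """
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="password123"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
def parse_networks(conf):
    """Return each network={...} block as a dict of option -> unquoted value."""
    networks = []
    for body in BLOCK_RE.findall(conf):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks
def audit(conf):
    """List (ssid, findings) for PEAP/TTLS profiles that would trust a rogue RADIUS server."""
    report = []
    for net in parse_networks(conf):
        # Only tunneled EAP methods hand inner credentials to whoever terminates the TLS tunnel.
        if "WPA-EAP" not in net.get("key_mgmt", "") or net.get("eap") not in ("PEAP", "TTLS"):
            continue
        findings = []
        if "ca_cert" not in net:
            findings.append("no ca_cert: any RADIUS certificate is accepted")
        if not any(k in net for k in ("domain_suffix_match", "domain_match", "subject_match")):
            findings.append("server name not pinned: any cert from a trusted CA is accepted")
        if findings:
            report.append((net.get("ssid", "?"), findings))
    return report
```

Run against a real /etc/wpa_supplicant/wpa_supplicant.conf, every entry in the report is a client that would complete the MSCHAPv2 exchange with a rogue AP without any warning at all.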

However, with that small glitch out of the way, it's time to crack the password.

Using 'asleap', we can pass the captured details and run a dictionary attack to crack the password.

asleap -C challenge -R response -W wordlist

Before you know it, we've got the password cracked. Obviously it was 'password123' to keep things simple and show the process, but who knew it was that easy? I'll definitely be adding this attack to my list for next time.

Because it's using RADIUS authentication, there's a good chance it's authenticating against LDAP, and the credentials could be valid on the network too. One to think about if you're doing an infrastructure test.

Off now to see how far I can go with this.