WPA/WPA2 PEAP (Enterprise)
In networks with WPA2 PEAP which means Enterprise don't use a pre shared key, the users authenticate with the LDAP credentials. As the router or AP doesn't know if the credentials are correct or not, it delegate to a RADIUS server. The handshake can't not be capture because the authentication is not completed by the server so instead of capturing the handshake we will create a EvilTwin
but in this case with authentication (Which we are interesting to capture, remember that there are LDAP credentials).
EvilTwin
To carry out this task, we are going to use hostapd-wpe
software.
Configuring Certificates
First we need to aclare that when the user will authenticate to our fake AP, some information about the certificate will be displayed, in order to cheat our vΓctims, the certificate will seems as much real as posible.
So we need to modify the following files:
/etc/hostapd-wpe/certs/server.cnf
/etc/hostapd-wpe/certs/client.cnf
/etc/hostapd-wpe/certs/ca.cnf
Finally, we just need to create it with bootstrap
.
Configuring te Fake AP
Onced configured and created the certificates, the final step is to configure our FAKE AP. We need to create a backup of the default hostapd config file and modify it.
Launch & wait for s3crets
Finally, just launch the hostapd-wpe
indicating the modified configuration file.
When the victim falls into our trap, we can obtain their NETLM hash.
Last updated