WPA Enterprise
WPA/WPA2 Enterprise
- Each user has different keys
- Uses a RADIUS server
- The same key attacks apply to enterprise
- EAP credentials are susceptible to interception
- Interception can be prevented by TLS
- Should use PKI to authenticate both clients and servers.
The access point is an intermediary between the client and the authentication server. A handshake is made with both the client and the authentication server before the credentials are passed. If the credentials are encrypted, I don't believe they are visible to the access point, and the supplicant will, if using SSL/TLS, see the authentication server's certificate.
There are a considerable number of acronyms which are pertinent to enterprise authentication. The main ones are:
- EAP - Extensible Authentication Protocol, the authentication mechanism; commonly username and password
- LEAP - A Cisco protocol aimed at making up for deficiencies in WEP.
- PEAP - Protected EAP: EAP tunnelled via TLS
- EAP-TTLS - EAP Tunnelled TLS: EAP's own tunnelling via TLS
RADIUS Impersonation
Using hostapd-wpe, LoOtBoOty and KARMA, credentials can be obtained from EAP and TTLS
Docker Files
Evil Twin attacks
- A user's system connects to a rogue access point
- The certificate presented will likely generate an error, although some clients are configured to silently continue
- If they continue, credentials will be submitted to an adversary
- The credentials are usually captured in hashed form and can be cracked through brute-force password attacks
- Credentials, if recovered, can then be used against secondary systems or, if the Wi-Fi access point does not perform mutual authentication, against that access point.
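The client-side defence against the evil twin above is to make the supplicant refuse any RADIUS server whose certificate is not issued by the expected CA and does not carry the expected name. The following audit, added here as an example and not part of the original notes, parses wpa_supplicant network blocks and flags the two missing settings; the SSID, CA path and RADIUS host name in the constructed samples are placeholders.

```python
import re
# Constructed samples of one wpa_supplicant network block, first without
# server validation and then hardened. SSID, CA path and RADIUS name are made up.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
"""
HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""
BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# Any of these ties the server certificate to an expected name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    # One dict of key/value pairs per network={...} block; surrounding quotes stripped.
    nets = []
    for body in BLOCK_RE.findall(conf):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit_network(net):
    # Ways this block would accept a rogue RADIUS server's certificate.
    findings = []
    if not net.get("key_mgmt", "").upper().startswith("WPA-EAP"):
        return findings  # PSK or open network: EAP server checks do not apply
    if not net.get("ca_cert"):
        findings.append("no ca_cert: any server certificate is trusted")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server name match: any certificate from the CA is trusted")
    return findings

def audit(conf):
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}
```

With `ca_cert` pinned to the organisation's CA and `domain_suffix_match` set, the supplicant aborts the TLS tunnel before sending the inner EAP credentials, so the rogue server receives nothing to crack.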
EAPHammer
Generate a valid certificate from Let's Encrypt
1. Get a fully qualified domain name
2. Download and run Certbot
3. Copy the certificate to $EAPHammer/certs
4. Modify $EAPHammer/conf/hostapd-wpe.conf
5. Set ca_cert=./certs/ca.pem
6. Set server_cert=./certs/server.pem
7. Set private_key=./certs/server.pem
8. Set private_key_passwd=password123
9. Set dh_file=./certs/dh
WPA3 Enterprise
WPA3 Enterprise only supports certificates.