How To: Hack WPA/WPA2-Enterprise Part 1

WPA Enterprise is widely used in large corporations because it offers per-user, centralized control through a server that authenticates the users (a RADIUS server). In this tutorial I will show you how to break that barrier and obtain the users' credentials.

How Does It Work?

Let's have a quick look at what we are talking about.

RADIUS stands for Remote Authentication Dial-In User Service. When a user requests a connection to the network using his credentials, the request is forwarded to the RADIUS server. It checks the information and, if it is correct, assigns network resources to the client, such as a specific IP address.

In some cases the credentials used to connect to the company's network are the same ones users use to access the company's other services. This means that if you obtain the credentials, you would be able to log in to the user's mail account, for example. Interesting? I think so.

In large companies, network access points are usually distributed so that every user gets a good WiFi signal. In our scenario, we will be acting as one more AP of the network, and users' authentication requests will be redirected to our RADIUS server!
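Seen from the network owner's side, the scenario above is a rogue AP advertising the corporate ESSID, and the comment thread below notes that it only catches users when its signal beats the real APs. The following script, an added example that is not part of the original tutorial, shows the detection logic a wireless team would run over its scanner or WIDS output: it flags any AP that advertises a protected ESSID from a BSSID that is not in the deployment inventory, and separately checks whether the loudest AP for that ESSID is an unknown one. The scan lines and the authorized-BSSID inventory are constructed for the example.

```python
"""Rogue access point check for the evil-twin scenario above.

Added example, not part of the original tutorial. The scan lines and the
authorized-BSSID inventory below are constructed; a real deployment would
feed in output from its own wireless scanner or WIDS.
"""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory: the BSSIDs (AP radio MACs) IT actually deployed for
# each corporate ESSID.
AUTHORIZED: Dict[str, Set[str]] = {
    "CompanyNetwork": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed scan output: bssid, essid, channel, signal (dBm), privacy, auth.
# "MGT" is the 802.1X/EAP (enterprise) authentication type; "PSK" is personal.
# The third line is the rogue: unknown BSSID, same ESSID, strongest signal.
SAMPLE_SCAN = """\
00:11:22:33:44:01, CompanyNetwork, 6, -48, WPA2, MGT
00:11:22:33:44:02, CompanyNetwork, 11, -60, WPA2, MGT
AA:BB:CC:DD:EE:FF, CompanyNetwork, 6, -35, WPA2, MGT
00:11:22:33:44:02, GuestWiFi, 1, -70, OPN, OPN
"""


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    essid: str
    channel: int
    signal_dbm: int
    privacy: str
    auth: str


def parse_scan(text: str) -> List[ScanRecord]:
    """Parse the constructed comma-separated scan format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, essid, channel, signal, privacy, auth = (f.strip() for f in line.split(","))
        records.append(ScanRecord(bssid.lower(), essid, int(channel), int(signal), privacy, auth))
    return records


def find_rogue_aps(records: List[ScanRecord],
                   authorized: Dict[str, Set[str]] = AUTHORIZED) -> List[Tuple[ScanRecord, str]]:
    """Return (record, reason) pairs for APs that advertise a corporate ESSID
    but are not in the inventory, or that downgrade it to non-enterprise auth."""
    findings = []
    for rec in records:
        if rec.essid not in authorized:
            continue  # not one of our protected names; ignore
        if rec.bssid not in authorized[rec.essid]:
            findings.append((rec, "unknown BSSID advertising corporate ESSID"))
        elif rec.auth != "MGT":
            findings.append((rec, "authorized BSSID seen with non-enterprise auth"))
    return findings


def strongest_is_rogue(records: List[ScanRecord], essid: str,
                       authorized: Dict[str, Set[str]] = AUTHORIZED) -> bool:
    """True when the loudest AP for a protected ESSID is not in inventory.
    Clients roam to the strongest signal, so this is the case that actually
    captures users rather than a stray beacon at the edge of range."""
    if essid not in authorized:
        return False
    same = [r for r in records if r.essid == essid]
    if not same:
        return False
    loudest = max(same, key=lambda r: r.signal_dbm)
    return loudest.bssid not in authorized[essid]


if __name__ == "__main__":
    recs = parse_scan(SAMPLE_SCAN)
    for rec, reason in find_rogue_aps(recs):
        print(f"ALERT {rec.bssid} ch{rec.channel} {rec.signal_dbm} dBm: {reason}")
    if strongest_is_rogue(recs, "CompanyNetwork"):
        print("Strongest CompanyNetwork signal comes from an unknown AP")
```

On the constructed input the script raises one alert for AA:BB:CC:DD:EE:FF and reports that it is also the loudest CompanyNetwork signal; the GuestWiFi line is ignored because that name is not in the protected inventory.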

Step 1: Prerequisites

What we need to start:

- Kali Linux (version 1)
- External network adapter (Atheros chipset)

First of all, we are going to set up a RADIUS server on the attacker's machine to listen for users connecting to the network. To do that, we will use a script that simplifies the whole process. This script is easy-creds, and you can download it here.

Open a terminal and navigate to the folder where you placed the tar file (in my case, Downloads). Type:

tar -xzvf easy-creds-3.8-DEV.tar.gz

Change directory to the easy-creds folder and type:

./installer.sh

We are using Kali, which is a Debian-based distribution, so select option 1. You are prompted to enter the path where you want to install easy-creds; I've put it in /opt/.

Now it will install all the necessary components. This script can do other things, such as set up an Evil Twin, but this tutorial will only cover the FreeRadius Attack.

Step 2: Capturing the Hashes

Now that we've finished installing, let's launch our AP and the RADIUS server.
In a terminal, type:

easy-creds

When the main menu appears, select option 3: FakeAP Attacks.

At this point, select option 4: FreeRadius Attack (Note: this attack only works on Atheros chipsets; in this tutorial I'm using a TP-LINK TL-WN722N, which costs about $12 on Amazon and works flawlessly).

You will be prompted to enter the shared secret; you can put anything here, in my case "sharedsecret". Choose the interface you want to use (something like wlanX). Enter the ESSID of the Enterprise network (for example, if the network's name is "CompanyNetwork" you must enter exactly that name). Select a channel and... start capturing!

As users connect to our AP, their hashes will appear in the credentials screen in challenge/response format. Challenge/response authentication is a family of protocols in which one party presents a question (the challenge) and the other party must give a valid answer (the response) to be authenticated. In this scenario our RADIUS server sends the challenge, and the client answers with a response computed from the user's password; that challenge/response pair is the hash we capture.

Our local RADIUS server uses PEAP (Protected Extensible Authentication Protocol) for authentication, which is based on MSCHAPv2 with a NetNTLMv1 digest. Knowing this is essential, because in the next part of the tutorial we will use that information to obtain the passwords.
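The practical caveat behind this step is that PEAP wraps MSCHAPv2 inside a TLS tunnel, and the fake RADIUS server only ever sees a challenge/response because the client accepted its TLS certificate before the inner exchange started. A supplicant that is pinned to the corporate CA and to the RADIUS server's name aborts at the certificate check and never sends the hash. The script below is an added example, not part of the tutorial or of easy-creds: it audits wpa_supplicant network blocks for exactly those two settings and shows the weak block beside the hardened one. Both blocks are constructed; the CA path and the server name in the hardened block are placeholders for a deployment's own values, and the option names (ca_cert, domain_suffix_match, domain_match, subject_match, altsubject_match) are real wpa_supplicant options.

```python
"""Audit of wpa_supplicant PEAP network blocks for rogue-server resistance.

Added example, not part of the original tutorial. The two network blocks are
constructed; the CA path and server name in the hardened one are placeholders
for the deployment's own values.
"""

import re
from typing import Dict, List

# Constructed: a client that trusts whatever server answers for the ESSID.
# This is the configuration a fake RADIUS server succeeds against.
WEAK_CONFIG = """\
network={
    ssid="CompanyNetwork"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: same client, pinned to the corporate CA and the RADIUS server's
# name, so a server with any other certificate is rejected before the inner
# MSCHAPv2 exchange (and its challenge/response) ever happens.
HARDENED_CONFIG = """\
network={
    ssid="CompanyNetwork"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.internal"
}
"""

# Any one of these wpa_supplicant options ties the certificate to a server name.
SERVER_NAME_OPTIONS = ("domain_suffix_match", "domain_match",
                       "subject_match", "altsubject_match")


def parse_network_blocks(text: str) -> List[Dict[str, str]]:
    """Extract each network={...} block as a key/value dict (quotes stripped)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        kv: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)  # phase2="auth=MSCHAPV2" keeps its inner '='
            kv[key.strip()] = value.strip().strip('"')
        blocks.append(kv)
    return blocks


def audit_block(block: Dict[str, str]) -> List[str]:
    """Return findings for an enterprise (WPA-EAP) block; an empty list means OK."""
    findings = []
    if block.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK/open networks are outside this check
    if "ca_cert" not in block:
        findings.append("no ca_cert: the server certificate is not validated at all")
    if not any(opt in block for opt in SERVER_NAME_OPTIONS):
        findings.append("no server name match: any certificate chaining to the trusted CA is accepted")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each ssid in a wpa_supplicant config to its findings."""
    return {b.get("ssid", "?"): audit_block(b) for b in parse_network_blocks(text)}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for ssid, findings in audit_config(cfg).items():
            print(f"[{name}] {ssid}: {findings or 'OK'}")
```

The weak block produces two findings and the hardened block none. Windows, macOS and Android supplicants expose the same two controls under different names (a trusted root CA plus a server name or certificate pin), and enforcing them in the enterprise wireless profile is what makes the fake-AP step of this tutorial fail against managed clients.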

When you are finished capturing, type 5 and hit enter to exit easy-creds. The captured data is saved in a folder named with the date of the capture, inside our home folder (we are using Kali, so our home folder is /root/). Inside that folder there is a file called "freeradius-credsXXXXXXXX.txt", which is the one we need in order to obtain the plaintext passwords.

Step 3: Crack the Hashes!

Once we have the password hashes, we can crack them with tools such as John the Ripper or Hashcat; this will be explained in part 2. If you are unfamiliar with these tools, you can check OTW's series on how to crack passwords (parts 1-5) before going on to part 2.

Well, this was my first post, I hope you all enjoy it! Feel free to ask any questions!

16 Comments

Really great tutorial, something that I haven't seen before. A very high quality article!

Cheers,
Washu

Near my favourite tea lounge, I can detect a free wifi network provided by a cellular carrier in my country... I could successfully log in to it by providing my phone number and a password I received via SMS. I'm wondering if that network is the same as the one you're talking about? I'm asking because the first thing that came to my mind right from the moment I picked up the wifi signal of that network was how to hack the users connected to it :)

Hi HXR ROFO, I don't know if the password that you're talking about is the same for all users; in that case it could be WPA/WPA2 Personal.

Try to sniff some packets from the network with Wireshark, and tell me what you see. If it's really a WPA Enterprise network you may only see ARP requests and 802.11 frames.

Good article. Welcome to Null-Byte!

Thank you Phoenix! I'm glad that you liked it.

Well, I'm just interested in learning new things.

First of all, thank you for the perfect article. It was really understandable even to people who don't know about these kinds of things. I have a question. What if there are 200 different usernames and passwords, and we need just 1 of those 200, but we know that one's username? We just need the password. Is this doable?

Sorry I don't understand your question, what do you mean?

I am giving an example. Think about a place that contains 200 people. All 200 people have their separate username and password for the WPA-Enterprise network, but I need just one person's password out of the 200, and I know that person's username. Now what do I do?

You must be closer to that user (or set the TX power higher on your adapter) in order to capture his challenge/response hash. This is similar to an evil twin attack: if your transmission power is higher than the original AP's, users will connect to your AP instead of the original.

I see, thank you for the information :)

I got a problem. When I start everything and select the channel, it wants to open a small terminal with hostapd, but at first it complained that it didn't find it, so I installed version 2.2, but now it complains that I don't have permission... What should I do?

Is there any tutorial on how to install hostapd?

I fixed it. I simply had to update the source list so I could use apt-get install properly again, and then I just typed apt-get install hostapd and it worked.

Doesn't Aircrack-NG do the exact same as this with just a bit more power?

I have an Intel AC 7260 wireless adapter, will this work with easy-creds? Or do I have to get an Atheros adapter?

Hey, really great tutorial. I need a little help though. easy-creds doesn't really work on Kali v2, so I tried to boot Kali 1.0.6 or something like that from a USB to install it alongside my other OSs, but I got this error about my network not using the DHCP protocol. It didn't seem to recognize any of my wifi cards, not the Alfa plugged in nor the Atheros inside. I'm pretty new to Linux, networking, and hacking in general, so I'm not quite sure what to do about that.

Finally, I tried to install BackTrack 5 because I saw a YouTube video of someone using easy-creds on BackTrack, but each time I tried to boot from the USB (tried 2 different USBs, used 2 different USB ISO writer programs) the kernel panicked and I had to hard shut down.

Right now I'm downloading the 1.1.0a ISO, hoping that will work, but it might not. Keep in mind that I successfully have Parrot and Kali v2 running on my computer, using the same methods of loading the ISO onto the USB, so I doubt that's the issue.

Sorry for this long comment, but what would you suggest I try? Thanks a lot, this tutorial is phenomenal, really easy for noobs like myself to understand!
