WPA Enterprise is widely used in large corporations as it offers individual and centralized control through a server that authenticate the users (RADIUS server). In this tutorial I will show you how to break the barrier and obtain the user credentials.
Let's have a quick look about what we are talking.
RADIUS is the acronym of Remote Authentication Dial-In User Service. When a user requests a connection to the network using his credentials, the request is redirected to the RADIUS server. It checks the information and if correct, assigns network resources to the client such as a specific IP address.
In some cases the credentials used to connect to the company's network are the same that users use to access the services of the company. This means that if you obtain the credentials, you would be able to enter in the user's mail account, for example. Interesting? I think so.
In large companies network's Access Points are usually distributed in order to offer good WiFi signal to all users. In our scenario, we will be acting as an AP of the network and user's requests will be redirected to our RADIUS server!
What we need to start:
-Kali linux (version 1)
-External network adapter (Atheros chipset)
First of all, we are going to set up a RADIUS server on the attacker's machine to listen for users connecting to the network. To do that, we will use a script that simplifies all the process in order to make it so much easier. This script is easy-creds, and you can download it here.
Open a terminal and navigate to the folder where you placed the tar file (in my case is Downloads). Type:
tar -xzvf easy-creds-3.8-DEV.tar.gz
Change directory to the easy-creds folder and type:
We are using Kali which is a Debian based distribution, so select option 1. You are prompted to enter the path where you want to install easy-creds, I've put it in /opt/.
Now it will install all necessary components. This script can do other things such as set up an Evil Twin, but this tutorial will cover only FreeRadius Attack.
Now that we've finished installing, let's launch our AP and the RADIUS server.
In a terminal type:
When you are greeted with this screen, select option 3: FakeAP Attacks.
At this point, select option 4: FreeRadius Attack (Note: This attack only works on Atheros chipsets, in this tutorial I'm using a TP-LINK TL-WN722N which costs about 12 $ in Amazon and works flawlessly).
You will be prompted to enter the shared secret, you can put anything here, in my case "sharedsecret". Choose the interface you want to use (something like wlanX). Enter the ESSID of the Enterprise network (for example, if the network's name is "CompanyNetwork" you must enter that name). Select a channel and...start capturing!
As the users connect to our AP, the hashes will appear in the credentials screen in challenge/response format. Challenge/response authentication is a family of protocols in which one party presents a question (challenge), and another party must give a valid answer (response) to be authenticated. In this scenario our RADIUS asks for the password (challenge), and the user answers with that information (response).
Our local RADIUS server uses PEAP (Protected Extensible Authentication Protocol ) for authentication, which is based on MSCHAPv2 with NetNTLMv1 digest. Knowing this is essential, because in the next part of the tutorial we will use that info to obtain the passwords.
When you are finished capturing, type 5 and hit enter to exit easy-creds. The data have been saved to a folder with the date of the capture, in our home folder (we are using Kali so our home folder is /root/). Inside that folder there's a file called "freeradius-credsXXXXXXXX.txt", which is the one we need to obtain the plaintext passwords.
Once we have the password hashes, we can crack them with some tools like John the Ripper or Hashcat, this will be explained in part 2. If you are unfamiliar with this tools you can check OTW's series on how to crack passwords (parts 1-5) before going to part 2.
Well this was my first post, I hope you all enjoy it! Feel free to ask any question!