Overview
WPA Enterprise authenticates users via 802.1X/RADIUS. Attacks target the authentication exchange itself: lure clients to a rogue AP, capture their MSCHAPv2 hashes or relay the challenge directly, then crack or relay to gain access. Attack flow:Attack 1. Rogue AP (Credential Capture)
Clients that don’t validate the server certificate connect to the rogue AP and expose their MSCHAPv2 challenge/response.Manual (hostapd-mana)
Step 1: Generate FreeRADIUS certificates:/etc/hostapd-mana/mana.eap_user):
network.conf):
/tmp/hostapd.credoutfile.
Tool (eaphammer)
Step 1: Generate self-signed certificate:Deauth (both approaches)
Force clients off the real AP to trigger reconnection to the rogue:Attack 2. Rogue AP with Cloned Certificate
When clients validate the server certificate, the rogue AP must present the real certificate to be trusted. Requires the CA and server cert obtained during recon.Manual (berate_ap)
Convert certs to PEM and generate DH:Tool (eaphammer)
Import the real certificate:Attack 3. Online Brute Force (air-hammer)
When a valid username is known (from recon), brute force their password directly against the live AP. Brute force single user:Attack 4. MSCHAPv2 Relay (wpa_sycophant)
Relay the victim’s MSCHAPv2 challenge/response to the real AP, authenticates as the victim without knowing the password. Step 1: Set rogue AP MAC:phase1:
Cracking Captured Hashes
hashcat (mode 5500: MSCHAPv2):Authenticating with Obtained Credentials
PEAP/MSCHAPv2 (cracked password)
wpa-corp.conf:
EAP-TLS (client certificate from obtained CA)
Generate client certificate using the real CA:wpa-tls.conf: