Overview

Before attacking a WPA Enterprise network, passive capture reveals critical information: domain names from EAP identity frames, server certificate details for cloning, and supported EAP methods. Steps 1–3 are entirely passive. Step 4 (EAP method enumeration) sends active probes and requires a valid username.

1. Capture Enterprise Traffic

Focus airodump-ng on the target AP channel:
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon -w ~/wifi/enterprise -c <CHANNEL> --wps

2. Harvest EAP Identities

Misconfigured clients send their identity (username + domain) in plaintext before the TLS tunnel is established. Extract with tshark:
tshark -r ~/wifi/enterprise-01.cap \
  -Y '(eap && wlan.ra == <BSSID>) && (eap.identity)' \
  -T fields -e eap.identity
Filter in Wireshark:
eap && eap.identity
Look for Response/Identity packets; they carry the outer identity as DOMAIN\username or username@domain.
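The same check, done directly on the EAP bytes so the leak is visible at frame level. This is an added example, not code from the page or from tshark/wifi_db: it parses EAPOL/EAP headers (RFC 3748 codes and types), collects every Response/Identity, and flags the ones that are not an anonymous outer identity (a supplicant configured with "anonymous@realm" or "@realm" never puts the real account on the air). Input is assumed to be raw EAPOL payloads after the 802.11 and LLC/SNAP headers; the frames below are constructed inline. As a side effect it also records which tunnelled method the server proposes in its Request frames, which is what a passive capture shows of the method enumeration done actively later.

```python
"""Audit outer identities in WPA Enterprise EAP traffic (added example)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

# EAP codes and method types from RFC 3748 and the IANA EAP registry
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 43: "EAP-FAST"}
TUNNELLED = {"EAP-TLS", "EAP-TTLS", "PEAP", "EAP-FAST"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    eap_type: Optional[str]   # None for Success/Failure, which carry no type byte
    data: bytes


def parse_eapol(frame: bytes) -> Optional[EapPacket]:
    """Parse one EAPOL frame; return the EAP packet inside, or None if it is not EAP-Packet."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[:4])
    if pkt_type != 0:                      # 0 = EAP-Packet; 1 = EAPOL-Start, 3 = EAPOL-Key
        return None
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("bad EAP length")
    body = body[:eap_len]
    if code in (3, 4):
        return EapPacket(EAP_CODES[code], ident, None, b"")
    if len(body) < 5:
        raise ValueError("Request/Response without type byte")
    type_code = body[4]
    return EapPacket(EAP_CODES.get(code, f"code-{code}"), ident,
                     EAP_TYPES.get(type_code, f"type-{type_code}"), body[5:])


@dataclass
class Audit:
    identities: List[str] = field(default_factory=list)   # every outer identity seen
    exposed: List[str] = field(default_factory=list)      # identities naming a real account
    offered: Set[str] = field(default_factory=set)        # tunnelled methods the server proposed


def is_anonymous(identity: str) -> bool:
    """True for 'anonymous@realm', '@realm' or 'REALM\\anonymous' style outer identities."""
    user = identity.split("@", 1)[0]
    user = user.split("\\", 1)[-1]
    return user == "" or user.lower() == "anonymous"


def audit_frames(frames) -> Audit:
    result = Audit()
    for frame in frames:
        pkt = parse_eapol(frame)
        if pkt is None:
            continue
        if pkt.code == "Response" and pkt.eap_type == "Identity":
            ident = pkt.data.decode("utf-8", errors="replace")
            result.identities.append(ident)
            if not is_anonymous(ident):
                result.exposed.append(ident)
        elif pkt.code == "Request" and pkt.eap_type in TUNNELLED:
            result.offered.add(pkt.eap_type)
    return result


def build_eapol(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Build a constructed EAPOL/EAP frame for the sample input below."""
    body = struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data
    return struct.pack("!BBH", 1, 0, len(body)) + body


# Constructed sample exchange: one leaky client, one correctly configured client
SAMPLE_FRAMES = [
    build_eapol(1, 1, 1),                              # AP: Request/Identity
    build_eapol(2, 1, 1, b"CORP\\jdoe"),               # client A answers with a real username
    build_eapol(1, 2, 25, b"\x20"),                    # server starts PEAP (S flag set)
    build_eapol(1, 7, 1),                              # AP: Request/Identity to client B
    build_eapol(2, 7, 1, b"anonymous@corp.example"),   # client B uses an anonymous outer identity
    build_eapol(1, 8, 21, b"\x20"),                    # server starts EAP-TTLS
    struct.pack("!BBH", 1, 1, 0),                      # EAPOL-Start carries no EAP packet
    struct.pack("!BBH", 1, 0, 4) + struct.pack("!BBH", 3, 9, 4),  # EAP Success
]

if __name__ == "__main__":
    report = audit_frames(SAMPLE_FRAMES)
    for ident in report.exposed:
        print(f"outer identity leaks a real account: {ident}")
    print("tunnelled methods offered by the server:", sorted(report.offered))
```

Every identity in the exposed list is a supplicant whose profile should be corrected to send an anonymous outer identity; the inner identity is then only ever sent inside the TLS tunnel.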

3. Extract Server Certificate

The RADIUS server sends its TLS certificate in cleartext during the handshake. Useful for:
  • Identifying the organisation and domain
  • Cloning the certificate for a trusted rogue AP attack
Extract all IA5String fields (CN, email, org):
tshark -r ~/wifi/enterprise-01.cap \
  -Y "wlan.bssid == <BSSID> && x509sat.IA5String" \
  -T fields -e x509sat.IA5String
Full certificate dump:
tshark -r ~/wifi/enterprise-01.cap \
  -Y "wlan.bssid == <BSSID> && tls.handshake.type == 11" -V
Wireshark 3.0 renamed the ssl.* display-filter fields to tls.*; on older builds use ssl.handshake.type == 11 instead.
Wireshark filter:
(wlan.sa == <BSSID>) && (tls.handshake.certificate)
Display a saved DER certificate:
openssl x509 -inform der -in <CERTIFICATE_FILE> -text

4. Enumerate EAP Methods (EAP_buster)

With a valid username from step 2, probe the AP to discover which EAP methods it supports:
cd ~/tools/EAP_buster/
bash ./EAP_buster.sh <SSID> 'DOMAIN\username' wlan1
Common methods to look for: PEAP, TTLS, TLS, FAST.

5. Organise Captures (wifi_db)

wifi_db imports all captures into a SQLite database for easy querying of identities, certificates, and network metadata:
cd ~/tools/wifi_db
python3 wifi_db.py -d wifichallenge.sqlite ~/wifi/
sqlitebrowser wifichallenge.sqlite

Summary: What to Collect

Data                    Source                Tool
Domain name             EAP identity frames   tshark / Wireshark
Usernames               EAP identity frames   tshark / wifi_db
Certificate CN / email  TLS handshake         tshark
Supported EAP methods   Active probe          EAP_buster