> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WPA Enterprise: Recon

> Passive reconnaissance against WPA Enterprise networks: harvest EAP identities, extract server certificates, and enumerate supported EAP methods before attacking.

## Overview

Before attacking a WPA Enterprise network, passive capture reveals critical information: domain names from EAP identity frames, server certificate details for cloning, and supported EAP methods. Steps 1–3 are entirely passive. Step 4 (EAP method enumeration) sends active probes and requires a valid username.

***

## 1. Capture Enterprise Traffic

Focus airodump-ng on the target AP channel:

```bash theme={"dark"}
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon -w ~/wifi/enterprise -c <CHANNEL> --wps
```

***

## 2. Harvest EAP Identities

Misconfigured clients send their identity (username + domain) in plaintext before the TLS tunnel is established.

Extract with tshark:

```bash theme={"dark"}
tshark -r ~/wifi/enterprise-01.cap \
  -Y '(eap && wlan.ra == <BSSID>) && (eap.identity)' \
  -T fields -e eap.identity
```

Filter in Wireshark:

```
eap && eap.identity
```

Look for `Response, Identity` packets, they contain `DOMAIN\username` or `username@domain`.

***

## 3. Extract Server Certificate

The RADIUS server sends its TLS certificate in cleartext during the handshake. Useful for:

* Identifying the organisation and domain
* Cloning the certificate for a trusted rogue AP attack

Extract all IA5String fields (CN, email, org):

```bash theme={"dark"}
tshark -r ~/wifi/enterprise-01.cap \
  -Y "wlan.bssid == <BSSID> && x509sat.IA5String" \
  -T fields -e x509sat.IA5String
```

Full certificate dump:

```bash theme={"dark"}
tshark -r ~/wifi/enterprise-01.cap \
  -Y "wlan.bssid == <BSSID> && ssl.handshake.type == 11" -V
```

Wireshark filter:

```
(wlan.sa == <BSSID>) && (tls.handshake.certificate)
```

Display a saved DER certificate:

```bash theme={"dark"}
openssl x509 -inform der -in <CERTIFICATE_FILE> -text
```

***

## 4. Enumerate EAP Methods (EAP\_buster)

With a valid username from step 2, probe the AP to discover which EAP methods it supports:

```bash theme={"dark"}
cd ~/tools/EAP_buster/
bash ./EAP_buster.sh <SSID> 'DOMAIN\username' wlan1
```

Common methods to look for: `PEAP`, `TTLS`, `TLS`, `FAST`.

***

## 5. Organise Captures (wifi\_db)

`wifi_db` imports all captures into a SQLite database for easy querying of identities, certificates, and network metadata:

```bash theme={"dark"}
cd ~/tools/wifi_db
python3 wifi_db.py -d wifichallenge.sqlite ~/wifi/
sqlitebrowser wifichallenge.sqlite
```

***

## Summary: What to Collect

| Data                   | Source              | Tool               |
| ---------------------- | ------------------- | ------------------ |
| Domain name            | EAP identity frames | tshark / Wireshark |
| Usernames              | EAP identity frames | tshark / wifi\_db  |
| Certificate CN / email | TLS handshake       | tshark             |
| Supported EAP methods  | Active probe        | EAP\_buster        |
