
# WPA Enterprise

**WPA** Enterprise uses the **E**xtensible **A**uthentication **P**rotocol (**EAP**). **EAP** is an authentication framework that allows a number of different authentication schemes (methods) to be used.

Authentication is done against a **R**emote **A**uthentication **D**ial-**I**n **U**ser **S**ervice (**RADIUS**) server. The client authenticates using a number of **EAP** frames, depending on the agreed-upon authentication scheme, which the AP relays to the **RADIUS** server. If the result is successful, the resulting key material is used as the **P**airwise **M**aster **K**ey (**PMK**) for the 4-way handshake.

Authentication to the **RADIUS** server with the most common **EAP** methods requires at least a certificate on the server side; some older, deprecated **EAP** methods do not require a certificate.

**E**xtensible **A**uthentication **P**rotocol **T**ransport **L**ayer **S**ecurity (**EAP TLS**) is one of the most secure authentication methods, as it uses certificates on both the server side and the client side instead of a login with a password, so the client and server mutually authenticate each other.

**E**xtensible **A**uthentication **P**rotocol **T**unnel **T**ransport **L**ayer **S**ecurity (**EAP TTLS**), as opposed to the previous method, does not necessarily need a client certificate: it creates a tunnel and then exchanges the credentials using one of several possible inner methods (this is also called ***phase 2***):

* **C**hallenge-**H**andshake **A**uthentication **P**rotocol (**CHAP**)
* **P**assword **A**uthentication **P**rotocol (**PAP**)
* **M**icro**s**oft **CHAP** (**MS-CHAP**)
* **M**icro**s**oft **CHAP v2** (**MS-CHAPv2**)
* **P**rotected **E**xtensible **A**uthentication **P**rotocol (**PEAP**)

***

## Attack

We will create a **Rogue AP** that matches the target's settings as closely as possible; see [Rogue Access Point](/my-penetration-test-guide/wireless-attacks/rogue-access-point.md).

We will also need **FreeRADIUS**, not for its **RADIUS** capabilities, but because it ships scripts that will help us generate a certificate for hostapd-mana.

We will exploit either (or both):

1. Misconfiguration of security settings on client devices
2. Lack of proper certificate setup on the RADIUS server

Once we have a handshake, we need to extract the certificate, which is sent before the handshake. Open the capture in Wireshark and apply the following display filter:

```
wlan.bssid == <target> && eap && tls.handshake.certificate
```

This filter shows all frames from the target AP that carry the certificate exchange. To reach the certificate inside a frame, expand the following path in the packet details:

```
Extensible Authentication Protocol -> Transport Layer Security -> Certificate -> Handshake Protocol: Certificate -> Certificates
```

Now right-click on `Certificates` and choose `Export Packet Bytes` to save the certificate to a file with the `.der` extension.

We also need specific information from the certificate, which we can read using `openssl`; see the command below:

```bash
openssl x509 -inform der -in <Extracted Cert> -text
```

The details we need are in the `Issuer` and the `Subject` sections. Now we need to edit the configuration of our **FreeRADIUS** server, which is usually located in `/etc/freeradius/<set your version>/certs/ca.cnf`: edit the `certificate_authority` section so that it contains the same data as the `Issuer` section of the certificate we captured.

Next, edit the server file so that its `server` section matches the values of the `Subject` section of the captured certificate; the server file is usually located in `/etc/freeradius/<set your version>/certs/server.cnf`.

It is time to build the certificates, but first we need to regenerate the Diffie-Hellman parameters with a 2048-bit key: delete the current `dh` file located in `/etc/freeradius/<set your version>/certs`, then run `make` in the same directory to start generating the new certificates.
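The cloned certificate only gets accepted by clients that skip certificate validation. The following is an added example, not code from this guide or from FreeRADIUS, written in Go with only the standard library: it builds a server certificate whose Issuer and Subject copy those of a captured certificate (exactly what the `ca.cnf`/`server.cnf` edits above produce) and then runs the check a correctly configured supplicant performs, chaining to a pinned CA and matching the expected server name. The names `Example Corp` and `radius.example.corp` are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Names as they would appear in a captured certificate's Issuer and Subject (constructed sample values).
var caName = pkix.Name{Organization: []string{"Example Corp"}, CommonName: "Example Corp RADIUS CA"}
var srvName = pkix.Name{Organization: []string{"Example Corp"}, CommonName: "radius.example.corp"}

// NewPair builds a CA carrying caName and a server certificate carrying srvName, signed by that CA.
// Only the CA's private key separates the real pair from one built by copying the captured names.
func NewPair(serial int64) (caDER, srvDER []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: caName, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srv := &x509.Certificate{SerialNumber: big.NewInt(serial + 1), Subject: srvName, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caDER, err1 := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey) // self-signed root
	srvDER, err2 := x509.CreateCertificate(rand.Reader, srv, ca, &srvKey.PublicKey, caKey)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	return caDER, srvDER
}

// ValidateServerCert is the check a correctly configured supplicant applies to the DER certificate it
// receives in the EAP exchange: chain to the pinned CA, then match the expected server name.
func ValidateServerCert(srvDER, trustedCADER []byte, expectedCN string) error {
	cert, err1 := x509.ParseCertificate(srvDER)
	ca, err2 := x509.ParseCertificate(trustedCADER)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("parse: %v %v", err1, err2)
	}
	if cert.Subject.CommonName != expectedCN {
		return fmt.Errorf("server name %q, expected %q", cert.Subject.CommonName, expectedCN)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool}) // UnknownAuthorityError for a lookalike
	return err
}
```

The lookalike prints identical `Issuer`/`Subject` text under `openssl x509 -text`, yet fails `ValidateServerCert` because the signature does not chain to the pinned CA; a supplicant configured with the CA and the server name is what closes this attack.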

