WPA Enterprise

WPA Enterprise uses the Extensible Authentication Protocol (EAP), a framework for authentication that supports a number of different authentication schemes, or methods.

Authentication is done against a Remote Authentication Dial-In User Service (RADIUS) server: the client authenticates using a sequence of EAP frames, which depends on the agreed-upon authentication method, and the AP relays these frames to the RADIUS server. If the result is successful, it is then used as the Pairwise Master Key (PMK) for the 4-way handshake.

Authenticating to the RADIUS server with the most common EAP methods requires a certificate on the server side at least; some older, deprecated EAP methods do not require a certificate.

Extensible Authentication Protocol Transport Layer Security (EAP-TLS) is one of the most secure authentication methods, as it uses certificates on both the server side and the client side instead of a login with a password, so the client and server mutually authenticate each other.

Extensible Authentication Protocol Tunneled Transport Layer Security (EAP-TTLS), as opposed to EAP-TLS, does not necessarily need a client certificate: it first creates a TLS tunnel and then exchanges the credentials inside it using one of several possible inner methods (this is also called phase 2):

  • Challenge-Handshake Authentication Protocol (CHAP)

  • Password Authentication Protocol (PAP)

  • Microsoft CHAP (MS-CHAP)

  • Microsoft CHAP v2 (MS-CHAPv2)

  • Protected Extensible Authentication Protocol (PEAP)


Attack

We will be creating a Rogue AP that matches the target's settings as closely as possible; see Rogue Access Point.

We will be needing FreeRADIUS, not for its RADIUS capabilities, but because it ships scripts that help us generate a certificate for hostapd-mana.

We will exploit either (or both):

  1. Misconfiguration of security settings on client devices

  2. Lack of proper certificate setup on the RADIUS server
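As an added example that is not part of the original page: a small audit of wpa_supplicant network blocks that flags the client-side misconfiguration in item 1, a tunnelled method (EAP-TTLS or PEAP) configured without ca_cert or any server name match, so that a server certificate cloned the way this section describes would be accepted by the client. The wpa_supplicant option names are real; the SSID, CA path and domain are constructed.

```python
import re

# Constructed sample wpa_supplicant network blocks (not from a real deployment)
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

# wpa_supplicant options that bind the server certificate to an expected name
PINNING_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(conf):
    """Return one dict per network={...} block, mapping option -> unquoted value."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, val = line.split("=", 1)
                entry[key.strip()] = val.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net):
    """Return findings for one network block; an empty list means no gap was found."""
    findings = []
    # Only tunnelled methods that rely on the server certificate are checked here
    if "WPA-EAP" not in net.get("key_mgmt", "") or net.get("eap", "").upper() not in ("TTLS", "PEAP"):
        return findings
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted, a cloned one included")
    if not any(k in net for k in PINNING_KEYS):
        findings.append("no domain_match/subject_match: any cert under the CA passes, whatever its name")
    return findings
```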

Once we have a handshake, we need to extract the certificate, which is sent before the handshake. Open the capture in Wireshark and apply the following filter:

Using this filter, we get all the frames belonging to the certificate exchange from the target AP. To get the certificate out of the frame, go to this:

Now right-click on Certificates and click Export Packet Bytes to save the certificate to a file with the .der extension.

We also need specific information about the certificate, which we can get using openssl; see the command below:

The details we need are in the Issuer and Subject sections. Now edit the configuration of our FreeRADIUS server, usually located in /etc/freeradius/<set your version>/certs/ca.cnf, so that the certificate_authority section contains the same data as the Issuer section of the captured certificate.

Next, edit the server file so that the section named server matches the values of the Subject section of the captured certificate; the server file is usually located in /etc/freeradius/<set your version>/certs/server.cnf.

It is time to build the certificates, but first we need to regenerate the Diffie-Hellman parameters with a 2048-bit key: delete the current dh file located in /etc/freeradius/<set your version>/certs, then run make in the same directory to start generating the new certificate.
