Gary Jones
Gary Jones
WPA2-EAPWireless Securityhostapd-wpejohnwpa_supplicantCybersecurity

Exploiting a WPA2-EAP Wireless Network for Secure Access

Exploiting a WPA2-EAP Wireless Network for Secure Access
0 views
3 min read
#WPA2-EAP#Wireless Security#hostapd-wpe#john#wpa_supplicant#Cybersecurity
Table Of Content

Exploiting a WPA2-EAP Wireless Network for Secure Access

Situation:

The goal of this exercise was to exploit a WPA2-EAP wireless network configured with TTLS and MSCHAPv2 protocols. The network artstailor-ddwrt-2 was targeted based on pod assignment, and the mission was to bypass the authentication mechanisms to gain access to a secure webpage hosted at 45.79.141.10.

Obstacles:

  1. Authentication Challenge:
    • The WPA2-EAP network required credentials for TTLS authentication, which had to be intercepted and cracked.
  2. File Configuration:
    • Properly configuring wpa_supplicant.conf with the necessary parameters for network access.
  3. Dynamic Host Configuration Protocol (DHCP):
    • Establishing a valid IP address on the wlan0 interface after successful connection.

Actions Taken:

  1. Wireless Channel Identification:
    • Ran sudo airmon-ng check kill to stop interfering processes.
    • Used sudo airmon-ng start wlan0 to enable monitor mode on the adapter, creating the wlan0mon interface.
    • Executed sudo airodump-ng wlan0mon to identify access points and their associated channels.
  2. SSID Configuration:
    • Edited the hostapd-wpe.conf file to target the SSID artstailor-ddwrt-2.
    • Ran sudo ./hostapd-wpe hostapd-wpe.conf to capture NETNTLM credentials.
  3. Password Cracking:
    • Created a password file and used john to crack the NETNTLM credentials, retrieving Sw0rdf1sh as the password.
  4. Network Connection:
    • Configured wpa_supplicant.conf with the cracked credentials and appropriate authentication settings:
      • SSID: artstailor-ddwrt-2
      • Authentication: MSCHAPv2
    • Connected to the network using sudo wpa_supplicant -iwlan0 -cwpa_supplicant.conf.
  5. DHCP Lease:
    • Obtained a valid IP address by running sudo dhclient wlan0.
    • Verified network connectivity using ip a.
  6. Webpage Access:
    • Navigated to the webpage at http://45.79.141.10.
    • Inspected the source code and followed the hypertext link /Corp/message.txt to retrieve sensitive information.

Results:

  1. Network Access Achieved:
    • Successfully authenticated to the WPA2-EAP network using the cracked credentials.
  2. Data Retrieved:
    • Accessed sensitive information at /Corp/message.txt via the secure webpage.
  3. Critical Vulnerability Identified:
    • Weak password configuration and lack of ca_cert validation exposed the network to unauthorized access.

Tool Purpose Overview:

airmon-ng:

  • Enabled monitor mode on the wireless adapter to capture traffic.

airodump-ng:

  • Identified wireless access points and associated channels.

hostapd-wpe:

  • Captured NETNTLM credentials during the WPA2-EAP handshake.

john:

  • Cracked NETNTLM credentials to retrieve the network password.

wpa_supplicant:

  • Connected to the WPA2-EAP network using the cracked credentials.

Recommendations:

  1. Enforce Stronger Password Policies:
    • Use complex passwords resistant to dictionary and brute-force attacks.
  2. Implement Certificate Validation:
    • Require ca_cert validation in wpa_supplicant.conf to ensure secure authentication.
  3. Monitor and Audit Wireless Networks:
    • Regularly test for vulnerabilities in wireless network configurations.
  4. Enable Advanced Security Protocols:
    • Transition from MSCHAPv2 to a more secure EAP method, such as EAP-TLS.

View PDF Document