Enterprise WIFI Hacking with Hostapd-WPE
Recently we were on a wireless pentest whose end goal was to compromise the credentials of end users and escalate rights to a Domain Admins account. The customer in my case was running WPA2 Enterprise with PEAP enabled.
Earlier we used to need a specific version of Kali, together with a FreeRADIUS server carrying the WPE (Wireless Pwnage Edition) patch, and hostapd. A couple of months back Kali rolling got hostapd-wpe as a base package, so you no longer need to download the FreeRADIUS server separately. The old method of attack is mentioned here.
Let's start by looking at the current setup. From a hardware perspective we are using a TP-LINK TL-WN722N wireless card and Kali rolling 2016.2.
The first step is to update the Kali version by running the command below; once updated, install hostapd-wpe.
Connect the TP-Link wireless card to the machine running Kali, and check that the interface is detected by Kali using the iwconfig command. Then run airmon-ng with "check kill", which checks for and kills processes that might interfere with the aircrack-ng suite.
After this, configure the AP properties by editing /etc/hostapd-wpe/hostapd-wpe.conf, for example updating the AP name to one that would lure the victims. Then, using hostapd-wpe and the respective config file, we start the AP, which captures the hashes of users authenticating to our spoofed AP.
Once a victim connects to the attacker-advertised AP, the user's challenge and response are printed on the hostapd-wpe screen.
But the setup above is only enough to capture hashes from victims who are less Wi-Fi-security-aware, because when a victim connects to our advertised AP they are asked to trust the fake certificate, i.e. "Example Server Certificate", which might raise some concerns.
Editing the default certificate details to match the genuine certificate can be a pain, so to aid us there is a Python script named apd_launchpad, which is a convenient way to create a hostapd-wpe configuration file and the associated spoofed certificates.
So, download the Python script into the hostapd-wpe certs directory.
We can use the minimum flags mentioned below to generate a certificate matching our customer's (DEMOBANK) certificate, and the configuration file too.
The configuration file and certs are saved in the DEMOBANK folder.
Let's run the generated config (DEMOBANK.conf) with hostapd-wpe.
Now the victims see a certificate matching the genuine one (less suspicion).
After running this for some time, we were able to grab hashes of the victims.
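The spoofed certificate only works against clients that do not validate the RADIUS server's certificate, so the fix on the defender's side is a supplicant profile that pins a CA and the expected server name. As an added example that is not part of the original post, the following Python script parses wpa_supplicant network blocks and flags PEAP/TTLS entries that lack a trust anchor (ca_cert/ca_path) or a server-name pin (domain_suffix_match, domain_match, subject_match or altsubject_match). The two embedded DEMOBANK blocks are constructed: the first is the weak profile, the second the hardened one, and the CA path and RADIUS host name in it are placeholders.

```python
"""Audit wpa_supplicant network blocks for tunneled-EAP profiles that would
accept any server certificate. Added example, not code from the original post."""
import re
from typing import Dict, List, Tuple

# Constructed sample config: block 1 is the weak profile, block 2 pins the
# corporate CA and the RADIUS server name (placeholder path and host name).
SAMPLE_CONF = """
network={
    ssid="DEMOBANK"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="DEMOBANK"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/demobank-corp-ca.pem"
    domain_suffix_match="radius.demobank.example"
    phase2="auth=MSCHAPV2"
}
"""

# EAP methods that run an inner password exchange inside a TLS tunnel; the
# tunnel is only as trustworthy as the server certificate check.
TUNNELED_EAP = {"PEAP", "TTLS"}
TRUST_ANCHOR_KEYS = ("ca_cert", "ca_path")
NAME_PIN_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Return one dict of key=value settings per network={...} block."""
    blocks = []
    for match in _BLOCK_RE.finditer(text):
        entry: Dict[str, str] = {}
        for line in match.group(1).splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            # Split on the first '=' only: values like phase2="auth=MSCHAPV2"
            # contain '=' themselves.
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks


def audit_network(net: Dict[str, str]) -> List[str]:
    """List the certificate-validation gaps in one network block."""
    findings: List[str] = []
    methods = set(net.get("eap", "").upper().split())
    if not methods & TUNNELED_EAP:
        return findings  # EAP-TLS or non-EAP networks are out of scope here
    if not any(k in net for k in TRUST_ANCHOR_KEYS):
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(k in net for k in NAME_PIN_KEYS):
        findings.append("no server-name pin: any certificate from a trusted CA is accepted")
    return findings


def audit_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Audit every network block, returning (ssid, findings) pairs."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        print(f"{ssid}: {'WEAK' if findings else 'OK'}")
        for finding in findings:
            print("   -", finding)
```

The first DEMOBANK block is reported with two findings and the second with none; the same parser can be pointed at a real /etc/wpa_supplicant/wpa_supplicant.conf to find profiles that a spoofed certificate would silently satisfy.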
Once a challenge and response are obtained, crack them using asleap, together with a password dictionary file.
root@kali:~# zcat rockyou.txt.gz | asleap -C <Challenge> -R <Response> -W -
Cracked credentials can be used to connect to the genuine AP and explore lateral movement to escalate to the Domain Admins group.