When WPA2-Enterprise authentication is used, access to the target network is obtained using the user’s Active Directory credentials. Compared to PSK, enterprise authentication provides non-repudiation and the ability to isolate a single compromised account should a compromise occur. Attacks against WPA2-Enterprise networks often exploit client misconfigurations that allow a client to connect to any network broadcasting the same SSID as the legitimate infrastructure. When the client connects to a malicious access point, the credentials for the user account can be harvested, or relayed to the legitimate infrastructure to gain authenticated access to the wireless network.
WPA2-Enterprise authentication is often employed to authenticate users to the organization’s corporate network. It is not uncommon for the corporate network to be properly configured, minimizing the likelihood of a successful attack. However, some organizations use WPA2-Enterprise authentication on other networks (such as BYOD), allowing employees to use their credentials to join personal devices to the wireless network. While such a network may not have corporate network access, valid corporate credentials can be useful for other activities. With attackers in close proximity to the organization’s facilities, device theft is a possible follow-on attack.
It can be difficult to obtain associations in the presence of legitimate network infrastructure (competing signal strength, deauthentication floods, etc.). As a result, it can be useful to perform out-of-band attacks. These attacks can be executed outside of the building, in parking structures, or at local establishments (restaurants, coffee shops, etc.) where employees may loiter while using wireless devices.
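The client misconfiguration described above is, on a wpa_supplicant host, a network block that completes EAP without validating the authentication server's certificate. The following Python script is an added example (not code from the original page or from any tool it names) that audits wpa_supplicant network blocks for that weakness: it reports a block that has no ca_cert, and a block that trusts a CA but never checks the server name (domain_suffix_match, domain_match or altsubject_match). The two configurations, the SSID, identity, CA path and domain in them are constructed for the example; the option names are wpa_supplicant's own.

```python
import re

# Constructed wpa_supplicant network blocks (assumed SSID, identity and paths).
# The first omits server-certificate validation; the second pins the CA and the server name.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="example-only"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="example-only"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.internal"
}
"""

# Any one of these makes wpa_supplicant check the server certificate's name, not only its chain.
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")


def parse_network_blocks(conf_text):
    """Return one dict of key -> value per network={...} block, with surrounding quotes stripped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.DOTALL):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)  # split once: phase2="auth=MSCHAPV2" keeps its value intact
            entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks


def audit_network(block):
    """Return a list of findings for one network block; an empty list means no issue was found."""
    findings = []
    if "WPA-EAP" not in block.get("key_mgmt", "").split():
        return findings  # PSK or open network: server-certificate checks do not apply
    if "ca_cert" not in block:
        findings.append("no ca_cert: the authentication server certificate is not validated, "
                        "so any access point broadcasting this SSID can complete the EAP exchange")
    if not any(k in block for k in NAME_MATCH_KEYS):
        findings.append("no server name match: any certificate chaining to the trusted CA is accepted")
    return findings


def audit_conf(conf_text):
    """Map each SSID in the configuration to its list of findings."""
    return {b.get("ssid", "?"): audit_network(b) for b in parse_network_blocks(conf_text)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit_conf(conf).items():
            print(f"[{label}] {ssid}: {findings or 'OK'}")
```

The weak block produces two findings and the hardened block none. Pointing ca_cert at a private CA and pinning the server name is what stops a client from completing EAP against an access point that merely shares the SSID.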
Procedure
Credential Capture
- Gather Certificate Details from the authentication server associated with the legitimate wireless network.
- Generate a certificate for your selected evil twin tool (Eaphammer, Hostapd-mana and wpa_sycophant, etc.) using the developer’s recommended method.
- Execute an evil twin credential capture attack, targeting an in-scope network, using a default MAC address.
- Monitor for credentials and deauthentication attacks from the legitimate infrastructure.
- Execute an evil twin credential capture attack, targeting an in-scope network, using a near clone of a legitimate access point MAC address (change the last byte to something unused).
- Monitor for credentials and deauthentication attacks from the legitimate infrastructure.
- Execute out-of-band evil twin credential capture attacks.
- Repeat the above steps for each WPA2-Enterprise network, trying different locations, wireless channels, and authentication bindings.
- Attempt to crack any successfully captured credentials.
Tool-specific instructions for evil twin credential capture can be found in Eaphammer and Hostapd-mana and wpa_sycophant.
Credential Relay
- Gather Certificate Details from the authentication server associated with the legitimate wireless network.
- Generate a certificate for Hostapd-mana and wpa_sycophant.
- Connect the relay network adapter to your virtual machine and positively identify the adapter name.
- Connect the evil twin network adapter to your virtual machine and positively identify the adapter name.
- Execute an evil twin credential relay attack, targeting an in-scope network, using a default MAC address.
- Monitor for credentials, established connections, and deauthentication attacks from the legitimate infrastructure.
- Execute an evil twin credential relay attack, targeting an in-scope network, using a near clone of a legitimate access point MAC address (change the last byte to something unused).
- Monitor for credentials, established connections, and deauthentication attacks from the legitimate infrastructure.
- Repeat the above steps for each WPA2-Enterprise network, trying different locations, wireless channels, and authentication bindings.
- Attempt to crack any successfully captured credentials (optional).
Tool-specific instructions for evil twin credential relay can be found in Hostapd-mana and wpa_sycophant.
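The near-clone MAC address step in both the Credential Capture and the Credential Relay procedures has a direct detection counterpart on the defender's side. The Python script below is an added example (not code from the original page or from any tool it names): it takes an allowlist of authorized BSSIDs per protected SSID and a scan listing, and flags any BSSID advertising a protected SSID that is not on the allowlist, distinguishing a near clone (differs from an authorized BSSID only in the last octet) from an unrelated BSSID. The allowlist, the scan lines and their column layout are constructed for the example.

```python
# Constructed allowlist: protected SSID -> authorized BSSIDs (assumed values).
AUTHORIZED = {
    "CorpWiFi": {"aa:bb:cc:dd:ee:10", "aa:bb:cc:dd:ee:20"},
    "CorpBYOD": {"aa:bb:cc:dd:ef:10"},
}

# Constructed scan listing: bssid, ssid, channel, signal (dBm). The third row differs from
# an authorized BSSID only in its last octet; the fourth uses an unrelated address.
SCAN_LINES = """\
aa:bb:cc:dd:ee:10  CorpWiFi   6   -45
aa:bb:cc:dd:ee:20  CorpWiFi   11  -61
aa:bb:cc:dd:ee:1f  CorpWiFi   6   -39
02:11:22:33:44:55  CorpWiFi   1   -70
aa:bb:cc:dd:ef:10  CorpBYOD   36  -58
de:ad:be:ef:00:01  Cafe-Guest 6   -50
"""


def parse_scan(text):
    """Parse the constructed four-column scan listing into a list of dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        bssid, ssid, channel, signal = parts
        rows.append({"bssid": bssid.lower(), "ssid": ssid,
                     "channel": int(channel), "signal": int(signal)})
    return rows


def classify(bssid, ssid, authorized=AUTHORIZED):
    """Classify one beacon relative to the allowlist for its SSID."""
    if ssid not in authorized:
        return "not-monitored"
    known = {b.lower() for b in authorized[ssid]}
    if bssid in known:
        return "authorized"
    # Compare the first five octets: a near clone keeps the OUI and device prefix of a real AP.
    prefix = bssid[:-2]
    if any(k[:-2] == prefix for k in known):
        return "near-clone"
    return "unknown-bssid"


def find_rogues(scan_text, authorized=AUTHORIZED):
    """Return (bssid, ssid, verdict, channel, signal) for every beacon that should raise an alert."""
    alerts = []
    for row in parse_scan(scan_text):
        verdict = classify(row["bssid"], row["ssid"], authorized)
        if verdict in ("near-clone", "unknown-bssid"):
            alerts.append((row["bssid"], row["ssid"], verdict, row["channel"], row["signal"]))
    return alerts


if __name__ == "__main__":
    for alert in find_rogues(SCAN_LINES):
        print("ALERT", *alert)
```

A near-clone verdict is worth a stronger response than an unknown BSSID: it is unlikely to be a neighbour's access point, and a clone that beacons with a stronger signal than the legitimate AP on the same channel (as in the constructed third row) is the case the procedure above is exercising.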
Password Spraying
- Request POC approval for password spraying activity.
- Deconflict password spraying with other concurrent test types (internal/pivot).
- Obtain the password policy to ensure account lockout is avoided.
- Generate a candidate username list using OSINT, breach data, or other resources.
- Password spray the WPA2-Enterprise network using xxx.
Tool-specific instruction for EAP password spraying can be found in xxx
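On the authentication server, the password spraying activity described above has a characteristic shape: many distinct identities rejected from one calling station (or one NAS) in a short window, with only one or two attempts per identity, which is what a per-account lockout threshold never sees. The Python script below is an added example (not code from the original page or from any tool it names) of that detection logic; the "timestamp result key=value ..." record format is assumed for the example and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication records in an assumed "timestamp result key=value ..." format.
# The first station is rejected for six different identities in 15 seconds; the second is
# one user mistyping a password twice and then succeeding.
AUTH_LOG = """\
2024-05-01T10:00:01Z reject user=alice nas=10.0.0.5 calling=02:aa:aa:aa:aa:01
2024-05-01T10:00:04Z reject user=bob nas=10.0.0.5 calling=02:aa:aa:aa:aa:01
2024-05-01T10:00:07Z reject user=carol nas=10.0.0.5 calling=02:aa:aa:aa:aa:01
2024-05-01T10:00:10Z reject user=dave nas=10.0.0.5 calling=02:aa:aa:aa:aa:01
2024-05-01T10:00:13Z reject user=erin nas=10.0.0.5 calling=02:aa:aa:aa:aa:01
2024-05-01T10:00:16Z reject user=frank nas=10.0.0.5 calling=02:aa:aa:aa:aa:01
2024-05-01T10:01:00Z reject user=alice nas=10.0.0.6 calling=02:bb:bb:bb:bb:02
2024-05-01T10:01:30Z reject user=alice nas=10.0.0.6 calling=02:bb:bb:bb:bb:02
2024-05-01T10:02:00Z accept user=alice nas=10.0.0.6 calling=02:bb:bb:bb:bb:02
"""


def parse_log(text):
    """Parse the constructed record format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "result": parts[1],
            "user": fields.get("user", "?"),
            "nas": fields.get("nas", "?"),
            "calling": fields.get("calling", "?"),
        })
    return events


def detect_spray(text, group_by="calling", window=timedelta(minutes=5), min_users=5):
    """Flag sources whose rejects cover at least min_users distinct identities within one window.

    group_by selects the aggregation key: "calling" (client station MAC) catches a single
    device; "nas" catches a sprayer that rotates its MAC against one access point.
    """
    rejects = defaultdict(list)
    for event in parse_log(text):
        if event["result"] == "reject":
            rejects[event[group_by]].append(event)

    alerts = []
    for source, evs in rejects.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside the window length.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {"source": source, "distinct_users": len(users),
                        "attempts": end - start + 1,
                        "first": evs[start]["ts"].isoformat(),
                        "last": evs[end]["ts"].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for key in ("calling", "nas"):
        for alert in detect_spray(AUTH_LOG, group_by=key):
            print(f"[{key}] {alert}")
```

Keying on the calling station catches the simplest case; keying on the NAS catches a sprayer that rotates MAC addresses against one access point. A threshold of five identities in five minutes is a starting point; tune it against the volume of ordinary typo rejects the server sees.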