Gain WPE Credentials with Evil Twin Attacks

Continuing from my previous tutorial, in this article we will be exploring Evil Twin attacks against WPE. WPE stands for WPA-Enterprise, and large companies and organizations typically use it. The biggest difference between enterprise and personal WiFi networks is that most enterprise networks use a username and password login, while personal networks use a single shared password only. Adding usernames increases the network's security because it helps mitigate brute-force attacks. However, WPE can be more vulnerable than regular networks if it is implemented incorrectly.

Disclaimer: I’m not responsible for what you do with this information.

Quick Overview

Feel free to skip this section if you're only interested in performing the attack. WPE works by authenticating user credentials against a RADIUS server. There are different authentication methods, but the most common is PEAP. With PEAP, clients are required to accept and use a certificate issued by the network to form a TLS layer, which protects the credentials from being captured in plaintext. Most inner methods also include some form of password hashing (e.g. MSCHAPv2). The one exception is GTC, whose credentials can quickly be recovered in plaintext. The attack works by generating a fake WPE network with the same name. Unless the real certificate is known, the fake network has to use its own, so when the victim connects to the fake network they are prompted to accept the new certificate. This is usually where the attack is discovered, as tech-savvy users will likely notice something is wrong. Once the certificate is accepted, we can use a GTC downgrade attack to obtain the credentials in plaintext.
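The two preconditions above (an unknown certificate being accepted, and the inner method being negotiable down to GTC) are both decided by the client's supplicant profile. The following is an added example, not part of the original post and not eaphammer's code, that audits wpa_supplicant network blocks for the settings a hardened PEAP client needs: a pinned CA, a server-name match, and an inner method fixed to MSCHAPv2. The configuration text, SSIDs, identities and certificate path are all constructed for the example.

```python
"""Audit wpa_supplicant network blocks for PEAP settings that let a client
accept an unknown certificate or negotiate GTC as the inner method.

Added example, not part of the original post or of eaphammer. The sample
configuration, SSIDs, identities and certificate path are constructed."""
import re

# Constructed sample: a hardened profile followed by a permissive one.
SAMPLE_CONF = """
network={
    ssid="corpnet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="testnet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    password="example-only"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$', re.M)

def parse_networks(conf):
    """Return one dict of key/value pairs per network={...} block."""
    return [{k: v for k, _, v in KV_RE.findall(body)}
            for body in BLOCK_RE.findall(conf)]

def audit_network(net):
    """Return the findings for one profile; an empty list means it blocks
    both the certificate-acceptance step and the GTC downgrade."""
    findings = []
    if net.get("key_mgmt", "").upper() != "WPA-EAP":
        return findings                      # not an enterprise profile
    if "ca_cert" not in net:
        findings.append("no ca_cert: any server certificate is accepted")
    if not any(k in net for k in ("domain_suffix_match", "domain_match",
                                   "subject_match")):
        findings.append("no server-name match: any cert from the CA is accepted")
    # phase2 restricts the inner method; without it the server chooses.
    inner = re.findall(r"\bauth=([\w-]+)", net.get("phase2", ""), re.I)
    if not inner:
        findings.append("phase2 not set: server picks the inner method, "
                        "so GTC can be forced")
    elif any(m.upper() == "GTC" for m in inner):
        findings.append("phase2 allows GTC: password crosses the tunnel "
                        "in cleartext")
    return findings

def audit_conf(conf):
    """Map each SSID to its list of findings."""
    return {net.get("ssid", "?"): audit_network(net)
            for net in parse_networks(conf)}

if __name__ == "__main__":
    for ssid, issues in audit_conf(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not issues else 'WEAK'}")
        for issue in issues:
            print(f"  - {issue}")
```

Run against a real /etc/wpa_supplicant/wpa_supplicant.conf the script reports, per SSID, which of the three settings is missing; the "corpnet" profile in the sample passes all checks, while "testnet" would accept the fake certificate and let the server pick GTC.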

Equipment

Computer — should run Linux

WiFi Adapter — should be capable of monitor mode

Tools

Eaphammer — a great tool by s0lst1c3 to attack WPE networks

Eaphammer


Eaphammer is the tool we will use to perform the attack. To install it, clone the GitHub repo or install it through the package manager (Kali and Parrot only). If you are using the GitHub repo, enter the folder and run one of the setup files. We will use the GitHub version in this tutorial. Start by generating a new certificate. The certificate information should be similar to or the same as that of the target network; you can usually find it by trying to connect to the target network and noting the certificate you are prompted to trust. In the terminal run:

sudo python3 eaphammer --cert-wizard

or

sudo python3 eaphammer --cert-wizard interactive

[Screenshot: an example of the certificate wizard]

Once you have generated the certificate, you can start the Evil Twin. Make sure your adapter is in managed mode. In the terminal, type:

sudo python3 eaphammer --auth wpa-eap --interface (adapter name here) --creds --essid (wifi name here) --negotiate gtc-downgrade

Example:

sudo python3 eaphammer --auth wpa-eap --interface wlan0 --creds --essid testnet --negotiate gtc-downgrade

[Screenshot: example of eaphammer running]

Once eaphammer is running, all that’s left is to wait for connections.

On the victim’s side, they will see a network with the same name as the one used by their organization.

[Screenshot: example of what the victim sees]

If everything is done correctly the victim will be prompted to trust the fake certificate.

[Screenshot: example of the prompt]

If the victim falls for this and trusts the certificate, you will gain the credentials and the victim will be kicked off the network.

[Screenshot: example of a successful attack]

Mitigations

Wireless intrusion prevention systems (WIPS) are one possible method of preventing Evil Twin attacks: they look for rogue APs and prevent clients from connecting to them. Another way is to educate users on how to detect such attacks, although this is difficult.
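As a miniature of the rogue-AP check a WIPS performs, here is an added example (not from the original post or from any WIPS product) that parses the text layout of "iw dev wlan0 scan" and flags any BSSID advertising one of the organization's SSIDs that is not in a known-AP inventory. The scan output, BSSIDs and inventory are constructed for the example; the same logic applied to periodic scans from a few fixed sensors is the core of the detection the section describes.

```python
"""Flag rogue access points in 'iw dev <iface> scan' output.

Added example, not part of the original post or of any WIPS product.
The scan text and the AP inventory below are constructed for illustration."""
import re

# Constructed inventory: BSSIDs of the organization's real APs, per SSID.
KNOWN_APS = {
    "corpnet": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
}

# Constructed scan output in the layout iw prints (tabs replaced by spaces).
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    signal: -48.00 dBm
    SSID: corpnet
    RSN:     * Version: 1
         * Authentication suites: IEEE 802.1X
BSS 00:11:22:33:44:66(on wlan0)
    freq: 5180
    signal: -61.00 dBm
    SSID: corpnet
    RSN:     * Version: 1
         * Authentication suites: IEEE 802.1X
BSS aa:bb:cc:dd:ee:ff(on wlan0)
    freq: 2412
    signal: -30.00 dBm
    SSID: corpnet
    RSN:     * Version: 1
         * Authentication suites: IEEE 802.1X
BSS 12:34:56:78:9a:bc(on wlan0)
    freq: 2462
    signal: -70.00 dBm
    SSID: guestnet
    RSN:     * Version: 1
         * Authentication suites: PSK
"""

BSS_HEADER = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)

def parse_scan(text):
    """Split scan output into one dict per BSS entry."""
    entries = []
    for chunk in re.split(r"^(?=BSS )", text, flags=re.M):
        head = BSS_HEADER.match(chunk)
        if not head:
            continue                     # leading empty chunk from the split
        ssid = re.search(r"^\s*SSID: (.*)$", chunk, re.M)
        signal = re.search(r"signal: (-?[\d.]+) dBm", chunk)
        auth = re.search(r"Authentication suites: (.*)$", chunk, re.M)
        entries.append({
            "bssid": head.group(1).lower(),
            "ssid": ssid.group(1).strip() if ssid else "",
            "signal": float(signal.group(1)) if signal else None,
            "auth": auth.group(1).strip() if auth else "OPEN",
        })
    return entries

def find_rogues(entries, inventory):
    """Return entries that advertise an inventoried SSID from an unknown BSSID."""
    rogues = []
    for e in entries:
        known = inventory.get(e["ssid"])
        if known is None:
            continue                     # not one of our SSIDs; out of scope
        if e["bssid"] not in known:
            rogues.append(e)
    return rogues

def scan_report(text=SAMPLE_SCAN, inventory=KNOWN_APS):
    """Parse and filter in one call, so the result is easy to check."""
    return find_rogues(parse_scan(text), inventory)

if __name__ == "__main__":
    for r in scan_report():
        print(f"ROGUE: {r['bssid']} advertises '{r['ssid']}' "
              f"({r['auth']}, {r['signal']} dBm)")
```

In the constructed scan the third entry is the one a WIPS would alert on: it advertises "corpnet" with 802.1X from a BSSID that is not in the inventory, and its unusually strong signal is a typical sign of an AP placed close to the clients. The guest network is ignored because it is not in the inventory at all; a real deployment would inventory every SSID it owns.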

Conclusion

WPE Evil Twins are unfortunately much more effective than their regular counterparts. This is a serious security flaw, especially since there is little preventing the victim from giving away their credentials: the victim only needs to press a single button to trust the fake certificate before their device willingly hands over their username and password. Better alternatives and patches will likely be made and implemented, but until then WPE remains a weak option for security.

Happy Hacking~!
