8-bit video game blocks with pixel art of the Learn One and Learn Enterprise logos

Level up your training with limited-time offers - Discounts for Individuals and Enterprise

Blog

Penetration Testing

Nov 21, 2016

Hacking WPA Enterprise with Kali Linux

Admittedly, somewhat of a click-bait blog post title – but bear with us, it’s for a good reason. Lots of work goes on behind the scenes of Kali Linux, tools get updated every day and interesting new features are added constantly. Most of these tool updates and feature additions go unannounced, and are then discovered by inquisitive users – however this time, we had to make an exception.

3 min read

[vc_row][vc_column][vc_column_text]

Admittedly, that’s somewhat of a click-bait blog post title but bear with us, it’s for a good reason. Lots of work goes on behind the scenes of Kali Linux: tools get updated every day and interesting new features are added constantly. Most of these tool updates and feature additions go unannounced, receive little fanfare, and are eventually discovered by inquisitive users – however, this time we felt that we needed to make an exception.

A few weeks ago, the author of the Aircrack-ng suite, Thomas d’Otroppe, took upon himself to maintain a set of patches for hostapd and freeradius, which allows an attacker to facilitate WPA Enterprise AP impersonation attacks. This is exciting news as traditionally, these patches were created and updated on an ad-hoc basis, quickly leaving these specific toolsets outdated, lacking features, and worse, vulnerable to attack. Thomas has updated the hostapd-wpe and freeradius-wpe patches to the latest version of their respective software and these patches have already been incorporated into Kali Linux. We think this is great news so we’re taking this opportunity to show you how to use these toolsets to attack WPA Enterprise authentication schemes.

[/vc_column_text][vc_column_text]

hostapd-wpe

[/vc_column_text][vc_column_text]

Using the hostapd-wpe toolset is the easiest way to run an attack against WPA Enterprise implementations as everything is already built-in. The attack requires a compatible wireless card. The hostapd-wpe version has been updated from 2.1/2.2 to 2.6, which now allows for 802.11n/ac traffic as long as it’s supported by your card. For more details on HostAPd updates, please refer to its changelog.

[/vc_column_text][vc_column_text]

hostapd-wpe Patch Changes

[/vc_column_text][vc_column_text]

  • The certificate directory that had to be downloaded is now part of the patch, which makes it easier to distribute.
  • HostAPd WPE configuration file has been updated to HostAPd v2.6 configuration.
  • The configuration files now go into /etc/hostapd-wpe and installation is part of the Makefile.
  • Certificate creation tools will be in /etc/hostapd-wpe/certs and a Makefile allows users to easily deploy created certificates.
  • Both WPE and non-WPE hostAPd can cohabitate on the same system.

[/vc_column_text][vc_column_text]

Freeradius-wpe

[/vc_column_text][vc_column_text]

The freeradius-wpe toolset requires an Access Point to work and the set-up is somewhat more complex than HostAPd. The reason why you might prefer this toolset over HostAPd is its reliability and scalability – allowing the different components to do one job, and do it well. Freeradius is very good at being a Radius server and a dedicated AP is very good at being an access point – and neither are dependent on the distributions wireless drivers. Freeradius in the wpe toolset has been updated from 2.1.x (which is EOL) to 3.0.x, its changelog can be found here.

[/vc_column_text][vc_column_text]

Attacking WPE Enterprise with hostapd-wpe in Kali

[/vc_column_text][vc_column_text]

We promised, so we’ll deliver, whether it’s clickbait or not. Here’s a short video showing you how to install and use hostapd-wpe in Kali Linux. We also encourage you to check out the Kali Tools hostapd-wpe page for additional information.

[/vc_column_text][vc_video link=”https://vimeo.com/192497350″ video_title=”1″][/vc_column][/vc_row][vc_row][vc_column][/vc_column][/vc_row]