Saturday, 31 May 2014

Wireless Enterprise Authentication


As I worked on a few wireless penetration testing assignments recently, I thought I would post some information related to enterprise authentication.
As we are all aware, WEP is broken beyond repair, and WPA/WPA2 handshakes can be brute-forced!

But most organizations implement WPA/WPA2 Enterprise authentication backed by domain authentication, so ideally the wireless client authenticates to the AP using domain credentials!

To capture authentication handshakes for enterprise networks and brute-force them, we need FreeRADIUS-WPE (Wireless Pwnage Edition).

Basic structure of a wireless enterprise network (using a RADIUS server):

[Figure: Tutorial - Geier E - 1051 - Figure 1]

So an attacker can bring a physical access point connected to a FreeRADIUS server hosted in the attacker's virtual machine, as described below:

The attacker broadcasts an SSID with a name similar to the official SSID of the access point.
When a client connects to the attacker's rogue AP, it sends its authentication challenge/response, which the attacker can brute-force offline to recover passwords.

This is just the theory of how an attacker can work towards breaking enterprise-level authentication.
In the next post I will cover the setup and configuration of the FreeRADIUS server, and slowly move towards hacking enterprise authentication.
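
From the defending side, the rogue AP described above shows up in a wireless survey as the official SSID (or a look-alike) coming from a BSSID that is not in the inventory. The following is an added example, not code from this post or from FreeRADIUS-WPE; the SSID, BSSIDs, security labels, threshold and scan records are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Assumed values for illustration: replace with your own AP inventory.
OFFICIAL_SSID = "CorpWiFi"
EXPECTED_SECURITY = "WPA2-Enterprise"
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
SIMILARITY_THRESHOLD = 0.8  # tuning assumption, not a standard value

# Constructed scan results, shaped like a survey tool export.
SCAN = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:01", "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "02:aa:bb:cc:dd:01", "security": "WPA2-Enterprise"},
    {"ssid": "C0rpWiFi", "bssid": "02:aa:bb:cc:dd:02", "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:02", "security": "Open"},
    {"ssid": "CoffeeShop", "bssid": "02:aa:bb:cc:dd:03", "security": "WPA2-PSK"},
]

_LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s"})

def normalize(ssid):
    """Fold case, digit look-alikes and separators: 'C0rp-WiFi ' -> 'corpwifi'."""
    return "".join(c for c in ssid.lower().translate(_LOOKALIKES) if c.isalnum())

def similarity(a, b):
    """Similarity ratio (0.0 to 1.0) between two normalized SSIDs."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def classify(ap):
    """Return a reason string if the AP imitates the official SSID, else None."""
    if similarity(ap["ssid"], OFFICIAL_SSID) < SIMILARITY_THRESHOLD:
        return None  # unrelated network
    exact = ap["ssid"] == OFFICIAL_SSID
    known = ap["bssid"].lower() in AUTHORIZED_BSSIDS
    if exact and known and ap["security"] == EXPECTED_SECURITY:
        return None  # matches the inventory
    if not exact:
        return "look-alike SSID"
    if not known:
        return "official SSID from unknown BSSID"
    return "authorized BSSID with unexpected security"

def find_suspects(scan):
    """Return (ssid, bssid, reason) for every AP that classify() flags."""
    flagged = [(ap["ssid"], ap["bssid"], classify(ap)) for ap in scan]
    return [entry for entry in flagged if entry[2] is not None]

if __name__ == "__main__":
    for ssid, bssid, reason in find_suspects(SCAN):
        print(f"{bssid}  {ssid!r}: {reason}")
```

A BSSID can be copied, so a clean result from this inventory check does not prove that no rogue AP is present.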


