As I worked on few Wireless Penetration Testing assignments recently, I thought to post information related to Enterprise Authentication.
As we all are aware WEP is Broken Beyond Repair, and WPA/WPA2 Bruteforce handshakes!
But most of organizations implement WAP/WAP2 Enterprise Authenticataion, containing Domain Authentication, so ideally Wireless Client will authenticate to AP using Domain Credentials!
To capture Authentication Handshakes for Enterprise networks and bruteforce them we need Freeradius-WPE (Wireless Pawn-age Edition)
Basic Structure of Wireless Enterprise Network ( Using Radius Server) :
So attacker can bring Physical Access point which will be connected to Freeradius server hosted in Attacker's Virtual Machine as mentioned below :
Attacker broadcast SSID with similar name as official SSID of Access Point.
When Client connects to attackers rogue AP, It will send Authentication challenges which attacker can bruteforce offline to recover passwords.
This is just a theory on how attacker can work towards breaking Enterprise Level authentication.
In next post I will post about setup and configuration of Freeradius server, and slowly towards hacking enterprise authentications.