Saturday, 11 April 2015

WPA2 Enterprise Credential Capture using Freeradius server


In previous article we configured Fake radius server on Kali Linux which will be used to capture domain credentials of endpoints connected to WPA2 MGT [ WPA2 Enterprise Wi-Fi Access Points ]



Steps :

1. Attacker will setup Freeradius server on Kali Linux.
2. Enumerated clients connected to WPA2 Enterprise Wi-Fi Access point :





















3. De-authenticated  client connected to WPA2 Enterprise Wi-Fi




4. Client connected to nearest WPA2 Enterprise Access point [ Attackers Fake Access Point ] 





















5. Credentials captured while client authenticated with access point using domain credentials

6. Credentials captured are bruteforced using custom made dictionary with the help of asleap tool.



Game Over!....Now you can authenticate with WPA2 Enterprise access point using these credentials.
If MAC address authentication is enabled its very easy to spoof mac using "macchanger" tool.

Ex.
macchanger --mac MACADDRESS wlan0


Hope this is helpful.

Regards,
eXpl0i13r