TL;DR
This guide explains how to steal credentials from a WPA2-Enterprise RADIUS wifi network, allowing you to gain unauthorised access. Warning: This is illegal without explicit permission. Use this information for educational purposes only and on networks you own or have permission to test.
Prerequisites
- A wireless adapter capable of monitor mode (Alfa adapters are popular).
- Kali Linux (or a similar penetration testing distribution).
- Basic understanding of the command line.
- aircrack-ng suite installed.
Steps
- Put your wireless adapter into monitor mode: this allows it to capture all wifi traffic, not just traffic for networks you’re connected to.
  sudo airmon-ng start wlan0
  This will likely create a new interface such as wlan0mon. Use this interface in subsequent steps.
- Identify the target network: use airodump-ng to scan for nearby networks and find your target WPA2-Enterprise network.
  sudo airodump-ng wlan0mon
  Note the BSSID (MAC address) of the access point and the channel it’s on.
- Capture handshake: airodump-ng will automatically capture packets. To speed up the process, you can deauthenticate a connected client.
  sudo aireplay-ng -0 1 -a [BSSID] -c [Client MAC Address] wlan0mon
  Replace [BSSID] with the access point’s BSSID and [Client MAC Address] with a connected client’s MAC address. The goal is to capture an EAPOL handshake.
- Crack the handshake: once you have the handshake file (.cap), use aircrack-ng to attempt cracking it.
  sudo aircrack-ng -w /path/to/wordlist.txt [handshake_file].cap
  Replace /path/to/wordlist.txt with the path to your wordlist file (e.g., rockyou.txt) and [handshake_file].cap with the name of your captured handshake file.
- RADIUS dictionary attack: WPA2-Enterprise often uses RADIUS authentication. If a standard dictionary attack fails, you may need to target the RADIUS server directly.
  - Identify the RADIUS server: use tools like Wireshark or packet capture analysis during handshake capture to identify the RADIUS server’s IP address and port (typically UDP 1812/1813).
  - RADIUS dictionary attack tools: tools such as Medusa or Hydra can be used for brute-force attacks against the RADIUS server. These tools require a username list and a password list.
    hydra -l [username] -P /path/to/passwordlist.txt [radius_server_ip] radius
- Post-exploitation: if you successfully crack the password, you can connect to the wifi network using the obtained credentials.
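The last steps above describe dictionary and brute-force attempts against the accounts behind the RADIUS server. From the defender's side, those attempts leave a clear trace: a burst of failed logins from one station in the RADIUS server's authentication log, either hammering one account or cycling through many. The Python script below is an added example, not part of the original guide and not code from any tool it names. It parses a small constructed log (the line format is loosely modelled on a RADIUS auth log and is an assumption, so adapt LOG_RE to your own server's output) and raises two kinds of alert: repeated failures against one account from one station MAC within a sliding window, and one station failing against many distinct accounts. The station MACs, usernames, timestamps, window and thresholds are all constructed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line format is loosely modelled on a RADIUS
# server's authentication log (an assumption); adjust LOG_RE for your server.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z Auth: Login OK: [bob] (from client ap-lobby port 1 cli 00-11-22-33-44-55)
2024-05-01T10:00:05Z Auth: Login incorrect: [alice] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:00:06Z Auth: Login incorrect: [alice] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:00:07Z Auth: Login incorrect: [alice] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:00:08Z Auth: Login incorrect: [alice] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:00:09Z Auth: Login incorrect: [alice] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:00:10Z Auth: Login incorrect: [alice] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:00:11Z Auth: Login incorrect: [carol] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:00:12Z Auth: Login incorrect: [dave] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:00:13Z Auth: Login incorrect: [erin] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:00:14Z Auth: Login incorrect: [frank] (from client ap-lobby port 1 cli 66-77-88-99-aa-bb)
2024-05-01T10:30:00Z Auth: Login incorrect: [bob] (from client ap-lobby port 1 cli 00-11-22-33-44-55)
2024-05-01T10:30:02Z Auth: Login OK: [bob] (from client ap-lobby port 1 cli 00-11-22-33-44-55)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f-]+)\)$"
)


def parse_log(text):
    """Turn raw log text into auth-result events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "nas": m["nas"],
            "mac": m["mac"].lower(),
        })
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      max_failures=5, max_users=3):
    """Sliding-window detector with two rules:
      - 'bruteforce': at least max_failures failed logins for one account from
        one station MAC inside `window` (dictionary attack on a single user);
      - 'spray': one station MAC failing against at least max_users distinct
        accounts inside `window` (password spraying or username enumeration).
    Each (rule, station[, user]) is reported once. A success after a burst of
    failures deliberately does not clear the alert: it is the case worth a look."""
    fails = defaultdict(deque)             # (mac, user) -> failure timestamps
    last_fail_by_user = defaultdict(dict)  # mac -> {user: ts of last failure}
    alerts, seen = [], set()

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue
        mac, user, ts = ev["mac"], ev["user"], ev["ts"]

        q = fails[(mac, user)]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ("bruteforce", mac, user) not in seen:
            seen.add(("bruteforce", mac, user))
            alerts.append(("bruteforce", mac, user, ts))

        recent = last_fail_by_user[mac]
        recent[user] = ts
        for stale in [u for u, t in recent.items() if ts - t > window]:
            del recent[stale]
        if len(recent) >= max_users and ("spray", mac) not in seen:
            seen.add(("spray", mac))
            alerts.append(("spray", mac, len(recent), ts))
    return alerts


def run_sample():
    """Run the detector over the constructed log; returns the alert list."""
    return detect_bruteforce(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, mac, detail, ts in run_sample():
        print(f"{ts.isoformat()} {kind:10s} station={mac} {detail}")
```

On the sample, the single failure from bob followed by a success produces nothing, while the second station triggers one 'bruteforce' alert (alice, on the fifth failure) and one 'spray' alert (three distinct accounts). Feed a real log with parse_log(open(path).read()), tune the window and thresholds to your environment's normal failure rate, and act on the alerts with per-account lockout or rate limiting at the NAS rather than only after the fact.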
Important Considerations
- Wordlists: the success of this attack relies heavily on having a good wordlist. Use large and relevant wordlists for best results.
- Network security: modern WPA2-Enterprise networks often employ additional security measures such as stronger encryption (e.g., AES) and RADIUS server lockdown, making cracking more difficult.
- Legal ramifications: attempting to gain unauthorised access to a wifi network is illegal in most jurisdictions. This guide is for educational purposes only.