cyberneticlibrary

Audit Enterprise WiFi Security

offensive-wpa-enterprise · skill · setup · L32,144
SnailSploit/Claude-Red
What it does

Attack WPA/WPA2/WPA3-Enterprise (802.1X / EAP) authentication by capturing credentials or stealing client certificates

Best for

Corporate Wi-Fi engagements where 802.1X authentication is used and client cert validation is lax (BYOD, unmanaged devices).

Inputs

  • Target ESSID, BSSID, channel from prior recon
  • EAP method identification (PEAP-MSCHAPv2, TTLS, TLS, GTC, PWD, FAST)
  • Wi-Fi adapter for rogue RADIUS / evil-twin AP

Outputs

  • MSCHAPv2 challenge-response hashes for offline cracking (yields domain username + password)
  • Plaintext GTC passwords (if offered)
  • Stolen client certificates (PEM/PKCS12 from cert-storage paths)
  • AD domain credentials for downstream pivots (see offensive-active-directory)

Requires

  • eaphammer (rogue RADIUS server + auto evil-twin AP)
  • asleap (MSCHAPv2 crack, rainbow tables)
  • hashcat mode 5500 (NetNTLMv1 cracking)
  • DPAPI master key extraction (Windows domain-joined machines)
  • NDES / SCEP client enrollment tools (sscep)
  • Active Directory CS exploitation (ESC1-class attack for cert theft)

Preconditions

  • EAP method identified (PEAP-MSCHAPv2 is most common and vulnerable)
  • Wi-Fi adapter capable of hosting rogue AP (hostapd support)
  • Target supplicant does NOT validate RADIUS server certificate CN or CA chain (common on BYOD)

Failure modes

  • Supplicant enforces server cert validation + CN pinning (corporate GPO) → evil-twin fails
  • EAP-TLS cannot be cracked from wire (uses certs) — must steal cert from device storage
  • Certificate pinning via SCEP/Intune locks supplicant, evil-twin TLS tunnel fails
  • EAP-PWD / EAP-FAST / EAP-MSCHAPv2 have Dragonblood-class side channels (research only, patched in modern hostapd)

Trust signals

  • Detailed EAP method fingerprinting (table of Type, Inner, and attack vector per method)
  • Evil-twin RADIUS attack fully documented with eaphammer workflow
  • MSCHAPv2 equivalence to NetNTLMv1 explained (enables rainbow-table cracking)
  • Cert theft paths from DPAPI, NDES, AD CS auto-enrollment detailed (ESC1 exploitation)