Follow the given instructions to get started:

eap.conf file to ensure that PEAP is enabled:
radiusd -s -X

Monster as the user name and abcdefghi as the password:

asleap to crack this using a password list file that contains the password abcdefghi, and we are able to crack the password! (For the purposes of this demonstration, we simply created a one-line file called list with the password in it.)

We set up our Honeypot using FreeRADIUS-WPE. The enterprise client is misconfigured to not use certificate validation with PEAP. This allows us to present our own fake certificate to the client, which it gladly accepts. Once this happens, MSCHAP-v2, the inner authentication protocol, kicks in. As the client uses our fake certificate to encrypt the data, we are easily able to recover the username, challenge, and response tuples.
MSCHAP-v2 is prone to dictionary attacks. We use asleap to crack the challenge and response pair, as the password appears to be based on a dictionary word.
PEAP can be misconfigured in multiple ways. Even with certificate validation enabled, if the administrator does not list the authentic servers in the "Connect to these servers" list, the attacker can obtain a real certificate for another domain from any of the listed certifying authorities, and the client will still accept it. Other variations of this attack are possible as well.
We encourage you to explore the different possibilities in this section.
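The two misconfigurations above (no certificate validation at all, and validation without a list of authentic servers) are both visible in the client's supplicant configuration. The following Python script is an added example, not code from the book or from the FreeRADIUS or asleap projects: it audits wpa_supplicant network blocks and flags PEAP profiles that omit ca_cert (any certificate is accepted) or omit a server-name pin such as domain_suffix_match, subject_match, altsubject_match or domain_match (the wpa_supplicant equivalent of the "Connect to these servers" list). The sample configuration is constructed for the example; the SSIDs, identity, password and paths in it are placeholders.

```python
"""Audit wpa_supplicant PEAP network blocks for the two server-validation
mistakes that a rogue RADIUS server (honeypot) relies on.

Added example; it assumes standard wpa_supplicant.conf syntax (network={...}
blocks with key=value lines) and the real wpa_supplicant option names
ca_cert, domain_match, domain_suffix_match, subject_match, altsubject_match.
"""
import re

# Any one of these options pins the client to specific authentic servers,
# so a valid certificate for some *other* domain is rejected.
SERVER_PIN_KEYS = ("domain_match", "domain_suffix_match",
                   "subject_match", "altsubject_match")

# Constructed sample configuration: the first block is the misconfigured
# client described in the text, the second is a hardened profile.
SAMPLE_CONFIG = """
network={
    ssid="Corp-WiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="Corp-WiFi-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="REPLACE_ME"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
"""


def parse_network_blocks(text):
    """Return a list of dicts, one per network={...} block (nested braces
    are not used inside network blocks, so a non-greedy match is enough)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, flags=re.S):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip().strip('"')
        blocks.append(settings)
    return blocks


def audit_block(settings):
    """Return a list of findings for one PEAP block (empty if it is fine)."""
    findings = []
    if settings.get("eap", "").upper() != "PEAP":
        return findings  # only PEAP profiles are examined here
    if not settings.get("ca_cert"):
        findings.append("no ca_cert: server certificate is not validated, "
                        "so a fake certificate will be accepted")
    if not any(settings.get(key) for key in SERVER_PIN_KEYS):
        findings.append("no server name pin (domain_suffix_match etc.): a real "
                        "certificate for any other domain from a trusted CA "
                        "will be accepted")
    return findings


def audit_config(text):
    """Map each SSID to its list of findings."""
    return {block.get("ssid", "<no ssid>"): audit_block(block)
            for block in parse_network_blocks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "WEAK"
        print(f"{ssid}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real wpa_supplicant.conf, every PEAP block that prints WEAK is a client that would accept the honeypot's certificate and hand over an MSCHAP-v2 challenge/response pair; fixing it means adding both a ca_cert and one of the server-name pins, which is what the "Validate server certificate" and "Connect to these servers" options do on the Windows side.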