Evil Twin EAP-TLS

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!

At some point I needed to use the proposed solution by the post bellow but the steps in https://github.com/OpenSecurityResearch/hostapd-wpe wasn't working in modern kali (2019v3) anymore. Anyway, it's easy to make them work. You only need to download the hostapd-2.6 from here: https://w1.fi/releases/ and before compiling again hostapd-wpe install: apt-get install libssl1.0-dev

Analyzing and Exploiting EAP-TLS in Wireless Networks

Background: EAP-TLS in Wireless Networks

EAP-TLS is a security protocol providing mutual authentication between client and server using certificates. The connection is only established if both the client and the server authenticate each other's certificates.

Challenge Encountered

During an assessment, an interesting error was encountered when using the hostapd-wpe tool. The tool rejected the client's connection due to the client's certificate being signed by an unknown Certificate Authority (CA). This indicated that the client did trust the fake server's certificate, pointing to lax security configurations on the client side.

Objective: Setting Up a Man-in-the-Middle (MiTM) Attack

The goal was to modify the tool to accept any client certificate. This would allow the establishment of a connection with the malicious wireless network and enable a MiTM attack, potentially capturing plaintext credentials or other sensitive data.

Solution: Modifying `hostapd-wpe`

Analysis of the source code of hostapd-wpe revealed that the client certificate validation was controlled by a parameter (verify_peer) in the OpenSSL function SSL_set_verify. By changing this parameter's value from 1 (validate) to 0 (do not validate), the tool was made to accept any client certificate.

Execution of the Attack

Environment Check: Use airodump-ng to monitor wireless networks and identify targets.
Set Up Fake AP: Run the modified hostapd-wpe to create a fake Access Point (AP) mimicking the target network.
Captive Portal Customization: Customize the login page of the captive portal to appear legitimate and familiar to the target user.
De-authentication Attack: Optionally, perform a de-auth attack to disconnect the client from the legitimate network and connect them to the fake AP.
Capturing Credentials: Once the client connects to the fake AP and interacts with the captive portal, their credentials are captured.

Observations from the Attack

On Windows machines, the system might automatically connect to the fake AP, presenting the captive portal when web navigation is attempted.
On an iPhone, the user might be prompted to accept a new certificate and then presented with the captive portal.

Conclusion

While EAP-TLS is considered secure, its effectiveness heavily depends on the correct configuration and cautious behavior of end-users. Misconfigured devices or unsuspecting users accepting rogue certificates can undermine the security of an EAP-TLS protected network.

For further details check https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/

References

https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/