
I set up an access point to perform an "evil twin" attack on an existing WPA2 Enterprise network (I have permission to do this).

I am using hostapd-wpe. Within a short period of enabling the access point my devices see the network and attempt authentication, and I receive a challenge and response.

When I take the challenge and response and attempt to run a dictionary attack on them I am unsuccessful, even if I connect to the access point with a password of "password" or manually add a real password to my wordlist.

With jtr I am using the following:

john --wordlist=/usr/share/wordlists/rockyou.txt.gz hash.txt
john --format=netntlm-naive --wordlist=/usr/share/wordlists/rockyou.txt.gz hash.txt

When I try mschapv2 or netntlmv2 in jtr or hashcat, it loads 0 hashes. hashcat provides an error regarding salt-length.

hostapd-wpe indicates that the challenge and response is mschapv2.

Looking for a simple answer, but any advice is greatly appreciated. Does getting the challenge and response indicate that these machines just sent their credentials to the evil twin AP, and I just need to keep working on figuring out how to crack mschapv2? Or does getting a challenge and response not necessarily mean success, and I may need to continue working on the evil twin AP?


1 Answer


It seems the answer is yes: getting a challenge/response indicates the password was sent. My mistake was in cracking the password.

To successfully crack the password I created a new wordlist.txt with a couple of words in it and the actual password. I then used the following in hashcat on a Windows OS:

hashcat64 -m 5500 -a 0 DOMAIN\username::::response:challenge wordlist.txt

I believe the mistake was the way in which I added to the word list. I had used

echo password >> rockyou.txt

which does not generate a new line... a very simple mistake that cost me a few hours of banging my head against the wall.
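Two checks that would have shortened the debugging described in this thread, written as an added example (not code from the question, the answer, hostapd-wpe, john or hashcat). The first validates the field layout of a hostapd-wpe style `DOMAIN\user::::response:challenge` line before it is handed to a cracker (6 colon-separated fields, a 24-byte response and an 8-byte challenge); the second appends a word to a wordlist without gluing it onto an unterminated last line. The hash lines below are constructed, not captured values.

```python
import os
import re
import tempfile
from pathlib import Path

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample lines (not real captures), hostapd-wpe layout:
# DOMAIN\user::::<NT-response hex>:<challenge hex>
GOOD_LINE = "CORP\\alice::::00112233445566778899aabbccddeeff0011223344556677:0123456789abcdef"
BAD_LINE = "CORP\\alice::::0011223344:0123456789abcdef"   # response far too short


def check_netntlm_line(line: str) -> list:
    """Return problems with a john netntlm / hashcat -m 5500 line; [] if it looks loadable."""
    fields = line.strip().split(":")
    if len(fields) != 6:
        return [f"expected 6 colon-separated fields, got {len(fields)}"]
    user, _, _, _, response, challenge = fields   # hostapd-wpe leaves the middle three empty
    problems = []
    if not user:
        problems.append("empty user field")
    if len(response) != 48 or not HEX.match(response):
        problems.append(f"response must be 48 hex chars (24 bytes), got {len(response)}")
    if len(challenge) != 16 or not HEX.match(challenge):
        problems.append(f"challenge must be 16 hex chars (8 bytes), got {len(challenge)}")
    return problems


def append_word(wordlist: Path, word: str) -> bool:
    """Append word on its own line. If the file's last line has no trailing
    newline, insert one first so the new word is not fused onto it.
    Returns True when that separator had to be inserted."""
    inserted = False
    with open(wordlist, "ab+") as f:
        f.seek(0, os.SEEK_END)
        if f.tell() > 0:
            f.seek(-1, os.SEEK_END)
            if f.read(1) != b"\n":
                f.write(b"\n")
                inserted = True
        f.write(word.encode() + b"\n")
    return inserted


def demo() -> tuple:
    """Reproduce the unterminated-last-line case on a throwaway wordlist."""
    with tempfile.TemporaryDirectory() as d:
        wl = Path(d) / "wordlist.txt"
        wl.write_bytes(b"letmein\nsummer2019")   # constructed: no trailing newline
        inserted = append_word(wl, "password")
        return inserted, wl.read_text().splitlines()
```

With a plain `>>` append the last entry would have read `summer2019password`; `demo()` returns `(True, ['letmein', 'summer2019', 'password'])` instead.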