I am running an evil twin attack with eaphammer; by default it seems to capture MSCHAPv2 authentication, which contains the username and NetNTLM hashes. I have manually created a WiFi connection (on Windows) and manually selected not to verify the CA and to use PAP authentication. When I connect to this new connection, I am able to grab the cleartext password. This is what I want.

My knowledge on wireless communication is limited, but is it possible to force a client to connect to EAP-TTLS/PAP or is this controlled by the client or through client profiles?

Or a better technical question, how is the authentication type controlled?

Anderson

2 Answers

My knowledge on wireless communication is limited, but is it possible to force a client to connect to EAP-TTLS/PAP or is this controlled by the client or through client profiles?

Or a better technical question, how is the authentication type controlled?

This is initially controlled by the RADIUS server of the wireless network as it will be configured to only allow certain EAP methods.

Once the wireless network is configured on a client, it will have the chosen EAP method configured in the wireless network profile.

So, if you are getting a client to join a network for the first time, you can offer them whatever you want; however, this is not useful when trying to establish a MitM situation, as you are generally trying to situate yourself between an established connection between a client and an existing network.

YLearn
You can define the authentication protocols that the 802.1X supplicant can use, and some RADIUS servers can be configured to authenticate/listen on certain protocols only. Think of the latter in terms of SSL, wherein the server can stop listening on SSLv3 and negotiate only TLS.

Abhishek Sha
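As an added illustration of the client-profile side described in both answers (this is not code from either poster): two wpa_supplicant network blocks for the same SSID. The first mirrors the manually created profile in the question (no CA check, PAP inner method); the second pins the RADIUS server's CA and expected name and fixes the inner method, so the supplicant itself refuses an access point whose RADIUS server cannot present a matching certificate. The SSID, identity, CA path and domain name are placeholders.

```conf
# Weak profile: no CA pinned, no server-name check, inner method PAP.
# The supplicant builds the TLS tunnel to whatever server answers and
# then sends the password in clear text inside it. This is the
# wpa_supplicant equivalent of the Windows profile in the question.
network={
    # placeholder SSID and credentials
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    password="changeme"
    phase2="auth=PAP"
    # no ca_cert and no domain_suffix_match: any certificate is accepted
}

# Hardened profile for the same SSID: the tunnel is only completed to
# a server whose certificate chains to the pinned CA and whose name
# matches the expected RADIUS host. The inner method is fixed so the
# client does not negotiate PAP at all.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    password="changeme"
    # placeholder path to the organisation's RADIUS CA certificate
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # placeholder: server certificate must carry this domain suffix
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

On Windows the corresponding controls are the "verify the server's identity by validating the certificate" option and the trusted root CA selection in the network profile; the question's profile had exactly these turned off.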