Cybersecurity blog header

Enterprise WiFi network security audit from openwrt

- Oscar Mallo

The main difficulties found when performing a security audit of Enterprise WiFi network by a security analyst in ethical hacking are the following:

  • WPA Enterprise networks impersonation.
  • Client’s devices and mobile terminals attacks.
  • WiFi WPA Enterprise password cracking.

Hostapt-WPE (Wireless Pwnage Edition) is a WiFi attack tool which replaces part of the problem creating a fake access point with a modified radius service responsible for clients’ usernames and passwords compilation. Nevertheless, we have learned from experience that big problems emerge when using this software in distribution such as in Kali Linux. Actually, the following problems were not present since years ago:

  • Low transmission speeds, unsatisfactory for client’s association.
  • WiFi card and chipsets incompatibility with 5Ghz band.
  • WiFi security audit performance difficulty.

A client’s device prefers 5Ghz Enterprise networks or 802.11n networks in 2.4Ghz. Among other parameters, facilitating client’s roaming to other access point (in this case our fake AP), WiFi enterprise network transmission speed and signal level are key factors. This is not provided by a conventional WiFi card and this also motivates the failure of our impersonation attacks in modern engineering. Anti deauth with MPF (Management Protected Frame) control measures implementation is included already by a large part of the latest update of WiFi 802.11w manufacturers. And this also constitutes a disadvantage for us.

WiFi enterprise pentesting

Using openwrt and hostapd-wpe in order to attack WiFi enterprise networks.

Apart from having WiFi analysis software in order to facilitate the WiFi enterprise security analysis work, it is also recommended to be supported by autonomous devices from where carrying out these attacks. These devices are usually WiFi routers such as TP-Link Archer C5 AC1200 provided with more powerful antennas and cards than a dongle usb. Since WiFi pineapple was very small for our work and offered a quite low performance, our Tarlogic colleagues have been working on modifying the hostapd 2.2 version in openwrt platform in order to include the hostapd-wpd pad natively, generating then packages for every hardware version.

Therefore, using an openwrt router, hostapd-wpe can be installed and carry out WiFi attacks with a high success percentage rate.

In this case, in order to perform a WiFi network security audit a router TP-LINK has been connected to a high capacity battery to carry the device hidden in a bag while passwords are extracted.

Please, consult all the information regarding hostapd-wpd project for openwrt included in Acrylic WiFi webpage and download corresponding source code and compiled packages.

Besides, please find also available OpenWRT WPE for OpenWRT in our OpenWRT WPE for OpenWRT – GitHub.

Give it a try and leave your comments.

Discover our work and cybersecurity services at www.tarlogic.com