Skip to content

My Hacking Notes

WPA2 (Enterprise)

My Hacking Notes

Home
General
General
OSINT
OSINT
- bbot
- File Scraping
Windows
Windows
- Workstations
  Workstations
  - Privilege Escalation
- Active Directory
  Active Directory
  - Methodology
  - External Password Spraying
    External Password Spraying
    
    Username Enumeration
    
    Entra Token/ROPC
    
    Exchange Endpoints
  - Remote Execution Tools
  - PowerShell Commands
  - CMD Commands
  - Relay & Coercion
    Relay & Coercion
    
    Relay (ntlmrelayx)
    
    RPC Coercion
    
    Responder
    
    mitm6
    
    Insecure Name Resolution Protocols
    
    WPAD
    
    Exchange Coercion (PrivExchange)
  - Discovery & Audit
    Discovery & Audit
    
    SMB & RPC Enumeration
    
    SMB Shares & Data Hunting
    
    LDAP Checks
    
    BloodHound
    
    User Enumeration
    
    Password Spraying
  - Privilege Escalation
    Privilege Escalation
    
    ADCS Discovery
    
    ADCS - ESC 1
    
    ADCS - ESC 8
    
    Shadow Credentials
    
    BadSuccessor (dMSA Abuse)
    
    ZeroLogon
  - Credential Access
    Credential Access
    
    SAM/SECURITY/SYSTEM
    
    DCSync
    
    DPAPI
    
    AutoLogon
    
    GPP/SYSVOL Credential Leaks
  - Delegation
    Delegation
    
    Discovery
    
    Resource Based Constrained Delegation (RBCD)
    
    Unconstrained Delegation (KUD)
    
    Constrained Delegation (KCD)
  - Kerberos
    Kerberos
    
    Authentication Process
    
    S4U2self and S4U2Proxy
    
    Password / Hash -> TGT
    
    AS-REP Roast
    
    Kerberoast
    
    Ticket Forgery
    Ticket Forgery
    
    Golden Ticket
    
    Silver Ticket
- File Transfer
  File Transfer
  - Download to Windows
  - Upload from Windows
WiFi
WiFi
- Security Testing Tools
- Security Types Overview
- WPA
- WPA2 (Personal)
- WPA2 (Enterprise) WPA2 (Enterprise)
  Table of contents
  - Vulnerabilities
    
    Evil-Twin / Credential Theft
    
    EAP Types and credentials to capture:
    
    References:
- Attacks
  Attacks
  - WPA/WPA2 PSK/PMKID Captures
  - WPS (PIN) Weaknesses
Password Cracking
Password Cracking
- Hashcat
- Wordlists
Miscellaneous
Miscellaneous
- Tmux Configuration
CTF Walkthroughs
CTF Walkthroughs
- Proving Grounds
  Proving Grounds
  - Cassios
  - Cobweb
  - Muddy
  - Forward

WPA2-Enterprise¶

Authentication: 802.1X/EAP (e.g., PEAP-MSCHAPv2, EAP-TTLS, prefer EAP-TLS)
Cipher: AES-CCMP

Vulnerabilities¶

Evil-Twin / Credential Theft¶

Attack succeeds primarily when clients fail to validate the RADIUS server certificate (wrong CA, CN/SAN mismatch, or user click-through). Misconfigurations are common.

If PMF is not enabled, spoofed deauth/disassoc frames can force roaming to the evil-twin. PMF blocks this coercion but does not prevent pre-association beacon/probe spoofing.

EAP Types and credentials to capture:¶

PEAP-MSCHAPv2

Weak, crackable password‑based inner method (MSCHAPv2).
Typically consists of AD credentials.

EAP-TTLS (inner PAP/GTC)

The cleartext PAP/GTC token can be captured.
- PAP are immediately usable. Typically AD credentials.
- GTC are typically OTP and should be used immediately.

References:¶

All your Credentials are Belong to Us: On Insecure WPA2-Enterprise Configurations