802.1X

Protocol security (highest to lowest)

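| Protocol | Certificate Required | Mutual Authentication |
|----------|----------------------|-----------------------|
| EAP-TLS  | Server and Client    | Yes                   |
| PEAP     | Server               | Yes                   |
| EAP-TTLS | Server               | Yes                   |
| LEAP     | No                   | Yes                   |
| EAP-MD5  | No                   | No                    |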

Server certificate

1) For Windows, the challenge response can be done using a domain user account or a computer account depending on the authentication mode. By default both are enabled.

2) In the default configuration of Windows 10, the PEAP properties have the setting "Tell user if the server’s identity can’t be verified", meaning that the user will be prompted to verify the certificate.

However, if "Don’t ask user to authorize new servers or trusted CAs" is set, it is not possible to retrieve the challenge response.

It is still possible to avoid the certificate prompt by using a Let’s Encrypt certificate: it is issued by a CA trusted by Microsoft, and this is the default configuration on Windows 10.

However, the trusted CA list may be changed on the Windows host.
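
A defensive check for the settings discussed in this section, as an added example that is not part of the original notes: it audits the PEAP section of a Windows WLAN profile (as exported by `netsh wlan export profile`) for the prompt, server-name and root-CA settings. The profiles are constructed samples, and the server name and thumbprint in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like the PEAP section of a profile exported with
# `netsh wlan export profile`; the server name and thumbprint are placeholders.
TEMPLATE = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>{noprompt}</DisableUserPromptForServerValidation>
    <ServerNames>{names}</ServerNames>
    {root}
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation>{validate}</PerformServerValidation>
  </PeapExtensions>
</EapType>"""
WEAK = TEMPLATE.format(noprompt="false", names="", root="", validate="true")
HARDENED = TEMPLATE.format(
    noprompt="true", names="radius.example.internal",
    root="<TrustedRootCA>PLACEHOLDER-THUMBPRINT</TrustedRootCA>", validate="true")


def audit_peap_profile(xml_text):
    """Return findings for the server-validation settings of one PEAP profile."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # compare local names, ignore namespaces
        values.setdefault(name, []).append((el.text or "").strip().lower())

    findings = []
    if "false" in values.get("PerformServerValidation", []):
        findings.append("server certificate validation is disabled")
    # "Don't ask user to authorize new servers or trusted CAs" must be enabled.
    if "true" not in values.get("DisableUserPromptForServerValidation", []):
        findings.append("user may be prompted to trust an unknown server or CA")
    if not any(values.get("ServerNames", [])):
        findings.append("no RADIUS server name is pinned")
    # Without a pinned root, any CA trusted by the host is accepted.
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no root CA is pinned")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_peap_profile(profile))
```
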

Client certificate

If the server certificate can be impersonated, and there is a client certificate, it is possible to patch hostapd so that it does not verify the validity of the client certificate.

https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/

Password Spray

eaphammer --eap-spray -I <wlan0> -e <SSID> --user-list <userlist.txt> --password <password>