802.1X
Protocols security (highest to lowest)
| Protocol | Certificate Required | Mutual Authentication |
|---|---|---|
| EAP-TLS | Server and Client | Yes |
| PEAP | Server | Yes |
| EAP-TTLS | Server | Yes |
| LEAP | No | Yes |
| EAP-MD5 | No | No |
Server certificate
1) For Windows, the challenge response can be done using a domain user account or a computer account depending on the authentication mode. By default both are enabled.
2) In the default configuration of W10 the PEAP properties have the setting Tell user if the server’s identity can’t be verified.
Meaning that the user will be prompted to verify the certificate.
However, if Don’t ask user to authorize new servers or trusted CAs is setup it is not possible to retrieve the challenge response.
It is still possible to avoid the certificate prompt by using a Let’s Encrypt certificate. It uses a CA trusted by Microsoft and it is the default configuration on Windows 10.
However, trusted CA list may be changed on the Windows host.
Client certificate
If the server certificate can be impersonnated, and there is a client certificate, it is possible to patch hostapd in order to not verify the validity of the client certificate.
https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/
Password Spray
eaphammer --eap-spray -I <wlan0> -e <SSID> --user-list <userlist.txt> --password <password>