Skip to content

EAP Attacks

EAP (Extensible Authentication Protocol) attacks target enterprise wireless networks using 802.1X authentication. Unlike PSK networks, EAP networks authenticate individual users against a RADIUS server. Crackable output requires capturing the inner authentication exchange.

Rogue AP Concept

A rogue AP (evil twin) impersonates a legitimate enterprise network by broadcasting the same SSID. When a client connects and initiates EAP authentication, the rogue AP captures the credential exchange.

sequenceDiagram
    participant STA as STA (Client)
    participant RAP as Rogue AP

    Note over STA,RAP: STA sees known SSID, connects
    STA->>RAP: EAP-Response/Identity (username)
    RAP->>STA: EAP-Request (challenge or TLS ServerHello)
    Note over STA,RAP: For PEAP/EAP-TTLS: attacker presents self-signed cert
    Note over STA,RAP: Client may ignore cert warning (misconfiguration)
    STA->>RAP: MSCHAPv2 challenge response (NT-Response)
    Note over RAP: Logs NT-Response + challenges
    RAP->>STA: EAP-Failure (attacker doesn't know password)
    Note over RAP: Extract hash → offline crack

For PEAP/EAP-TTLS: clients must validate the server certificate. Misconfigured clients that accept any certificate are the primary target. Correctly configured clients will fail at the certificate validation step and not expose credentials.

For LEAP and EAP-MD5: no TLS tunnel; credentials are captured by passive sniffing or MitM.

EAP Type Taxonomy

Commonly Deployed (attack-relevant)

EAP type Code Inner method Crackable? hashcat mode Capture method
PEAP 25 MSCHAPv2 Yes (if cert ignored) 5500 Rogue AP
EAP-TTLS 21 MSCHAPv2 Yes (if cert ignored) 5500 Rogue AP
EAP-TTLS 21 PAP No hash N/A Rogue AP (plaintext)
EAP-MD5 4 MD5-Challenge Yes 4800 Passive capture
LEAP 17 MS-CHAPv1 Yes 5500 Passive capture
EAP-TLS 13 Certificate No N/A No password
EAP-FAST 43 MSCHAPv2 Conditional 5500 PAC provisioning attack

Other Registered Types

Other IANA-registered EAP types

Types rarely encountered in wireless deployments:

Code Name Notes
6 GTC Generic Token Card; rarely used without OTP hardware
32 POTP Protected OTP; niche
38 EAP-TLV Container type, not an auth method
18 EAP-SIM SIM-based; carrier WiFi
23 EAP-AKA USIM-based; common in carrier WiFi
50 EAP-AKA' Updated AKA with channel binding
56 EAP-NOOB Nimble OOB; IoT enrollment

Which Methods Produce Crackable Output

Only methods that transmit a password-derived challenge/response (either in cleartext or inside a TLS tunnel that the attacker controls) yield crackable material:

Method Why crackable hashcat mode
MSCHAPv2 (in PEAP/EAP-TTLS) NT hash challenge/response captured from TLS tunnel 5500
EAP-MD5 MD5(ID || password || challenge) transmitted in cleartext 4800
LEAP (MS-CHAPv1) DES-based response transmitted in cleartext 5500

EAP-TLS exposes only certificates; no shared secret or password hash is transmitted. An attacker can observe that authentication succeeded but gains nothing crackable.

Tool Chain

Step Tool Output
Capture (PEAP/EAP-TTLS) hostapd-mana (rogue AP) mschapv2.hashes
Capture (EAP-MD5, LEAP) hcxpcapngtool --eapmd5 / --eapleap hash files
Crack MSCHAPv2 / LEAP hashcat -m 5500 NT hash or plaintext
Crack EAP-MD5 hashcat -m 4800 plaintext password