With the demands of a mobile workforce, wireless networks in enterprise environments are quite common. Typically, enterprise wireless networks employ WPA-Enterprise security features, which remove the need for the preshared keys (WPA2-PSK) that otherwise circulate among employees and raise concerns about key sharing and about continued unauthorized access after an employee is terminated.

These WPA-Enterprise (802.1X) wireless networks authenticate clients using one of several Extensible Authentication Protocol (EAP) types. Here is a quick breakdown of commonly seen EAP types, including some pros and cons:

EAP-LEAP - Cisco proprietary; uses MS-CHAP and is considered weak.

EAP-MD5 - Usernames sent in the clear; the MD5 challenge/response is weak and prone to cracking.

EAP-PEAP - Most common EAP type; identity sent in the clear, with the inner handshake secured by a TLS tunnel.

EAP-TLS - End-to-end encryption and secure, but requires client certificates, which carry an administrative burden.

Knowing that a large percentage of enterprise wireless networks deploy EAP types other than EAP-TLS (due to the administrative burden of managing client certificates), we can leverage known weaknesses in these EAP types to harvest valuable information. This information can include usernames, certificates, and weak challenge/response hashes that can be cracked. While these EAP weaknesses are nothing new, I struggled to find a tool to help penetration testers quickly identify EAP types and weaknesses. This is where the idea for crEAP came from.

Introducing crEAP

There are plenty of wireless assessment utilities such as Kismet, Wifite, etc. These all do a great job of identifying WPA-Enterprise networks and authentication protocols such as TKIP/CCMP, but they do not give details regarding the EAP type. In the past, a tester would have to obtain PCAPs for each network and sift through them to extract useful information. This was a burden on engagements with multiple networks within scope. We sought a utility to automate the identification of WPA EAP types and their insecurities. This led us to the development of crEAP.
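The kind of sifting described above can be reduced to parsing the EAP header inside each EAPOL frame: the EAP type byte names the method, and an Identity Response carries the cleartext username. The following is an added illustration, not crEAP's own code; the three frames are constructed sample bytes, and the list of type codes is taken from RFC 3748 and the IANA EAP registry, so a defender can run it over EAPOL frames from a capture to audit which EAP types (and which weak ones) are in use.

```python
"""Classify EAP packets carried in EAPOL frames (802.1X / RFC 3748)."""
import struct

# EAP method type codes (RFC 3748 section 5 and the IANA EAP registry)
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "EAP-MD5", 13: "EAP-TLS",
             17: "EAP-LEAP", 21: "EAP-TTLS", 25: "EAP-PEAP"}
WEAK_TYPES = {"EAP-MD5", "EAP-LEAP"}          # as described in the post
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eapol_eap(frame: bytes) -> dict:
    """Parse one EAPOL EAP-Packet; raise ValueError on malformed input."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:                       # 0 = EAP-Packet; 3 = EAPOL-Key, etc.
        raise ValueError(f"not an EAPOL EAP-Packet (type {eapol_type})")
    body = frame[4:4 + body_len]
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):    # length must cover the EAP header
        raise ValueError("EAP length field inconsistent with body")
    result = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
              "type": None, "identity": None, "weak": False}
    if code in (1, 2) and eap_len >= 5:       # only Request/Response carry a type
        eap_type = body[4]
        name = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        result["type"] = name
        result["weak"] = name in WEAK_TYPES
        if code == 2 and eap_type == 1:       # Identity Response: cleartext username
            result["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return result


def audit(frames) -> list:
    """Return (eap_type, identity) for every frame that uses a weak EAP type."""
    parsed = [parse_eapol_eap(f) for f in frames]
    identities = [p["identity"] for p in parsed if p["identity"]]
    return [(p["type"], identities[0] if identities else None)
            for p in parsed if p["weak"]]


# Constructed sample frames (EAPOL header + EAP packet), not from a real capture.
SAMPLE_IDENTITY = bytes.fromhex("0100000f" "0201000f01") + b"alice@corp"
SAMPLE_PEAP = bytes.fromhex("01000006" "010200061920")    # PEAP Request, Start flag
SAMPLE_LEAP = bytes.fromhex("01000005" "0103000511")      # LEAP Request, header only

if __name__ == "__main__":
    for f in (SAMPLE_IDENTITY, SAMPLE_PEAP, SAMPLE_LEAP):
        print(parse_eapol_eap(f))
    print("weak findings:", audit([SAMPLE_IDENTITY, SAMPLE_PEAP, SAMPLE_LEAP]))
```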