Extracting a CA Certificate from an Enterprise WiFi (EAP) Network
I have a work network which is an EAP enterprise WiFi network using PEAP and MSCHAPv2. I unfortunately don't have the CA certificate for the network, which presumably makes it trivial to harvest my credentials by spoofing the network.
Is there a way for me to fetch the CA presented by the WiFi network so I can set it as the CA certificate to prevent spoofing?
EDIT: According to Wikipedia on PEAP, the WiFi server uses a CA for signing its server-side certificate for trust:
A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of MS-CHAPv2 handshakes.[9]
I need to get this CA certificate somehow from the server, as I'm sure it issues a certificate chain with the server public key certificate and the CA public key certificate. Presently it is configured without a CA certificate, allowing arbitrary spoofing:
wifi ssl wpa2-eap
1
Which certificate? You are talking about PEAP, not TTLS
– Rui F Ribeiro
Feb 8 at 19:07
Please see my edits above. According to Wikipedia on PEAP, server-side certificates are still used and they're signed by a common CA. I'd like to get that CA certificate somehow so I can make sure I'm not a victim of spoofing.
– Naftuli Kay
Feb 8 at 19:24
Are you sure the server uses a certificate signed by a common CA? It is not uncommon to use self-signed certificates (the presented certificate is the CA certificate in this case only).
– Hermann
Feb 8 at 19:30
Is there a way for me to determine this from a client perspective?
– Naftuli Kay
Feb 8 at 20:49
Rather than searching for a way to get the CA certificate, look for a way to get the server's certificate. If you inspect the server's certificate it should state who (which CA if any) signed it.
– Philip Couling
Feb 8 at 22:32
edited Feb 8 at 19:23 by Naftuli Kay
asked Feb 8 at 18:44 by Naftuli Kay
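Added example (not part of the original question or its comments): following the comments' suggestion to look at the server's certificate first, this parses the CTRL-EVENT-EAP-PEER-CERT events that wpa_supplicant reports during the PEAP TLS handshake (for instance when ca_cert is set to "probe://") and summarises the chain the server presented. The log lines, names and hashes are constructed, and the event line format is an assumption about wpa_supplicant's output.

```python
import re

# Constructed sample input: hashes and names are placeholders, and the line
# format is assumed to match wpa_supplicant's CTRL-EVENT-EAP-PEER-CERT events.
HASH_CA, HASH_LEAF = "ab" * 32, "cd" * 32
SAMPLE_LOG = "\n".join([
    "wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started",
    f"wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Example Corp Issuing CA' hash={HASH_CA}",
    f"wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.corp.example' hash={HASH_LEAF}",
    "wlan0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:radius.corp.example",
])

PEER_CERT = re.compile(
    r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='(.*?)'(?: hash=([0-9a-fA-F]{64}))?"
)

def parse_peer_certs(log):
    """Return {depth: (subject, sha256_hex_or_None)}; the last event per depth wins."""
    chain = {}
    for line in log.splitlines():
        m = PEER_CERT.search(line)
        if m:
            chain[int(m.group(1))] = (m.group(2), m.group(3) and m.group(3).lower())
    return chain

def describe_chain(chain):
    """Summarise what the server presented and how the client could anchor trust."""
    if 0 not in chain:
        raise ValueError("no depth=0 (server) certificate event found")
    top = max(chain)
    leaf_subject, leaf_hash = chain[0]
    return {
        "server_subject": leaf_subject,
        "top_of_chain_subject": chain[top][0],
        # With only depth=0 the server sent a lone certificate: it may be
        # self-signed or its issuer was not sent; the certificate's Issuer
        # field has to be inspected to tell which.
        "leaf_only": top == 0,
        # Pinning form accepted by wpa_supplicant's ca_cert option.
        "server_pin": f"hash://server/sha256/{leaf_hash}" if leaf_hash else None,
    }

if __name__ == "__main__":
    for key, value in describe_chain(parse_peer_certs(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A subject or hash learned this way is only as trustworthy as the network it was captured from, so it should be compared with what the network's administrators publish before it is pinned.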