Extracting a CA Certificate from an Enterprise WiFi (EAP) Network

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















I have a work network which is an EAP enterprise WiFi network using PEAP and MSCHAPv2. I unfortunately don't have the CA certificate for the network, which presumably makes it trivial to harvest my credentials by spoofing the network.



Is there a way for me to fetch the CA presented by the WiFi network so I can set it as the CA certificate to prevent spoofing?




EDIT: According to Wikipedia on PEAP, the WiFi server uses a CA for signing its server-side certificate for trust:




A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of MS-CHAPv2 handshakes.[9]




I need to get this CA certificate somehow from the server, as I'm sure it issues a certificate chain with the server public key certificate and the CA public key certificate. Presently it is configured without a CA certificate, allowing arbitrary spoofing:



enter image description here










share|improve this question



















  • 1





    Which certificate? You are talking about PEAP, not ttls

    – Rui F Ribeiro
    Feb 8 at 19:07












  • Please see my edits above. According to Wikipedia on PEAP, server-side certificates are still used and they're signed by a common CA. I'd like to get that CA certificate somehow so I can make sure I'm not victim to spoofing.

    – Naftuli Kay
    Feb 8 at 19:24











  • Are you sure the server uses a certificate signed by a common CA? It is not uncommon to use self-signed certificates (the presented certificate is the CA certificate in this case only).

    – Hermann
    Feb 8 at 19:30











  • Is there a way for me to determine this from a client perspective?

    – Naftuli Kay
    Feb 8 at 20:49











  • Rather than searching for a way to get the CA certificate, look for a way to get the server's certificate. If you inspect the server's certificate it should state who (which CA if any) signed it.

    – Philip Couling
    Feb 8 at 22:32















0















I have a work network which is an EAP enterprise WiFi network using PEAP and MSCHAPv2. I unfortunately don't have the CA certificate for the network, which presumably makes it trivial to harvest my credentials by spoofing the network.



Is there a way for me to fetch the CA presented by the WiFi network so I can set it as the CA certificate to prevent spoofing?




EDIT: According to Wikipedia on PEAP, the WiFi server uses a CA for signing its server-side certificate for trust:




A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of MS-CHAPv2 handshakes.[9]




I need to get this CA certificate somehow from the server, as I'm sure it issues a certificate chain with the server public key certificate and the CA public key certificate. Presently it is configured without a CA certificate, allowing arbitrary spoofing:



enter image description here










share|improve this question



















  • 1





    Which certificate? You are talking about PEAP, not ttls

    – Rui F Ribeiro
    Feb 8 at 19:07












  • Please see my edits above. According to Wikipedia on PEAP, server-side certificates are still used and they're signed by a common CA. I'd like to get that CA certificate somehow so I can make sure I'm not victim to spoofing.

    – Naftuli Kay
    Feb 8 at 19:24











  • Are you sure the server uses a certificate signed by a common CA? It is not uncommon to use self-signed certificates (the presented certificate is the CA certificate in this case only).

    – Hermann
    Feb 8 at 19:30











  • Is there a way for me to determine this from a client perspective?

    – Naftuli Kay
    Feb 8 at 20:49











  • Rather than searching for a way to get the CA certificate, look for a way to get the server's certificate. If you inspect the server's certificate it should state who (which CA if any) signed it.

    – Philip Couling
    Feb 8 at 22:32













0












0








0


1






I have a work network which is an EAP enterprise WiFi network using PEAP and MSCHAPv2. I unfortunately don't have the CA certificate for the network, which presumably makes it trivial to harvest my credentials by spoofing the network.



Is there a way for me to fetch the CA presented by the WiFi network so I can set it as the CA certificate to prevent spoofing?




EDIT: According to Wikipedia on PEAP, the WiFi server uses a CA for signing its server-side certificate for trust:




A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of MS-CHAPv2 handshakes.[9]




I need to get this CA certificate somehow from the server, as I'm sure it issues a certificate chain with the server public key certificate and the CA public key certificate. Presently it is configured without a CA certificate, allowing arbitrary spoofing:



enter image description here










share|improve this question
















I have a work network which is an EAP enterprise WiFi network using PEAP and MSCHAPv2. I unfortunately don't have the CA certificate for the network, which presumably makes it trivial to harvest my credentials by spoofing the network.



Is there a way for me to fetch the CA presented by the WiFi network so I can set it as the CA certificate to prevent spoofing?




EDIT: According to Wikipedia on PEAP, the WiFi server uses a CA for signing its server-side certificate for trust:




A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of MS-CHAPv2 handshakes.[9]




I need to get this CA certificate somehow from the server, as I'm sure it issues a certificate chain with the server public key certificate and the CA public key certificate. Presently it is configured without a CA certificate, allowing arbitrary spoofing:



enter image description here







wifi ssl wpa2-eap






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 8 at 19:23







Naftuli Kay

















asked Feb 8 at 18:44









Naftuli KayNaftuli Kay

12.5k56159256




12.5k56159256







  • 1





    Which certificate? You are talking about PEAP, not ttls

    – Rui F Ribeiro
    Feb 8 at 19:07












  • Please see my edits above. According to Wikipedia on PEAP, server-side certificates are still used and they're signed by a common CA. I'd like to get that CA certificate somehow so I can make sure I'm not victim to spoofing.

    – Naftuli Kay
    Feb 8 at 19:24











  • Are you sure the server uses a certificate signed by a common CA? It is not uncommon to use self-signed certificates (the presented certificate is the CA certificate in this case only).

    – Hermann
    Feb 8 at 19:30











  • Is there a way for me to determine this from a client perspective?

    – Naftuli Kay
    Feb 8 at 20:49











  • Rather than searching for a way to get the CA certificate, look for a way to get the server's certificate. If you inspect the server's certificate it should state who (which CA if any) signed it.

    – Philip Couling
    Feb 8 at 22:32












  • 1





    Which certificate? You are talking about PEAP, not ttls

    – Rui F Ribeiro
    Feb 8 at 19:07












  • Please see my edits above. According to Wikipedia on PEAP, server-side certificates are still used and they're signed by a common CA. I'd like to get that CA certificate somehow so I can make sure I'm not victim to spoofing.

    – Naftuli Kay
    Feb 8 at 19:24











  • Are you sure the server uses a certificate signed by a common CA? It is not uncommon to use self-signed certificates (the presented certificate is the CA certificate in this case only).

    – Hermann
    Feb 8 at 19:30











  • Is there a way for me to determine this from a client perspective?

    – Naftuli Kay
    Feb 8 at 20:49











  • Rather than searching for a way to get the CA certificate, look for a way to get the server's certificate. If you inspect the server's certificate it should state who (which CA if any) signed it.

    – Philip Couling
    Feb 8 at 22:32







1




1





Which certificate? You are talking about PEAP, not ttls

– Rui F Ribeiro
Feb 8 at 19:07






Which certificate? You are talking about PEAP, not ttls

– Rui F Ribeiro
Feb 8 at 19:07














Please see my edits above. According to Wikipedia on PEAP, server-side certificates are still used and they're signed by a common CA. I'd like to get that CA certificate somehow so I can make sure I'm not victim to spoofing.

– Naftuli Kay
Feb 8 at 19:24





Please see my edits above. According to Wikipedia on PEAP, server-side certificates are still used and they're signed by a common CA. I'd like to get that CA certificate somehow so I can make sure I'm not victim to spoofing.

– Naftuli Kay
Feb 8 at 19:24













Are you sure the server uses a certificate signed by a common CA? It is not uncommon to use self-signed certificates (the presented certificate is the CA certificate in this case only).

– Hermann
Feb 8 at 19:30





Are you sure the server uses a certificate signed by a common CA? It is not uncommon to use self-signed certificates (the presented certificate is the CA certificate in this case only).

– Hermann
Feb 8 at 19:30













Is there a way for me to determine this from a client perspective?

– Naftuli Kay
Feb 8 at 20:49





Is there a way for me to determine this from a client perspective?

– Naftuli Kay
Feb 8 at 20:49













Rather than searching for a way to get the CA certificate, look for a way to get the server's certificate. If you inspect the server's certificate it should state who (which CA if any) signed it.

– Philip Couling
Feb 8 at 22:32





Rather than searching for a way to get the CA certificate, look for a way to get the server's certificate. If you inspect the server's certificate it should state who (which CA if any) signed it.

– Philip Couling
Feb 8 at 22:32










0






active

oldest

votes











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f499528%2fextracting-a-ca-certificate-from-an-enterprise-wifi-eap-network%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f499528%2fextracting-a-ca-certificate-from-an-enterprise-wifi-eap-network%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?