40

My wpa_supplicant.conf looks like this:

network={
  ssid="Some name"
  scan_ssid=1
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="my-user-id"
  password="(clear text password here)"
  ca_cert="/usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt"
  phase2="auth=MSCHAPV2"
}

With this specific combination of WPA-EAP and MSCHAP-v2, is there a way to not include my password in clear in this configuration file?

The ChangeLog seems to claim that this is feasible (since 2005!):

* added support for storing EAP user password as NtPasswordHash instead
  of plaintext password when using MSCHAP or MSCHAPv2 for
  authentication (hash:<16-octet hex value>); added nt_password_hash
  tool for hashing password to generate NtPasswordHash

Some notes:

1. That answer claims that using a hashed password means that the hash becomes the password. This is technically true, but at least the hash is a wifi-only password, which is significant progress over leaking a shared password granting access to multiple services.

Clément

2 Answers

36

Open a terminal and type:

wpa_passphrase YOUR_SSID YOUR_PASSWORD

Sample output:

network={
    ssid="YOUR_SSID"
    #psk="YOUR_PASSWORD"
    psk=6a24edf1592aec4465271b7dcd204601b6e78df3186ce1a62a31f40ae9630702
}

Open the wpa_supplicant.conf file and add the following line:

psk=6a24edf1592aec4465271b7dcd204601b6e78df3186ce1a62a31f40ae9630702

GAD3R
  • 3
    A WPA PSK (which is a hashed combination of SSID and password) is not the same as a NTLM hash/NtPasswordHash (which is a 16-bit MD4 hash of the password only). – Guido Apr 25 '16 at 16:02
  • 7
    The OP asked about WPA-EAP, not WPA-PSK. – Guido Apr 25 '16 at 16:18
  • 3
    Sorry if the post didn't make it clear: this is exactly the solution in the first non-duplicate that I listed. There is no pre-shared key in the configuration that I'm asking about. – Clément Apr 25 '16 at 22:22
  • 3
    this may not be the specific question being asked for, but it helped me solved my problem. Thank you. – daparic May 31 '18 at 00:44
28

You can generate the NtPasswordHash (aka NTLM password hash) yourself as follows:

echo -n plaintext_password_here | iconv -t utf16le | openssl md4

Prefix it with "hash:" in the wpa_supplicant.conf file, i.e.

password=hash:6602f435f01b9173889a8d3b9bdcfd0b

On macOS, the iconv code is UTF-16LE:

echo -n plaintext_password_here | iconv -t UTF-16LE | openssl md4

Note that you don't gain much security. If an attacker finds the file with the hash, then they can trivially join the network (the same way your computer does), so having hashed the password doesn't help at all. If the password is used anywhere else, then the attacker would have to use brute force to find the original password (i.e. try the most likely passwords and calculate their hash until they find a match). Since you can calculate about 1 billion hashes per second on an ordinary PC, that's not a big hurdle, and attackers can easily use precomputed tables since the hash is unsalted. NT is really horrible as a password hashing algorithm.

Dessa Simpson
Guido
  • Thanks! This looks promising, but it's not working for me; looking at the `-d` trace of wpa_supplicant, I get different `EAP-PEAP: Derived Session-Id`, `EAP-PEAP: Decrypted Phase 2 EAP`, `MSCHAPV2: auth_challenge - hexdump(len=16):`, and `MSCHAPV2: password hash - hexdump(len=...)` outputs, and finally two messages saying `EAP-TLV: TLV Result - Failure` and `EAPOL authentication completed - result=FAILURE` – Clément Apr 25 '16 at 23:42
  • Just to clarify: I do get a `MSCHAPV2: password hash - hexdump` line in the failing debug trace, which is encouraging (the non-encrypted one has a `MSCHAPV2: password - hexdump_ascii` line instead), but connection fails – Clément Apr 25 '16 at 23:50
  • 1
    @Clément Just to make sure the right hash is being generated: the above command executed on your system does calculate the same hash as [this online calculator](https://www.browserling.com/tools/ntlm-hash), right? – Guido Apr 26 '16 at 11:45
  • Right, it generates the same hash (except for case: that site prints everything uppercase) – Clément Apr 26 '16 at 15:59
  • How expensive would it be to reverse such a hash? – Alden Oct 16 '17 at 08:44
  • 1
    This doesn't work if the password is longer than 14 characters. – tjohnson Nov 27 '17 at 19:23
  • 1
    @Alden Very cheap. There's no way to go back directly from the hash to the input, but you can try a lot of possible passwords and calculate their hashes until you find the matching one. MD4 is very fast, [1 billion in 2 seconds with a 6-year old GPU](https://thehackernews.com/2012/04/extreme-gpu-bruteforcer-crack-passwords.html). – Gilles 'SO- stop being evil' May 31 '18 at 06:24
  • It seems that openssl on linux has dropped support for old and unsafe hashes. Have a look on how to re-enable deprecated and unsafe hashes here: https://stackoverflow.com/a/72807264/4864088 – Mini Fridge Apr 05 '23 at 14:16