Skip to content

EAP Relay with Sycophant

Michael Kruger edited this page Aug 3, 2020 · 4 revisions

EAP Relay with Sycophant

Table of Contents

[@_cablethief](https://twitter.com/_cablethief) figured out it’s possible to relay inner MSCHAPv2 to get connected to PEAP networks without having to crack the credentials. This attack requires an appropriately configured hostapd-mana and the wpa_sycophant tool.

hostapd-mana

To enable this attack, you need the following config options in your hostapd-mana config:

enable_sycophant=1
sycophant_dir=/tmp/

This will enable sycophant attacks, and store state files used for transferring data between the modified supplicant and hostapd-mana.

Warning
Keep the directory set to /tmp/ for now. The corresponding option is not on the supplicant yet.

wpa_sycophant

Check the wpa_sycophant README for information on running wpa_sycophant.