Pwning WPA Enterprise with Hostapd on Kali Linux

Monday, August 31, 2015

Hey guys, welcome to another WiFi tutorial! Our last WiFi tutorial showed how to manually set up and configure an evil twin using a wireless router, but this time we'll be shifting gears into automating most of that process with hostapd. Hostapd is a powerful tool which allows one to create an access point from an 802.11 card along with a RADIUS server. We'll be using hostapd-wpe, wpe for wireless pwnage edition.

In this tutorial, we'll cover how to properly set up an evil twin using hostapd, troubleshoot common issues and go over some ways you can protect against this attack vector. Before getting started, let's ensure we have what we need: a VM or system running Linux, a wireless card (preferably an Alfa card) and some luck (see clip art above).


PEAP and EAP-TTLS are the most common EAP types on wireless enterprise networks today. Both provide security through a TLS tunnel to ensure credentials can't be eavesdropped on, unlike other EAP types (e.g., EAP-MD5, LEAP). Because of the TLS tunnel involved, an assessor would want to configure an access point with the same SSID as the access point s/he is impersonating (i.e., an evil twin). With similar configurations and a stronger signal one can hopefully lure clients to connect to their access point to obtain some credentials. Note: This won't work if clients on the network have been properly configured to validate certificates, but luckily, network administrators forget to do this more often than not.

Installing and Configuring Hostapd on Kali Linux

1. Let's download any dependencies that might be required using the code snippet below:

2. Now that we have the dependencies installed we need to download hostapd and hostapd-wpe. We also need to compile, apply the patch and create certificates for our access point. I made a small bash script to simplify this process:

3. Next, plug your wireless card into your Kali system. I'm using an Alfa AWUS036NHA. Once this is done, run the following command to see what interface your wireless device is; mine was wlan0:

If you're not seeing your device, run the 'lsusb' command to ensure it is being detected by the operating system and troubleshoot from there. With the interface name in hand, we will make some modifications to Kali's network-manager. We will not allow network-manager to initialize the wireless card automatically because hostapd will need to initialize the device itself. Follow the code below to resolve this:

Optional: If you want to customize the certificates that will be presented, go into the hostapd-wpe/certs directory and modify the files with the .cnf extension. Once you have modified the certificate settings, run the bootstrap script once more to apply the changes.

4. Let's open up the configuration file in hostapd-2.2/hostapd/hostapd-wpe.conf and make some modifications. We will set the interface to the appropriate interface name, comment out the driver line, and set the SSID, hw_mode, channel and WPA version. I've included the changes I made below:

Testing Our Installation

Time to start it up! Go to the hostapd-2.2/hostapd directory and use the following syntax:

Awesome! We have our evil twin running. Let's test it out.

I also went ahead and customized the certificate to trick myself into authenticating since it looks soooo legit.

After I accepted the certificate, we should see hostapd capture the credentials. Let's go check.

Awesome, we caught the creds! After you've captured the credentials, use asleap to crack them. The following syntax can be used, where -C is the challenge, -R is the response and -W is your dictionary file:

That's it! You should now have a great understanding of how to use hostapd to create evil twin access points. Have fun!

Troubleshooting hostapd

Using Kali 2.0+?

G0tmi1k recently posted a great thread in the Kali forums about troubleshooting Aircrack issues on Kali 2.0+. The biggest thing is to ensure one runs "airmon-ng check kill" prior to plugging in your card. For more information, check out the post here:

Hostapd having issues initializing the wireless card?

Ensure that the card is not initialized when plugged into the system. As I previously mentioned, change the network-manager settings to manual mode for the wireless card. Here's the syntax again:

Driver Nightmares?

If you're here, you did not have the luck of the Irish. No worries! Neither did I. To paraphrase Joshua and Johnny, authors of Hacking Exposed Wireless: "The tools you use are only as good as the hardware they are running on, but the best wireless card and chipset in the world are useless if the driver controlling it has no idea how to make it do what you want." I highly recommend that book; it's a great read.

In any case, I had many issues when I first started doing wireless testing. My wireless card was unreliable as it would constantly disconnect from the Kali VM. If you are using a virtual machine, I highly recommend making a snapshot prior to downloading and installing new drivers.

Alright, so let's get started. Find out what driver you need for your card. For example, I turned my card over and saw Atheros AR9271.

Bingo! I needed an Atheros driver, so I went with ath9k_htc, which supports several USB Atheros chipsets. I downloaded my drivers from the following site; they have most of the wireless drivers you would need:

I went ahead and chose the compat-wireless driver. The website should eventually present you with a directory listing containing Linux kernel versions. Use the following command to obtain your kernel version:

Next, you'd want to click on the link with your kernel version and download the file ending in tar.gz. Once it's done downloading, use the following commands to install the new wireless drivers.

Preventing Evil Twin Attacks

Alright! We showed off how this attack is possible, but let's see how to prevent it. First off, if your organization is using anything other than PEAP, EAP-TLS, or EAP-TTLS, switch over to those as soon as possible. PEAP, EAP-TLS, and EAP-TTLS ensure credentials can't be sniffed by transmitting them within an encrypted tunnel (hence the protocol names).

If your organization is already on PEAP, EAP-TLS, or EAP-TTLS, then great! The next step would be to ensure clients are validating certificates. Clients should never be allowed to connect to an access point if certificate validation has failed. To make this happen, an organization would need to run its own certificate authority (CA) or obtain a RADIUS server certificate issued by a known CA (this could be expensive), and every client must be configured to trust only that CA and to check the server's name. Additionally, do not prompt users to authorize new servers or certificate authorities.
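The point made in the PEAP/EAP-TTLS paragraph at the top and again here is that the evil twin only works when a client accepts whatever certificate the RADIUS server presents. The following is an added example, not code from the post or from the hostapd project: a small audit script that parses wpa_supplicant network blocks and flags WPA-EAP networks that either pin no CA (`ca_cert`) or perform no server-name check (`domain_suffix_match`, `domain_match`, `subject_match` or `altsubject_match`). With both settings present, wpa_supplicant aborts the TLS handshake on a mismatch, so the inner MSCHAPv2 exchange that hostapd-wpe captures never happens. The sample configuration, the CA path and the RADIUS server name are constructed for the example.

```python
import re

# Constructed sample wpa_supplicant.conf (not a real deployment).
# Block 1 is the weak configuration the post exploits: no CA pinned, no
# name check, so any server certificate is accepted.
# Block 2 is the hardened form. Block 3 is a PSK network and is ignored.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="HomeWiFi"
    key_mgmt=WPA-PSK
    psk="not-an-enterprise-network"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
TUNNELED_EAP = {"PEAP", "TTLS", "TLS"}
NAME_CHECK_KEYS = ("domain_suffix_match", "domain_match",
                   "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in BLOCK_RE.findall(text):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip().strip('"')
        nets.append(kv)
    return nets


def audit_network(net):
    """List the weaknesses in one network block (empty list = fine)."""
    findings = []
    key_mgmt = net.get("key_mgmt", "").split()
    if not any(m.upper().startswith("WPA-EAP") for m in key_mgmt):
        return findings  # PSK/open networks are out of scope here
    eap = net.get("eap", "").upper()
    if eap not in TUNNELED_EAP:
        findings.append("eap=%s is not a TLS-tunneled method" % (eap or "unset"))
    if "ca_cert" not in net:
        findings.append("no ca_cert: server certificate is not validated "
                        "against a trusted CA, so an impostor AP is accepted")
    if not any(k in net for k in NAME_CHECK_KEYS):
        findings.append("no server-name check: any certificate the CA "
                        "issued would be accepted")
    return findings


def audit_config(text):
    """Return [(ssid, findings), ...] in file order."""
    return [(net.get("ssid", "<no ssid>"), audit_network(net))
            for net in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF):
        status = "OK" if not findings else "WEAK"
        print("%-10s %s" % (ssid, status))
        for f in findings:
            print("    - " + f)
```

Run it against a real /etc/wpa_supplicant/wpa_supplicant.conf by reading the file instead of `SAMPLE_CONF`; the same two checks (trusted CA pinned, server name constrained) are what to look for in the equivalent Windows, macOS and Android supplicant profiles.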

Additional Reading

Hope you guys learned something new! If you have any questions or comments be sure to sound off in the comments below!
