The Evil Twin Attack has been around for some time. In the past, when we’ve run across WPA/2 Enterprise Wireless networks while on assessments, we’d break out a separate router and sit in a parking lot or lunch room waiting for victims to pass. The attack was simple, but the setup was overly complicated and left us tied to a power outlet. Fortunately, all that is in the past. A few months ago, we discovered the hostapd-wpe tool released by OpenSecurityResearch. It is a self-contained replacement for the FreeRADIUS/wireless AP solution.
How the Evil Twin Attack Works
Before going into how to setup the attack, we should briefly cover our objective. The purpose is not to set up a man-in-the-middle attack. Rather, the goal is to trick client devices into authenticating to our fake access point. If the process completes successfully, the end result is a username and hashed password which can be cracked using either asleap or John the Ripper. In order for the attack to work, users must either have configured their devices to accept invalid server certificates or manually accept the Evil Twin’s invalid certificate. Previously, this could only be accomplished using a physical access point which limits the application to scenarios involving power plugs. Fortunately, hostapd-wpe allows you to execute the attack from a standalone system making it significantly more useful.
Hostapd-wpe currently supports the following impersonation options for attacking EAP:
1. EAP-FAST/MSCHAPv2 (Phase 0)
Setting Up Hostapd-wpe
The following steps have been adapted from OpenSecurityResearch’s hostapd-wpe Github page.
1. Clone OpenSecurityResearch’s repository:
2. Make sure to install a pair of misc dependencies as well.
apt-get install libssl-dev libnl-dev
Note for Kali 2 users:
The required libnl1 and libnl-dev packages are not in the repositories for Kali 2 as a result of the new version of Debian it is based on. You will need to download and install the packages manually.
64-bit Kali 2:
sudo dpkg -i libnl1_1.1-7_amd64.deb
sudo dpkg -i libnl-dev_1.1-7_amd64.deb
32-bit Kali 2:
sudo dpkg -i libnl1_1.1-7_i386.deb
sudo dpkg -i libnl-dev_1.1-7_i386.deb
If you need to download these packages for other architectures or want to use a different mirror, use the following links:
3. Download and apply the hostapd-wpe patch:
tar -zxf hostapd-2.2.tar.gz
patch -p1 < ../hostapd-wpe/hostapd-wpe.patch
4. OpenSecurityResearch copied the necessary certificates and scripts from FreeRADIUS in order to minimize the pain in transitioning to the new tool:
5. In order to run hostapd, simply point it at the appropriate configuration file. Be sure to edit the file before you use it!
sudo ./hostapd-wpe hostapd-wpe.conf
Edit the Config File
There are a few important lines to edit in hostapd-wpe.conf before the tool will work correctly. First, make sure the appropriate interface is listed and comment out the wired driver line. No need for monitor mode or anything fancy with this tool. Uncomment the ssid, hw_mode, and channel lines and set ssid and channel to the appropriate, spoofed values. Leave the hw_mode line alone. Save your finished config and you should be ready to go.
I’ve run into a few hardware compatibility issues with various alpha cards. I’ve had the most success with the AWUS036NH.
Use the following commands to deal with the pesky “hostapd error “nl80211: Could not configure driver mode” issue if hostapd-wpe throws a fit.
sudo nmcli nm wifi off
sudo rfkill unblock wlan
airmon-ng check kill
If the problem persists, try a new card.
Success and Capture
While hostapd-wpe is running, keep an eye on the console output for username/challenge/response combinations. Alternatively, you can tail the log file in the same directory. In both cases, the output will resemble the following:
The challenge and response can be fed to Asleap for speedy, wordlist-based cracking. Additionally, MSCHAPv2 creds are also output in the NetNTLM format which can be used with John the Ripper.
asleap -C ac:57:6b:4a:27:99:9c:51 -R 2e:01:41:5c:g6:76:0b:dc:25:3a:0e:96:a8:fb:f1:fd:a2:14:8a:02:10:02:6c:ff -W <Dictionary_File>
asleap 2.2 – actively recover LEAP/PPTP passwords. <email@example.com>
hash bytes: b1cd
NT hash: a4f49c406510bdcab6824ee7c30fd852
If all goes well, you’ll be rewarded with the captured user’s plaintext password.
Now that you have hostapd-wpe up and running and clients connecting, why not explore some methods for connecting them to the internet and man-in-the-middling their traffic? Check out our related post here.