
Wireless Pwnage Edition

What does this do and how does it work?

This setup makes use of Hostapd-WPE (Wireless Pwnage Edition), a modified version of the standard hostapd (host access point daemon). It sets up a rogue access point that mimics legitimate Wi-Fi networks, tricking clients into connecting so that their authentication attempts can be captured.

Modern wireless clients (laptops, smartphones, tablets) try to maintain seamless connectivity by continuously probing for the Wi-Fi networks in their saved list. This behaviour lets them connect automatically, without user intervention, whenever a familiar network is in range. Combined with a tool like Hostapd-WPE, it makes clients in range attempt a connection, and the attempted handshake can be recorded even though the authentication itself fails.

When a device is not connected to Wi-Fi, it will periodically send probe requests asking if any of its previously connected networks are available.

Hostapd-WPE can be configured to answer every probe request, whatever SSID it asks for, with an "available" response, effectively making the client think the requested SSID is in range.

Many clients, depending on their security settings, will automatically attempt to connect to the AP, believing it to be the legitimate network.

The captured authentication attempts can then be used for offline password cracking.

As a prerequisite, the host running this setup needs two Wi-Fi network cards. One runs Hostapd-WPE and must support AP mode. The other monitors the connection attempts and records the authentication handshakes, which requires monitor mode. The modes supported by a Wi-Fi chipset can be checked with the command "iw list".

The script "mon" puts one of the network cards into monitor mode and records all captured traffic in a pcap file, which can then be used for cracking the credentials.

The script "wpe" launches Hostapd-WPE in karma mode, making use of the client behaviour explained above.
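The karma behaviour described above also gives defenders something to look for: a legitimate AP answers probe requests only for the SSID(s) it serves, whereas a karma-mode AP answers all of them, so one BSSID is seen sending probe responses for many unrelated SSIDs. The following detector is an added example, not part of the mon or wpe scripts; it assumes probe responses have been exported from a monitor-mode pcap as "bssid,ssid,client" lines (for instance with tshark), and the sample lines are constructed.

```python
"""Karma-mode rogue AP detector (added example, not part of the mon/wpe scripts).

Input: probe-response records as "bssid,ssid,client" lines (assumed export
format, e.g. from tshark run over the pcap written by "mon").  Output: BSSIDs
that advertised an unusually large number of distinct SSIDs.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: aa:... serves one SSID, cc:... claims to be every
# network the nearby clients probe for (karma behaviour).
SAMPLE_LINES = """\
aa:bb:cc:00:00:01,HomeNet,11:11:11:00:00:01
aa:bb:cc:00:00:01,HomeNet,11:11:11:00:00:02
cc:dd:ee:00:00:09,HomeNet,11:11:11:00:00:01
cc:dd:ee:00:00:09,CoffeeShop,11:11:11:00:00:02
cc:dd:ee:00:00:09,AirportFree,11:11:11:00:00:03
cc:dd:ee:00:00:09,Office-Guest,11:11:11:00:00:04
cc:dd:ee:00:00:09,HomeNet,11:11:11:00:00:05
"""


def parse_probe_responses(text):
    """Yield (bssid, ssid, client) tuples; blank and malformed lines are skipped."""
    for row in csv.reader(StringIO(text)):
        if len(row) != 3:
            continue
        bssid, ssid, client = (field.strip() for field in row)
        if bssid and ssid:
            yield bssid.lower(), ssid, client.lower()


def ssids_per_bssid(records):
    """Map each responding BSSID to the set of SSIDs it advertised."""
    seen = defaultdict(set)
    for bssid, ssid, _client in records:
        seen[bssid].add(ssid)
    return seen


def karma_suspects(text, threshold=3):
    """Return {bssid: sorted SSIDs} for BSSIDs that answered probes for at least
    `threshold` distinct SSIDs.  Multi-SSID APs legitimately advertise a few
    names, so tune the threshold against a baseline of known infrastructure."""
    counts = ssids_per_bssid(parse_probe_responses(text))
    return {b: sorted(s) for b, s in counts.items() if len(s) >= threshold}


if __name__ == "__main__":
    for bssid, ssids in karma_suspects(SAMPLE_LINES).items():
        print(f"suspect {bssid}: answered probes for {', '.join(ssids)}")
```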

Processing a capture file

When monitoring Wi-Fi connections, the captured data is saved to a pcap file numbered by run, so the first run produces "wpa-01.cap".

Various tools can be used to process the captured data, usually together with a wordlist; depending on the host system, wordlists are available in the directory /usr/share/wordlists.

Examples:

aircrack-ng with a simple wordlist:

aircrack-ng -w /usr/share/wordlists/wifite.txt wpa-01.cap

Convert the capture for use with John the Ripper:

aircrack-ng wpa-01.cap -J wpa &&
hccap2john wpa.hccap > wpa.john &&
john -w=/usr/share/wordlists/john.lst -form=wpapsk wpa.john

Convert the capture for use with Hashcat (hcxpcapngtool -o writes the hashcat 22000 hash-line format, so the .hccapx extension below is only a file name):

sudo apt -y install hcxtools &&
hcxpcapngtool -o wpa.hccapx wpa-01.cap &&
hashcat -m 22000 -a 0 wpa.hccapx \
/usr/share/wordlists/rockyou.txt.gz
License: 0BSD
Languages: Shell 100%