Update README.md
parent eb167b2201
commit cbb8ca29d6
46 README.md
@ -4,49 +4,55 @@
|
||||
|
||||
This setup makes use of Hostapd-WPE (Wireless Pwnage Edition) which is a modified
|
||||
version of the standard hostapd (Host Access Point Daemon) tool.
|
||||
It enables setting up a rogue access point that mimics legitimate Wi-Fi networks,
|
||||
tricking clients into connecting and capturing their authentication credentials.
|
||||
It allows to set up a rogue access point which mimics legitimate Wi-Fi networks,
|
||||
tricking clients into connecting with it and allows to capture their
|
||||
authentication credentials which are sent within the clients connection attempt.
|
||||
|
||||
Modern wireless clients (laptops, smartphones, tablets) attempt to maintain
|
||||
seamless connectivity by continuously probing for known Wi-Fi networks in their
|
||||
saved list. This behavior allows them to automatically connect when a familiar
|
||||
network is in range, without user intervention.
|
||||
In combination with a tool like Hostapd-WPE this allows to make clients in range
|
||||
connect, even if the authentication fails, and to monitor the attempted handshake.
|
||||
|
||||
saved list.
|
||||
When a device is not connected to Wi-Fi, it will periodically send probe requests
|
||||
asking if any of its previously connected networks are available.
|
||||
This behavior allows them to automatically connect when a familiar network is in
|
||||
range, without user intervention.
|
||||
In combination with a tool like Hostapd-WPE this allows to cause clients in range
|
||||
to connect and even when the authentication fails from the clients view, it still
|
||||
allows to monitor the attempted handshake and obtain the contained authentication
|
||||
credentials.
|
||||
|
||||
Hostapd-WPE can be configured to respond to all probe requests with an "available"
|
||||
response, effectively making the client think the requested SSID is in range.
|
||||
This works as hostapd-WPE can be configured to respond to all probe requests with
|
||||
an "available" response, effectively making the client think the requested SSID
|
||||
is in range.
|
||||
|
||||
Many clients, depending on their security settings, will automatically attempt
|
||||
to connect to the AP, believing it to be the legitimate network.
|
||||
|
||||
The captured authentication attempts can then be used for offline password cracking.
|
||||
|
||||
As prerequisite the host which is used to run this setup needs two Wi-Fi network
|
||||
cards.
|
||||
Note: This method only works on clients which use a lower version than WPA3 as
|
||||
encryption protocol, like WPA2 or WPA.
|
||||
|
||||
As prerequisite the host which is used to run the scripts needs two Wi-Fi network cards.
|
||||
One is used to run Hostapd-WPE and needs to support AP mode.
|
||||
The other is used to monitor the connection attempts and recording the authentication
|
||||
The other is used to monitor the connection attempts and to record the authentication
|
||||
handshakes, requiring monitor mode.
|
||||
The supported modes for a Wi-Fi network card chipset can be checked with the
|
||||
command "iw list".
|
||||
|
||||
The script "mon" is used to launch the monitoring mode with one of the network
|
||||
cards, recording all captured connections in a pcap file which can then be used
|
||||
for cracking the credentials.
|
||||
|
||||
The script "wpe" launches Hostapd-WPE in karma mode, making use of the client
|
||||
behaviour explained above.
|
||||
|
||||
The script "mon" is used to launch the monitoring mode with one of the network
|
||||
cards, recording all captured connections in a pcap file which can then be used
|
||||
for extracting the credentials.
|
||||
|
||||
## Usage
|
||||
|
||||
The script **wpe** is used to start the imitating AP on one interface.
|
||||
The interface needs to be set as option.
|
||||
|
||||
```sh
|
||||
./wpe -i wlan0
|
||||
sudo ./wpe -i wlan0
|
||||
```
|
||||
|
||||
The script **mon** can then be started simultaniously while the wpe script is still running.
|
||||
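Review bot: the rewritten opening paragraph is ungrammatical and now says the same thing twice; "It allows to set up a rogue access point which mimics legitimate Wi-Fi networks, tricking clients into connecting with it and allows to capture their authentication credentials which are sent within the clients connection attempt" should read "It makes it possible to set up a rogue access point that mimics legitimate Wi-Fi networks, tricking clients into connecting to it, and to capture the authentication credentials sent during the client's connection attempt". The same "allows to" construction recurs in "this allows to cause clients in range to connect and even when the authentication fails from the clients view, it still allows to monitor the attempted handshake". The added WPA3 note is the most useful change for readers assessing exposure, so "Many clients, depending on their security settings, will automatically attempt to connect" should name the client setting it refers to, since that is the precondition a reader needs to evaluate. Two smaller points: "simultaniously" in the trailing context line is a typo (simultaneously), and the new "sudo ./wpe -i wlan0" form deserves one sentence saying why root is required.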
@ -54,7 +60,7 @@ It captures connection attempts and writes them to a capture file.
|
||||
An interface needs to be given as option and it needs to be a different interface used for the wpe script.
|
||||
|
||||
```sh
|
||||
./mon -i wlan1
|
||||
sudo ./mon -i wlan1
|
||||
```
|
||||
|
||||
Both scripts need the configuration file **hostapd-wpe.conf** either in the same directory or the default in /etc/hostapd-wpe/.
|
||||
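Review bot: "it needs to be a different interface used for the wpe script" reads as if the interface were the same one wpe uses; reword as "it must be a different interface from the one used for the wpe script". Since both usage examples now carry sudo (the hunk replaces "./mon -i wlan1" with "sudo ./mon -i wlan1"), the sentence "An interface needs to be given as option" should also state that the script runs as root, so the requirement is visible in prose and not only in the example.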
@ -64,8 +70,8 @@ Both scripts need the configuration file **hostapd-wpe.conf** either in the same
|
||||
When monitoring Wi-Fi connections the resulting captured data is saved to a pcap
|
||||
file, numbered by the times the tool was run, so for the first run "wpa-01.cap".
|
||||
|
||||
Various tools can be used to process the captured data, also making use of
|
||||
various wordlists which, depending on the host system, are available in the
|
||||
Various tools can be used to process the captured data, optionally making use of
|
||||
various wordlists which, depending on the host system, available in the
|
||||
directory /usr/share/wordlists.
|
||||
|
||||
Examples:
|
||||
|
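Review bot: the replacement line drops the verb; "various wordlists which, depending on the host system, available in the directory /usr/share/wordlists" should read "which, depending on the host system, are available in the directory /usr/share/wordlists". Changing "also making use of" to "optionally making use of" is an improvement. The "Examples:" line that closes the hunk has no content visible in this view; confirm the list that follows still refers to the capture file name "wpa-01.cap" used in the paragraph above.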