tux/wpe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
tux 2025-09-11 11:23:46 +02:00
parent eb167b2201
commit cbb8ca29d6
1 changed files with 26 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
README.md
View File

@ -4,49 +4,55 @@
This setup makes use of Hostapd-WPE (Wireless Pwnage Edition) which is a modified This setup makes use of Hostapd-WPE (Wireless Pwnage Edition) which is a modified
version of the standard hostapd (Host Access Point Daemon) tool. version of the standard hostapd (Host Access Point Daemon) tool.
It enables setting up a rogue access point that mimics legitimate Wi-Fi networks, It allows to set up a rogue access point which mimics legitimate Wi-Fi networks,
tricking clients into connecting and capturing their authentication credentials. tricking clients into connecting with it and allows to capture their
authentication credentials which are sent within the clients connection attempt.
Modern wireless clients (laptops, smartphones, tablets) attempt to maintain Modern wireless clients (laptops, smartphones, tablets) attempt to maintain
seamless connectivity by continuously probing for known Wi-Fi networks in their seamless connectivity by continuously probing for known Wi-Fi networks in their
saved list. This behavior allows them to automatically connect when a familiar saved list.
network is in range, without user intervention.
In combination with a tool like Hostapd-WPE this allows to make clients in range
connect, even if the authentication fails, and to monitor the attempted handshake.
When a device is not connected to Wi-Fi, it will periodically send probe requests When a device is not connected to Wi-Fi, it will periodically send probe requests
asking if any of its previously connected networks are available. asking if any of its previously connected networks are available.
This behavior allows them to automatically connect when a familiar network is in
range, without user intervention.
In combination with a tool like Hostapd-WPE this allows to cause clients in range
to connect and even when the authentication fails from the clients view, it still
allows to monitor the attempted handshake and obtain the contained authentication
credentials.
Hostapd-WPE can be configured to respond to all probe requests with an "available" This works as hostapd-WPE can be configured to respond to all probe requests with
response, effectively making the client think the requested SSID is in range. an "available" response, effectively making the client think the requested SSID
is in range.
Many clients, depending on their security settings, will automatically attempt Many clients, depending on their security settings, will automatically attempt
to connect to the AP, believing it to be the legitimate network. to connect to the AP, believing it to be the legitimate network.
The captured authentication attempts can then be used for offline password cracking. The captured authentication attempts can then be used for offline password cracking.
As prerequisite the host which is used to run this setup needs two Wi-Fi network Note: This method only works on clients which use a lower version than WPA3 as
cards. encryption protocol, like WPA2 or WPA.
As prerequisite the host which is used to run the scripts needs two Wi-Fi network cards.
One is used to run Hostapd-WPE and needs to support AP mode. One is used to run Hostapd-WPE and needs to support AP mode.
The other is used to monitor the connection attempts and recording the authentication The other is used to monitor the connection attempts and to record the authentication
handshakes, requiring monitor mode. handshakes, requiring monitor mode.
The supported modes for a Wi-Fi network card chipset can be checked with the The supported modes for a Wi-Fi network card chipset can be checked with the
command "iw list". command "iw list".
The script "mon" is used to launch the monitoring mode with one of the network
cards, recording all captured connections in a pcap file which can then be used
for cracking the credentials.
The script "wpe" launches Hostapd-WPE in karma mode, making use of the client The script "wpe" launches Hostapd-WPE in karma mode, making use of the client
behaviour explained above. behaviour explained above.
The script "mon" is used to launch the monitoring mode with one of the network
cards, recording all captured connections in a pcap file which can then be used
for extracting the credentials.
## Usage ## Usage
The script **wpe** is used to start the imitating AP on one interface. The script **wpe** is used to start the imitating AP on one interface.
The interface needs to be set as option. The interface needs to be set as option.
```sh ```sh
./wpe -i wlan0 sudo ./wpe -i wlan0
``` ```
The script **mon** can then be started simultaniously while the wpe script is still running. The script **mon** can then be started simultaniously while the wpe script is still running.
@ -54,7 +60,7 @@ It captures connection attempts and writes them to a capture file.
An interface needs to be given as option and it needs to be a different interface used for the wpe script. An interface needs to be given as option and it needs to be a different interface used for the wpe script.
```sh ```sh
./mon -i wlan1 sudo ./mon -i wlan1
``` ```
Both scripts need the configuration file **hostapd-wpe.conf** either in the same directory or the default in /etc/hostapd-wpe/. Both scripts need the configuration file **hostapd-wpe.conf** either in the same directory or the default in /etc/hostapd-wpe/.
@ -64,8 +70,8 @@ Both scripts need the configuration file **hostapd-wpe.conf** either in the same
When monitoring Wi-Fi connections the resulting captured data is saved to a pcap When monitoring Wi-Fi connections the resulting captured data is saved to a pcap
file, numbered by the times the tool was run, so for the first run "wpa-01.cap". file, numbered by the times the tool was run, so for the first run "wpa-01.cap".
Various tools can be used to process the captured data, also making use of Various tools can be used to process the captured data, optionally making use of
various wordlists which, depending on the host system, are available in the various wordlists which, depending on the host system, available in the
directory /usr/share/wordlists. directory /usr/share/wordlists.
Examples: Examples: