Robust Security Network, which includes something called PMKID. Since the PMK is the same one obtained from a full 4-way handshake, this is all hashcat needs in order to crack the PSK and recover the passphrase!
Description obtained from here.

hcxdumptool also captures handshakes (something like this will appear: MP:M1M2 RC:63258 EAPOLTIME:17091). You could transform the handshakes to hashcat/john format using cap2hccapx.
If airodump-ng shows some handshake information, this means that the handshake was captured and you can stop listening: aircrack-ng
:airodump-ng
something like this:airodump-ng
inside a channel and wireshark in the same interface) and filter the packets by eapol.
Inside the "Response, Identity" packet, the username of the client will appear.

In this example, all users will share the pseudo-user-name "anonymous". The first hop RADIUS server is an EAP-PEAP or EAP-TTLS server which drives the server end of the PEAP or TTLS protocol. The inner (protected) authentication type will then be either handled locally or proxied to a remote (home) RADIUS server.

In this example, users belonging to different realms hide their own identity but indicate which realm they belong to, so that the first hop RADIUS server may proxy the EAP-PEAP or EAP-TTLS requests to RADIUS servers in their home realms, which will act as the PEAP or TTLS server. The first hop server acts purely as a RADIUS relay node.

Alternatively, the first hop server may act as the EAP-PEAP or EAP-TTLS server and either process the protected authentication method or proxy it to another server. This option may be used to configure different policies for different realms.
eaphammer

ifconfig -a: check that the wlan interface to create the AP and the interface connected to the Internet are present.

Options: 5,6,7,8,9 (inside Evil Twin attack menu).
hostapd-wpe needs a configuration file to work. To automate the generation of these configurations you could use https://github.com/WJDigby/apd_launchpad (download the python file inside /etc/hostapd-wpe/).

--negotiate gtc-downgrade to use the highly efficient GTC downgrade implementation (plaintext passwords).

--negotiate manual --phase-1-methods PEAP,TTLS --phase-2-methods MSCHAPV2,GTC,TTLS-PAP to specify manually the methods offered (offering the same auth methods in the same order as the organisation, the attack will be much more difficult to detect).

Airgeddon can use previously generated certificates to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5, so it will be able to capture the user and the MD5 of the password. Later, the attacker can try to crack the password.
Airgeddon offers you the possibility of a continuous Evil Twin attack (noisy) or only creating the Evil Twin until someone connects (smooth).

dh_file=/etc/hostapd-wpe/certs/dh to #dh_file=/etc/hostapd-wpe/certs/dh)
This will make hostapd-wpe exchange keys using RSA instead of DH, so you will be able to decrypt the traffic later knowing the server's private key.

hostapd-wpe with that modified configuration as usual. Also, start wireshark in the interface which is performing the Evil Twin attack.

Edit --> Preferences --> Protocols --> TLS --> (RSA keys list) Edit...
--loud to create a Loud MANA + Known beacons attack):

airbase-ng -c 6 -e DIRECT-5x-BRAVIA -a BB:BB:BB:BB:BB:BB mon0