Evil Twin EAP-TLS

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

At some point I needed to use the proposed solution by the post bellow but the steps in https://github.com/OpenSecurityResearch/hostapd-wpe wasn't working in modern kali (2019v3) anymore. Anyway, it's easy to make them work. You only need to download the hostapd-2.6 from here: https://w1.fi/releases/ and before compiling again hostapd-wpe install: apt-get install libssl1.0-dev

Analyzing and Exploiting EAP-TLS in Wireless Networks

Background: EAP-TLS in Wireless Networks

EAP-TLS is a security protocol providing mutual authentication between client and server using certificates. The connection is only established if both the client and the server authenticate each other's certificates.

Challenge Encountered

During an assessment, an interesting error was encountered when using the hostapd-wpe tool. The tool rejected the client's connection due to the client's certificate being signed by an unknown Certificate Authority (CA). This indicated that the client did trust the fake server's certificate, pointing to lax security configurations on the client side.

Objective: Setting Up a Man-in-the-Middle (MiTM) Attack

The goal was to modify the tool to accept any client certificate. This would allow the establishment of a connection with the malicious wireless network and enable a MiTM attack, potentially capturing plaintext credentials or other sensitive data.

Solution: Modifying hostapd-wpe

Analysis of the source code of hostapd-wpe revealed that the client certificate validation was controlled by a parameter (verify_peer) in the OpenSSL function SSL_set_verify. By changing this parameter's value from 1 (validate) to 0 (do not validate), the tool was made to accept any client certificate.

Execution of the Attack

  1. Environment Check: Use airodump-ng to monitor wireless networks and identify targets.

  2. Set Up Fake AP: Run the modified hostapd-wpe to create a fake Access Point (AP) mimicking the target network.

  3. Captive Portal Customization: Customize the login page of the captive portal to appear legitimate and familiar to the target user.

  4. De-authentication Attack: Optionally, perform a de-auth attack to disconnect the client from the legitimate network and connect them to the fake AP.

  5. Capturing Credentials: Once the client connects to the fake AP and interacts with the captive portal, their credentials are captured.

Observations from the Attack

  • On Windows machines, the system might automatically connect to the fake AP, presenting the captive portal when web navigation is attempted.

  • On an iPhone, the user might be prompted to accept a new certificate and then presented with the captive portal.


While EAP-TLS is considered secure, its effectiveness heavily depends on the correct configuration and cautious behavior of end-users. Misconfigured devices or unsuspecting users accepting rogue certificates can undermine the security of an EAP-TLS protected network.

For further details check https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/


Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated