Evil Twin EAP-TLS
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!
At some point I needed to use the proposed solution by the post bellow but the steps in https://github.com/OpenSecurityResearch/hostapd-wpe wasn't working in modern kali (2019v3) anymore.
Anyway, it's easy to make them work.
You only need to download the hostapd-2.6 from here: https://w1.fi/releases/ and before compiling again hostapd-wpe install: apt-get install libssl1.0-dev
EAP-TLS is a security protocol providing mutual authentication between client and server using certificates. The connection is only established if both the client and the server authenticate each other's certificates.
During an assessment, an interesting error was encountered when using the hostapd-wpe tool. The tool rejected the client's connection due to the client's certificate being signed by an unknown Certificate Authority (CA). This indicated that the client did trust the fake server's certificate, pointing to lax security configurations on the client side.
The goal was to modify the tool to accept any client certificate. This would allow the establishment of a connection with the malicious wireless network and enable a MiTM attack, potentially capturing plaintext credentials or other sensitive data.
hostapd-wpeAnalysis of the source code of hostapd-wpe revealed that the client certificate validation was controlled by a parameter (verify_peer) in the OpenSSL function SSL_set_verify. By changing this parameter's value from 1 (validate) to 0 (do not validate), the tool was made to accept any client certificate.
Environment Check: Use airodump-ng to monitor wireless networks and identify targets.
Set Up Fake AP: Run the modified hostapd-wpe to create a fake Access Point (AP) mimicking the target network.
Captive Portal Customization: Customize the login page of the captive portal to appear legitimate and familiar to the target user.
De-authentication Attack: Optionally, perform a de-auth attack to disconnect the client from the legitimate network and connect them to the fake AP.
Capturing Credentials: Once the client connects to the fake AP and interacts with the captive portal, their credentials are captured.
On Windows machines, the system might automatically connect to the fake AP, presenting the captive portal when web navigation is attempted.
On an iPhone, the user might be prompted to accept a new certificate and then presented with the captive portal.
While EAP-TLS is considered secure, its effectiveness heavily depends on the correct configuration and cautious behavior of end-users. Misconfigured devices or unsuspecting users accepting rogue certificates can undermine the security of an EAP-TLS protected network.
For further details check https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/
Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
