TRAP


Installation tested on Kali 2020.3

git clone https://github.com/Piosky/TRAP.git
apt update
apt install nginx dnsmasq

(Optional) If you have iptables compatibility issues, choose /usr/sbin/iptables-nft:

update-alternatives --config iptables

For ARM distributions only

mv scripts/hostapd-eaphammer.arm scripts/hostapd-eaphammer

Please note that the hostapd-eaphammer binaries are dynamically linked. You may have to compile your own version of hostapd-eaphammer.

Check the options

python3 trap -h

Configuration files

All the configuration files are stored in the config folder.

802.1x configuration

Certificates

The certificates used for 802.1x authentication are stored in config/1/eap/certs and config/2/eap/certs depending on the instance number specified.

You can create the 802.1x certificates using TRAP.

python3 trap --cert <instance_number>

If you choose to provide your own certificates, please name related files accordingly: ca.pem, server.pem, privkey.pem and dhparam.pem.

Known credentials

If you know valid 802.1x credentials, you can put them in the config/eap/known_creds.txt file. This allows the client to authenticate successfully.

Each line must contain the username and the password separated by a tab.

Captive portal configuration

Captive sites

All web sites that will be spoofed via DNS hijacking are listed in the config/captive_sites.txt file.

Rogue web sites

The web root directory is config/captive_portal/nginx/www. You can configure your own phishing scenario by modifying the website and the nginx configuration accordingly.

SSL configuration

You have to create a folder named according to the domain name.

config/captive_portal/nginx/ssl/<domain_name>

This folder has to contain three files named:

802.1x authentication materials loot file

All gathered 802.1x credentials and hashes are stored in config/<instance_number>/loot_eap.txt.

Usage

For all types of rogue access point, the option --captive-portal or -w enables the captive portal feature and performs phishing attacks based on the user-agent.

Open AP

Create an open rogue access point.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID>

WPA2 PSK AP

Create a WPA2 PSK rogue access point.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> -p <PSK>

802.1x AP

Create an 802.1x rogue access point to steal credentials.

You can perform a GTC downgrade by specifying its mode (full/weakest/balanced) via the option --downgrade.

It uses eaphammer's methodology as described here: http://solstice.sh/wireless/eaphammer/2019/09/10/eap-downgrade-attacks/.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --eap [--downgrade balanced]

Management Frame ACL

The files must contain one BSSID or ESSID per line.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --bssid-whitelist </path/to/bssid_whitelist.txt>
python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --bssid-blacklist </path/to/bssid_blacklist.txt>
python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --ssid-whitelist </path/to/ssid_whitelist.txt>
python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --ssid-blacklist </path/to/ssid_blacklist.txt>

MANA

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -m

Known beacon attack

Known ESSIDs are stored in config/<instance_number>/known_ssid.txt.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <BSSID> --mana --known-beacons

Captive Portal

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> -w

SSL domain

The captive portal option must be set when --ssl is used.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --captive-portal --ssl <domain_name>

Channel bonding

It is possible to enable channel bonding to create 40MHz channels using the option --ht.

Cleaning

It cleans all configuration and loot files, except for the files under the /captive_portal folder.

python3 trap --clean

Specifications when using two instances of TRAP

The first instance decides whether the captive portal is enabled or not.