Overview
wpa_sycophant exploits a fundamental weakness in MSCHAPv2: the challenge and response can be relayed. When a victim connects to a rogue AP (run by berate_ap), wpa_sycophant forwards the AP’s challenge to the victim and relays their response to the real AP, authenticating as the victim without cracking the password. Works when the victim does not validate the server certificate.Install
Usage
Config File
bssid_blacklist must be set to the rogue AP’s MAC to prevent wpa_sycophant from connecting back to itself.
If the relay fails, try: