eaphammer: evil twin attacks against WPA2-Enterprise networks
EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, the focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here’s an example of how to set up and execute a credential-stealing evil twin attack against a WPA2-TTLS network in just two commands:
- Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
- Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
- Perform captive portal attacks
- Built-in Responder integration
- Support for Open networks and WPA-EAP/WPA2-EAP
- No manual configuration necessary for most attacks.
- No manual configuration necessary for installation and setup process
- Leverages latest version of hostapd (2.6)
- Support for evil twin and karma attacks
- Generate timed Powershell payloads for indirect wireless pivots
- Integrated HTTP server for Hostile Portal attacks
- Support for SSID cloaking
EAPHammer now supports attacks against 802.11a and 802.11n networks. This includes the ability to create access points that support the following features:
- Both 2.4 GHz and 5 GHz channel support
- Full MIMO support (multiple inputs, multiple output)
- Frame aggregation
- Support for 40 MHz channel widths using channel bonding
- High Throughput Mode
- Short Guard Interval (Short GI)
- Modulation & coding scheme (MCS)
- HT power management
- Fixed an issue where iptables rules were being saved unnecessarily on startup
- Updated CLI
- Enhancement: granular configuration and AP management options
- New feature: manually specify a config file
- New feature: save config files
- Enhancement: multiple instances of eaphammer can now be run concurrently
- New feature: Added 802.11a and 5GHz support
- New feature: Afeatureof-the-box support for 802.11n
- Temporary files are now written to tmp dir
- Removed the web_delivery server since it’s not currently being used.
- Hostapd is no longer started as a daemon process and controlled by core.services. Instead, it is loaded as a library within eaphammer and run in a separate thread (rather than its own child process).
- Hostapd itself has been modified to ignore BSS conflicts when operating in 802.11n mode, which is necessary in order to successfully perform evil twin attacks in 802.11n mode (patch heavily derived from Mike Kazantsev’s version (github.com/mk-fg)). Future versions will make this a feature that can be enabled or disabled based on user input.
- Added apache2 as a dependency for Kali / Ubuntu / Debian.
- Hostapd no longer user conf_manager. Instead, it is managed using the HostapdConfig class found in core/hostapd_config.py. The HostapdConfig class draws values from both the command line interface and settings/core/hostapd.ini. See README.md for details on how this works.
- The command line interface has been updated to include 802.11n options, as well as both basic and advanced help output.
- Command line interface has also been moved to a dedicated module found in core.cli.py.
- Performed some code refactoring
- Updated README.md
On Kali Linux
x.509 Certificate Generation
Eaphammer provides an easy-to-use wizard for generating x.509 certificates. To launch eaphammer’s certificate wizard, just use the command shown below.
Stealing RADIUS Credentials From EAP Networks
To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the –creds flag as shown below.
The flags shown above are self-explanatory. For more granular control over the attack, you can use the –wpa flag to specify WPA vs WPA2 and the –auth flag to specify the EAP type. Note that for cred reaping attacks, you should always specify an auth type manually since the –auth flag defaults to “open” when omitted.
Stealing AD Credentials Using Hostile Portal Attacks
Eaphammer can perform hostile portal attacks that can force LLMNR/NBT-NS enabled Windows clients into surrendering password hashes. The attack works by forcing associations using an evil twin attack, then forcing associated clients to attempt NetBIOS named resolution using a Redirect To SMB attack. While this occurs, eaphammer runs Responder in the background to perform a nearly instantaneous LLMNR/NBT-NS poisoning attack against the affected wireless clients. The result is an attack that causes affected devices to not only connect to the rogue access point, but send NTLM hashes to the rogue access point as well.
The –hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.
Performing Indirect Wireless Pivots Using Hostile Portal Attacks
The hostile portal attack described in Stealing AD Credentials Using Hostile Portal Attacks can be used to perform an SMB relay attack against the affected devices. An attacker can use the hostile portal attack to perform an SMB relay attack that places the timed reverse shell on an authorized wireless device. The attacker can then disengage the attack to allow the authorized device to reconnect to the targetted network. When the attacker receives the reverse shell, he or she will have the same level of authorization as the attacker.
Performing Captive Portal Attacks
To perform a captive portal attack using eaphammer, use the –captive-portal flag as shown below.
This will cause eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients are redirected to a website you control. Eaphammer will leverage Apache2 to serve web content out of /var/www/html if used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.
Copyright (C) 2017 s0lst1c3