This repository has been archived by the owner on Apr 25, 2019. It is now read-only.

[suggestion] hostapd-wpe front end #128

Closed
thesle3p opened this issue Apr 6, 2016 · 21 comments

@thesle3p

thesle3p commented Apr 6, 2016

So oftentimes on a pen test Mana is less useful as a targeted evil twin attack (we only care about impersonating one network), and we often only need to capture WPA-enterprise credentials; usually that means using hostapd-wpe. Would it be possible to add hostapd-wpe to the Nethunter repository and add to the Nethunter app a front end to hostapd-wpe (GUI-based config and tail of hostapd-wpe's credential log)?

binkybear added a commit that referenced this issue Apr 6, 2016
Per request:

#128
Signed-off-by: binkybear <[email protected]>
@binkybear
Collaborator

I looked into this and it seems pretty doable. Here is the install script I used for testing:

cd /tmp
git clone https://github.com/OpenSecurityResearch/hostapd-wpe
wget http://w1.fi/releases/hostapd-2.2.tar.gz
tar -zxf hostapd-2.2.tar.gz
cd hostapd-2.2
patch -p1 < ../hostapd-wpe/hostapd-wpe.patch 
cd hostapd
sed -i 's/#CONFIG_LIBNL32=y/CONFIG_LIBNL32=y/g' .config
make
chmod 755 hostapd-wpe
cp hostapd-wpe /usr/bin/hostapd-wpe
mkdir -p /usr/share/hostapd-wpe/certs
cp hostapd.eap_user /usr/share/hostapd-wpe/hostapd.eap_user
cd /tmp/hostapd-wpe/
cp -rf certs /usr/share/hostapd-wpe
chmod 755 /usr/share/hostapd-wpe/certs/bootstrap
#cd /usr/share/hostapd-wpe/certs/
#./bootstrap

I moved the configuration file to the Nethunter application configuration files and pointed it to where we copied the certificates and user file.

Adding the above to the chroot build would be easy (just copy and paste). The Nethunter app changes shouldn't be terribly difficult either since it uses nearly the same file as hostapd-mana. Just needs some slight changes to regex/ui.

I think the biggest challenge would be making sure the certificates get generated by bootstrap along with how to run it smoothly.

@thesle3p
Author

thesle3p commented Apr 6, 2016

Nice, any idea how soon this could be implemented?
On Apr 6, 2016 6:31 PM, "binkybear" [email protected] wrote:

I looked into this and it seems pretty doable. Here is the install script
I used for testing:

cd /tmp
git clone https://github.com/OpenSecurityResearch/hostapd-wpe
wget http://w1.fi/releases/hostapd-2.2.tar.gz
tar -zxf hostapd-2.2.tar.gz
cd hostapd-2.2
patch -p1 < ../hostapd-wpe/hostapd-wpe.patch
cd hostapd
sed -i 's/#CONFIG_LIBNL32=y/CONFIG_LIBNL32=y/g' .config
make
chmod 755 hostapd-wpe
cp hostapd-wpe /usr/bin/hostapd-wpe
cp hostapd-wpe.eap_user /usr/share/hostapd-wpe/hostapd-wpe.eap_user
cd /tmp/hostapd-wpe/
mkdir -p /usr/share/hostapd-wpe/certs
cp -rf certs /usr/share/hostapd-wpe
chmod 755 /usr/share/hostapd-wpe/certs/bootstrap
#cd /usr/share/hostapd-wpe/certs/
#./bootstrap

The configuration file I moved to Nethunter application configuration
files and pointed it to the certificates and user file to where we copied
it.

Adding the above to the chroot build would be easy (just copy and paste).
The Nethunter app changes shouldn't be terribly difficult either since it
uses nearly the same file as hostapd-mana. Just needs some slight changes
to regex/ui.

I think the biggest challenge would be making sure the certificates get
generated by bootstrap along with how to run it smoothly.



binkybear added a commit that referenced this issue Apr 7, 2016
binkybear added a commit to offensive-security/kali-nethunter that referenced this issue Apr 7, 2016
For WPA enterprise attacks.

offensive-security/nethunter-app#128
Signed-off-by: binkybear <[email protected]>
binkybear added a commit that referenced this issue Apr 7, 2016
binkybear added a commit that referenced this issue Apr 7, 2016
* Fix incorrectly named hostapd.eap_user
* Run hostapd directly
* Add wlan1 up

#128
Signed-off-by: binkybear <[email protected]>
@binkybear
Collaborator

OK - so maybe you can help with testing. Install hostapd-wpe using instructions above. Then install apk:

https://transfer.sh/pDNCa/nethunter-app-release.apk

Under mana-toolkit you can modify hostapd-wpe in the second tab and generate certificates. When you are ready, hit "start mana" and select hostapd-wpe. Let me know what needs to be fixed/added.

@thesle3p
Author

thesle3p commented Apr 7, 2016

Will check that out in a bit, just signed on to work.

-----Original Message-----
From: binkybear [mailto:[email protected]]
Sent: Wednesday, April 6, 2016 10:22 PM
To: offensive-security/nethunter-app
Cc: thesle3p
Subject: Re: [offensive-security/nethunter-app] [suggestion] hostapd-wpe front end (#128)

OK - so maybe you can help with testing. Install hostapd-wpe using instructions above. Then install apk:

https://transfer.sh/pDNCa/nethunter-app-release.apk

Under mana-toolkit you can modify hostapd-wpe in the second tab and generate certificates. When you are ready, hit "start mana" and select hostapd-wpe. Let me know what needs to be fixed/added.



@thesle3p
Author

thesle3p commented Apr 7, 2016

OK, so two things. First, to compile, hostapd-wpe needs two dependencies that you missed:

sudo apt-get install libnl-3-dev
and
sudo apt-get install libnl-genl-3-dev

Also, when I try to connect to the honey-net, hostapd-wpe seems to want an EAP type different than whatever EAP type I specify in the config; an example below:

Configuration file: /sdcard/nh_files/configs/hostapd-wpe.conf
Using interface wlan1 with hwaddr 00:11:22:33:44:00 and ssid "Free_Internet"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED 
wlan1: STA  <redacted> IEEE 802.11: authenticated
wlan1: STA  <redacted>  IEEE 802.11: associated (aid 1)
wlan1: CTRL-EVENT-EAP-STARTED <redacted> 
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan1: CTRL-EVENT-EAP-FAILURE <redacted> 
wlan1: STA <redacted> IEEE 802.1X: authentication failed - EAP type: 0 ((null))
wlan1: STA <redacted>  IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)
wlan1: STA <redacted>  IEEE 802.11: deauthenticated due to local deauth request

I never saw this error on x86 Kali or stock Debian, not sure what's going on there.
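
A triage helper for hostapd output like the log quoted above, as an added example that is not part of the original thread or the NetHunter code: it groups the EAP events per station and flags an exchange that fails straight after Identity. The MAC addresses and sample lines are constructed, and the `eap_user` hint is an assumption about a common cause, not a finding from this thread.

```python
import re

# IANA EAP method numbers commonly seen on WPA-Enterprise networks.
EAP = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
STA = r"(?P<sta>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}|<redacted>)"
EVENT = re.compile(r"CTRL-EVENT-EAP-(?P<ev>STARTED|SUCCESS|FAILURE)\s+" + STA)
PROPOSED = re.compile(r"CTRL-EVENT-EAP-PROPOSED-METHOD vendor=\d+ method=(?P<t>\d+)")
DETAIL = re.compile(r"STA\s+" + STA + r"\s+IEEE 802\.1X: (?P<who>authentication failed -"
                    r"|Supplicant used different) EAP type: (?P<t>\d+)")

# Constructed sample: station :01 repeats the failure pattern quoted above, :02 succeeds.
SAMPLE = """\
wlan1: CTRL-EVENT-EAP-STARTED 02:00:00:00:00:01
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan1: CTRL-EVENT-EAP-FAILURE 02:00:00:00:00:01
wlan1: STA 02:00:00:00:00:01 IEEE 802.1X: authentication failed - EAP type: 0 ((null))
wlan1: STA 02:00:00:00:00:01 IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)
wlan1: CTRL-EVENT-EAP-STARTED 02:00:00:00:00:02
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan1: CTRL-EVENT-EAP-SUCCESS 02:00:00:00:00:02
""".splitlines()

def diagnose(s):
    if s["result"] != "failure":
        return "no failure recorded"
    if s["server"] == 0 and set(s["proposed"]) <= {"Identity"}:
        # Assumption, not stated in the thread: server type 0 straight after Identity
        # usually means no eap_user entry offered a method for that identity.
        return "failed at Identity: check eap_user_file path and entries"
    return "failed inside " + (s["proposed"] or ["unknown method"])[-1]

def summarize(lines):
    """Return {station: summary} for each EAP exchange in hostapd output."""
    out, current = {}, None
    for line in lines:
        if m := EVENT.search(line):
            if m["ev"] == "STARTED":
                current = m["sta"]
                out[current] = {"proposed": [], "result": None, "server": None, "supplicant": None}
            elif m["sta"] in out:
                out[m["sta"]]["result"] = m["ev"].lower()
        elif (m := PROPOSED.search(line)) and current:
            # PROPOSED-METHOD carries no address; attribute it to the latest STARTED.
            out[current]["proposed"].append(EAP.get(int(m["t"]), m["t"]))
        elif (m := DETAIL.search(line)) and m["sta"] in out:
            key = "server" if m["who"].startswith("auth") else "supplicant"
            out[m["sta"]][key] = int(m["t"])
    return {sta: dict(s, hint=diagnose(s)) for sta, s in out.items()}
```

`summarize(SAMPLE)` returns one entry per station; the same function accepts the lines of a saved hostapd log, including ones where the station address was replaced with `<redacted>`.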

@binkybear
Collaborator

Thanks for testing. You can get better debugging results with a -dd. So the command to run would be:

ifconfig wlan1 up && /usr/bin/hostapd-wpe -dd /sdcard/nh_files/configs/hostapd-wpe.conf

Or if you just want a new apk with -dd built in:
https://transfer.sh/VxxYP/nethunter-app-release.apk

edit

Testing shows maybe it's a bit too much on the debugging... best to do it from ssh and pipe out a log...

edit2

Maybe it would be better/easier to just use the built-in mana eap attack and modify start-noupstream-eap.sh.

binkybear added a commit to binkybear/nethunter-utils that referenced this issue Apr 12, 2016
binkybear added a commit that referenced this issue Apr 12, 2016
Hostapd-wpe appears to be working after redoing config file.

#128
Signed-off-by: binkybear <[email protected]>
@binkybear
Collaborator

I think everything is working now:

https://transfer.sh/YJHkL/nethunter-app-release.apk

I've also used the patch for 2.5 hostapd instead. I've submitted a pull request with the updated binary and cert files: offensive-security/nethunter-utils#15

Eventually you should only need to run an apt-get update/upgrade and install latest apk. I took a screenshot to confirm it worked in link below:

Tested on OnePlus1 using TL-WN722N:

Screenshot

@thesle3p
Author

That version bricks the HID attack menu in the app and makes
nethunter/android no longer see wlan1.

On 04/06/2016 10:22 PM, binkybear wrote:

OK - so maybe you can help with testing. Install hostapd-wpe using
instructions above. Then install apk:

https://transfer.sh/pDNCa/nethunter-app-release.apk

Under mana-toolkit you can modify hostapd-wpe in the second tab and
generate certificates. When you are ready, hit "start mana" and select
hostapd-wpe. Let me know what needs to be fixed/added.



@binkybear
Collaborator

Are you sure the kernel didn't get updated? There were no changes to hid and there's no possible way the app removed ability to detect wlan1. (Feel free to check git history)

@thesle3p
Author

When I go to the HID attack menu the app crashes. I was able to fix the
wlan1 detection issue with a reboot.
On Apr 14, 2016 9:03 PM, "binkybear" [email protected] wrote:

Are you sure the kernel didn't get updated? There were no changes to hid
and there's no possible way the app removed ability to detect wlan1. (Feel
free to check git history)



@binkybear
Collaborator

binkybear commented Apr 15, 2016

Ah I see now on the hid app crash. Will look for problem/fix and upload. Thanks for the good eye!

For my reference logcat:

04-14 21:07:18.577 23733 23733 E AndroidRuntime: FATAL EXCEPTION: main
04-14 21:07:18.577 23733 23733 E AndroidRuntime: Process: com.offsec.nethunter, PID: 23733
04-14 21:07:18.577 23733 23733 E AndroidRuntime: java.lang.NullPointerException: Attempt to read from field 'java.lang.String com.offsec.nethunter.utils.NhPaths.CHROOT_PATH' on a null object reference
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at com.offsec.nethunter.HidFragment.onActivityCreated(HidFragment.java:69)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.support.v4.app.Fragment.performActivityCreated(Fragment.java:1983)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.support.v4.app.FragmentManagerImpl.moveToState(FragmentManager.java:1092)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.support.v4.app.FragmentManagerImpl.moveToState(FragmentManager.java:1252)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.support.v4.app.BackStackRecord.run(BackStackRecord.java:742)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.support.v4.app.FragmentManagerImpl.execPendingActions(FragmentManager.java:1617)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.support.v4.app.FragmentManagerImpl$1.run(FragmentManager.java:517)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.os.Handler.handleCallback(Handler.java:739)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.os.Handler.dispatchMessage(Handler.java:95)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.os.Looper.loop(Looper.java:148)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at android.app.ActivityThread.main(ActivityThread.java:5466)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at java.lang.reflect.Method.invoke(Native Method)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
04-14 21:07:18.577 23733 23733 E AndroidRuntime:    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)
04-14 21:07:18.579  1076  3136 W ActivityManager:   Force finishing activity com.offsec.nethunter/.AppNavHomeActivity
04-14 21:07:18.635  1076 23614 I OpenGLRenderer: Initialized EGL, version 1.4
04-14 21:07:19.095  1076  1695 W ActivityManager: Activity pause timeout for ActivityRecord{7ceffe0 u0 com.offsec.nethunter/.AppNavHomeActivity t206 f}

@thesle3p
Author

Now that I fixed the wlan1 detection issue, I will try the hostapd issue.
On Apr 14, 2016 9:05 PM, "binkybear" [email protected] wrote:

Ah I see now on the hid app crash. Will look for problem/fix and upload.
Thanks for the good eye!



@thesle3p
Author

Tried using the apk you sent and hostapd-wpe 2.5 with the patch from the repo you used with the same authentication problem.

@binkybear
Collaborator

Fixed HID error:
9ba2798

New APK with HID fix:
https://transfer.sh/IJod2/nethunter-app-release.apk

The crash is occurring I believe because of some changes in Android API.


So back to your authentication issue, I assume it's exactly the same error as before? Did you also try "forgetting" the network then joining? Just trying to rule out what could be causing the issue.

@thesle3p
Author

I tried that. I also tried from both android and Debian.

@binkybear
Collaborator

Did you try off the 2.5 hostapd? Here is the binary I used (which worked for me):

https://github.com/binkybear/nethunter-utils/blob/master/usr/bin/hostapd-wpe

(I used TPLINK in testing)

@thesle3p
Author

OK, so that binary seems to require different libssl binaries than apt-get install provides, and the app crash bug is present in the kali services and duck hunter tabs as well.

binkybear added a commit that referenced this issue Apr 15, 2016
Revert for now.  Issue raised in:

#128
Signed-off-by: binkybear <[email protected]>
@binkybear
Collaborator

Reverting the API back to an earlier version appears to fix the issues with app crashes. However, we will one day have to upgrade to the latest API and will probably encounter these issues again:

https://transfer.sh/4EvQ7/nethunter-app-release.apk

@thesle3p
Author

Great, but so far I have been unable to get hostapd-wpe to capture creds. Once hostapd-wpe is pushed to the Nethunter repo I will try again. Also, just a suggestion: maybe the app should parse hostapd-wpe's output and log captured creds to a file?

-----Original Message-----
From: binkybear [mailto:[email protected]]
Sent: Friday, April 15, 2016 7:14 AM
To: offensive-security/nethunter-app
Cc: thesle3p
Subject: Re: [offensive-security/nethunter-app] [suggestion] hostapd-wpe front end (#128)

Reverting the API back to an earlier version appears to fix the issues with app crashes. However, we will one day have to upgrade to the latest API and will probably encounter these issues again:

https://transfer.sh/4EvQ7/nethunter-app-release.apk



@thesle3p
Author

Any idea when hostapd-wpe will be pushed to the Nethunter Repo?

@thesle3p
Author

Flashing Nethunter again and compiling hostapd-wpe worked. My only suggestion is to have the app parse hostapd-wpe's log file and save its contents to an external file to make offline cracking easier.
