brav0hax / easy-creds


NonIssue: Question: How is EvilTwin AP supposed to work? #9

Closed cmavr8 closed 10 years ago

cmavr8 commented 10 years ago

Hi again. This is not an issue report but a question/discussion; there is no forum on GitHub.

I'm trying to get all modes of easy-creds working, so I have some questions. I may write my knowledge down as documentation (in the wiki maybe) of this project when I have enough, if that's ok with you (brav0hax).

So, the question is: how is the EvilTwin mode supposed to work? Create rogue unsecured APs based on client probes, right? Should clients be able to connect and use the APs? Mine doesn't. Even if (the client) chooses to connect to one of the created networks, it can't. Is this normal?

(Feature suggestion: make APs with var security settings. 4 for each ssid. This will increase autoconnection success)

Thanks, Chris

ZeroChaos- commented 10 years ago

The evil AP mode uses airbase-ng at this time, there are numerous bugs with airbase-ng that prevent certain clients from properly connecting. The vast majority of clients will be able to connect to the AP and get hacked, but certain devices are more strict on verifying beacons and airbase-ng is slightly non-compliant.

As for your feature suggestion, that goes for airbase-ng, not us, but keep in mind it won't "just work". If we create a WEP network we would have to crack the WEP key for each user individually (they could all be different) and then do encryption/decryption in software. For WPA PSK it would be impossible to have a valid connection at all like this.

cmavr8 commented 10 years ago

Hi again, thanks for the reply.

Regarding the feature: it can just be done by starting various instances of airbase-ng at the same time, like this guy does in this video: http://www.securitytube.net/video/1921

Yes, it's not gonna be proper (no wep/wpa keys available) but I think it increases the chances of success.

Anyway, I'll try to propose a patch at some point :) Thanks

ZeroChaos- commented 10 years ago

Not really. A better solution (if you have a capable card) would be to run hostapd with the karma patches, and run two vaps, one open running karma, one wpa enterprise with a freeradius-wpe backend. But this much attack is beyond the scope of easy-creds I believe.

brav0hax commented 10 years ago

Agreed. I will be working easy creds towards hostapd.

As long as the karma patch hands beacon responses then I prefer that to airbase and its bugs.