s0lst1c3 / eaphammer

Targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.
GNU General Public License v3.0

OpenSSL: openssl_handshake - SSL_connect error #3

Closed mattbrun closed 7 years ago

mattbrun commented 7 years ago

This is the most blocking issue I've got so far, cause I still can't see creds flowing in the shell ;) :(

I'm using an Atheros AR9271 USB WiFi dongle with Kali Linux. The initialization process and the AP creation complete correctly. When a client tries to automatically connect, everything goes well until it reaches a hostapd-side generated error (I guess). For the sake of readability I'll report the whole program output at the bottom of the issue.

In my several runs, I saw all my clients - iOS 10.3 and Windows 10 - correctly trying to connect to the AP, but they all stop with the error reported at the bottom.

Googling around I found this post, where it seems the problem might be the client which drops the connection because it doesn't recognize the AP certificate. Am I correct? Do you have any clue on why this is happening, or how may I debug it?

Thanks for your help, M.

===========================

$ sudo ./eaphammer --bssid 00:11:22:33:44:55:66 --essid "XXXXXX" --interface wlan0 --auth peap --creds

                     .__                                         
  ____ _____  ______ |  |__ _____    _____   _____   ___________ 
_/ __ \\__  \ \____ \|  |  \\__  \  /     \ /     \_/ __ \_  __ \
\  ___/ / __ \|  |_> >   Y  \/ __ \|  Y Y  \  Y Y  \  ___/|  | \/
 \___  >____  /   __/|___|  (____  /__|_|  /__|_|  /\___  >__|   
     \/     \/|__|        \/     \/      \/      \/     \/       

[*] stopping network-manager service.

100%|█████████████████████████████████████████████████████████████████████| 4/4 [00:04<00:00,  1.00s/it]

Error: NetworkManager is not running.

[*] Reticulating radio frequency splines...

100%|█████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00,  1.00s/it]

Configuration file: ./conf/hostapd-wpe.conf
Using interface wlan0 with hwaddr 00:11:22:33:44:55 and ssid "XXXXXX"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED 
press enter to quit...wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: authenticated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 58:7f:57:3e:d8:b9
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
SSL: SSL3 alert: read (remote end reported an error):warning:close notify
OpenSSL: openssl_handshake - SSL_connect error:00000000:lib(0):func(0):reason(0)
wlan0: CTRL-EVENT-EAP-FAILURE 58:7f:57:3e:d8:b9
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: authentication failed - EAP type: 0 ((null))
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: disassociated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: deauthenticated due to local deauth request
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: authenticated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 58:7f:57:3e:d8:b9
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
SSL: SSL3 alert: read (remote end reported an error):warning:close notify
OpenSSL: openssl_handshake - SSL_connect error:00000000:lib(0):func(0):reason(0)
wlan0: CTRL-EVENT-EAP-FAILURE 58:7f:57:3e:d8:b9
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: authentication failed - EAP type: 0 ((null))
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: disassociated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: authenticated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 58:7f:57:3e:d8:b9
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
SSL: SSL3 alert: read (remote end reported an error):warning:close notify
OpenSSL: openssl_handshake - SSL_connect error:00000000:lib(0):func(0):reason(0)
wlan0: CTRL-EVENT-EAP-FAILURE 58:7f:57:3e:d8:b9
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: authentication failed - EAP type: 0 ((null))
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: authenticated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 58:7f:57:3e:d8:b9
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
SSL: SSL3 alert: read (remote end reported an error):warning:close notify
OpenSSL: openssl_handshake - SSL_connect error:00000000:lib(0):func(0):reason(0)
wlan0: CTRL-EVENT-EAP-FAILURE 58:7f:57:3e:d8:b9
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: authentication failed - EAP type: 0 ((null))
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: disassociated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: deauthenticated due to local deauth request

[*] Killing all processes for: hostapd-wpe

100%|█████████████████████████████████████████████████████████████████████| 4/4 [00:04<00:00,  1.00s/it]

s0lst1c3 commented 7 years ago

It could very well be the self-signed cert, but I think it's unlikely unless every client you tested with has been configured to automatically reject self-signed certificates. If you're comfortable doing so, could you possibly upload the cert you're using (or a cert with similar attributes)? Also, what version of OpenSSL are you using? Thanks.

s0lst1c3 commented 7 years ago

As I mentioned in #1, hostapd-wpe has the capability of testing supplicants for the Heartbleed vulnerability. Since this capability is not optional, and because newer versions of OpenSSL cannot be used to test for Heartbleed, the entire project has to be compiled with a downgraded version of libssl (namely libssl1.0-dev). I suspect that this is causing the "SSL: SSL3 alert: " error, since properly configured devices will outright reject connections over SSLv2 and SSLv3.

To remediate this problem, I've modified the original hostapd-wpe into a leaner binary that doesn't have the Heartbleed component, among other tweaks. This means that the project no longer depends on libssl1.0-dev (see solution for #1). If you could please try cloning the repo again, then running the new kali-setup.py file that's been added to the project, that would be great. If my hypothesis is correct, you should no longer see the errors. Thanks for your help.

mattbrun commented 7 years ago

Hi @s0lst1c3 , thanks for your help and your effort! I'll give it a try after Wednesday.

Cheers

s0lst1c3 commented 7 years ago

Hey @mattbrun, did the fix ever work for you?

mattbrun commented 7 years ago

This is the output I get now:

$ sudo ./eaphammer --bssid 00:11:22:33:44:55:66 --essid "XXXXX" --interface wlan0 --auth peap --creds

                     .__                                         
  ____ _____  ______ |  |__ _____    _____   _____   ___________ 
_/ __ \\__  \ \____ \|  |  \\__  \  /     \ /     \_/ __ \_  __ \
\  ___/ / __ \|  |_> >   Y  \/ __ \|  Y Y  \  Y Y  \  ___/|  | \/
 \___  >____  /   __/|___|  (____  /__|_|  /__|_|  /\___  >__|   
     \/     \/|__|        \/     \/      \/      \/     \/       

                                v0.0.5

[*] stopping network-manager service.

100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 4/4 [00:04<00:00,  1.00s/it]

Error: NetworkManager is not running.

[*] Reticulating radio frequency splines...

100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00,  1.00s/it]

Configuration file: ./conf/hostapd-wpe.conf
Using interface wlan0 with hwaddr 00:11:22:33:44:55 and ssid "XXXXX"
OpenSSL: tls_global_client_cert - Failed to load client certificate error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
OpenSSL: pending error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
TLS: Failed to set global parameters
Failed to set TLS parameters
Interface initialization failed
wlan0: interface state UNINITIALIZED->DISABLED
wlan0: AP-DISABLED 
wlan0: Unable to setup interface.
wlan0: interface state DISABLED->DISABLED
wlan0: AP-DISABLED 
hostapd_free_hapd_data: Interface wlan0 wasn't started
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
press enter to quit...

[*] Killing all processes for: hostapd-wpe

100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 4/4 [00:04<00:00,  1.00s/it]

Consider that I just cloned a new repo, uninstalled all dependencies and then reinstalled them, created a new certificate.

Just to prove that the wifi dongle was working ok, I tried to connect to a wireless network, and everything was fine. For this reason note that the NetworkManager service was actually running, even though eaphammer says it wasn't.

It seems there is a problem with the generated cert though.

mattbrun commented 7 years ago

I tried all over again:

[*] stopping network-manager service.

100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 4/4 [00:04<00:00, 1.01s/it]

Error: NetworkManager is not running.

[*] Reticulating radio frequency splines...

100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 1/1 [00:01<00:00, 1.00s/it]

Configuration file: ./conf/hostapd-wpe.conf
Using interface wlan0 with hwaddr 00:11:22:33:44:55 and ssid "XXXXXX"
OpenSSL: tls_global_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
TLS: Failed to set global parameters
Failed to set TLS parameters
Interface initialization failed
wlan0: interface state UNINITIALIZED->DISABLED
wlan0: AP-DISABLED
wlan0: Unable to setup interface.
wlan0: interface state DISABLED->DISABLED
wlan0: AP-DISABLED
hostapd_free_hapd_data: Interface wlan0 wasn't started
nl80211: deinit ifname=wlan0 disabled_11b_rates=0
press enter to quit...

[*] Killing all processes for: hostapd-wpe

100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 4/4 [00:04<00:00, 1.00s/it]

Which is a different error from before, but definitely something related to the generated cert.

s0lst1c3 commented 7 years ago

I just pushed an update that stops the wpa_supplicant service, which might be interfering with hostapd entering Master mode. With that said, I still wasn't able to reproduce your error despite following all of the steps you outlined in the last comment. I'm not saying it's not happening on your end, but there's obviously at least one subtle difference between our two configurations that we haven't accounted for yet.

What were the values that you entered when you generated your cert? Also, have you tested this with any additional wireless adapters? I'm using both a TP-Link WN722N and an Alfa AWUS036NHA. The Alfa literally says "Atheros AR9271" on the back of it, so I'm definitely using the same chipset as you. However, I'm wondering if there are subtle differences between our adapters.

screenshot

mattbrun commented 7 years ago

I'm using your same TP-Link dongle, and starting from scratch again now it starts fine, but it still gives the error it was giving in the beginning when the client tries to connect. I tried with both --auth ttls and --auth peap, and I receive the same error.

My guess is that the client is forcing the disconnection.

$ sudo ./eaphammer --bssid 00:11:22:33:44:55:66 --essid "XXXXXX" --interface wlan0 --auth peap --creds
[sudo] password for user1: 

                     .__                                         
  ____ _____  ______ |  |__ _____    _____   _____   ___________ 
_/ __ \\__  \ \____ \|  |  \\__  \  /     \ /     \_/ __ \_  __ \
\  ___/ / __ \|  |_> >   Y  \/ __ \|  Y Y  \  Y Y  \  ___/|  | \/
 \___  >____  /   __/|___|  (____  /__|_|  /__|_|  /\___  >__|   
     \/     \/|__|        \/     \/      \/      \/     \/       

                                v0.0.6

[*] stopping network-manager service.

100%|█████████████████████████████████████████████████████████| 4/4 [00:04<00:00,  1.00s/it]

[*] stopping wpa_supplicant service.

100%|█████████████████████████████████████████████████████████| 4/4 [00:04<00:00,  1.00s/it]

Error: NetworkManager is not running.

[*] Reticulating radio frequency splines...

100%|█████████████████████████████████████████████████████████| 1/1 [00:01<00:00,  1.00s/it]

Configuration file: ./conf/hostapd-wpe.conf
Using interface wlan0 with hwaddr 00:11:22:33:44:55 and ssid "XXXXXX"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED 
press enter to quit...wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: authenticated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 58:7f:57:3e:d8:b9
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
SSL: SSL3 alert: read (remote end reported an error):warning:close notify
OpenSSL: openssl_handshake - SSL_connect error:00000000:lib(0):func(0):reason(0)
wlan0: CTRL-EVENT-EAP-FAILURE 58:7f:57:3e:d8:b9
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: Supplicant used different EAP type: 13 (TLS)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: disassociated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: deauthenticated due to local deauth request
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: authenticated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 58:7f:57:3e:d8:b9
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
SSL: SSL3 alert: read (remote end reported an error):warning:close notify
OpenSSL: openssl_handshake - SSL_connect error:00000000:lib(0):func(0):reason(0)
wlan0: CTRL-EVENT-EAP-FAILURE 58:7f:57:3e:d8:b9
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: Supplicant used different EAP type: 13 (TLS)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: disassociated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: authenticated
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 58:7f:57:3e:d8:b9
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
SSL: SSL3 alert: read (remote end reported an error):warning:close notify
OpenSSL: openssl_handshake - SSL_connect error:00000000:lib(0):func(0):reason(0)
wlan0: CTRL-EVENT-EAP-FAILURE 58:7f:57:3e:d8:b9
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: Supplicant used different EAP type: 13 (TLS)
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.11: disassociated

wlan0: interface state ENABLED->DISABLED
wlan0: AP-DISABLED 
nl80211: deinit ifname=wlan0 disabled_11b_rates=0

[*] Killing all processes for: hostapd-wpe

100%|█████████████████████████████████████████████████████████| 4/4 [00:04<00:00,  1.00s/it]

s0lst1c3 commented 7 years ago

What are the exact specs for your client device? Also, is it possible for you to upload logs from the client device? Thanks.

mattbrun commented 7 years ago

The device is an iPhone 6S with iOS 10.3, and the WPA2 Enterprise wifi config was not done by me. I am assessing a third party device... For this same reason, I cannot give you the whole log, cause I can't risk sharing third party information ;)

Nevertheless, I extracted this excerpt from the logs regarding the "eapolclient" service, and I noticed the server certificate was rejected:

May  8 12:17:48 Testva-Top2 eapolclient[265] <Notice>: en0 START uid 501 gid 501
May  8 12:17:48 Testva-Top2 eapolclient[265] <Notice>: en0: 802.1X User Mode
May  8 12:17:48 Testva-Top2 eapolclient(Security)[265] <Notice>:  [leaf ExtendedKeyUsage]
May  8 12:17:48 Testva-Top2 eapolclient(Security)[265] <Notice>:  [root AnchorTrusted]
May  8 12:17:48 Testva-Top2 eapolclient(EAP8021X)[265] <Notice>: server certificate not trusted status 1001 -9807
May  8 12:17:48 Testva-Top2 eapolclient[265] <Notice>: en0 EAP-TLS: authentication failed with status 1001
May  8 12:17:48 Testva-Top2 eapolclient[265] <Notice>: State=Held Status=SecurityError (1001): errSSLXCertChainInvalid (-9807):
May  8 12:17:48 Testva-Top2 eapolclient[265] <Notice>: en0 STOP

So I added the server cert to the profiles, but I still get the same error.

Even though we may try to find a solution to make it work, correct me if I'm wrong, but I guess that the client is well configured, and in my particular case the attack would not be so interesting because it would need at least a user interaction - unless I'm missing something of course ;) :)

I'm not closing the issue cause maybe I'm missing something, but for now it seems there's no issue with eaphammer per se.

s0lst1c3 commented 7 years ago

Hi Matt, the following line leads me to believe that the network in question is using EAP-TLS.

EAP-TLS: authentication failed with status 1001

This form of EAP uses mutual certificate-based authentication, and as such isn't susceptible to rogue access point attacks. You should be able to find out for certain by inspecting captured EAPOL packets using Wireshark. I'm going to close this issue for now.
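As an added example (not part of this thread and not eaphammer's own code), a small Python parser that groups the hostapd-wpe output quoted above into per-client EAP attempts and reports whether the supplicant negotiated EAP-TLS or tore the TLS tunnel down with close_notify, which is the reading s0lst1c3 does by eye. The embedded log is constructed from lines in this thread; the EAP type names are from the IANA EAP registry.

```python
import re

# EAP method numbers (IANA EAP registry) as printed in hostapd's PROPOSED-METHOD lines.
EAP_NAMES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP"}
RE_STARTED = re.compile(r"CTRL-EVENT-EAP-STARTED ([0-9a-f:]{17})")
RE_PROPOSED = re.compile(r"CTRL-EVENT-EAP-PROPOSED-METHOD vendor=(\d+) method=(\d+)")
RE_USED = re.compile(r"Supplicant used different EAP type: (\d+)")

# Constructed sample: one attempt from each of the two hostapd-wpe runs quoted in this issue.
SAMPLE_LOG = """\
wlan0: CTRL-EVENT-EAP-STARTED 58:7f:57:3e:d8:b9
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
SSL: SSL3 alert: read (remote end reported an error):warning:close notify
wlan0: CTRL-EVENT-EAP-FAILURE 58:7f:57:3e:d8:b9
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)
wlan0: CTRL-EVENT-EAP-STARTED 58:7f:57:3e:d8:b9
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
SSL: SSL3 alert: read (remote end reported an error):warning:close notify
wlan0: CTRL-EVENT-EAP-FAILURE 58:7f:57:3e:d8:b9
wlan0: STA 58:7f:57:3e:d8:b9 IEEE 802.1X: Supplicant used different EAP type: 13 (TLS)
"""

def parse_attempts(log_text):
    """Group hostapd output into one record per EAP attempt (from EAP-STARTED onwards)."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if m := RE_STARTED.search(line):
            cur = {"sta": m.group(1), "proposed": [], "client_used": None,
                   "peer_close_notify": False, "failed": False}
            attempts.append(cur)
        elif cur is None:
            continue
        elif (m := RE_PROPOSED.search(line)) and m.group(1) == "0":
            cur["proposed"].append(int(m.group(2)))
        elif "warning:close notify" in line:
            cur["peer_close_notify"] = True  # the supplicant, not hostapd, ended the TLS session
        elif m := RE_USED.search(line):
            cur["client_used"] = int(m.group(1))
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            cur["failed"] = True
    return attempts

def assess(a):
    """Classify one attempt for the operator; returns (label, explanation)."""
    used = EAP_NAMES.get(a["client_used"], "EAP-%s" % a["client_used"])
    if a["client_used"] == 13:
        return ("eap-tls", "%s negotiated EAP-TLS (mutual certificate auth): no password-based "
                "inner method will follow" % a["sta"])
    if a["peer_close_notify"] and a["failed"]:
        return ("cert-rejected", "%s accepted %s but sent close_notify before any inner method: "
                "it did not trust the server certificate" % (a["sta"], used))
    return ("other", "%s: %s, failed=%s" % (a["sta"], used, a["failed"]))
```

Feed it the raw hostapd-wpe output with `for a in parse_attempts(text): print(assess(a))`; the two sample attempts come back as cert-rejected (PEAP offered, tunnel closed by the client) and eap-tls.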

mattbrun commented 7 years ago

@s0lst1c3 thanks for your clarification! We arrived at the same conclusion, sorry if I didn't write back.