sensepost / hostapd-mana

SensePost's modified hostapd for wifi attacks.
https://w1f1.net/

TLS accept client certificate failed #24

Open Lexus89 opened 6 years ago

Lexus89 commented 6 years ago

I have been testing the functionality lately and it definitely has improved a lot!

When reading the wiki I saw a function that was not mentioned in the default hostapd.conf provided with the mana functionality (mana_eaptls=1). Creating the following wifi profile on my android device (8.0.0) still results in failed authentication.

singe commented 6 years ago

Heya. It’s got a little write up at https://github.com/sensepost/hostapd-mana/wiki/MANA-EAP-Options-(aka-WPE)#eap-tls-mitm and https://github.com/sensepost/hostapd-mana/wiki/EAP-WPE-Attack-Theory#eap-tls as of yesterday ;)

I’m confused though, you said you configured your Android to not send a client cert? EAP-TLS requires a client cert?

On 10 Aug 2018, at 05:07, Lexus89 notifications@github.com wrote:

> Do NOT provide a client certificate

Lexus89 commented 6 years ago

Yeah weird enough my android wifi profile setup lets me connect without providing a client certificate... I checked the logs and hostapd receives my Identity (hacker) so android seems to accept this. Haven't tested it with a real client cert yet though whether a MITM will work.

```
wlan0: STA d4:38:9c:60:0f:18 IEEE 802.1X: received EAP packet (code=2 id=204 len=11) from STA: EAP Response-Identity (1)
IEEE 802.1X: d4:38:9c:60:0f:18 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=204 respMethod=1 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-Identity: Peer identity - hexdump_ascii(len=6):
     68 61 63 6b 65 72                                 hacker
EAP: EAP entering state SELECT_ACTION
MANA EAP Identity Phase 0: hacker
EAP: getDecision: another method available -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 25
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 205
EAP-PEAP: START -> PHASE1
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
```

singe commented 6 years ago

Your device is trying to connect with PEAP. I've tried, but have been unable to get hostapd to create a network that advertises itself as only EAP-TLS, even with the following directive:

nai_realm=0,MANA,12[5:6]

Which should advertise the network as EAP-TLS; my iOS and macOS devices will still try PEAP.

Also, hostapd.eap_user lets you configure the EAP modes accepted, so by default, hostapd networks will negotiate the EAP type based on what you configure in there, and most devices default to PEAP if it's available. Which means, at least on iOS you need an MDM profile to configure EAP-TLS, and on macOS you need to configure the network explicitly.
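Added example, not part of the thread or of hostapd-mana: a small Python reader for hostapd debug output like the log quoted above, which reports the EAP method hostapd proposed for each identity and flags proposals that are not EAP-TLS. The function names and the type table are this example's own; the type numbers are the IANA EAP method types, and the sample lines are copied from the log in this issue.

```python
import re

# IANA EAP method type numbers (vendor 0) relevant to this thread.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MSCHAPv2"}

IDENTITY_RE = re.compile(r"MANA EAP Identity Phase 0: (\S+)")
PROPOSED_RE = re.compile(r"CTRL-EVENT-EAP-PROPOSED-METHOD vendor=(\d+) method=(\d+)")

# Sample input: lines taken from the debug output quoted in this issue.
SAMPLE_LOG = """\
EAP: EAP entering state SELECT_ACTION
MANA EAP Identity Phase 0: hacker
EAP: getDecision: another method available -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 25
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
EAP: EAP entering state METHOD_REQUEST
EAP-PEAP: START -> PHASE1
"""


def proposed_methods(log_text):
    """Return (identity, method_number, method_name) for each proposal."""
    results, identity = [], None
    for line in log_text.splitlines():
        m = IDENTITY_RE.search(line)
        if m:
            identity = m.group(1)  # remember the most recent identity seen
            continue
        m = PROPOSED_RE.search(line)
        if m and m.group(1) == "0":  # only standard (non-vendor) methods
            num = int(m.group(2))
            results.append((identity, num, EAP_TYPES.get(num, f"unknown({num})")))
    return results


def mismatches(log_text, expected=13):
    """Proposals whose method differs from the expected type (13 = EAP-TLS)."""
    return [p for p in proposed_methods(log_text) if p[1] != expected]


if __name__ == "__main__":
    for identity, num, name in mismatches(SAMPLE_LOG):
        print(f"identity={identity!r}: proposed {name} (type {num}), not EAP-TLS")
```

On the sample it reports PEAP (type 25) for the identity `hacker`, which is the `method=25` line in the log above.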

Lexus89 commented 6 years ago

Thanks singe! I'm going to play with this a bit more.