Creating PSK or EAP Networks
This assumes a basic understanding of hostapd.conf files. If you don’t have that, please read simplest hostapd.conf.
Clients will not automatically connect to a network, even if the name matches one they are looking for, if the security configuration of that network does not match what they are expecting (i.e. WPA-MGT/EAP or WPA/2-PSK). Additionally, impersonating secure networks can allow the interception of crackable credentials from the clients.
Creating PSK networks is as simple as adding the following lines to the wlan's config:

```
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=ASecurePassword
auth_algs=3
```
A full simple config for the above setup, based on the simplest hostapd.conf, would look like:

```
interface=wlan0
ssid=PSKNet
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=ASecurePassword
auth_algs=3
```
After this, you may want to read MANA WPA-2 Options (handshakes) on how to capture handshakes for cracking.
Creating an EAP network is slightly more complicated because of the additional options it requires. The simplest EAP configuration could look like:

```
wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=ca.pem
server_cert=server.pem
private_key=server.key
private_key_passwd=
dh_file=dhparam.pem
```
You'll notice that several files are required and that the key isn't encrypted (hence the blank private_key_passwd). These can be named whatever you like; I've merely used example names, and they would ideally be given as absolute paths. You only need to do this setup once:

- ca.pem, server.pem, server.key - These are certificates in PEM format. You can generate or purchase these. The following openssl commands will do it for you too:

  ```
  openssl genrsa -out server.key 2048
  openssl req -new -sha256 -key server.key -out csr.csr
  openssl req -x509 -sha256 -days 365 -key server.key -in csr.csr -out server.pem
  ln -s server.pem ca.pem
  ```

- hostapd.eap_user - This is the RADIUS server's authentication configuration, detailed below.

- dhparam.pem - These are the Diffie-Hellman parameters. They can be generated with:

  ```
  openssl dhparam 2048 > dhparam.pem
  ```
The format of the hostapd.eap_user file can be quite complicated. Given that our primary purpose is to allow any user to connect, we can use a simple permissive configuration:

```
* PEAP,TTLS,TLS,MD5,GTC
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]
```
The top line handles "outer authentication" (or, for non-tunnelled EAP modes, the only authentication). The bottom line handles the inner EAP modes. For the inner EAP mode we assume a username of "t", because MANA and hostapd-wpe translate the incoming username to "t" so that it always matches. Inner (phase 2) authentication is indicated by the [2] at the end of the line.
There are other EAP modes, but these are the ones for which MANA has implemented credential capture.
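To make the eap_user format above concrete, here is an added example (not part of the MANA project or this wiki) that parses a hostapd.eap_user file and reproduces the lookup hostapd performs: the first entry whose phase and identity match wins, so catch-all `*` lines are normally placed last. It is the kind of check an auditor runs over a RADIUS/EAP configuration to see which identities a catch-all entry covers. The sample file is constructed from the two lines shown above; hex-encoded (unquoted) identities are assumed out of scope.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two-line permissive file from this page plus a comment.
SAMPLE_EAP_USER = '''\
# outer (phase 1) methods offered to every identity
* PEAP,TTLS,TLS,MD5,GTC
# inner (phase 2) entry; MANA rewrites the inner identity to "t"
"t" TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP "1234test" [2]
'''

@dataclass
class EapUser:
    identity: Optional[str]   # None represents the "*" catch-all entry
    prefix: bool              # True for "abc"* style prefix matches
    methods: List[str]
    password: Optional[str]   # quoted value with quotes removed, or hash:... as-is
    phase2: bool              # True when the line ends in [2]

# identity  methods[,methods...]  [password]  [[2]]
LINE_RE = re.compile(
    r'^(?P<id>\*|"(?P<name>[^"]*)"(?P<pfx>\*)?)\s+'
    r'(?P<methods>[A-Za-z0-9_-]+(?:,[A-Za-z0-9_-]+)*)'
    r'(?:\s+(?P<pw>"[^"]*"|hash:[0-9a-fA-F]+))?'
    r'(?:\s+(?P<phase>\[2\]))?\s*$')

def parse_eap_user(text: str) -> List[EapUser]:
    users = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised eap_user entry: {raw!r}")
        identity = None if m.group("id") == "*" else m.group("name")
        pw = m.group("pw")
        if pw and pw.startswith('"'):
            pw = pw[1:-1]
        users.append(EapUser(identity, bool(m.group("pfx")),
                             m.group("methods").split(","), pw, bool(m.group("phase"))))
    return users

def lookup(users: List[EapUser], identity: str, phase2: bool = False) -> List[str]:
    """Methods offered to `identity` in the given phase: first matching entry wins."""
    for u in users:
        if u.phase2 != phase2:
            continue
        if u.identity is None or (u.prefix and identity.startswith(u.identity)) \
                or u.identity == identity:
            return u.methods
    return []

def catch_all_entries(users: List[EapUser]) -> List[EapUser]:
    """Entries that accept any identity, the first thing to look for in a permissive file."""
    return [u for u in users if u.identity is None]
```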
After this you will probably want to read MANA EAP Options (aka WPE) on how to capture EAP passwords for cracking.