Creating PSK or EAP Networks

Dominic White edited this page Sep 26, 2019 · 5 revisions

This assumes a basic understanding of hostapd.conf files. If you don’t have that, please read simplest hostapd.conf.

Clients will not automatically connect to a network, even if the name matches one they are looking for, if the security configuration of that network does not match what they are expecting (i.e. WPA-MGT/EAP or WPA/2-PSK). Additionally, impersonating secure networks can allow the interception of crackable credentials from the clients.

WPA/2 Pre-shared Key (PSK) Networks

Creating PSK networks is as simple as adding the following lines to the wlan’s config:

wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=ASecurePassword
auth_algs=3

This will create a permissive PSK network that can do WPA1 and WPA2. The password (aka the key) is "ASecurePassword".

A full simple config for the above setup based on the simplest hostapd.conf would look like:

interface=wlan0
ssid=PSKNet
channel=6
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=ASecurePassword
auth_algs=3

After this, you may want to read MANA WPA-2 Options (handshakes) on how to capture handshakes for cracking.

EAP Networks

Creating an EAP network is slightly more complicated due to the additional options it requires. The simplest EAP configuration could look like:

wpa=3
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP
auth_algs=3

ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=ca.pem
server_cert=server.pem
private_key=server.key
private_key_passwd=
dh_file=dhparam.pem

You’ll notice that several files are required and that the key isn’t encrypted (hence the blank private_key_passwd). The file names are only examples, so name them what you like, and ideally reference them by absolute paths. You only need to do this setup once:

  • ca.pem, server.pem, server.key - These are certificates in PEM format. You can generate or purchase these. The following openssl commands will do it for you too:

    openssl genrsa -out server.key 2048
    openssl req -new -sha256 -key server.key -out csr.csr
    openssl req -x509 -sha256 -days 365 -key server.key -in csr.csr -out server.pem
    ln -s server.pem ca.pem

  • hostapd.eap_user - This is the RADIUS server’s authentication configuration, detailed below.

  • dhparam.pem - These are the Diffie-Hellman parameters. They can be generated with:

    openssl dhparam 2048 > dhparam.pem

eap_user_file

The format of this file can be quite complicated. Given our primary purpose is to allow any user to connect, we can use a simple permissive configuration:

*		PEAP,TTLS,TLS,MD5,GTC
"t"     	TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP  "1234test"  [2]

The top line handles "outer authentication" or, in the case of non-tunneled EAP modes, the only authentication. The bottom line handles inner EAP modes. In the inner EAP mode, we assume a username of "t" because MANA and hostapd-wpe will translate the incoming username to "t" so that it always matches. Inner auth is indicated by the [2] at the end.

There are other EAP modes, but these are the ones for which MANA has implemented credential capture.
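
To make the outer/inner split concrete, the following Python is an added example, not code from MANA or hostapd. It parses the two-line file above and models lookup as "the first line whose phase and identity both match", which is a simplifying assumption rather than hostapd's own parser; the names `parse`, `lookup` and `Entry` are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional

# The permissive eap_user_file shown on this page, embedded so the example runs offline.
EAP_USER_FILE = '''
*       PEAP,TTLS,TLS,MD5,GTC
"t"     TTLS-MSCHAPV2,MSCHAPV2,MD5,GTC,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP  "1234test"  [2]
'''

LINE = re.compile(r'''^(?P<ident>\*|"[^"]*"\*?)   # *, "name" or "prefix"*
    \s+(?P<methods>[\w,-]+)                        # comma-separated EAP methods
    (?:\s+(?P<secret>"[^"]*"|(?!\[)\S+))?          # optional password
    (?P<flags>(?:\s+\[[^\]]*\])*)\s*$''', re.X)

class Entry(NamedTuple):
    identity: Optional[str]   # None means "any identity" (bare *)
    prefix: bool              # True for the "prefix"* form
    methods: List[str]
    secret: Optional[str]
    phase2: bool              # True when the line carries the [2] flag

def parse(text: str) -> List[Entry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"line {n}: unrecognised entry: {line!r}")
        ident = m["ident"]
        flags = re.findall(r"\[([^\]]*)\]", m["flags"])
        entries.append(Entry(
            identity=None if ident == "*" else ident.rstrip("*").strip('"'),
            prefix=ident.endswith('"*'),
            methods=m["methods"].split(","),
            secret=m["secret"].strip('"') if m["secret"] else None,
            phase2="2" in flags))
    return entries

def lookup(entries: List[Entry], identity: str, phase2: bool) -> Optional[Entry]:
    """Simplified model (assumption): first entry whose phase and identity match."""
    for e in entries:
        if e.phase2 != phase2:
            continue
        if e.identity is None or e.identity == identity or (
                e.prefix and identity.startswith(e.identity)):
            return e
    return None
```

With this file, an inner identity such as "alice" matches no line under this model, which is why the username has to arrive as "t" for the second line to apply.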

After this you will probably want to read MANA EAP Options (aka WPE) on how to capture EAP passwords for cracking.