Full Report
Wi-Fi is everywhere and having a better understanding of it can fare you well! Over the years we have made various tools such as hostapd-mana to enable attacks against Wi-Fi, and then tools such as berate_ap for those people who don’t want to, or have to, learn how to use hostapd-mana. In our Unplugged: Modern Wi-Fi Hacking course you will be forced to shun the convenience of automated tools such as berate_ap and get dirty with setting up Access Points and Client configurations in a terminal window to ensure you have a good understanding of what is happening under the hood.
Analysis Summary
# Tool/Technique: hostapd-mana
## Overview
`hostapd-mana` is a tool developed by SensePost to enable various attacks against Wi-Fi networks, often involving the setup of malicious Access Points (APs). It is mentioned in the context of Wi-Fi hacking training where users are encouraged to move beyond automated tools to understand underlying mechanics.
## Technical Details
- Type: Tool
- Platform: Linux (Implied, as related tools like `hostapd` and general wireless tooling are Linux-centric)
- Capabilities: Enabling Wi-Fi attacks, setting up custom Access Points.
- First Seen: Not specified, but context implies it is an established tool for custom AP setups.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
- T1090.003 - Proxy: Multi-hop Proxy (Potentially, depending on configuration to relay traffic)
- TA0009 - Collection
- T1005 - Data from Local System (If used to capture credentials or session information)
- TA0004 - Privilege Escalation
- T1484 - Domain Trust Manipulation (Less direct, but related to network control)
## Functionality
### Core Capabilities
- Facilitating advanced configuration of Wi-Fi access points for attack scenarios.
- Enabling users to perform attacks that require manual configuration rather than relying on high-level automation.
### Advanced Features
- The name "mana" suggests advanced frameworks often associated with fake AP/Evil Twin attacks, typically incorporating features like captive portal redirection or credential harvesting, although the article focuses on its role as a foundational setup tool.
## Indicators of Compromise
- File Hashes: N/A (Source code repository provided)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Creation of a custom Access Point interface, manipulation of wireless drivers.
## Associated Threat Actors
- SensePost (as the developer/promoter of the tool for training purposes).
- General penetration testers or malicious actors targeting Wi-Fi infrastructure.
## Detection Methods
- Detection would focus on the presence of non-standard or compromised `hostapd` configurations, abnormal AP broadcasting SSIDs, or unusual wireless interface activity.
- **Behavioral detection:** Monitoring system processes for the execution of custom wireless daemon software where standard configurations are expected.
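As an added illustration (not from the article, and not part of hostapd-mana or any SensePost tool), this is the allow-list check behind "rogue/unauthorized AP" monitoring: beacon observations (constructed sample data; all SSIDs and BSSIDs are made up) are compared against an inventory of authorised BSSIDs and their expected security mode, flagging an unknown BSSID advertising a corporate SSID and a known BSSID whose advertised security mode no longer matches.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """One observed beacon, as a wireless scanner would report it."""
    ssid: str
    bssid: str      # AP MAC address
    channel: int
    security: str   # e.g. "WPA2-EAP", "WPA2-PSK", "OPEN"

# Authorised inventory (constructed): SSID -> {BSSID: expected security mode}.
AUTHORISED = {
    "CorpWiFi": {
        "aa:bb:cc:00:00:01": "WPA2-EAP",
        "aa:bb:cc:00:00:02": "WPA2-EAP",
    },
}

def classify_beacons(beacons, inventory=AUTHORISED):
    """Return (bssid, finding) pairs for beacons that advertise one of our
    SSIDs but do not match the inventory. Foreign SSIDs are ignored: an
    evil twin only matters when it impersonates a network we own."""
    findings = []
    for b in beacons:
        expected = inventory.get(b.ssid)
        if expected is None:
            continue
        bssid = b.bssid.lower()
        if bssid not in expected:
            # Our SSID from a BSSID we never deployed: the classic rogue/evil-twin signal.
            findings.append((bssid, "unknown_bssid"))
        elif b.security != expected[bssid]:
            # Known BSSID but a different security mode: a spoofed BSSID presenting
            # an open or PSK variant of the enterprise network.
            findings.append((bssid, "security_mismatch"))
    return findings

# Constructed sample observations (not real scan output).
SAMPLE_BEACONS = [
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 36, "WPA2-EAP"),   # legitimate
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, "OPEN"),        # rogue: unknown BSSID
    Beacon("CorpWiFi", "AA:BB:CC:00:00:02", 1, "WPA2-PSK"),    # spoofed BSSID, downgraded
    Beacon("CoffeeShop", "11:22:33:44:55:66", 11, "OPEN"),     # not our network
]

if __name__ == "__main__":
    for bssid, finding in classify_beacons(SAMPLE_BEACONS):
        print(f"{bssid}: {finding}")
```

Channel is carried but deliberately not compared: auto-channel selection makes channel changes a poor signal on their own.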
## Mitigation Strategies
- Network monitoring for rogue/unauthorized Access Points.
- Implementing strong enterprise authentication protocols (e.g., WPA3-Enterprise) instead of easily manipulable open or WPA2-Personal networks.
## Related Tools/Techniques
- berate_ap (An automated alternative tool mentioned in the context)
- airodump-ng (Used for network reconnaissance)
- macchanger (Used to spoof MAC addresses)
- OpenNDS (A captive portal implementation that is targeted by the techniques discussed)
---
# Tool/Technique: berate_ap
## Overview
`berate_ap` is an automated tool designed for Wi-Fi attacks, serving as a convenient alternative for users who prefer not to learn the manual configuration required by tools like `hostapd-mana`.
## Technical Details
- Type: Tool (Automation Framework)
- Platform: Linux (Implied)
- Capabilities: Automated execution of Wi-Fi attacks, likely including Evil Twin or rogue AP setups.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
- TA0003 - Persistence (If configured to restart automatically)
## Functionality
### Core Capabilities
- Simplifying complex Wi-Fi attack setup through automation.
### Advanced Features
- Convenience and ease of use compared to manual terminal configuration.
## Indicators of Compromise
- File Hashes: N/A (Source code repository provided)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Automated network interface configuration changes, broadcasting of targeted SSIDs.
## Associated Threat Actors
- Beginners or efficiency-focused individuals seeking quick Wi-Fi exploitation results.
## Detection Methods
- Detection would focus on system processes executing the `berate_ap` binary or script.
- Monitoring wireless adapter configurations for rapid changes indicative of automated AP setup.
## Mitigation Strategies
- Employing NAC solutions that validate AP identity.
- User training to avoid connecting to unexpected or spoofed SSIDs.
## Related Tools/Techniques
- hostapd-mana (The tool whose functionality it automates)
---
# Technique: Captive Portal Impersonation / MAC Spoofing
## Overview
This technique bypasses standard captive portals (e.g., in hotels or restaurants) by observing the MAC addresses of already authenticated users and then impersonating one of those addresses to gain unauthorized internet access.
## Technical Details
- Type: Technique
- Platform: Wi-Fi enabled client devices
- Capabilities: Bypassing network authorization mechanisms based on MAC address allow-listing.
- First Seen: Inherently tied to the implementation of MAC-based captive portals.
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- T1533 - Steal or Forge Credentials (MAC address acts as a temporary credential here)
- TA0005 - Defense Evasion
- T1036 - Masquerading
- T1036.005 - Masquerading: Match Legitimate Name or Location (MAC spoofing to blend in)
## Functionality
### Core Capabilities
- Network reconnaissance using `airodump-ng` to discover connected user MAC addresses (Stations).
- Changing the client device's MAC address using `macchanger` to mimic an authenticated user.
- Accessing the network based on the victim's existing authentication status.
### Advanced Features
- Credential or session theft is implied if the impersonation is paired with subsequent traffic snooping or man-in-the-middle attacks.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `macchanger` execution observed.
- Registry Keys: N/A
- Network Indicators: A client MAC address changes rapidly, or a newly connected client is observed communicating with a MAC address that matches a previously connected, authenticated device.
- Behavioral Indicators: Use of `airodump-ng` or similar tools to monitor the BSSID/channel traffic immediately prior to connection establishment.
## Associated Threat Actors
- General attackers, pentesters, or opportunistic users attempting to use free/paid Wi-Fi without authorization.
## Detection Methods
- **Behavioral detection:** Logging and alerting on frequent or rapid MAC address changes on the client device, especially immediately following association with an AP.
- Monitoring the DHCP/authentication logs for multiple devices suddenly using the same MAC address sequentially, or an unauthenticated device suddenly gaining full access.
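An added example (not from the article, and not OpenNDS code) of the second detection method above, run over a constructed DHCP and portal log. The line format, MACs, IPs and hostnames are all made up for the example: a MAC that the portal has authenticated and that later obtains a DHCP lease under a different client hostname is flagged, since the address is the same but the device behind it is not.

```python
import re

# Constructed log format (not the real ISC dhcpd or OpenNDS syntax):
#   <timestamp> dhcp ack <mac> <ip> host=<dhcp-hostname>
#   <timestamp> portal auth <mac> <ip>
LINE_RE = re.compile(
    r"^(\S+) (dhcp ack|portal auth) ([0-9A-Fa-f:]{17}) (\S+)(?: host=(\S+))?$"
)

def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, kind, mac, ip, host = m.groups()
    return {"ts": ts, "kind": kind, "mac": mac.lower(), "ip": ip,
            "host": host.lower() if host else None}

def find_mac_reuse(lines):
    """Flag a portal-authenticated MAC whose later DHCP lease carries a
    different client hostname than its earlier lease."""
    authenticated = set()
    last_host = {}
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "portal auth":
            authenticated.add(ev["mac"])
            continue
        prev = last_host.get(ev["mac"])
        if ev["mac"] in authenticated and prev is not None and ev["host"] != prev:
            alerts.append((ev["ts"], ev["mac"], prev, ev["host"]))
        last_host[ev["mac"]] = ev["host"]
    return alerts

# Constructed sample log (made-up MACs, IPs and hostnames).
SAMPLE_LOG = """\
2024-05-01T10:00:01 dhcp ack 3c:22:fb:aa:bb:01 10.0.0.21 host=alices-phone
2024-05-01T10:00:05 portal auth 3c:22:fb:aa:bb:01 10.0.0.21
2024-05-01T10:03:10 dhcp ack 3c:22:fb:aa:bb:02 10.0.0.22 host=bobs-laptop
2024-05-01T10:03:15 portal auth 3c:22:fb:aa:bb:02 10.0.0.22
2024-05-01T10:12:40 dhcp ack 3C:22:FB:AA:BB:01 10.0.0.21 host=kali
2024-05-01T10:20:00 dhcp ack 3c:22:fb:aa:bb:02 10.0.0.22 host=bobs-laptop
""".splitlines()

if __name__ == "__main__":
    for ts, mac, before, after in find_mac_reuse(SAMPLE_LOG):
        print(f"{ts} {mac}: hostname changed {before} -> {after} after portal auth")
```

A hostname change is a weak signal on its own (a reinstalled OS produces the same event), so in practice it is correlated with the AP association logs and the MAC-change indicators listed above before any session is revoked.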
## Mitigation Strategies
- **Transition away from MAC-based authentication:** Employing protocols that rely on credentials or certificates (802.1X, WPA2/3 Enterprise).
- **Dynamic MAC Address Logging:** Systems managing the captive portal should detect and potentially blacklist devices that switch MAC addresses shortly after authentication or exhibit patterns suggesting impersonation.
## Related Tools/Techniques
- airodump-ng (Reconnaissance)
- macchanger (Execution)
- OpenNDS (Targeted system)