Full Report
mana development has been chugging along nicely. However, the OffSec crew politely asked us to move mana to proper releases a while back, which we've just done. This is about one of the many changes pushed in our first new set of releases since October 2014: 1.3.1-Fixy McFixface. There's a longer summary of what's new available at the previous release page, 1.3-WPE & ACLs, with the WPE functionality extensions, from and inspired by Brad Antoniewicz's work, being the coolest from a pwnage perspective.
Analysis Summary
# Tool/Technique: MANA (specifically updates in versions 1.3 and 1.3.1)
## Overview
MANA is a framework/toolset (often associated with Rogue AP attacks) designed to capture and respond to wireless probe requests, managing interactions with various devices, especially in the context of malicious access points. The updates discussed focus on improving proportionality and handling the challenge posed by random MAC addresses used by modern operating systems.
## Technical Details
- Type: Tool/Framework (used for Rogue AP/MITM attacks)
- Platform: 802.11 wireless infrastructure on Linux; built on a modified hostapd (hostapd-mana).
- Capabilities: Rogue Access Point functionality, capturing probe requests, responding to probes, "loud mode" for mass response, and updated MAC Access Control List (ACL) functionality extending to management frames.
- First Seen: The article references previous releases dating back to October 2014, with specific updates discussed around May 2016 (releases 1.3 and 1.3.1).
## MITRE ATT&CK Mapping
The primary functionality of MANA relates to gathering information and setting up interception capabilities on a wireless network.
- **TA0011 - Command and Control** (Potentially via the establishment of an unauthorized listening/response point)
- T1090 - Proxy
- T1090.003 - Multi-hop Proxy (Indirectly, by establishing an interception infrastructure)
- **TA0007 - Discovery**
- T1543.003 - Rogue Access Point
- **TA0008 - Lateral Movement** (The goal of interception/rogue APs often leads here)
- T1550 - Use Alternate Authentication Material (If credentials are captured)
## Functionality
### Core Capabilities
- **Rogue Access Point Setup:** Establishing an access point to lure client connections.
- **Probe Request Capture:** Listening for and recording ESSIDs that client devices are probing for.
- **Loud Mode:** Responding to captured probes universally, advertising networks that clients remember, increasing the chance of connection/engagement from many nearby devices.
- **WPE Functionality Extensions (v1.3):** Enhancements derived from and inspired by Brad Antoniewicz's hostapd-wpe (Wireless Pwnage Edition) work, which the article singles out as the most useful addition from a "pwnage perspective".
### Advanced Features
- **MAC ACL Extension to Management Frames:** Extending MAC Access Control Lists (ACLs) beyond association level to cover management frames like probe requests and responses. This allows the rogue AP to hide from specific devices during the initial probing phase.
- **Binary Masking in ACLs:** Implementation of functionality similar to `airodump-ng` netmasking, allowing administrators to create flexible ACLs using bitmasks. This enables matching based on partial MAC addresses (e.g., matching by OUI or identifying all locally administered/randomized MAC addresses).
- **Handling Randomized MACs:** Gives the operator proportionality control: probes from devices using randomized MACs (e.g., iOS, modern Android) are still seen and logged, but responses can be restricted to specific targets, so the tool stays effective without engaging unintended devices.
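The bitmask ACL matching described above, as an added illustration that is not hostapd-mana's own code: a rule is a MAC address plus a 48-bit mask, only the masked bits are compared (like an IP netmask), so a mask of `ff:ff:ff:00:00:00` matches an OUI and a mask of `02:00:00:00:00:00` matches the IEEE locally-administered bit that randomized MACs set. The `MAC/mask` rule syntax, the rule labels and the sample addresses are assumptions made for this example; the page does not show hostapd-mana's actual `hostapd.accept` syntax.

```python
"""Bitmask MAC ACL matching in the style of airodump-ng netmasking.

Added example, not hostapd-mana code. The "MAC/mask" rule syntax is an
assumption for illustration; the real config syntax may differ.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ALL_BITS = 0xFFFFFFFFFFFF  # 48-bit all-ones mask: exact match


def parse_mac(text: str) -> int:
    """Parse a colon- or hyphen-separated MAC into a 48-bit integer."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {text!r}")
    value = 0
    for part in parts:
        octet = int(part, 16)
        if not 0 <= octet <= 0xFF:
            raise ValueError(f"bad MAC octet in {text!r}")
        value = (value << 8) | octet
    return value


@dataclass(frozen=True)
class MaskRule:
    addr: int
    mask: int
    label: str

    def matches(self, mac: int) -> bool:
        # Only bits set in the mask take part in the comparison.
        return (mac & self.mask) == (self.addr & self.mask)


def parse_rule(line: str, label: str = "") -> MaskRule:
    """'aa:bb:cc:00:00:00/ff:ff:ff:00:00:00' -> MaskRule; no mask means exact match."""
    addr_text, _, mask_text = line.partition("/")
    addr = parse_mac(addr_text)
    mask = parse_mac(mask_text) if mask_text else ALL_BITS
    return MaskRule(addr, mask, label or line.strip())


# Bit 0x02 of the first octet is the IEEE locally-administered flag. iOS and
# Android randomized MACs set it, so a mask covering only that bit matches
# every randomized address regardless of the other 47 bits.
LOCALLY_ADMINISTERED = parse_rule("02:00:00:00:00:00/02:00:00:00:00:00",
                                  "locally-administered")

# Constructed rule set (hypothetical OUI and station, not real devices).
RULES: List[MaskRule] = [
    parse_rule("00:11:22:33:44:55", "exact-station"),
    parse_rule("00:11:22:00:00:00/ff:ff:ff:00:00:00", "lab-oui"),
    LOCALLY_ADMINISTERED,
]


def is_locally_administered(mac_text: str) -> bool:
    return LOCALLY_ADMINISTERED.matches(parse_mac(mac_text))


def first_match(rules: List[MaskRule], mac_text: str) -> Optional[str]:
    """Return the label of the first matching rule, or None (first match wins)."""
    mac = parse_mac(mac_text)
    for rule in rules:
        if rule.matches(mac):
            return rule.label
    return None


def classify(macs: List[str]) -> Dict[str, Optional[str]]:
    """Classify each MAC against RULES; None means no ACL entry applies."""
    return {mac: first_match(RULES, mac) for mac in macs}


if __name__ == "__main__":
    sample = ["00:11:22:33:44:55", "00:11:22:aa:bb:cc",
              "da:a1:19:12:34:56", "f4:5c:89:00:00:01"]
    for mac, label in classify(sample).items():
        print(f"{mac}  ->  {label}")
```

Rule order matters: the exact-station entry is listed before the OUI entry so a specific device can be handled differently from the rest of its vendor block, and the locally-administered rule last catches every randomized address that nothing more specific claimed.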
## Indicators of Compromise
*Note: MANA is a framework, not malware; indicators are generally configuration-based for test setups.*
- File Hashes: Not provided in the context. References specific release tagged as `1.3.1-Fixy McFixface`.
- File Names: `hostapd.conf` (modified version utilized by MANA/hostapd-mana), `hostapd.accept` (for ACL rules).
- Registry Keys: Not applicable (primarily Linux/wireless tooling).
- Network Indicators: No specific C2 infrastructure is mentioned; the tool *creates* the attack infrastructure.
- Behavioral Indicators: Excessively broadcasting known ESSIDs indiscriminately ("loud mode"), responding to probes from devices with randomized MAC addresses unless ACLs are configured to filter management frames.
## Associated Threat Actors
- The tool is developed and maintained by the **SensePost** team.
- The article mentions the **OffSec crew** requesting proper releases, suggesting association with penetration testing communities.
## Detection Methods
Detection would focus on the atypical behavior of the underlying wireless hostapd process:
- Signature-based detection: Signatures for known versions of `hostapd-mana` binaries.
- Behavioral detection: Monitoring for rapid, unsolicited responses to passive wireless probe requests, or the dynamic creation/modification of hostapd configuration files to include management frame ACL extension logic.
- YARA rules: Not available in the context, but could be written against configuration files containing specialized mask syntax.
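The behavioral check described above, as an added example rather than anything from the article or the mana project: a legitimate access point answers probe requests with the SSID(s) it actually serves, whereas a BSSID in "loud mode" answers different clients with whatever network each one remembers. The detector below groups decoded probe responses by responding BSSID and flags any BSSID that advertises more distinct SSIDs than a threshold within a sliding time window. The log format and all sample addresses and SSIDs are constructed for this example.

```python
"""Flag BSSIDs that answer probe requests with many distinct SSIDs.

Added detection example; the log format is a constructed one:
"<epoch_seconds> <bssid> <client_mac> <ssid>" per decoded probe response.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample (not a real capture). One BSSID answers every client
# with that client's remembered network name, the other answers normally.
SAMPLE_LOG = """\
1000.10 aa:bb:cc:00:00:01 02:5e:11:22:33:44 CorpWiFi
1000.20 aa:bb:cc:00:00:01 02:5e:11:22:33:44 CorpWiFi
1000.35 66:77:88:99:00:01 da:a1:19:12:34:56 attwifi
1000.36 66:77:88:99:00:01 da:a1:19:12:34:56 xfinitywifi
1000.40 66:77:88:99:00:01 0a:12:34:56:78:9a HomeNet-5G
1000.41 66:77:88:99:00:01 0a:12:34:56:78:9a Starbucks
1000.50 66:77:88:99:00:01 02:5e:11:22:33:44 CorpWiFi
1000.52 66:77:88:99:00:01 02:5e:11:22:33:44 GuestNet
"""


@dataclass
class ProbeResponse:
    ts: float
    bssid: str
    client: str
    ssid: str


def parse_log(text: str) -> List[ProbeResponse]:
    """Parse the constructed log format; SSIDs may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, bssid, client, ssid = line.split(maxsplit=3)
        events.append(ProbeResponse(float(ts), bssid.lower(), client.lower(), ssid))
    return events


def detect_loud_responders(events: Iterable[ProbeResponse],
                           window: float = 10.0,
                           max_ssids: int = 2) -> Dict[str, List[str]]:
    """Return {bssid: sorted distinct SSIDs} for every BSSID that advertised
    more than max_ssids distinct SSIDs in probe responses within any window."""
    by_bssid: Dict[str, List[ProbeResponse]] = defaultdict(list)
    for ev in events:
        by_bssid[ev.bssid].append(ev)

    flagged: Dict[str, List[str]] = {}
    for bssid, evs in by_bssid.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Dict[str, int] = defaultdict(int)  # ssid -> count in window
        start = 0
        for ev in evs:
            in_window[ev.ssid] += 1
            # Drop events that fell out of the sliding window.
            while evs[start].ts < ev.ts - window:
                old = evs[start].ssid
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_ssids:
                flagged[bssid] = sorted({e.ssid for e in evs})
                break
    return flagged


def run(log_text: str = SAMPLE_LOG) -> Dict[str, List[str]]:
    return detect_loud_responders(parse_log(log_text))


if __name__ == "__main__":
    for bssid, ssids in run().items():
        print(f"{bssid} answered probes with {len(ssids)} SSIDs: {', '.join(ssids)}")
```

The threshold is deliberately small but not one: a single BSSID can legitimately belong to an AP that also answers wildcard probes, so tune `max_ssids` to the highest SSID count a real AP in the environment is expected to serve per BSSID, and treat the randomized (locally administered) client addresses in the sample as normal, since legitimate APs answer those too.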
## Mitigation Strategies
- **Prevention Measures:** Where the platform allows it, reduce how much client devices act on probe responses for remembered networks, since loud mode depends on clients accepting responses for networks they have probed for.
- **Hardening Recommendations:** Strict use of WPA3/Enterprise security limits what MANA can do once a client has associated. For administrators managing networks where MANA might be deployed:
  - Limit the number of ESSIDs advertised to reduce the success rate of probe response cache poisoning.
  - Monitor wireless traffic for signs of hostapd modifications or unusual probe flood/response patterns.
## Related Tools/Techniques
- Airodump-ng (Mentioned for its netmask functionality integration).
- Rogue AP attacks.
- hostapd-wpe (Wireless Pwnage Edition).