Full Report
At Defcon 22 we presented several improvements in wifi rogue access point attacks. We entitled the talk “Manna from heaven” and released the MANA toolkit. I’ll be doing two blog entries. The first will describe the improvements made at a wifi layer, and the second will cover the network credential interception stuff. If you just want the goodies, you can get them at the end of this entry for the price of scrolling down.
Analysis Summary
# Tool/Technique: MANA Toolkit / hostapd-mana
## Overview
The MANA toolkit, built around the patched `hostapd-mana`, is a set of tools that makes Wi-Fi rogue access point (AP) attacks more effective. It builds on two earlier techniques: KARMA-style probe response spoofing and EAP credential capture (the MSCHAPv2 challenge/response harvesting of `freeradius-wpe`). Its purpose is to get wireless clients to associate with a malicious AP by answering their probe requests with the networks they are looking for, and then to capture the credentials of clients whose saved profiles are for 802.1X/EAP networks.
## Technical Details
- Type: Tool / Framework
- Platform: Linux; a patched build of `hostapd` plus supporting scripts.
- Capabilities:
* KARMA attacks extended by recording each client's Preferred Network List (PNL) from its probe requests and answering its broadcast probes with those networks.
* EAP credential capture with offline cracking: the MSCHAPv2 challenge/response from PEAP or EAP-TTLS clients is written to a file for `asleap` (or similar tools).
* Modified probe response handling in `hostapd`: directed probe responses are sent in reply to broadcast probe requests, one per stored SSID.
- First Seen: Presented at Defcon 22 (August 2014); the source blog post is dated before 23 February 2015.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
  * T1557 - Adversary-in-the-Middle (the rogue AP places itself between the client and the network it expects)
  * T1557.004 - Adversary-in-the-Middle: Evil Twin (the AP impersonates SSIDs from the client's PNL)
  * T1110.002 - Brute Force: Password Cracking (offline cracking of the captured MSCHAPv2 challenge/response with `asleap`)
- TA0009 - Collection
  * T1557 - Adversary-in-the-Middle (traffic from associated clients passes through the attacker; the credential interception is the subject of the second blog entry)
- TA0007 - Discovery
  * T1040 - Network Sniffing (harvesting SSIDs from client probe requests to build the PNL)
*(Note: forging 802.11 probe responses is not itself an ATT&CK technique; the closest fit is Adversary-in-the-Middle / Evil Twin. Proxy (T1090), Exfiltration Over C2 Channel (T1041) and Remote Services (T1021) describe post-compromise behaviour that the toolkit does not implement, so they are not mapped here.)*
## Functionality
### Core Capabilities
- **Improved KARMA Attacks**: classic KARMA answers a directed probe request ("is network X here?") with "yes". Modern clients, mobile devices especially, mostly send broadcast probe requests with an empty SSID and check for a network that way before they associate. `hostapd-mana` therefore:
1. Stores the Preferred Network List (PNL) of each client, learned from the directed probes it does send.
2. Responds to a client's broadcast probe with a tailored directed probe response for every network in that client's stored PNL.
3. Makes sure the broadcast probe is answered as well as the directed one, since modern devices (mobile in particular) will not associate to a network that only showed up in the directed exchange.
- **EAP Credential Capture**: the `freeradius-wpe` technique, reimplemented inside `hostapd-mana`'s built-in EAP server, so the inner MSCHAPv2 challenge/response of PEAP and EAP-TTLS clients is intercepted.
- Any username is accepted into the inner authentication; the challenge/response pair is written to a file for offline cracking.
- The AP cannot complete the MSCHAPv2 exchange without the password (the final authenticator response depends on it), so the client's first attempt fails. Once the password has been cracked offline and handed back to the AP, the client's next attempt succeeds and it associates.
### Advanced Features
- **iOS Hidden Network Behaviour**: iOS devices only send directed probes for hidden networks in their PNL when at least one hidden network is present nearby. To catch an iOS client probing for a remembered hidden network, the attacker therefore also has to run a hidden network (any hidden network, even a fake one) alongside the rogue AP.
- **Integrated Cracking**: Ships with a small Python tool, `crackapd`, that hands the intercepted MSCHAPv2 challenge/response pairs to `asleap` with a wordlist (e.g. `rockyou.txt`) and feeds recovered passwords back so the client's next attempt succeeds.
## Indicators of Compromise
- File Hashes: Not provided in the article. Hashes of the public `hostapd-mana` build are of limited value anyway, since the tool runs on attacker-controlled hardware rather than on a victim host.
- File Names: `hostapd-mana`, `crackapd`.
- Registry Keys: Not applicable (Linux/wireless tool focus).
- Network Indicators: The tool works at the 802.11 management frame layer, forging probe responses. The rogue BSSID advertises SSIDs taken from victims' PNLs, so it will be seen answering for networks that belong to other organisations, or to your own infrastructure, from a BSSID you do not own.
- Behavioral Indicators:
* A single BSSID answering broadcast probe requests with directed probe responses for many unrelated SSIDs.
* A client attempting EAP authentication against an unknown AP, failing, and then succeeding after a delay (the interval in which the captured MSCHAPv2 response was cracked offline).
## Associated Threat Actors
The information describes research presented at Defcon and the release of public tools. Users are therefore security researchers and penetration testers, and potentially threat actors who pick up the public toolkit. No specific threat group is named as *actively* using this capability in the provided context.
## Detection Methods
- Signature-based detection: Signatures or hashes for the `hostapd-mana` binary catch it only on hosts you administer; the AP itself runs on attacker hardware, so this is a weak control.
- Behavioral detection: A wireless IDS watching for a BSSID that answers broadcast probe requests with directed probe responses for many unrelated SSIDs (the MANA PNL fan-out), or for your own SSIDs being advertised from a BSSID that is not part of your infrastructure.
- YARA rules: Not provided in the article.
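To make the probe-handling behaviour and the detection it invites concrete, here is an added example (not code from the page, from the talk, or from `hostapd-mana`) that models the KARMA/MANA logic described under Core Capabilities next to an ordinary AP, and runs the fan-out detector from the Behavioral detection bullet over the resulting frames. Frames are plain records, not real 802.11; MAC addresses and SSIDs are constructed. The "loud" per-all-clients mode is assumed from `hostapd-mana`'s configuration options, not from this page.

```python
"""Model of hostapd-mana probe handling beside a legitimate AP, plus the
PNL fan-out detector a wireless IDS would run. Added example; frames are
plain records, not 802.11, and all addresses/SSIDs are constructed."""
from collections import defaultdict
from dataclasses import dataclass

WILDCARD = ""  # empty SSID element = broadcast (wildcard) probe request
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str    # transmitter MAC: client for probe requests, BSSID for responses
    dst: str    # receiver MAC
    kind: str   # "probe_req" or "probe_resp"
    ssid: str   # SSID element; WILDCARD for a broadcast probe request


class LegitAP:
    """An ordinary AP: answers only for the SSID it actually serves."""

    def __init__(self, bssid, ssid):
        self.bssid, self.ssid = bssid, ssid

    def handle(self, req):
        if req.ssid in (WILDCARD, self.ssid):
            return [Frame(self.bssid, req.src, "probe_resp", self.ssid)]
        return []


class ManaAP:
    """Models hostapd-mana. A directed probe is answered KARMA-style and the
    SSID is recorded in that client's PNL; a broadcast probe is answered with
    one directed probe response per recorded SSID (the MANA addition).
    loud=False: per-client PNL (default). loud=True: every SSID any client
    revealed (assumed 'loud' mode; a tool option, not described on the page)."""

    def __init__(self, bssid, loud=False):
        self.bssid, self.loud = bssid, loud
        self.pnl = defaultdict(set)   # client MAC -> SSIDs it probed for
        self.all_ssids = set()

    def handle(self, req):
        if req.ssid != WILDCARD:
            self.pnl[req.src].add(req.ssid)
            self.all_ssids.add(req.ssid)
            return [Frame(self.bssid, req.src, "probe_resp", req.ssid)]
        ssids = self.all_ssids if self.loud else self.pnl[req.src]
        return [Frame(self.bssid, req.src, "probe_resp", s) for s in sorted(ssids)]


def run(aps, requests):
    """Deliver every probe request to every AP in range; return the frame log."""
    log = []
    for req in requests:
        log.append(req)
        for ap in aps:
            log.extend(ap.handle(req))
    return log


def pnl_fanout(frames, threshold=2):
    """Detector: BSSIDs that sent probe responses for more than `threshold`
    distinct SSIDs. A legitimate AP answers for the few SSIDs it serves; a
    MANA AP answers for whatever its victims have been probing for."""
    by_bssid = defaultdict(set)
    for f in frames:
        if f.kind == "probe_resp":
            by_bssid[f.src].add(f.ssid)
    return {b: s for b, s in by_bssid.items() if len(s) > threshold}


# Constructed scenario: two clients leak PNL entries via directed probes, then
# send the broadcast probe that modern devices use before associating.
CLIENT_A, CLIENT_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
REQUESTS = [
    Frame(CLIENT_A, BROADCAST, "probe_req", "HomeWifi"),
    Frame(CLIENT_A, BROADCAST, "probe_req", "CoffeeShop"),
    Frame(CLIENT_B, BROADCAST, "probe_req", "CorpGuest"),
    Frame(CLIENT_A, BROADCAST, "probe_req", WILDCARD),
    Frame(CLIENT_B, BROADCAST, "probe_req", WILDCARD),
]
LEGIT_BSSID, MANA_BSSID = "00:11:22:33:44:55", "66:77:88:99:aa:bb"


def demo(loud=False):
    """Run the scenario against one legitimate and one MANA AP; return (log, flagged)."""
    log = run([LegitAP(LEGIT_BSSID, "CafeNet"), ManaAP(MANA_BSSID, loud=loud)], REQUESTS)
    return log, pnl_fanout(log)


if __name__ == "__main__":
    for loud in (False, True):
        _, flagged = demo(loud)
        print(f"loud={loud}: flagged {flagged}")
```

In the default mode client B only hears about its own `CorpGuest`; in loud mode it is also offered the SSIDs client A leaked, which is noisier but catches clients that never sent a directed probe. Either way the detector flags the rogue BSSID on the count of distinct SSIDs it answered for, while the legitimate AP stays under the threshold; a real IDS would add a time window and a whitelist of multi-SSID controllers you operate.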
## Mitigation Strategies
- **Prune the PNL and disable auto-connect**: Remove unused networks from devices and turn off auto-join for open or untrusted networks, so there are fewer remembered SSIDs for a rogue AP to impersonate.
- **Reduce probing**: Keep client operating systems updated; the `wpa_supplicant` patch mentioned below and similar vendor changes limit how often clients probe for remembered networks by name.
- **Validate the RADIUS server on EAP clients**: The MSCHAPv2 response is only exposed if the client accepts the rogue AP's TLS certificate. Configure PEAP/EAP-TTLS profiles with the CA certificate and server name of your RADIUS server, or move to EAP-TLS (certificate-based) authentication, which gives the attacker nothing to crack. WPA3 does not change the inner EAP method and is not a fix for this.
- **Avoid hidden networks**: A hidden network in the PNL forces the device to probe for it by name. Do not configure hidden SSIDs on mobile devices; the iOS behaviour above reduces but does not remove this exposure.
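The two client-side settings that matter most here, server certificate validation for tunnelled EAP and hidden-network probing, are both visible in a `wpa_supplicant.conf`. The following added example (not part of the page or of the MANA toolkit) audits such a file for them; the configuration text is constructed for the example, and the option names (`ca_cert`, `ca_path`, `domain_suffix_match`, `domain_match`, `subject_match`, `altsubject_match`, `scan_ssid`) are standard `wpa_supplicant` options.

```python
"""Audit a wpa_supplicant.conf for the settings that let a MANA-style AP
harvest the inner EAP credential or learn hidden SSIDs. Added example;
the config text below is constructed, not taken from the page."""

SAMPLE_CONF = '''
# weak: PEAP/MSCHAPv2 with no server certificate validation at all
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# hardened: same network, but only talks to a server that chains to our CA
# and whose certificate name matches
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}

# hidden home network: forces directed probes for its name wherever the device goes
network={
    ssid="HomeHidden"
    scan_ssid=1
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
'''

TUNNELED_EAP = {"PEAP", "TTLS"}
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Minimal parser for network={ ... } blocks: key=value lines, quotes stripped."""
    networks, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            networks.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return the findings for one network block (empty list = nothing to report)."""
    findings = []
    if "WPA-EAP" in net.get("key_mgmt", "") and net.get("eap") in TUNNELED_EAP:
        # The inner MSCHAPv2 exchange only reaches the rogue AP if the client
        # first accepts its TLS certificate; ca_cert/ca_path is what stops that.
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("no ca_cert: inner MSCHAPv2 response goes to any AP with any certificate")
        elif not any(k in net for k in NAME_CHECKS):
            findings.append("ca_cert set but no server name match: any cert from that CA is accepted")
    if net.get("scan_ssid") == "1":
        findings.append("hidden network (scan_ssid=1): client must probe for this SSID by name")
    return findings


def audit_conf(text):
    """Return [(ssid, findings), ...] in file order."""
    return [(n.get("ssid", "?"), audit_network(n)) for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        print(ssid, "->", findings or ["ok"])
```

The name-match check matters when `ca_cert` points at a general bundle rather than a private CA: a certificate from any public CA would then satisfy the client, so `domain_suffix_match` (or one of the related options) is what ties the tunnel to your RADIUS server. Mobile platforms have no `wpa_supplicant.conf`, but the equivalent profile fields (CA certificate and server domain) exist there and deserve the same check.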
## Related Tools/Techniques
- **KARMA Attack**: The foundational technique improved upon by MANA.
- **freeradius-wpe**: The earlier project whose MSCHAPv2 challenge/response capture was ported into `hostapd-mana` (the cracking itself is done by `asleap`).
- **wpa_supplicant patch**: Mentioned as a development that limits the "stupid probing behavior" that these attacks exploit.