Full Report
Back in 2018, I was interested that MSCHAPv2 and NTLMv1 hashes crack using the same algorithms, and wanting to get onto the WiFi of one of our clients, I naively thought “Surely if you can relay NTLMv1 and it uses the same crypto as MSCHAPv2, you should be able to relay MSCHAPv2!”. This resulted in the creation of wpa_sycophant (and its helper berate_ap) to perform PEAP relay attacks. It was presented in our Defcon talk last year from about 17m in.
Analysis Summary
# Tool/Technique: wpa\_sycophant and berate\_ap (PEAP Relay Attacks)
## Overview
`wpa_sycophant` and its helper `berate_ap` are custom-developed tools created to perform **Protected Extensible Authentication Protocol (PEAP) relay attacks** against EAP-protected WiFi networks. The idea came from the observation that MSCHAPv2 (the usual inner method of PEAP) and NTLMv1 use the same challenge-response construction, so an NTLM-relay style attack ought to work against PEAP as well. The attack is a Man-in-the-Middle (MitM) setup built from a modified rogue AP (`hostapd-mana`) and a modified supplicant (`wpa_sycophant`): the victim's inner MSCHAPv2 exchange is relayed into a second PEAP session that the attacker holds with the legitimate network.
## Technical Details
- Type: Tool
- Platform: Implied Linux/Unix-like systems (given the reliance on `hostapd` and `wpa_supplicant` modifications).
- Capabilities: Performing PEAP relay attacks by mediating authentication between a WiFi client and a legitimate Access Point (AP).
- First Seen: Developed around 2018, publicized around 2019 (Defcon talk).
## MITRE ATT&CK Mapping
The technique is an adversary-in-the-middle position on the wireless link, used to borrow the victim's credentials for one authentication rather than to steal them outright.
- **TA0006 - Credential Access** and **TA0009 - Collection** (the tactics ATT&CK assigns to T1557)
- **T1557 - Adversary-in-the-Middle** (relaying the victim's inner MSCHAPv2 challenge-response into the attacker's own session with the legitimate network)
- **T1557.004 - Adversary-in-the-Middle: Evil Twin** (the rogue AP run by `hostapd-mana` that lures the victim into the attacker's outer TLS tunnel)
- **T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay** is the wired-side NTLM relay the author used as the model for this attack; it is the analogue, not something the tools themselves perform
## Functionality
### Core Capabilities
1. **Rogue AP Impersonation (via `hostapd-mana`):** A modified `hostapd-mana` acts as a rogue AP that entices victim devices to connect by answering their network probes (the wireless analogue of how `Responder` answers LLMNR/NBT-NS queries in the NTLM world). Because the victim does not validate the server certificate, `hostapd-mana` terminates the victim's outer PEAP TLS tunnel itself.
2. **Attacker Session to the Legitimate Network:** `wpa_sycophant` (a modified `wpa_supplicant`) associates to the *legitimate* AP and builds its own outer TLS tunnel to the real RADIUS server, which then issues the inner MSCHAPv2 challenge to the attacker.
3. **Relay Mechanism:** The inner challenge is written to a file shared with `hostapd-mana`, which presents it to the victim inside the rogue tunnel; the victim's MSCHAPv2 response is written back and `wpa_sycophant` submits it inside its tunnel to the legitimate server. Only the inner challenge and response cross between the two tunnels.
4. **Inner Authentication Reliance:** `wpa_sycophant` never performs the inner authentication calculation itself and never learns the password; the victim, connected to `hostapd-mana`, computes every MSCHAPv2 response on the attacker's behalf.
### Advanced Features
* **Separable Components:** Using files to synchronize state between `wpa_sycophant` and `hostapd-mana` allows the two components to run on different hosts, potentially enabling relay attacks across geographically separated networks.
* **"Auto Crack 'n Add" Equivalent:** Older `mana` techniques captured the MSCHAPv2 hash and had to crack it offline before the attacker could join the network. A successful relay gives the attacker an authenticated session immediately: the legitimate RADIUS server accepts the victim's response inside the attacker's tunnel, so the attacker's supplicant is treated as the victim and is placed on the network. The hash itself is still captured and can be cracked later, but the access no longer waits on that.
* **RADIUS Server Relay (Alternative):** The author notes that using `hostapd`'s built-in RADIUS server could potentially enable more reliable remote relaying than file synchronization.
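The relay flow above, and the reason the crypto-binding mitigation listed later on this page stops it, as an added model in Python. This is illustrative code written for this page, not code from `wpa_sycophant` or `hostapd-mana`. It uses HMAC-SHA256 as a stand-in for MSCHAPv2's MD4/DES arithmetic and random bytes as a stand-in for the TLS-derived tunnel keys (both assumptions made so it runs without legacy crypto); the class and function names, the `hunter2` password and the server behaviour are hypothetical. What it shows is that the attacker holds two separate outer tunnels, shuttles only the inner challenge/response between them, and gets in unless the binding between inner keys and outer tunnel is checked.

```python
"""PEAP relay model: two outer TLS tunnels, one relayed inner MSCHAPv2 exchange.

Assumptions (not the real algorithms): HMAC-SHA256 replaces the MSCHAPv2
NT-Response and MPPE key derivation; os.urandom replaces TLS-derived keys.
"""
import hmac
import os
from dataclasses import dataclass, field


def nt_response(password: bytes, challenge: bytes) -> bytes:
    # Stand-in for the MSCHAPv2 NT-Response: only a party holding the password can produce it.
    return hmac.new(password, b"chap|" + challenge, "sha256").digest()


def inner_key(password: bytes, response: bytes) -> bytes:
    # Stand-in for the MPPE keys MSCHAPv2 derives from the password hash; the relay never learns it.
    return hmac.new(password, b"mppe|" + response, "sha256").digest()


def crypto_binding(tunnel_key: bytes, isk: bytes) -> bytes:
    # Crypto-binding TLV: ties the inner-method key to the outer tunnel the inner method ran in.
    return hmac.new(tunnel_key, b"cb|" + isk, "sha256").digest()


@dataclass
class TlsTunnel:
    """One PEAP outer tunnel; both endpoints of that tunnel share `key`."""
    server_cert_trusted: bool
    key: bytes = field(default_factory=lambda: os.urandom(32))


@dataclass
class Victim:
    password: bytes
    validates_server_cert: bool = False  # the weak client default that enables the attack

    def open_tunnel(self, cert_trusted: bool) -> TlsTunnel:
        if self.validates_server_cert and not cert_trusted:
            raise PermissionError("victim rejected the server certificate")
        return TlsTunnel(server_cert_trusted=cert_trusted)

    def answer(self, tunnel: TlsTunnel, challenge: bytes):
        # The victim computes the response and its binding over the tunnel *it* is in.
        resp = nt_response(self.password, challenge)
        return resp, crypto_binding(tunnel.key, inner_key(self.password, resp))


@dataclass
class RadiusServer:
    password: bytes              # the server's copy of the credential (NT hash in real MSCHAPv2)
    require_cryptobinding: bool

    def challenge(self) -> bytes:
        return os.urandom(16)

    def finish(self, tunnel: TlsTunnel, challenge: bytes, response: bytes, binding: bytes) -> bool:
        if not hmac.compare_digest(response, nt_response(self.password, challenge)):
            return False
        if self.require_cryptobinding:
            # Server binds over the tunnel *it* terminated; in a relay that is the attacker's tunnel.
            expected = crypto_binding(tunnel.key, inner_key(self.password, response))
            return hmac.compare_digest(binding, expected)
        return True


def direct_login(victim: Victim, server: RadiusServer) -> bool:
    """Honest client: one tunnel shared by victim and server, so bindings agree."""
    tunnel = victim.open_tunnel(cert_trusted=True)
    chal = server.challenge()
    resp, binding = victim.answer(tunnel, chal)
    return server.finish(tunnel, chal, resp, binding)


def peap_relay(victim: Victim, server: RadiusServer) -> bool:
    """Attacker: hostapd-mana side owns rogue_tunnel, wpa_sycophant side owns legit_tunnel."""
    try:
        rogue_tunnel = victim.open_tunnel(cert_trusted=False)   # rogue AP presents its own cert
    except PermissionError:
        return False                                            # cert validation ends it here
    legit_tunnel = TlsTunnel(server_cert_trusted=True)          # sycophant <-> real RADIUS
    chal = server.challenge()                                   # arrives inside legit_tunnel
    resp, binding = victim.answer(rogue_tunnel, chal)           # relayed via the shared file
    # On success the attacker, owning legit_tunnel, derives the session keys and is on the network.
    return server.finish(legit_tunnel, chal, resp, binding)


if __name__ == "__main__":
    pw = b"hunter2"  # constructed credential for the demo
    print("direct login, binding required :", direct_login(Victim(pw), RadiusServer(pw, True)))
    print("relay, no binding              :", peap_relay(Victim(pw), RadiusServer(pw, False)))
    print("relay, binding required        :", peap_relay(Victim(pw), RadiusServer(pw, True)))
    print("relay, client validates cert   :",
          peap_relay(Victim(pw, validates_server_cert=True), RadiusServer(pw, False)))
```

The model makes the asymmetry explicit: the relay never needs the password because the victim computes every response, and it only fails when something the attacker cannot forge (the inner key) is mixed with something the attacker cannot share across both sides (the tunnel key).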
## Indicators of Compromise
* **File Hashes:** Not provided in the text.
* **File Names:** `wpa_sycophant`, `berate_ap`.
* **Registry Keys:** Not applicable/provided.
* **Network Indicators:** None provided; the technique lives at the 802.1X/EAP layer on the wireless link rather than producing external C2 traffic. Artefacts a defender can see are a second AP beaconing the target SSID and a PEAP server certificate that does not chain to the organisation's CA.
* **Behavioral Indicators:** The relayed authentication arrives at the legitimate RADIUS server from the attacker's supplicant, so the victim's identity authenticates from a client MAC address (and AP) that does not belong to the victim's device, possibly while the real device is still associated to the rogue AP. Where crypto-binding is enforced, the relay shows up as a crypto-binding failure for an otherwise valid MSCHAPv2 response.
## Associated Threat Actors
The tools were developed by SensePost researchers (Michael Kruger). Usage by established adversarial threat groups is not mentioned in this context.
## Detection Methods
* **Signature-based detection:** Custom signatures for the modified executables (`wpa_sycophant`, `berate_ap`) on hosts under your control; this does not help on the attacker's laptop, which is where the tools run.
* **Behavioral detection:** Wireless IDS alerts for a rogue AP advertising the corporate SSID (the `hostapd-mana` side is, by design, an evil twin); RADIUS authentication and accounting logs correlated against the inventory of client MAC addresses, flagging a user identity that authenticates from an unknown supplicant; crypto-binding failures on the RADIUS server where it is enabled. The file-based state exchange between the two tools happens entirely on attacker-controlled hosts and is not observable by the target.
* **YARA rules:** Not provided in the text.
## Mitigation Strategies
1. **Enable Cryptobinding (Cryptographic Binding):** This is the primary defense against PEAP relay attacks. PEAPv0 crypto-binding exchanges a TLV whose value is derived from both the inner-method keys (the MSCHAPv2 MPPE keys, which only the victim and the real server can compute) and the keys of the outer TLS tunnel the inner method ran in. In a relay the victim's inner exchange ran inside the rogue tunnel while the server's ran inside the attacker's tunnel, so the two bindings never match and the server (or a client that requires the TLV) rejects the session. It must be *required*, not merely supported, on the RADIUS server; on Windows NPS this is the "Disconnect Clients without Cryptobinding" PEAP setting.
2. **Server Certificate Validation:** Clients must validate the certificate presented by the RADIUS server through the AP: the chain must lead to the expected CA and the name must match the expected server, pinned in the supplicant or group policy rather than left to the user. A client that accepts any certificate lets `hostapd-mana` terminate the outer tunnel, which is what makes the inner exchange visible and relayable.
3. **Remove the Relayable Inner Method:** Prefer EAP-TLS (client certificates) over PEAP-MSCHAPv2 where the client population allows it; with no password challenge-response inside the tunnel there is nothing to relay. Where PEAP-MSCHAPv2 stays, make sure network access control does not fall back to profiles that skip certificate validation or crypto-binding.
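What the client-side half of these mitigations looks like in a `wpa_supplicant` network block, as an added example for this page (not configuration shipped with wpa_sycophant or taken from the author's post). The SSID, identity, password, CA path and server name are hypothetical placeholders; the option names are standard `wpa_supplicant.conf` settings.

```conf
# Relayable profile: any server certificate is accepted and crypto-binding is
# never requested, so a rogue AP can terminate the outer tunnel and relay the
# inner MSCHAPv2 exchange.
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened profile (replace the block above; shown separately only for contrast):
#  - ca_cert pins the CA that must issue the RADIUS server certificate
#  - domain_match pins the server name inside that certificate
#  - crypto_binding=2 makes the supplicant refuse a PEAPv0 session without a
#    valid crypto-binding TLV, which a relay cannot produce for this tunnel
#  - anonymous_identity keeps the real username out of the cleartext outer EAP
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase1="peapver=0 crypto_binding=2"
    phase2="auth=MSCHAPV2"
}
```

Client-side enforcement alone is enough to break the relay for that client, because the rogue AP cannot compute the binding without the inner keys; the server-side requirement is still wanted so that unmanaged or misconfigured clients do not undo it.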
## Related Tools/Techniques
* `hostapd-mana` (Used as the rogue AP base/server side of the relay)
* `hostapd` (Base software)
* `wpa_supplicant` (Base software that was modified into `wpa_sycophant`)
* `Responder` (The LLMNR/NBT-NS poisoning and NTLM relay tool used as the analogy for this attack)
* `bettercap` (Mentioned in the context of post-authentication operations)