PEAPwn is a proof-of-concept implementation of the Apple relay attack introduced at WiSec 2014. It uses a modified version of the wpa_supplicant
tool by Jouni Malinen to establish a PEAP or EAP-TTLS session with the target Authentication Server, and a Python script to exploit several vulnerabilities in iOS < 8 and the MSCHAPv2 protocol. This allows an attacker to gain unauthorized access to any WPA2-Enterprise network that uses a tunneled authentication protocol such as PEAP or EAP-TTLS.
Link to the paper: http://research.edm.uhasselt.be/~bbonne/docs/robyns14wpa2enterprise.pdf
Currently, only Linux based operating systems are supported. To build the PoC, perform the following steps:
- Install the Scapy library for Python 2.
- Install libnl1
- Navigate to mods/hostap/wpa_supplicant.
- cp defconfig .config
- Run
make
.
To run the PoC, one is required to have two NICs. At least one of these devices is required to support Monitor mode. The PoC can then be run as follows:
# python2 peapwn.py <infra_nic> <mon_nic> <essid>
For example, to attack a network with SSID testnet
:
# python2 peapwn.py wlan0 wlan1 testnet
This PoC is intended for research purposes only, and should only be used in a legal context. For example, to verify the security of your own networks.
- More robust error handling.