Hostapd-wpe (Wireless Pwnage Edition) is a patch for hostapd v2.2 created by the OpenSecurity Research group as a replacement for FreeRADIUS-WPE. The WPE patch implements 802.1X authentication server impersonation attacks in order to obtain client credentials, and also implements the Cupid attack, which exploits the Heartbleed vulnerability (CVE-2014-0160) against clients connecting over EAP-PEAP/TLS/TTLS.


This article arose from the need for a portable device for testing the security of wireless infrastructures (802.11b/g/n and 802.11ac). To this end, a TP-Link Archer C5 AC1200 router (supported by OpenWrt) and a Powergorilla rechargeable portable charger were purchased to give the device autonomy.

Hostapd-wpe for OpenWrt Barrier Breaker 14.07 (hostapd 2014-06-04 – v2.2)

OpenWrt already provides a package with the Aircrack-ng suite, but none for testing WPA-Enterprise environments. The Tarlogic Security team (Acrylic WiFi) has created a custom hostapd-wpe package for OpenWrt Barrier Breaker.

The original WPE patch was written against the hostapd v2.2 source tree, but the hostapd package for OpenWrt carries many patches of its own that modify that code base to fix various errors, so the WPE changes had to be applied manually.

OPKG (.ipk) packages have been built for all architectures supported by OpenWrt. Working configuration files are also included for setting up 802.11bgn or 802.11ac networks.

The OPKG packages as well as the source code and the OpenWrt package ready for compilation can be downloaded from the following link:

The file includes all the precompiled packages (.ipk) in the /ipk directory:

  • hostapd-wpe_2014-06-03.1-1_ar71xx.ipk
  • hostapd-wpe_2014-06-03.1-1_ar7.ipk
  • hostapd-wpe_2014-06-03.1-1_at91.ipk
  • hostapd-wpe_2014-06-03.1-1_atheros.ipk
  • hostapd-wpe_2014-06-03.1-1_au1000.ipk
  • hostapd-wpe_2014-06-03.1-1_brcm2708.ipk
  • hostapd-wpe_2014-06-03.1-1_brcm47xx.ipk
  • hostapd-wpe_2014-06-03.1-1_brcm63xx.ipk
  • hostapd-wpe_2014-06-03.1-1_cns21xx.ipk
  • hostapd-wpe_2014-06-03.1-1_cns3xxx.ipk
  • hostapd-wpe_2014-06-03.1-1_imx6.ipk
  • hostapd-wpe_2014-06-03.1-1_ixp4xx.ipk
  • hostapd-wpe_2014-06-03.1-1_kirkwood.ipk
  • hostapd-wpe_2014-06-03.1-1_lantiq.ipk
  • hostapd-wpe_2014-06-03.1-1_malta_mips64.ipk
  • hostapd-wpe_2014-06-03.1-1_malta_mipsel64.ipk
  • hostapd-wpe_2014-06-03.1-1_malta_mipsel.ipk
  • hostapd-wpe_2014-06-03.1-1_malta_mips.ipk
  • hostapd-wpe_2014-06-03.1-1_mpc85xx.ipk
  • hostapd-wpe_2014-06-03.1-1_octeon.ipk
  • hostapd-wpe_2014-06-03.1-1_ramips_24kec.ipk
  • hostapd-wpe_2014-06-03.1-1_ramips.ipk
  • hostapd-wpe_2014-06-03.1-1_realview.ipk
  • hostapd-wpe_2014-06-03.1-1_x86.ipk
  • hostapd-wpe_2014-06-03.1-1_xburst.ipk

The package for TP-Link Archer C5 AC1200 is located at ipk/ar71xx/generic.

Figure: OpenWrt with hostapd-wpe cracking

The cross-compilation procedure for building the hostapd-wpe package for any architecture supported by OpenWrt is detailed below.

Cross-compiling of hostapd-wpe for OpenWrt Barrier Breaker 14.07

  • hostapd-wpe build environment – Prerequisites

The operating system used for compiling the package was Kali Linux 1.1.0 x86-64. The procedure has also been carried out on Debian 7.8.0.

The SDK tools require the following packages: GNU C++, GNU AWK, ncurses, zlib, ccache, Git, Mercurial/Hg and Subversion. The following command installs them.

apt-get install g++ libncurses5-dev git-core subversion mercurial gawk zlib1g-dev ccache


NOTE:
The known prerequisite packages, and their names in other Linux distributions, are listed on the OpenWrt wiki: wiki.openwrt.org

  • Device with OpenWrt Barrier Breaker 14.07 firmware
  • SDK for the target architecture

OpenWrt SDKs are available for all the supported architectures and for each firmware release. They can be downloaded from the following URL: https://downloads.openwrt.org/

  • Build steps:
    • Select the firmware release Barrier Breaker 14.07.
    • Select the target device architecture. For the TP-Link Archer C5 AC1200 this is ar71xx.
    • Select the subtarget. For the TP-Link Archer C5 this is generic.
    • Download the SDK: OpenWrt-SDK-XXXX-for-linux-x86_64-gcc-4.8-linaro_uClibc-0.9.33.2.tar.bz2

  • Hostapd-WPE package for OpenWrt 14.07

The package can be downloaded from the following link: hostapd-wpe-for-OpenWrt-14.07.tar

The directory structure is shown below:

  • bootstrap: script for creating custom self-signed certificates.
  • certs: default certificates and private keys.
  • config: default configuration files for setting up 802.11bgn and 802.11ac networks.
  • dl: hostapd-wpe source code.
  • package: hostapd-wpe OpenWrt package, ready to be compiled with the SDK.

Cross-compiling procedure:

The following steps are needed to compile the hostapd-wpe package for OpenWrt Barrier Breaker 14.07:

  • Decompress the SDK. The extracted directory will be referred to as {SDK_DIRECTORY}.
  • Decompress the file hostapd-wpe-for-OpenWrt-14.07.tar and copy package/hostapd-wpe into {SDK_DIRECTORY}/package

cp -R hostapd-wpe {SDK_DIRECTORY}/package/

  • Copy the hostapd-wpe source code (dl/hostapd-2014-06-03.1.tar.bz2) into {SDK_DIRECTORY}/dl so the build does not try to download it

cp ./dl/hostapd-2014-06-03.1.tar.bz2 {SDK_DIRECTORY}/dl/

Finally, move to the SDK root directory and run the make target for the package.

cd {SDK_DIRECTORY}

make package/hostapd-wpe/compile

The hostapd-wpe OPKG (.ipk) package will be created in the following directory:

{SDK_DIRECTORY}/bin/{ARCHITECTURE}/packages/base/

From this point the package can be installed manually.

Hostapd-WPE for OpenWrt Barrier Breaker 14.07 installation

To install hostapd-wpe, copy the .ipk built for the target architecture to the device using SCP and install it with the following command.

opkg install hostapd-wpe_2014-06-03.1-1_ar71xx.ipk

The hostapd-wpe binary is installed in /usr/sbin and the configuration files are copied to /usr/local/etc/hostapd-wpe.
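Before copying one of the precompiled packages to the router it is worth looking inside it: the .ipk is a third-party binary you are about to run on your own test equipment, and its Architecture field must match one of the architectures the device reports with opkg print-architecture, otherwise opkg rejects the install. The following POSIX shell script is an added example written for this article; it is not part of hostapd-wpe, of the Tarlogic package or of OpenWrt. It assumes the standard OpenWrt .ipk layout (a gzip-compressed tar holding debian-binary, control.tar.gz and data.tar.gz) and needs only tar, gzip, sed, grep and mktemp, all present on Kali/Debian. The script name ipk-inspect.sh and the router address 192.168.1.1 in the comments are placeholders.

```shell
#!/bin/sh
# Added example for this article: inspect an OpenWrt .ipk before installing it.
# Not part of hostapd-wpe or of OpenWrt; assumes the standard .ipk layout
# (gzip-compressed tar containing debian-binary, control.tar.gz and data.tar.gz).
# Needs only tar, gzip, sed, grep and mktemp, as found on Kali/Debian.

# Extract the whole .ipk into a fresh temporary directory and print its path.
ipk_unpack() {
    tmp=$(mktemp -d) || return 1
    if tar -xzf "$1" -C "$tmp" 2>/dev/null; then
        printf '%s\n' "$tmp"
    else
        rm -rf "$tmp"
        return 1
    fi
}

# Print one field (Package, Version, Architecture, ...) of the control file.
# Fails if the .ipk cannot be unpacked or the field is absent.
ipk_field() {
    dir=$(ipk_unpack "$1") || return 1
    tar -xzf "$dir/control.tar.gz" -C "$dir" 2>/dev/null
    value=$(sed -n "s/^$2: *//p" "$dir/control")
    rm -rf "$dir"
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# List the paths data.tar.gz would write onto the router (leading "./" removed,
# directory entries kept), so the binary and config locations can be confirmed
# without installing anything.
ipk_files() {
    dir=$(ipk_unpack "$1") || return 1
    tar -tzf "$dir/data.tar.gz" | sed 's|^\./||' | grep -v '^$'
    rm -rf "$dir"
}

# Check that the package architecture is one the device accepts. $2 is the
# output of "opkg print-architecture" on the router (lines such as
# "arch ar71xx 10"), e.g. captured with:
#   ssh root@192.168.1.1 opkg print-architecture     (placeholder address)
ipk_matches_device() {
    arch=$(ipk_field "$1" Architecture) || return 1
    printf '%s\n' "$2" | grep -q "^arch $arch "
}

# Stand-alone use: ./ipk-inspect.sh hostapd-wpe_2014-06-03.1-1_ar71xx.ipk
if [ -n "$1" ]; then
    echo "Package:      $(ipk_field "$1" Package)"
    echo "Version:      $(ipk_field "$1" Version)"
    echo "Architecture: $(ipk_field "$1" Architecture)"
    echo "Files installed:"
    ipk_files "$1" | sed 's/^/  /'
fi
```

Run against the ar71xx package, the file list should show usr/sbin/hostapd-wpe and the usr/local/etc/hostapd-wpe/ configuration directory described above; if ipk_matches_device fails for the Archer C5, you have picked a package from the wrong ipk/ subdirectory.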

The next article will detail how to use hostapd-wpe to capture and crack client hashes in order to recover client credentials in WPA-Enterprise (802.1X) environments.