is this possible !!!!!!!!!!!!!!!!?????

[minanagehsalalma]

https://www.youtube.com/watch?v=HoihKhQWZ7k&feature=youtu.be

!!!!!!!!!

[singe]

Yes. See https://github.com/sensepost/hostapd-mana/wiki/MANA-EAP-Options-(aka-WPE)

…

On 15 Feb 2019, at 06:48, mina nageh salama ***@***.***> wrote: https://www.youtube.com/watch?v=HoihKhQWZ7k&feature=youtu.be !!!!!!!!! — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[CapitanShinChan]

This has been possible for many years. It depend on the underlying authentication mechanism and the validation of the certificates in the clients.

All started in Shmoocon in 2008, almost 11 years ago. Check these:
http://www.willhackforsushi.com/presentations/PEAP_Shmoocon2008_Wright_Antoniewicz.pdf
http://www.willhackforsushi.com/?page_id=37
https://github.com/OpenSecurityResearch/hostapd-wpe

[minanagehsalalma]

@singe @CapitanShinChan
As I understood from the links ...
Only TTLS-PAP and GTC that gets the password in plain text ...
So how should my .conf file have if I want to make it TTLS-PAP that doesn't accept wrong passwords ! .

And does this one
https://github.com/sensepost/wpa_sycophant
Gets the wpa password in plaintext via a rouge ap ?
...
Thanks

[singe]

It’s all in the wiki link I sent you.

[minanagehsalalma]

@singe
mana_wpe=1
I want it to use GTC only .. Which number should I type ?

[singe]

You control EAP modes with the radius config as documented at https://github.com/sensepost/hostapd-mana/wiki/Creating-PSK-or-EAP-Networks#eap_user_file the default config supports GTC. mana_wpe can only be 1 or 0 for on or off. This project is deprecated. Please open future requests on the hostapd-mana issue tracker. Please also spend some time reading the docs and testing before asking questions.

[minanagehsalalma]

@singe
"the default config supports GTC"
but supports is different than "use GTC only" no any other types ...
can you send me more links ?
as i it seems like i know nothing ...

[minanagehsalalma]

@singe @CapitanShinChan
i think this what i was looking for !!
https://twitter.com/W00Tock/status/1019251419310972930

[minanagehsalalma]

@singe
@CapitanShinChan
the hostapd.conf gave me headache ...can you please take a look on these and see if i did something wrong ?!😩😩
and is it possible to get plain text password using WPA-EAP mode ?
and is it possible to Switch between the identity and password section like the password section is renamed to identity and the identity section renamed to password ..
is there a more familiar mode that shows username instead of identity ??!

thanks I appreciate every response :)

simplest hostapd.conf

driver=hostap
mana_wpe=1
mana_credout=hostapd.credout
mana_loud=0
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=hostapd.eap_user
ca_cert=ca.pem
server_cert=server.pem
private_key=server.key
private_key_passwd=testtestx#7CL
dh_file=dhparam.pem
interface=wlan1
ssid=testwifi
channel=5
hw_mode=g
ap_max_inactivity=3000
eap_message=please\0enter\0your\0password
Operator-Name = "wifi"
manufacturer= ZTE
bssid=02:21:91:01:11:31

eap_user_file

`* PEAP,GTC,TTLS

`"t" GTC,TTLS-PAP "1234test" [2]

[minanagehsalalma]

And what if I want to make it use
TLS only !?

Should my eap_user_file
Be like this
"* TLS "
As there no inner modes for TLS !! ?

[minanagehsalalma]

@singe @CapitanShinChan
just like this

btw is the identity encrypted ??!
the description didn't say much

[CapitanShinChan]

No, the identity is not encrypted, since it's send before the TLS tunnel is established.

In order to be secure, you have to verify the certificate of the server.

[CapitanShinChan]

The identity is only sent for tracking of the session purposes before the TLS tunnel is established. A proper configured AAA server (RADIUS in this case) would allow you to use anonymous identities, which most of clients support.

If you want more details about how this works, take a look to the RFC: https://tools.ietf.org/html/rfc3748

[minanagehsalalma]

@CapitanShinChan thanks ..
"would allow you to use anonymous identities, "
I have read the identity part from the link .... But does it allow the user to chose between anonymous identities and just identities ... Which one shows up when he tries to connect with default settings ?
And what about the other two questions !?