I stumbled upon the FreeRADIUS-WPE<\/a> patch a while back. I’m a big fan of capturing challenge\/response handshakes and trying to crack them, so that someone applied this to wireless was very interesting to me. I played with it for a bit and then decided it needed to be extended to a Karma-style answer any and all probes role. I initially looked at combining an airbase-ng setup with FreeRADIUS-WPE, but that didn’t go anywhere. In the end, I simply hacked hostapd<\/a>. I’ve also provided the fine John folks a patch for MSCHAPv2 bruting, which you can find in their Jumbo patches. Here ya go:<\/p>\n HostAPd w\/ Karma-Style Fun<\/p>\n HostAP Karma Patch (0.6.9)<\/a> <\/p>\n The eaper.py script utilizes the wpa_supplicant daemon to perform (very slow) brute-force logons of LEAP\/EAP-PEAP networks. This means that\u00a0wpa_supplicant should be running prior to executing eaper.py. If\u00a0the daemon is not auto-started by your operating system, the\u00a0following should suffice:<\/p>\n % sudo wpa_supplicant -iwlan0 -c .\/wpa_supplicant.conf<\/p>\n The following example will test each user listed in “users.txt”\u00a0with the passwords listed in “pass.txt” and a password matching\u00a0the respective username.<\/p>\n % .\/eaper.py -s some_ssid -U users.txt -P pass.txt -e<\/p>\n The following example will test username\/password combinations\u00a0found in “combo.txt”. The format of the file is username:password.<\/p>\n % .\/eaper.py -s some_ssid -c combo.txt<\/p>\n It’s important to note that when wpa_supplicant successfully\u00a0connects, it generates valid keys for the network. These keys\u00a0are used on subsequent logon attempts and username\/password\u00a0attempts are not really performed, potentially resulting in\u00a0false positives. If you want to continue testing after finding\u00a0a valid credential pair, restart wpa_supplicant.<\/p>\n\n
\nHostAP Karma Patch (hostap_0_7_2-775-g9fc6aa9)<\/a>
\nHostAP Karma Patch (1.0)<\/a><\/p>\nEAP Brute-Force Logon Script<\/h2>\n