Added EAP Success options

EAP success is now configurable. It's only up for PEAP-MSCHAPv2. EAP-TTLS does EAP Success too but not in a configurable or smart way. I'll get to that next. I also cleaned up some config option ordering, to group options better. I also removed some left over code from early EAP attempts.
sensepost · Aug 2, 2018 · 133517d · 133517d
1 parent ea05e75
commit 133517d
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 52 deletions.
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
@@ -2192,6 +2192,12 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 		fclose(f);
 		conf->mana_credout = tmp2;
 		wpa_printf(MSG_INFO, "MANA: Captured credentials will be written to. File %s set.",conf->mana_credout);
+	} else if (os_strcmp(buf, "mana_eapsuccess") == 0) {
+		int val = atoi(pos);
+		conf->mana_eapsuccess = (val != 0);
+		if (conf->mana_eapsuccess) {
+			wpa_printf(MSG_DEBUG, "MANA: EAP success mode enabled");
+		}
 	// MANA END
 	} else if (os_strcmp(buf, "dump_file") == 0) {
 		wpa_printf(MSG_INFO, "Line %d: DEPRECATED: 'dump_file' configuration variable is not used anymore",
@@ -3712,6 +3718,7 @@ struct hostapd_config * hostapd_config_read(const char *fname)
 	conf->mana_ssid_filter_file = "NOT_SET"; //default none
 	conf->mana_wpe = 0; //default off; 1 - dump credentials captured during EAP exchanges 0 - function as normal
 	conf->mana_credout = "NOT_SET"; //default non
+	conf->mana_eapsuccess = 0; //default off; 1 - allow clients to connect even with incorrect creds 0 - function as normal
 	// MANA END
 
 	while (fgets(buf, sizeof(buf), f)) {

diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
@@ -149,6 +149,12 @@ static int hostapd_ctrl_iface_mana_get_wpemode (struct hostapd_data *hapd)
 	return hapd->iconf->mana_wpe;
 }
 
+static int hostapd_ctrl_iface_mana_get_eapsuccessmode (struct hostapd_data *hapd)
+{
+	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPSUCCESS MODE STATUS QUERY");
+	return hapd->iconf->mana_eapsuccess;
+}
+
 static int hostapd_ctrl_iface_mana_change_ssid (struct hostapd_data *hapd,
 					     const char *ssid) {
 	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE CHANGE SSID %s", ssid);
@@ -212,6 +218,18 @@ static int hostapd_ctrl_iface_mana_wpe_enable_disable (struct hostapd_data *hapd
 
 	return 0;
 }
+
+static int hostapd_ctrl_iface_mana_eapsuccess_enable_disable (struct hostapd_data *hapd, int status)
+{
+	if (status) {
+		wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPSUCCESS MODE ENABLED");
+	} else {
+		wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPSUCCESS MODE DISABLED");
+	}
+	hapd->iconf->mana_eapsuccess = status;
+
+	return 0;
+}
 // MANA END
 
 #ifdef CONFIG_IEEE80211W
@@ -2638,38 +2656,6 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
 		reply_len = hostapd_ctrl_driver_flags(hapd->iface, reply,
 						      reply_size);
  	// MANA
-	} else if (os_strcmp(buf, "MANA_STATE") == 0) {
-		if (hostapd_ctrl_iface_mana_get_state(hapd)) {
-			os_memcpy(reply, "MANA ENABLED\n", 14);
-			reply_len = 14;
-		} else {
-			os_memcpy(reply, "MANA DISABLED\n", 15);
-			reply_len = 15;
-		}
-	} else if (os_strcmp(buf, "MANA_MODE") == 0) {
-		if (hostapd_ctrl_iface_mana_get_mode(hapd)) {
-			os_memcpy(reply, "MANA LOUD MODE ENABLED\n", 23);
-			reply_len = 23;
-		} else {
-			os_memcpy(reply, "MANA LOUD MODE DISABLED\n", 24);
-			reply_len = 24;
-		}
-	} else if (os_strcmp(buf, "MANA_ACLMODE") == 0) {
-		if (hostapd_ctrl_iface_mana_get_aclmode(hapd)) {
-			os_memcpy(reply, "MANA ACL MODE ENABLED\n", 22);
-			reply_len = 22;
-		} else {
-			os_memcpy(reply, "MANA ACL MODE DISABLED\n", 23);
-			reply_len = 23;
-		}
-	} else if (os_strcmp(buf, "WPE_MODE") == 0) {
-		if (hostapd_ctrl_iface_mana_get_wpemode(hapd)) {
-			os_memcpy(reply, "MANA WPE MODE ENABLED\n", 22);
-			reply_len = 22;
-		} else {
-			os_memcpy(reply, "MANA WPE MODE DISABLED\n", 23);
-			reply_len = 23;
-		}
 	} else if (os_strcmp(buf, "MANA_GET_SSID") == 0) {
 		wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE GET SSID");
 		size_t len;
@@ -2692,24 +2678,70 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
 	} else if (os_strcmp(buf, "MANA_ENABLE") == 0) {
 		if (hostapd_ctrl_iface_mana_enable_disable(hapd, 1))
 			reply_len = -1;
+	} else if (os_strcmp(buf, "MANA_STATE") == 0) {
+		if (hostapd_ctrl_iface_mana_get_state(hapd)) {
+			os_memcpy(reply, "MANA ENABLED\n", 14);
+			reply_len = 14;
+		} else {
+			os_memcpy(reply, "MANA DISABLED\n", 15);
+			reply_len = 15;
+		}
 	} else if (os_strcmp(buf, "LOUD_ENABLE") == 0) {
 		if (hostapd_ctrl_iface_mana_loud_enable_disable(hapd, 1))
 			reply_len = -1;
 	} else if (os_strcmp(buf, "LOUD_DISABLE") == 0) {
 		if (hostapd_ctrl_iface_mana_loud_enable_disable(hapd, 0))
 			reply_len = -1;
+	} else if (os_strcmp(buf, "MANA_MODE") == 0) {
+		if (hostapd_ctrl_iface_mana_get_mode(hapd)) {
+			os_memcpy(reply, "MANA LOUD MODE ENABLED\n", 23);
+			reply_len = 23;
+		} else {
+			os_memcpy(reply, "MANA LOUD MODE DISABLED\n", 24);
+			reply_len = 24;
+		}
 	} else if (os_strcmp(buf, "MANAACL_ENABLE") == 0) {
 		if (hostapd_ctrl_iface_mana_macacl_enable_disable(hapd, 1))
 			reply_len = -1;
 	} else if (os_strcmp(buf, "MANAACL_DISABLE") == 0) {
 		if (hostapd_ctrl_iface_mana_macacl_enable_disable(hapd, 0))
 			reply_len = -1;
+	} else if (os_strcmp(buf, "MANA_ACLMODE") == 0) {
+		if (hostapd_ctrl_iface_mana_get_aclmode(hapd)) {
+			os_memcpy(reply, "MANA ACL MODE ENABLED\n", 22);
+			reply_len = 22;
+		} else {
+			os_memcpy(reply, "MANA ACL MODE DISABLED\n", 23);
+			reply_len = 23;
+		}
 	} else if (os_strcmp(buf, "WPE_ENABLE") == 0) {
 		if (hostapd_ctrl_iface_mana_wpe_enable_disable(hapd, 1))
 			reply_len = -1;
 	} else if (os_strcmp(buf, "WPE_DISABLE") == 0) {
 		if (hostapd_ctrl_iface_mana_wpe_enable_disable(hapd, 0))
 			reply_len = -1;
+	} else if (os_strcmp(buf, "WPE_MODE") == 0) {
+		if (hostapd_ctrl_iface_mana_get_wpemode(hapd)) {
+			os_memcpy(reply, "MANA WPE MODE ENABLED\n", 22);
+			reply_len = 22;
+		} else {
+			os_memcpy(reply, "MANA WPE MODE DISABLED\n", 23);
+			reply_len = 23;
+		}
+	} else if (os_strcmp(buf, "EAPSUCCESS_ENABLE") == 0) {
+		if (hostapd_ctrl_iface_mana_eapsuccess_enable_disable(hapd, 1))
+			reply_len = -1;
+	} else if (os_strcmp(buf, "EAPSUCCESS_DISABLE") == 0) {
+		if (hostapd_ctrl_iface_mana_eapsuccess_enable_disable(hapd, 0))
+			reply_len = -1;
+	} else if (os_strcmp(buf, "EAPSUCCESS_MODE") == 0) {
+		if (hostapd_ctrl_iface_mana_get_eapsuccessmode(hapd)) {
+			os_memcpy(reply, "MANA EAPSUCCESS MODE ENABLED\n", 29);
+			reply_len = 29;
+		} else {
+			os_memcpy(reply, "MANA EAPSUCCESS MODE DISABLED\n", 30);
+			reply_len = 30;
+		}
  	// END MANA
 	} else {
 		os_memcpy(reply, "UNKNOWN COMMAND\n", 16);

diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
@@ -52,6 +52,12 @@ mana_macacl=0
 # from the cracking string by a tab if you'd like to grep & cut.
 #mana_credout=hostapd.credout
 
+# Enabled EAP Success mode (from WPE)
+# Allow clients to connect with incorrect credentials
+# Most often, when rogue AP'ing you won't have the clients creds
+# But still want a shot at collecting them via MitM
+#mana_eapsuccess=1
+
 ##### hostapd configuration file ##############################################
 # Empty lines and lines starting with # are ignored
 

diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c
@@ -393,7 +393,7 @@ static int hostapd_cli_cmd_mana_macacl_enable(struct wpa_ctrl *ctrl, int argc, c
 }
 static int hostapd_cli_cmd_mana_get_aclmode(struct wpa_ctrl *ctrl, int argc, char *argv[])
 {
-	return wpa_ctrl_command(ctrl, "MANA_ACLMODE");
+	return wpa_ctrl_command(ctrl, "MANAACL_MODE");
 }
 static int hostapd_cli_cmd_mana_wpe_disable(struct wpa_ctrl *ctrl, int argc, char *argv[])
 {
@@ -407,6 +407,18 @@ static int hostapd_cli_cmd_mana_get_wpemode(struct wpa_ctrl *ctrl, int argc, cha
 {
 	return wpa_ctrl_command(ctrl, "WPE_MODE"); 
 }
+static int hostapd_cli_cmd_mana_eapsuccess_disable(struct wpa_ctrl *ctrl, int argc, char *argv[])
+{
+	return wpa_ctrl_command(ctrl, "EAPSUCCESS_DISABLE");
+}
+static int hostapd_cli_cmd_mana_eapsuccess_enable(struct wpa_ctrl *ctrl, int argc, char *argv[])
+{
+	return wpa_ctrl_command(ctrl, "EAPSUCCESS_ENABLE");
+}
+static int hostapd_cli_cmd_mana_get_eapsuccess(struct wpa_ctrl *ctrl, int argc, char *argv[])
+{
+	return wpa_ctrl_command(ctrl, "EAPSUCCESS_STATE");
+}
 // END MANA
 
 
@@ -1453,6 +1465,9 @@ static const struct hostapd_cli_cmd hostapd_cli_commands[] = {
  	{ "mana_wpe_off", hostapd_cli_cmd_mana_wpe_disable, NULL, "= disable mana's wpe mode" },
  	{ "mana_wpe_on", hostapd_cli_cmd_mana_wpe_enable, NULL, "= enable mana's wpe mode" },
 	{ "mana_wpe_state", hostapd_cli_cmd_mana_get_wpemode, NULL, "= check mana's wpe mode" },
+ 	{ "mana_eapsuccess_off", hostapd_cli_cmd_mana_eapsuccess_disable, NULL, "= disable mana's eapsuccess mode" },
+ 	{ "mana_eapsuccess_on", hostapd_cli_cmd_mana_eapsuccess_enable, NULL, "= enable mana's eapsuccess mode" },
+	{ "mana_eapsuccess_state", hostapd_cli_cmd_mana_get_eapsuccess, NULL, "= check mana's eapsuccess mode" },
  // END MANA
 
 	{ NULL, NULL, NULL, NULL }

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
@@ -620,6 +620,7 @@ struct hostapd_config {
 	char * mana_ssid_filter_file;
 	int mana_wpe;
 	char * mana_credout;
+	int mana_eapsuccess;
 	// MANA END
 
 	u16 beacon_int;

diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
@@ -164,29 +164,21 @@ int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,
 		 int phase2)
 {
 	struct eap_user *user;
-	struct eap_user *user2;
 	char ident = 't';
 
 	wpa_printf(MSG_INFO, "MANA EAP Identity Phase %d: %.*s", phase2, (int)identity_len, identity);
 
 	if (sm == NULL || sm->eapol_cb == NULL ||
-	    sm->eapol_cb->get_eap_user == NULL) {
+	    sm->eapol_cb->get_eap_user == NULL)
 		return -1;
-	}
 
 	eap_user_free(sm->user);
 	sm->user = NULL;
+
 	user = os_zalloc(sizeof(*user));
-	if (user == NULL) {
+	if (user == NULL)
 	    return -1;
-	}
-	user2 = os_zalloc(sizeof(*user2));
-	if (user2 == NULL) {
-		return -1;
-	}
-	if (sm->eapol_cb->get_eap_user(sm->eapol_ctx, identity, identity_len, phase2, user2) != 0) {
-		user2 = NULL;
-	}
+
 	if(phase2) {
 		identity = (const u8 *)&ident;
 		identity_len = 1;
@@ -196,15 +188,10 @@ int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,
 		eap_user_free(user);
 		return -1;
 	}
-	if (user2 != NULL) {
-		user->password = user2->password;
-		user->password_len = user2->password_len;
-	}
 
 	sm->user = user;
 	sm->user_eap_method_index = 0;
 
-
 	return 0;
 }
 

diff --git a/src/eap_server/eap_server_mschapv2.c b/src/eap_server/eap_server_mschapv2.c
@@ -410,7 +410,11 @@ static void eap_mschapv2_process_response(struct eap_sm *sm,
 		return;
 	}
 
-	os_memcpy(expected, nt_response, 24); //MANA set challenges to match
+	//MANA Start
+	if (mana.conf->mana_eapsuccess) {
+		os_memcpy(expected, nt_response, 24); //MANA set challenges to match
+	}
+	//MANA End
 	if (os_memcmp_const(nt_response, expected, 24) == 0) {
 		const u8 *pw_hash;
 		u8 pw_hash_buf[16], pw_hash_hash[16];
@@ -451,7 +455,9 @@ static void eap_mschapv2_process_response(struct eap_sm *sm,
 		wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Invalid NT-Response");
 		data->state = FAILURE_REQ;
 	}
-	data->state = SUCCESS; //MANA WPE
+	if (mana.conf->mana_eapsuccess) { //MANA
+		data->state = SUCCESS; //MANA WPE
+	}
 }