Rogue EAP (PEAP) access point to obtain hashes

Question

I set up a rogue EAP access point using hostapd-mana. This lets me capture hashes of credentials which can later be cracked by asleap. However, my Android phone doesn't automatically connect to my (rogue) AP even though the SSID is the same and the rogue AP's signal strength is better than the legitimate access point. Why?

Clients do not connect by SSID, but by BSSID (MAC). The SSID is only a human thing :) — Yorick de Wid, Aug 30 '16 at 16:02

Azteca · Accepted Answer · 2017-01-18T23:29:57.157

4

There are few factors you need to have in mind when you want a "supplicant" to connect to an AP automatically. (This is called WiFi roaming)

If you want to set a Rogue AP or an Evil Twin (which aren't the same) to steal credentials and/or capture packets, here's the checklist:

Signal Strength (Make sure your rogue AP signal is higher than the legitimate AP)
ESSID (What probe requests look for)
Encryption algorithm (Open, WEP, WPA, etc.)
Cipher (CCMP, TKIP, WEP40, etc.)

Check all these and your device/supplicant should be able to connect automatically.

edited Jan 18 '17 at 23:29

answered Aug 30 '16 at 16:21

Azteca

1,116
7
16

1

Well said @Azteca – OscarAkaElvis Mar 02 '17 at 21:21

Rogue EAP (PEAP) access point to obtain hashes

1 Answers1

Linked