startfiles, readme and certificate template using OpenVPNs EasyRSA sc…

…ripts

README

@@ -0,0 +1,34 @@
+This project allows hostapd to be used for WPA-Enterprise MITM attacks by spoofing a target network access point.
+
+It adds logging for MSCHAPv2 challenge/response hashes and GTC plaintext passwords.
+
+Beware: The use of these patches may be obliged by your local law. Only operate this on your own network!
+
+Changes:
+- Configuration parameter "-F <wpe log>" outputs all relevant information to supplied wpe log file.
+  These include the mentioned authentication information, usernames, some TLS state machine information to analyse user settings for certificate checks and additionally RSSI information (if your wireless card reports them in MLME data) to use for filtering or additional analysis eg. for incomplete authentications (due to bad wireless conditions)
+
+Patches should apply to as of now latest HOSTAPD git version. It is also easy to apply the main changes to android versions of HOSTAPD as delivered for example with Cyanogenmod.
+
+The startscript helps you to setup a complete environment: run
+start.sh <interface> <SSID> <WPE log>
+
+The android startscript start_android.sh will automatically use the configured PERSIST_FOLDER with current date/time as WPE log file if none is given.
+
+with target interface/ssid/wpe log file output.
+
+It will copy the template certificates to an in script defined temporary folder, generate a new set of certificates, changes your wireless mac by calling macchanger and runs hostapd with the template config.
+
+The same startup file is available for the minimalist android environment.
+
+On android, you also need the macchanger utility.
+
+
+Configuration:
+Both shellscripts allow a little bit of configuration.
+MAC_FILE is the name of the faked mac assigned to the wlan interface. It may be used together with wlan monitor utilities to exclude your own rogue ap. Additionally, I had the idea of a deauthenticator that deauthenticates all stations from all APs except your own one. That may use this macfile.
+
+
+TMP_FOLDER is the storage of all temporary data like certificates (generated on each start) and the MAC_FILE
+PERSIST_FOLDER points to the folder where WPE log files are stored on android.
+HOSTAPD_BIN points to the hostapd binary to run. 

certs/Makefile

@@ -0,0 +1,138 @@
+######################################################################
+#
+#	Make file to be installed in /etc/raddb/certs to enable
+#	the easy creation of certificates.
+#
+#	See the README file in this directory for more information.
+#	
+#	$Id$
+#
+######################################################################
+
+DH_KEY_SIZE	= 1024
+
+#
+#  Set the passwords
+#
+PASSWORD_SERVER	= `grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
+PASSWORD_CA	= `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'`
+PASSWORD_CLIENT	= `grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
+
+USER_NAME	= `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`
+CA_DEFAULT_DAYS = `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`
+
+######################################################################
+#
+#  Make the necessary files, but not client certificates.
+#
+######################################################################
+.PHONY: all
+all: index.txt serial dh random server ca
+
+.PHONY: client
+client: client.pem
+
+.PHONY: ca
+ca: ca.der
+
+.PHONY: server
+server: server.pem server.vrfy
+
+######################################################################
+#
+#  Diffie-Hellman parameters
+#
+######################################################################
+dh:
+	openssl dhparam -out dh $(DH_KEY_SIZE)
+
+######################################################################
+#
+#  Create a new self-signed CA certificate
+#
+######################################################################
+ca.key ca.pem: ca.cnf
+	openssl req -new -x509 -keyout ca.key -out ca.pem \
+		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
+
+ca.der: ca.pem
+	openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
+
+######################################################################
+#
+#  Create a new server certificate, signed by the above CA.
+#
+######################################################################
+server.csr server.key: server.cnf
+	openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
+
+server.crt: server.csr ca.key ca.pem
+	openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+
+server.p12: server.crt
+	openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+
+server.pem: server.p12
+	openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+
+.PHONY: server.vrfy
+server.vrfy: ca.pem
+	openssl verify -CAfile ca.pem server.pem
+
+######################################################################
+#
+#  Create a new client certificate, signed by the the above server
+#  certificate.
+#
+######################################################################
+client.csr client.key: client.cnf
+	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
+
+client.crt: client.csr ca.pem ca.key
+	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+
+client.p12: client.crt
+	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+
+client.pem: client.p12
+	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+	cp client.pem $(USER_NAME).pem
+
+.PHONY: client.vrfy
+client.vrfy: server.pem client.pem 
+	c_rehash .
+	openssl verify -CApath . client.pem
+
+######################################################################
+#
+#  Miscellaneous rules.
+#
+######################################################################
+index.txt:
+	@touch index.txt
+
+serial:
+	@echo '01' > serial
+
+random:
+	@if [ -c /dev/urandom ] ; then \
+		dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; \
+	else \
+		date > ./random; \
+	fi
+
+print:
+	openssl x509 -text -in server.crt
+
+printca:
+	openssl x509 -text -in ca.pem
+
+clean:
+	@rm -f *~ *old client.csr client.key client.crt client.p12 client.pem
+
+#
+#	Make a target that people won't run too often.
+#
+destroycerts:
+	rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
+			serial* random *\.0 *\.1

certs/bootstrap

@@ -0,0 +1,81 @@
+#
+#  This is a wrapper script to create default certificates when the
+#  server first starts in debugging mode.  Once the certificates have been
+#  created, this file should be deleted.
+#
+#  Ideally, this program should be run as part of the installation of any
+#  binary package.  The installation should also ensure that the permissions
+#  and owners are correct for the files generated by this script.
+#
+#  $Id$
+#
+umask 027
+cd `dirname $0`
+
+make -h > /dev/null 2>&1
+
+#
+#  If we have a working "make", then use it.  Otherwise, run the commands
+#  manually.
+#
+if [ "$?" = "0" ]; then
+  make all
+  exit $?
+fi
+
+#
+#  The following commands were created by running "make -n", and edited
+#  to remove the trailing backslash, and to add "exit 1" after the commands.
+#
+#  Don't edit the following text.  Instead, edit the Makefile, and
+#  re-generate these commands.
+#
+if [ ! -f dh ]; then
+  openssl dhparam -out dh 1024 || exit 1
+  if [ -e /dev/urandom ] ; then
+	dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1;
+  else
+	date > ./random;
+  fi
+fi
+
+if [ ! -f server.key ]; then
+  openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
+fi
+
+if [ ! -f ca.key ]; then
+  openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
+fi
+
+if [ ! -f index.txt ]; then
+  touch index.txt
+fi
+
+if [ ! -f serial ]; then
+  echo '01' > serial
+fi
+
+if [ ! -f server.crt ]; then
+  openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
+fi
+
+if [ ! -f server.p12 ]; then
+  openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+fi
+
+if [ ! -f server.pem ]; then
+  openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+  openssl verify -CAfile ca.pem server.pem || exit 1
+fi
+
+if [ ! -f ca.der ]; then
+  openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
+fi
+
+if [ ! -f client.key ]; then
+  openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
+fi
+
+if [ ! -f client.crt ]; then
+  openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+fi

certs/ca.cnf

@@ -0,0 +1,59 @@
+[ ca ]
+default_ca		= CA_default
+
+[ CA_default ]
+dir			= ./
+certs			= $dir
+crl_dir			= $dir/crl
+database		= $dir/index.txt
+new_certs_dir		= $dir
+certificate		= $dir/ca.pem
+serial			= $dir/serial
+crl			= $dir/crl.pem
+private_key		= $dir/ca.key
+RANDFILE		= $dir/.rand
+name_opt		= ca_default
+cert_opt		= ca_default
+default_days		= 365
+default_crl_days	= 30
+default_md		= md5
+preserve		= no
+policy			= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+prompt			= no
+distinguished_name	= certificate_authority
+default_bits		= 2048
+input_password		= whatever
+output_password		= whatever
+x509_extensions		= v3_ca
+
+[certificate_authority]
+countryName		= FR
+stateOrProvinceName	= Radius
+localityName		= Somewhere
+organizationName	= Example Inc.
+emailAddress		= [email protected]
+commonName		= "Example Certificate Authority"
+
+[v3_ca]
+subjectKeyIdentifier	= hash
+authorityKeyIdentifier	= keyid:always,issuer:always
+basicConstraints	= CA:true

certs/client.cnf

@@ -0,0 +1,53 @@
+[ ca ]
+default_ca		= CA_default
+
+[ CA_default ]
+dir			= ./
+certs			= $dir
+crl_dir			= $dir/crl
+database		= $dir/index.txt
+new_certs_dir		= $dir
+certificate		= $dir/server.pem
+serial			= $dir/serial
+crl			= $dir/crl.pem
+private_key		= $dir/server.key
+RANDFILE		= $dir/.rand
+name_opt		= ca_default
+cert_opt		= ca_default
+default_days		= 365
+default_crl_days	= 30
+default_md		= md5
+preserve		= no
+policy			= policy_match
+
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+[ req ]
+prompt			= no
+distinguished_name	= client
+default_bits		= 2048
+input_password		= whatever
+output_password		= whatever
+
+[client]
+countryName		= FR
+stateOrProvinceName	= Radius
+localityName		= Somewhere
+organizationName	= Example Inc.
+emailAddress		= [email protected]
+commonName		= [email protected]

certs/dh

@@ -0,0 +1,4 @@
+-----BEGIN DH PARAMETERS-----
+MEYCQQDe4i7W0PdPRpGmE8+5kp3/Gkn6bVDtrATHYClSuQP4vTJjy+wD6NJ9AAK6
+Pg2Xf85uiYjYx8rn5WWP3px39X8rAgEC
+-----END DH PARAMETERS-----