This project allows hostapd to be used for WPA-Enterprise MITM attacks by spoofing a target network access point.

It is based on the OpenSecurityResearch hostapd-wpe (https://github.com/OpenSecurityResearch/hostapd-wpe) but enhanced with a little better output and useful scripts for easy usage.

I described the problems which can be demonstrated with this "exploit" in a paper you may in the doc folder.
After finishing it, I found this blog post http://h4des.org/blog/index.php?/archives/341-eduroam-WiFi-security-audit-or-why-it-is-broken-by-design.html which mainly says the same. It is definitively a good read!

It adds logging for MSCHAPv2 challenge/response hashes and GTC plaintext passwords.

Beware: The use of these patches may be obliged by your local law. Only operate this on your own network!

Changes:
- Configuration parameter "-F <wpe log>" outputs all relevant information to supplied wpe log file.
  These include the mentioned authentication information, usernames, some TLS state machine information to analyse user settings for certificate checks and additionally RSSI information (if your wireless card reports them in MLME data) to use for filtering or additional analysis eg. for incomplete authentications (due to bad wireless conditions)

Patches should apply to as of now latest HOSTAPD git version. It is also easy to apply the main changes to android versions of HOSTAPD as delivered for example with Cyanogenmod.

The startscript helps you to setup a complete environment: run
start.sh <interface> <SSID> <WPE log>

The android startscript start_android.sh will automatically use the configured PERSIST_FOLDER with current date/time as WPE log file if none is given.

with target interface/ssid/wpe log file output.

It will copy the template certificates to an in script defined temporary folder, generate a new set of certificates, changes your wireless mac by calling macchanger and runs hostapd with the template config.

The same startup file is available for the minimalist android environment.

On android, you also need the macchanger utility.


Configuration:
Both shellscripts allow a little bit of configuration.
MAC_FILE is the name of the faked mac assigned to the wlan interface. It may be used together with wlan monitor utilities to exclude your own rogue ap. Additionally, I had the idea of a deauthenticator that deauthenticates all stations from all APs except your own one. That may use this macfile.


TMP_FOLDER is the storage of all temporary data like certificates (generated on each start) and the MAC_FILE
PERSIST_FOLDER points to the folder where WPE log files are stored on android.
HOSTAPD_BIN points to the hostapd binary to run. 

There is another patch for aircrack-ng:
You may use airodump to deauthenticate clients from access points with given SSID. You may also specify a BSSID where clients would not get deauthenticated. Another filter is for the signal strength: Only disconnect clients which are near to you (so they will connect to your rogue access point)

Update 2015-10-30:
------------------

The main patch (0001) has been ported and now applies to the release hostapd-2.5.tar.gz.
It can be used like this:

wget https://w1.fi/releases/hostapd-2.5.tar.gz
tar zxvf hostapd-2.5.tar.gz
git clone https://github.com/hph86/hostapd-wpe-extended.git
patch -p1 < ./hostapd-wpe-extended/hostapd-patch/0001-patched-WPE-added-additional-WPE-output-file-with-fi.patch
cd hostapd-2.5/hostapd/
cp defconfig .config
vim .config
make
cd ../../hostapd-wpe-extended/
sudo ./start.sh <interface> <ssid> <log file>