Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Failed to load latest commit information.|
( .-'''-..' \ _______ .' - \ <<<<<<<< );__ ,,,_) \ <<<<<<<<< ) ;C / \ <<<<<< (.-'-. )====_)_=======> wpa_supplicant-cupid <<<<< \ ''''''' ) && hostapd-cupid ; <<< .......__/ .-''' ( ) .-' ;. / / .-' . = . / _-''\_/ '. .' . / .-' ) ;\ '''. . / ; .'''' `. ' ; ( O -' .''' .' .' .-'''''` 'o-' ## Cupid 0.1 ## Author: Luis Grangeia ## firstname.lastname@example.org ## twitter.com/lgrangeia # INTRODUCTION Cupid is a pair of patches for hostapd-2.1 and wpa_supplicant-2.1 to exploit heartbleed on Wireless networks that use EAP Authentication methods based on TLS (specifically OpenSSL) Please see presentation slides for a simple introduction to cupid: http://www.slideshare.net/lgrangeia # COMPILATION Get wpa_supplicant-2.1 and/or hostapd-2.1, apply the respective patch and compile. I don't recommend doing a "make install" as you'll be replacing your systems binaries with non-functional copies (functional only for exploiting heartbleed). # USAGE Both patches come with a "heartbleed.conf" file that can be used to tweak behaviour. It must be present and placed on the same directory you're running the binary. Refer to the file for details. --> wpa_supplicant: Use the included test_wpasupplicant.conf and change the ssid to the network you're wanting to test heartbleed for. Fire up wireshark or tcpdump on the interface to check for TLS heartbeat requests/responses. I usually do: # airmon-ng start wlan0 and then monitor the whole thing on the mon0 interface (use filter 'EAP || SSL' for a better picture). fire up wpa_supplicant: ./wpa_supplicant -i wlan0 -dd -c ~/testconfs/test_wpasupplicant.conf Look at the output of wireshark to see if the network you're attacking is vulnerable. --> hostapd Use the included test_hostapd.conf. You may have to set up certificates and an empty eap_user file. I've included these for reference as well. Fire up wireshark as described above. Note that you need a wireless adapter supporting host AP mode. fire up hostapd: ./hostapd -d test_hostapd.conf Then try to connect to the "bleedingheart" network with your mobile device or laptop, and it will try to heartbleed it. You can put any login/password combination. To see if the patch works just install a vulnerable OpenSSL version and try to exploit your local copy of wpa_supplicant or a fresh install of hostapd. ### FUTURE WORK Please let me know if you find vulnerable devices and give me their version and if possible a packet dump of the actual attack. TODO: - Code is still very incomplete, just a PoC - Does not decrypt the heartbeat response if encrypted (not the case if pre-handshake) - Should output the heartbeat responses to a file - Test more devices/networks!