Skip to content
Patch for hostapd and wpa_supplicant to attempt to exploit heartbleed on EAP-PEAP/TLS/TTLS connections
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
testconfs
README
patch-hostapd
patch-wpasupplicant

README


                                 (
                         .-'''-..' \ 
               _______ .'       -   \
             <<<<<<<< );__   ,,,_)   \ 
                <<<<<<<<< ) ;C  /     \ 
                  <<<<<< (.-'-.  )====_)_=======> wpa_supplicant-cupid 
                    <<<<< \    '''''''   )           && hostapd-cupid
                    ;  <<<     .......__/
               .-'''         (         )
            .-'              ;.       /
           /  .-'     .     =  .     /
       _-''\_/         '. .'    .   /
    .-'  )  ;\          '''.     . /
   ;   .''''  `.       '    ;     (
   O -'        .'''       .'
             .'   .-'''''`
             'o-'



## Cupid 0.1

## Author: Luis Grangeia 
## lgrangeia@sysvalue.com
## twitter.com/lgrangeia

# INTRODUCTION

Cupid is a pair of patches for hostapd-2.1 and wpa_supplicant-2.1 to exploit 
heartbleed on Wireless networks that use EAP Authentication methods based on 
TLS (specifically OpenSSL)

Please see presentation slides for a simple introduction to cupid:

http://www.slideshare.net/lgrangeia


# COMPILATION

Get wpa_supplicant-2.1 and/or hostapd-2.1, apply the respective patch and 
compile. I don't recommend doing a "make install" as you'll be replacing
your systems binaries with non-functional copies (functional only for exploiting
heartbleed).

# USAGE

Both patches come with a "heartbleed.conf" file that can be used to tweak 
behaviour. It must be present and placed on the same directory you're running 
the binary. Refer to the file for details.

--> wpa_supplicant:

Use the included test_wpasupplicant.conf and change the ssid to the network 
you're wanting to test heartbleed for.

Fire up wireshark or tcpdump on the interface to check for TLS heartbeat 
requests/responses. I usually do:

# airmon-ng start wlan0

and then monitor the whole thing on the mon0 interface (use filter 'EAP || SSL'
for a better picture).

fire up wpa_supplicant:

./wpa_supplicant -i wlan0 -dd -c ~/testconfs/test_wpasupplicant.conf

Look at the output of wireshark to see if the network you're attacking is 
vulnerable.

--> hostapd

Use the included test_hostapd.conf. You may have to set up certificates and an 
empty eap_user file. I've included these for reference as well.

Fire up wireshark as described above.

Note that you need a wireless adapter supporting host AP mode.

fire up hostapd:

./hostapd -d test_hostapd.conf

Then try to connect to the "bleedingheart" network with your mobile device or
laptop, and it will try to heartbleed it. You can put any login/password 
combination.

To see if the patch works just install a vulnerable OpenSSL version and try to
exploit your local copy of wpa_supplicant or a fresh install of hostapd.

### FUTURE WORK
 
Please let me know if you find vulnerable devices and give me their version and
if possible a packet dump of the actual attack.

TODO:
	- Code is still very incomplete, just a PoC
	- Does not decrypt the heartbeat response if encrypted (not the case if
	pre-handshake)
	- Should output the heartbeat responses to a file
	- Test more devices/networks!


You can’t perform that action at this time.