Proof-of-concept implementation of the Apple relay attack in Python
Switch branches/tags
Nothing to show
Clone or download
Latest commit 67d5abe Aug 27, 2014


PEAPwn is a proof-of-concept implementation of the Apple relay attack introduced at WiSec 2014. It uses a modified version of the wpa_supplicant tool by Jouni Malinen to establish a PEAP or EAP-TTLS session with the target Authentication Server, and a Python script to exploit several vulnerabilities in iOS < 8 and the MSCHAPv2 protocol. This allows an attacker to gain unauthorized access to any WPA2-Enterprise network that uses a tunneled authentication protocol such as PEAP or EAP-TTLS.

Link to the paper:

Building the PoC

Currently, only Linux based operating systems are supported. To build the PoC, perform the following steps:

  1. Install the Scapy library for Python 2.
  2. Install libnl1
  3. Navigate to mods/hostap/wpa_supplicant.
  4. cp defconfig .config
  5. Run make.

Running the PoC

To run the PoC, one is required to have two NICs. At least one of these devices is required to support Monitor mode. The PoC can then be run as follows:

# python2 <infra_nic> <mon_nic> <essid>

For example, to attack a network with SSID testnet:

# python2 wlan0 wlan1 testnet

Legal notice

This PoC is intended for research purposes only, and should only be used in a legal context. For example, to verify the security of your own networks.

TODO list

  • More robust error handling.