Hello guys,
I'm trying to build an evil twin AP to perform some wireless security
research using my Raspberry Pi 4B. The normal AP is encrypted via
WPA-PSK (CCMP) to protect the data transmitted over the air; the WPA
passphrase is public. I built an AP that is almost the same: same channel,
same ESSID, same encryption, same WMM config.
But if a new STA connects to my evil AP (or about 1 min after it gets
connected), it just gets WPA-PSK-MISMATCH (I confirm the passphrase is
correctly input). And the verbose debugging log shows that there is an
invalid MIC in msg 2/4 of the 4-way handshake; also the wireless driver
failed to remove the PTK from the driver. A detailed log and config can be
downloaded via the link at the bottom of this mail.
I can't figure out whether the reason is the driver or hostapd itself; can
you help me solve this problem?
Thank you very much.
Preview of log file:
```
wlan0: STA 20:32:6c:6f:69:56 WPA: received EAPOL-Key frame (2/4 Pairwise)
WPA: 20:32:6c:6f:69:56 WPA_PTK entering state PTKCALCNEGOTIATING
Searching a PSK for 20:32:6c:6f:69:56 prev_psk=(nil)
WPA: PTK derivation using PRF(SHA1)
WPA: PTK derivation - A1=dc:a6:32:0e:94:db A2=20:32:6c:6f:69:56
WPA: Nonce1 - hexdump(len=32): 12 4c 89 8a 36 4b 70 d3 65 9c 59 12 4f 69
d2 21 36 fe 9e 56 66 f1 8d 32 ac 74 bb 24 96 4d c5 c6
WPA: Nonce2 - hexdump(len=32): e9 5e b1 a3 bd 7e f2 f4 63 a5 1a 48 81 d6
91 e9 bd 5f 30 dd c1 12 0f ad b5 cb 17 00 c8 ef b7 f9
WPA: PMK - hexdump(len=32): [REMOVED]
WPA: PTK - hexdump(len=48): [REMOVED]
WPA: KCK - hexdump(len=16): [REMOVED]
WPA: KEK - hexdump(len=16): [REMOVED]
WPA: TK - hexdump(len=16): [REMOVED]
WPA: EAPOL-Key MIC using HMAC-SHA1
Searching a PSK for 20:32:6c:6f:69:56 prev_psk=0x14414c0
wlan0: STA 20:32:6c:6f:69:56 WPA: invalid MIC in msg 2/4 of 4-Way Handshake
wlan0: AP-STA-POSSIBLE-PSK-MISMATCH 20:32:6c:6f:69:56
wlan0: STA 20:32:6c:6f:69:56 WPA: EAPOL-Key timeout
WPA: 20:32:6c:6f:69:56 WPA_PTK entering state PTKSTART
wlan0: STA 20:32:6c:6f:69:56 WPA: sending 1/4 msg of 4-Way Handshake
WPA: Send EAPOL(version=2 secure=0 mic=0 ack=1 install=0 pairwise=1
kde_len=0 keyidx=0 encr=0)
WPA: Replay Counter - hexdump(len=8): 00 00 00 00 00 00 00 02
WPA: Use EAPOL-Key timeout of 1000 ms (retry counter 2)
wlan0: Event EAPOL_RX (23) received
IEEE 802.1X: 121 bytes from 20:32:6c:6f:69:56
IEEE 802.1X: version=1 type=3 length=117
WPA: RX EAPOL data - hexdump(len=121): 01 03 00 75 02 01 0a 00 00 00 00
00 00 00 00 00 02 e9 5e b1 a3 bd 7e f2 f4 63 a5 1a 48 81 d6 91 e9 bd 5f
30 dd c1 12 0f ad b5 cb 17 00 c8 ef b7 f9 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 ea
74 a0 71 8c b9 ce f5 3c 49 8f e9 4b af 48 00 16 30 14 01 00 00 0f ac 04
01 00 00 0f ac 04 01 00 00 0f ac 02 00 00
WPA: Received EAPOL-Key from 20:32:6c:6f:69:56 key_info=0x10a type=2
mic_len=16 key_data_length=22
WPA: EAPOL-Key header (ending before Key MIC) - hexdump(len=77): 02 01
0a 00 00 00 00 00 00 00 00 00 02 e9 5e b1 a3 bd 7e f2 f4 63 a5 1a 48 81
d6 91 e9 bd 5f 30 dd c1 12 0f ad b5 cb 17 00 c8 ef b7 f9 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
WPA: EAPOL-Key Key MIC - hexdump(len=16): 63 ea 74 a0 71 8c b9 ce f5 3c
49 8f e9 4b af 48
WPA: Received Key Nonce - hexdump(len=32): e9 5e b1 a3 bd 7e f2 f4 63 a5
1a 48 81 d6 91 e9 bd 5f 30 dd c1 12 0f ad b5 cb 17 00 c8 ef b7 f9
WPA: Received Replay Counter - hexdump(len=8): 00 00 00 00 00 00 00 02
```
PS. 802.11r is not used in this situation.
---
Hostapd related config, log files and WLAN adapter info can be
downloaded from:
https://drive.google.com/drive/folders/1m980bEbn6R7qWY8-k-lnYnHBgD8QLpdJ?usp=sharing
The whole things I use can be found at:
https://github.com/kmahyyg/wlan-phishing
---
Yours Sincerely,
Patrick Young
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
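The "invalid MIC in msg 2/4" line in the log above is the authenticator recomputing the handshake keys on its own side and comparing: it derives the PMK from passphrase and SSID bytes, expands PMK, both MAC addresses and both nonces into the PTK, and checks HMAC-SHA1-128 over the whole EAPOL-Key frame (MIC field zeroed) with the first 16 bytes of the PTK (the KCK). The check therefore fails whenever any of those inputs differs between the STA and the AP, not only when the passphrase is wrong. The following Python illustration (added here; it is not hostapd code and not from the wlan-phishing repository) walks that computation through using the addresses, nonces, replay counter and RSN IE taken from the log; the passphrase and SSID are constructed because the real PMK is redacted in the log, and the message 2/4 frame is built locally rather than captured. It shows a matching MIC, then the same frame failing the check when the SSID differs by one byte and when the ANonce differs from the one the AP actually sent.

```python
"""Recompute and verify the EAPOL-Key MIC of 4-way handshake message 2/4.

Added illustration, not hostapd's code. MAC addresses, nonces, replay counter
and RSN IE are copied from the log in the post; passphrase and SSID are
constructed (the real PMK is redacted in the log).
"""
import hashlib
import hmac
import struct

EAPOL_HDR_LEN = 4                       # version, type, body length
KEY_MIC_OFFSET = EAPOL_HDR_LEN + 77     # 77-byte key header precedes the MIC (matches the log)
KEY_MIC_LEN = 16                        # key descriptor version 2: HMAC-SHA1-128
NONCE_OFFSET = EAPOL_HDR_LEN + 13       # descriptor type(1) + key_info(2) + key_len(2) + replay(8)

# Values from the log above (A1 = AP, A2 = STA, Nonce1 = ANonce, Nonce2 = SNonce).
AA = bytes.fromhex("dca6320e94db")
SPA = bytes.fromhex("20326c6f6956")
ANONCE = bytes.fromhex("124c898a364b70d3659c59124f69d22136fe9e5666f18d32ac74bb24964dc5c6")
SNONCE = bytes.fromhex("e95eb1a3bd7ef2f463a51a4881d691e9bd5f30ddc1120fadb5cb1700c8efb7f9")
REPLAY = bytes.fromhex("0000000000000002")
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, exact SSID bytes, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11 PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) = PRF-384(PMK, "Pairwise key expansion", sorted addrs || sorted nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)   # KCK(16) | KEK(16) | TK(16)


def build_msg2(replay_counter: bytes, snonce: bytes, rsn_ie: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key message 2/4 with the layout seen in the log (117-byte body)."""
    body = struct.pack(">BHH", 2, 0x010A, 16)          # descriptor type 2, key_info, key length
    body += replay_counter + snonce + bytes(16) + bytes(8) + bytes(8)   # IV, RSC, ID unused in 2/4
    body += mic + struct.pack(">H", len(rsn_ie)) + rsn_ie
    return struct.pack(">BBH", 1, 3, len(body)) + body   # EAPOL version 1, type 3 = EAPOL-Key


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC = first 16 bytes of HMAC-SHA1(KCK, frame with the MIC field zeroed)."""
    zeroed = frame[:KEY_MIC_OFFSET] + bytes(KEY_MIC_LEN) + frame[KEY_MIC_OFFSET + KEY_MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:KEY_MIC_LEN]


def verify_msg2(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, frame: bytes) -> bool:
    """What the authenticator does on receipt of 2/4: take SNonce from the frame, derive, compare."""
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
    received = frame[KEY_MIC_OFFSET:KEY_MIC_OFFSET + KEY_MIC_LEN]
    return hmac.compare_digest(eapol_key_mic(kck, frame), received)


def demo():
    """Returns (correct inputs, SSID off by one byte, wrong ANonce)."""
    pmk = derive_pmk("example-passphrase", "ExampleNet")        # constructed credentials
    kck = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    unsigned = build_msg2(REPLAY, SNONCE, RSN_IE)
    frame = build_msg2(REPLAY, SNONCE, RSN_IE, mic=eapol_key_mic(kck, unsigned))
    ok = verify_msg2(pmk, AA, SPA, ANONCE, frame)
    # Same passphrase, SSID with a trailing space: different PMK, so the MIC check fails.
    wrong_ssid = verify_msg2(derive_pmk("example-passphrase", "ExampleNet "), AA, SPA, ANONCE, frame)
    # Same PMK, but the AP checks against an ANonce other than the one in its own 1/4: fails too.
    wrong_anonce = verify_msg2(pmk, AA, SPA, bytes(32), frame)
    return ok, wrong_ssid, wrong_anonce


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The two failing cases map directly onto what to compare between the two APs when hostapd reports AP-STA-POSSIBLE-PSK-MISMATCH with a passphrase that is known to be right: the exact SSID bytes used for PBKDF2 (trailing whitespace or an escape in the config is enough), and the ANonce and BSSID the authenticator uses for the PTK versus the ones that went out on the air in message 1/4.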