
Cupid-WPA

Cupid-WPA is a set of forked wireless tools patched to exploit the Heartbleed vulnerability over EAP-TLS tunneled protocols in wireless networks. It includes modified hostapd and wpa_supplicant binaries for setting up rogue APs or attacking legitimate ones.

Description

Cupid-WPA provides cupid-hostapd, a fork of hostapd, to create fake wireless networks that exploit the Heartbleed vulnerability in terminals attempting to connect via EAP-PEAP, EAP-TLS, or EAP-TTLS protocols. This allows extraction of sensitive information from vulnerable clients.

The companion cupid-wpasupplicant fork enables attacks against wireless access points by exploiting the same vulnerability when connecting as a client. Additional utilities like cupid-hostapd_cli, cupid-wpa_cli, cupid-wpa_passphrase, and cupid-wpa_supplicant support configuration, management, and PSK generation for WPA networks.

Use cases include penetration testing of wireless networks vulnerable to Heartbleed and demonstrating risks in EAP-TLS implementations. See the presentation slides for an introduction: http://www.slideshare.net/lgrangeia.

How It Works

The tools use patched versions of hostapd v2.1 and wpa_supplicant v2.1 with libunsafessl1.0.2, incorporating an unsafe OpenSSL variant vulnerable to Heartbleed (CVE-2014-0160). Cupid-hostapd sets up an IEEE 802.11 AP with 802.1X/WPA/WPA2/EAP/RADIUS authentication and triggers Heartbleed during the TLS handshake in EAP-PEAP, EAP-TLS, or EAP-TTLS tunnels to leak memory contents from connecting clients. Cupid-wpasupplicant reverses this, acting as a client to exploit vulnerable APs during authentication.
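For defenders, the traffic described above can be recognised on the wire. The following is an added example, not code from Cupid-WPA or from this page: it pulls the TLS bytes out of an EAP-PEAP/TLS/TTLS packet and flags cleartext heartbeat requests whose declared payload length overruns the record. It assumes the EAP payload has already been extracted from EAPOL or RADIUS and is not fragmented; the function names and sample bytes are constructed for illustration.

```python
import struct

EAP_TLS_TYPES = {13, 21, 25}     # EAP-TLS, EAP-TTLS, EAP-PEAP
CCS, HEARTBEAT = 20, 24          # TLS record content types (heartbeat: RFC 6520)
HB_REQUEST, MIN_PADDING = 1, 16  # RFC 6520 requires at least 16 padding bytes

def tls_from_eap(eap: bytes) -> bytes:
    """Return the TLS bytes carried by one unfragmented EAP request/response."""
    if len(eap) < 6:
        return b""
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code not in (1, 2) or eap_type not in EAP_TLS_TYPES or length > len(eap):
        return b""
    offset = 10 if eap[5] & 0x80 else 6  # L flag: 4-byte TLS message length follows
    return eap[offset:length]

def suspicious_heartbeats(tls: bytes) -> list:
    """Flag cleartext heartbeat requests whose claimed payload overruns the record."""
    findings, pos = [], 0
    while pos + 5 <= len(tls):
        ctype, _version, rec_len = struct.unpack("!BHH", tls[pos:pos + 5])
        body = tls[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
        if ctype == CCS:
            break  # later records are encrypted and cannot be parsed here
        if ctype != HEARTBEAT or len(body) < 3:
            continue
        hb_type, claimed = struct.unpack("!BH", body[:3])
        # Same bound the fixed OpenSSL enforces: type + length + payload + padding
        if hb_type == HB_REQUEST and 3 + claimed + MIN_PADDING > len(body):
            findings.append({"claimed": claimed, "record_len": len(body)})
    return findings

def sample_eap(eap_type: int, tls: bytes) -> bytes:
    """Constructed sample: EAP-Response (id 7) with the L flag set, carrying tls."""
    body = bytes([eap_type, 0x80]) + struct.pack("!I", len(tls)) + tls
    return struct.pack("!BBH", 2, 7, 4 + len(body)) + body

# Constructed records, TLS 1.1 framing: handshake stub, bad and good heartbeat
HANDSHAKE = b"\x16\x03\x02\x00\x04\x01\x00\x00\x00"
BAD_HB = b"\x18\x03\x02\x00\x03\x01\x40\x00"            # claims 16384, carries 0
GOOD_HB = b"\x18\x03\x02\x00\x15\x01\x00\x02hi" + bytes(16)

if __name__ == "__main__":
    for name, hb in (("bad", BAD_HB), ("good", GOOD_HB)):
        print(name, suspicious_heartbeats(tls_from_eap(sample_eap(25, HANDSHAKE + hb))))
```

RFC 6520 says heartbeat requests should not be sent during a handshake, so any heartbeat record seen before ChangeCipherSpec in an EAP exchange is worth alerting on even when its length field is consistent.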

Installation

    sudo apt install cupid-hostapd

Flags

-h                 show this usage (hostapd, hostapd_cli, wpa_cli, wpa_supplicant)
-d                 show more debug messages (-dd for even more) (hostapd, wpa_supplicant)
-B                 run daemon in the background (hostapd, hostapd_cli, wpa_cli)
-i<ifname>         interface name (wpa_supplicant, hostapd_cli, wpa_cli)
-c<config file>    configuration file (wpa_supplicant, hostapd)
-D<driver>         driver name, e.g. nl80211 (wpa_supplicant)
-p<path>           path to find control sockets (hostapd_cli, wpa_cli)

Examples

Display usage and options for cupid-hostapd:

    cupid-hostapd --help

Show hostapd_cli usage, including commands such as mib, sta, and deauthenticate:

    cupid-hostapd_cli -h

Display wpa_cli usage, with commands such as status, mib, and interface:

    cupid-wpa_cli -h

Example usage of wpa_supplicant with the nl80211 driver on the wlan0 interface:

    wpa_supplicant -Dnl80211 -iwlan0 -c/etc/wpa_supplicant.conf

Generate a WPA PSK from an ASCII passphrase and SSID for wpa_supplicant.conf:

    cupid-wpa_passphrase <ssid> [passphrase]

Run cupid-hostapd with a configuration file to set up a rogue AP:

    cupid-hostapd <configuration file(s)>

Run the wpa_supplicant daemon with increased debugging on the specified interface:

    cupid-wpa_supplicant -B -dd -i<ifname> -c<config file>
Updated 2026-04-16. Source: kali.org