Page 1 of 3 123 LastLast
Results 1 to 10 of 25

Thread: SoftAP with airbase-ng for wireless-testing

  1. #1 Junior Member (Join Date Jul 2008, Posts 25)

    SoftAP with airbase-ng for wireless-testing

    Hello,

    As I have some older WiFi devices at home that are not capable of WPA/WPA2, I once wrote a basic script to give them temporary access to my Inet through a softAP. Since airbase-ng came out I started to extend my script to have a separate subnet for testing purposes, with its own dhcpd service and some basic monitoring. After all that had worked fine for a while I got bored and thought of a MitM modification, and that is where all my trouble started.

    --
    #!/bin/bash

    # - SoftAP for wireless-testing -
    # Hardware: Eee PC 701 - NICs eth0 (LAN) / ath0 (WLAN)
    # Software: BT3 Final (HD inst.)
    # infra: net mask gateway
    # LAN 192.168.1.0 255.255.255.128 192.168.1.1 (home-zone)
    # WLAN 192.168.1.128 255.255.255.128 192.168.1.129 (test-net)

    # prepare interface / softap
    wlanconfig ath0 destroy
    wlanconfig ath0 create wlanmode mon wlandev wifi0
    xterm -e airbase-ng -c 6 -e N3TG3AR -a 00:14:6C:F0:AD:00 -z 2 ath0 &
    ifconfig at0 up
    sleep 1
    ifconfig at0 192.168.1.129 netmask 255.255.255.128
    route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129

    # monitor
    xterm -e airodump-ng -c 6 --bssid 00:14:6C:F0:AD:00 ath0 &
    xterm -e tshark -i 3 "not broadcast and not multicast" & # at0 = 3

    # create custom dhcpd.conf for WLAN
    cat > dhcpd.conf << EOF
    ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 192.168.1.128 netmask 255.255.255.128 {
    option subnet-mask 255.255.255.128;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.129;
    option domain-name-servers 192.168.1.129;
    range 192.168.1.130 192.168.1.140;
    }
    EOF

    # start dhcp server for subnet
    dhcpd -cf dhcpd.conf at0

    # iptables cleanup
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain

    # iptables
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1 # DNS
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE # gateway to ext. router
    iptables --append FORWARD --in-interface at0 -j ACCEPT # rogue gateway
    iptables -t nat -A PREROUTING -s 192.168.1.128/25 -d 192.168.1.0/25 -j DROP # protect LAN from WLAN (DROP/REJECT)
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # --- works so far but now the fun-stuff that causes my headache

    # ettercap TCP Ports
    # IMAP - 143/TCP 220/TCP (IMAP3) 993/TCP (IMAPS)
    # POP3 - 110/TCP 995/TCP
    # SMTP - 25/TCP 465/TCP
    # SSL - 443/TCP
    # HTTP - 80/TCP
    # SSH - 22/TCP

    xterm -e ettercap -Tq -i at0 -l ettercap -M arp:remote /192.168.1.129/ /192.168.1.130-140/22,25,80,110,143,220,443,465,993,995 &

    ---
    Starting ettercap causes all client requests to end at at0. The subnet seems to be completely locked down.

    P.S. As I'm at work and wrote this from what I remember, there might be some minor mistakes.

  2. #2 Member (Join Date Jun 2007, Posts 218)

    One thing I've noticed is that you enabled IP forwarding. Ettercap forwards packets also, unless you specify unoffensive mode.

  3. #3 Junior Member (Join Date Jul 2008, Posts 25)

    Thank you for the help. Unfortunately -u for unoffensive doesn't seem to be allowed in MitM, so I have to give "man iptables" a re-run to get around this.

  4. #4 Member (Join Date Jun 2007, Posts 218)

    I've never had any luck with remote sniffing using ettercap with a tun device. The best I've done is passive sniffing.

    I tried your method and could ping from the softAP to the client, but not the other way. You noted that you were working from memory; have you noticed anything that needs to be changed?

    Just remembered: if you use unoffensive mode you need to start another instance of ettercap to do a MitM attack.

  5. #5 Junior Member (Join Date Jul 2008, Posts 25)

    This is a cut & paste of my script from BT3:

    #!/bin/bash

    # - SoftAP for wireless-testing -
    # Hardware: Eee PC 701 - NICs eth0 (LAN) / ath0 (WLAN)
    # Software: BT3 Final (HD inst.)
    # infra: net mask gateway
    # LAN 192.168.1.0 255.255.255.128 192.168.1.1 (home-zone)
    # WLAN 192.168.1.128 255.255.255.128 192.168.1.129 (test-net)

    modprobe tun
    sleep 1

    # prepare interface / softap
    wlanconfig ath0 destroy
    wlanconfig ath0 create wlanmode mon wlandev wifi0
    xterm -e airbase-ng -c 6 -e N3TG3AR -a 00:14:6C:F0:AD:00 -W 0 ath0 &
    sleep 1
    ifconfig at0 up
    ifconfig at0 192.168.1.129 netmask 255.255.255.128
    route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129

    # monitor
    xterm -e airodump-ng -c 6 --bssid 00:14:6C:F0:AD:00 ath0 &
    xterm -e tshark -i 3 "not broadcast and not multicast" & # at0 = 3

    # create custom dhcpd.conf for WLAN
    cat > dhcpd.conf << EOF
    ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 192.168.1.128 netmask 255.255.255.128 {
    option subnet-mask 255.255.255.128;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.129;
    option domain-name-servers 192.168.1.129;
    range 192.168.1.130 192.168.1.140;
    }
    EOF

    # start dhcp server for subnet
    dhcpd -cf dhcpd.conf at0

    # iptables cleanup
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain

    # iptables
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1 # DNS
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE # gateway to ext. router
    iptables --append FORWARD --in-interface at0 -j ACCEPT # rogue gateway
    iptables -t nat -A PREROUTING -s 192.168.1.128/25 -d 192.168.1.0/25 -j DROP # protect LAN from WLAN
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # --- works so far but now the fun-stuff that causes my headache

    # ettercap TCP Ports
    # IMAP - 143/TCP 220/TCP (IMAP3) 993/TCP (IMAPS)
    # POP3 - 110/TCP 995/TCP
    # SMTP - 25/TCP 465/TCP
    # SSL - 443/TCP
    # HTTP - 80/TCP
    # SSH - 22/TCP

    #xterm -e ettercap -Tq -i at0 -l ettercap -M arp:remote /192.168.1.129/ /192.168.1.130-140/22,25,80,110,143,220,443,465,993,995 &

    ---
    Ping works, but with some DUP! entries:
    .140 is a test client
    .7 is the softAP machine's LAN IP
    .129 is the gateway (at0)

    ping directions
    192.168.1.129 <-> 192.168.1.140 ok
    192.168.1.7 -> 192.168.1.140 ok
    192.168.1.7 <- 192.168.1.140 firewalled
    192.168.1.7 <-> 192.168.1.129 ok
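    The script above hand-types the netmask and broadcast address into dhcpd.conf and relies on one nat PREROUTING DROP rule to keep the test-net away from the home LAN; both are easy to get subtly wrong. The following Python script is an added example, not the poster's script or part of airbase-ng: it derives the dhcpd subnet block from the network plan with the standard `ipaddress` module (so mask and broadcast are computed, and the lease range and router are checked against the subnet and against overlap with the LAN), and it models the "protect LAN from WLAN" rule against the ping directions reported in this post. The addresses (192.168.1.0/25, 192.168.1.128/25, .7, .129, .140) come from the thread; the same generator works for the 10.0.0.0/24 layout posted later. The model's netfilter assumption is stated in the docstring: the nat table only sees the first packet of a connection arriving on an interface, so locally generated traffic and replies to an allowed flow are not subject to the rule.

```python
#!/usr/bin/env python3
"""Added example (not the thread's script): compute the dhcpd.conf subnet block
from the network plan, sanity-check it, and model the 'protect LAN from WLAN'
DROP rule against the ping directions reported in the thread."""
import ipaddress

# Network plan as given in the script header of the thread
LAN = ipaddress.ip_network("192.168.1.0/25")     # home-zone, gateway 192.168.1.1
WLAN = ipaddress.ip_network("192.168.1.128/25")  # test-net, gateway 192.168.1.129 (at0)
# Addresses owned by the softAP host itself (from the ping legend in the thread)
SOFTAP_ADDRS = {ipaddress.ip_address("192.168.1.7"), ipaddress.ip_address("192.168.1.129")}


def _usable(addr, net):
    """True if addr is a host address in net (neither network nor broadcast address)."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def validate_subnet_block(net, router, range_start, range_end, other_nets=()):
    """Return a list of problems with one dhcpd subnet block; an empty list means sane."""
    net = ipaddress.ip_network(net)
    router = ipaddress.ip_address(router)
    lo, hi = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    problems = []
    for name, addr in (("router", router), ("range start", lo), ("range end", hi)):
        if not _usable(addr, net):
            problems.append(f"{name} {addr} is not a usable host address in {net}")
    if lo > hi:
        problems.append(f"range start {lo} is above range end {hi}")
    elif lo <= router <= hi:
        problems.append(f"router {router} lies inside the lease range {lo}-{hi}")
    for other in other_nets:  # the test-net must not overlap the home LAN
        other = ipaddress.ip_network(other)
        if net.overlaps(other):
            problems.append(f"{net} overlaps {other}")
    return problems


def dhcpd_subnet_block(net, router, dns, range_start, range_end, other_nets=()):
    """Render an ISC dhcpd 'subnet' block with mask and broadcast computed from net."""
    problems = validate_subnet_block(net, router, range_start, range_end, other_nets)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.ip_network(net)
    return "\n".join([
        f"subnet {net.network_address} netmask {net.netmask} {{",
        f"  option subnet-mask {net.netmask};",
        f"  option broadcast-address {net.broadcast_address};",
        f"  option routers {router};",
        f"  option domain-name-servers {dns};",
        f"  range {range_start} {range_end};",
        "}",
    ])


def flow_allowed(src, dst, lan=LAN, wlan=WLAN, local=SOFTAP_ADDRS):
    """Model of 'iptables -t nat -A PREROUTING -s 192.168.1.128/25 -d 192.168.1.0/25 -j DROP'.

    Assumption (netfilter semantics, not spelled out in the thread): the nat
    PREROUTING chain sees only the first packet of a connection that arrives on
    an interface, so traffic the softAP host generates itself takes the OUTPUT
    path instead, and replies to an allowed flow follow the initiator.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in local:
        return True  # locally generated: never traverses PREROUTING
    return not (src in wlan and dst in lan)


def ping_matrix(pairs):
    """Map each (initiator, target) pair to 'ok' or 'firewalled' under the model."""
    return {(s, d): ("ok" if flow_allowed(s, d) else "firewalled") for s, d in pairs}


if __name__ == "__main__":
    print(dhcpd_subnet_block("192.168.1.128/25", "192.168.1.129", "192.168.1.129",
                             "192.168.1.130", "192.168.1.140", other_nets=[str(LAN)]))
    # Ping directions from the thread: .140 test client, .7 softAP LAN side, .129 at0
    directions = [("192.168.1.129", "192.168.1.140"), ("192.168.1.140", "192.168.1.129"),
                  ("192.168.1.7", "192.168.1.140"), ("192.168.1.140", "192.168.1.7"),
                  ("192.168.1.7", "192.168.1.129")]
    for (s, d), verdict in ping_matrix(directions).items():
        print(f"{s} -> {d}: {verdict}")
```

    Running it prints the WLAN subnet block with the computed broadcast address 192.168.1.255 and reports only the .140 -> .7 direction as firewalled, which matches the ping table above; feeding it a lease range that spills past the subnet or swallows the router address fails validation before anything is written to dhcpd.conf.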

  6. #6 Member (Join Date Jun 2007, Posts 218)

    If you move the first line in the iptables section to right below the DROP line, the client can connect to the internet.

  7. #7 Junior Member (Join Date Jul 2008, Posts 25)

    Hi level, thank you for the help!

    That works quite fine.

    I also changed my ettercap part to ...

    xterm -e ettercap -u -Tq -i at0 /192.168.1.129/ /192.168.1.130-140/22,25,80,110,143,220,443,465,993,995 &

    I have to do some reading now to get a sufficient MitM solution up & running.

    I'm thinking of a solution with webmitm & ssldump. As I AM the gateway, I can skip the ARP poisoning stuff.

  8. #8 Just burned his ISO (Join Date May 2006, Posts 11)

    I'm trying to do something similar to this, but am having a few problems.

    Here's how I have it set up:

    wlan0: wireless card, connected to my AP, configured via DHCP
    wlan1: RT8187 (Alfa500mW) - used as the airbase interface
    Code:
    #at0 is created like this
    airbase-ng -c 6 -e "test" wlan1
    Then I configure at0:
    Code:
    ifconfig at0 up
    ifconfig at0 10.0.0.1 netmask 255.255.255.0
    Next I start up my dhcpd:
    Code:
    dhcpd -cf /etc/dhcpd.conf at0
    
    cat /etc/dhcpd.conf
    ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    subnet 10.0.0.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.1;
    range 10.0.0.20 10.0.0.50;
    }
    Then I set up ip_forwarding and iptables:
    Code:
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
    
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    iptables -t nat -A PREROUTING -p udp  --dport 53 -j DNAT --to 192.168.1.1
    iptables -t nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    At this point, I am able to connect to the softAP using my other laptop and get an IP address from DHCP (10.0.0.20). However, I cannot ping anything from 10.0.0.20. I also cannot ping anything in the 10.0.0.0 subnet from the laptop that is acting as a softAP (this ping would be coming from the 192.168.1.1 subnet). I'm sure it's a simple route or something that I have neglected to set up.

    Thanks in advance,
    band-aid

  9. #9 Junior Member (Join Date Jul 2008, Posts 25)

    Do you have an iptables cleanup section like

    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain

    I would try the following, as I'm not sure whether your double "--dport" sequence is valid in iptables.

    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1

  10. #10 Just burned his ISO (Join Date May 2006, Posts 11)

    The --dport thing was a typo, sorry.

    I did the iptables flushing like you recommended, but no dice.

    Pinging goes like this:

    192.168.1.134 == wlan0 (wireless card that connects to my AP)
    10.0.0.1 == at0
    10.0.0.20 == client connected to my softAP
    192.168.1.1 == my AP

    192.168.1.134 can ping 192.168.1.1
    192.168.1.134 can ping 10.0.0.1
    10.0.0.1 cannot ping 192.168.1.134
    10.0.0.1 cannot ping 192.168.1.1
    10.0.0.1 cannot ping 10.0.0.20
    10.0.0.20 cannot ping anything

    Thanks
