Page 1 of 3 123 LastLast
Results 1 to 10 of 137

Thread: Rogue Accesspoint + MitM Sniffing tutorial

Hybrid View

  1. #1
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Exclamation Rogue Accesspoint + MitM Sniffing tutorial

    This is probably my first real tutorial. I will try to write it the way I would like to read a tutorial (:
    I'm not quite sure the explanation of what airbase is doing is correct as there isn't that much documentation at the time being, so
    verification/correction would be greatly appreciated together with comment's in general maybe also towards the script. Enjoy

    Tools of trade:
    dhcpd (Our dhcp server)
    Airbase-ng Included in the latest Aircrack-NG. Make sure you get the latest before attempting this. (fast-track -> update -> aircrack-ng)
    Ettercap (Our sniffer)
    All contained in BackTrack3 final, just remember to update Aircrack

    First off, make sure that your wireless card supports injecting.
    Secondly, I had an extremely hard time getting airbase-ng to work. Clients could connect to the rogue AP, but the data seen in Wireshark on the at0 interface shows nothing else than "Malformed Data". I found out that booting BackTrack3 properly instead of running it through vmware fixed the problem. So keep that in mind if you are using VMWare and it won't work (just remember to check Wireshark first to confirm). Also, a lot of the troubleshooting being done with airbase-ng is often linked with the MTU of both the wireless interface, and the at0 interface. The script is hardcoded to change the MTU to 1400 on at0, you may wan't to do some additional research with MTU and airbase if experiencing problems.
    Thirdly, please go far far away if you have bad intentions. I see this as a hobby and an opportunity to learn and have fun with friends when they borrow my wifi :b. Respect the law and other people's privacy Also, a BIG also, running this script without removing the -P and -C 30 with wifi equipment nearby, not owned by you, actually means committing a crime in most countries. Keep that in mind before attempting anything!

    I made this script that executes the entire attack, read every line find out what is happening.
    The only prerequisite is that you edit /etc/dhcpd.conf to reflect this configuration: http://pastebin.com/f1859fad7 and that you have another interface, for example eth0 which has access to the internet. (The script will ask you which interface). *Note: I haven't tested using another wireless defice to forward the internet, only an ethernet device - so it may or may not work.
    I chose to use Open DNS as the domain name server to avoid configuration of a dns on the rogue access point. Lazy??

    The Script:
    http://pastebin.com/f3a400f76 (5/01-09)

    The scenario is this:
    The attacker configures a rogue access point that will have 3 ways of attaining clients.
    "airbase-ng -e "Free WiFi" -P -C 30 -v wlan0"
    -e
    1. The Rogue AP created by airbase, will name the ESSID to whatever you choose when running the script. This could be for example "Free WiFi" that may tempt people to connect.
    -P
    2. The Rogue AP will respond to all probes from clients regardless of the ESSID. In other words, if there is an accesspoint nearby named "Bush Network", when a client attempts to connect to that network he will first send a probe. If we get lucky, airbase-ng will respond to this probe quicker than the legitimate access point resulting in the client connecting to OUR ap.
    Running disassociation attacks simultaneously on other access points is a very effective way of making clients connect to your rogue access point. Compare it to gaining a WPA handshake, instead of waiting for the client to connect to a random AP, you disassociate and hope the client is configured to connect automatically. But I haven't had luck doing that with the same network card without creating a lot of lag on the access point, using another network card worked although.
    -C 30
    3. The Rogue AP will begin broadcasting the same ESSID's of the captured broadcast probes from other Access points (or other Windows boxes probing for a certain AP), tricking the client to connect once again. This option may pressure your network card pretty much so you may choose to leave it out if you experience an unstable rogue AP.


    Once the clients are connected they will receive an IP address through the dhcp server, and a DNS configuration pointing to Open DNS to resolve. The script will also ask you when it starts which interface is connected to the internet (for example eth0), to properly configure the IP forwarding between your rogue AP and the Internet.

    The script will then start ettercap and listen on at0 which is the interface that airbase-ng created. All traffic will be manipulated by it. So just like when ARP poisoning, ettercap will setup fake SSL certifications and you could also try playing with some filters. Ettercap is the tool that will filter all the traffic going through the access point and extract all passwords and other valuable information. You could also use other various tools such as dsniff, urlsnarf, msgsnarf etc. on the at0 interface. You could also fire up Wireshark and listen on at0 to capture everything. I logged onto the rogue AP with another computer and my Gmail password was easily sniffed, but if you've played with ettercap before - nothing new. But hope you liked the read, feel free to say whatever you wan't!
    Conclusion: Even though WPA is near impossible to crack when using a strong key, a rogue AP can easily trick clients to connecting to the wrong AP without them even knowing! Also, use your imagination. You own the network, you can do whatever you want. Run your own dns pointing legitimate domain names to phishing sites, try karmetasploit, evilgrade, run a filter in ettercap telling people that even though this AP is unencrypted, connecting to it is still a crime, or save the script for school time when wifi crashes and people wan't to get online! (just remember to comment out the ettercap part )

    Oh and by the way, I learned all of this bit by bit here at our forums and other places (except ettercap on a tun/at*, yipee ), this is more of a summarization than me doing anything wonderful. So respect to the people who helped out (:

    Additional reading and related content:
    Airbase-NG
    Karmetasploit
    Configuring IP Tables to NAT = share internet
    Wireless Key Harvester
    bt ~ # man ettercap
    Dsniff suite
    EvilGrade
    Rogue Access Points
    Rogue AP Detection
    Troubleshooting, MTU
    Karmetasploit (at bottom, read about MTU)
    Airbase MTU bug ticket
    Further replies in this thread

    - Poul Wittig

  2. #2
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Thank you for the write up, will have to try it out as soon as christmas is over and I get some free time on my hands again. Never had any luck playing with ettercap on an at interface, neither using it to bridge the connection or simply sniff the traffic, but might just have overlooked the -p setting to disable promiscuous mode.

    Apart from that I have not noticed any restrictions using airbase-ng under VMware, and do not recall seeing any malformed packets using wireshark, but guess I will have to look into this some more.
    -Monkeys are like nature's humans.

  3. #3
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    Quote Originally Posted by =Tron= View Post
    Thank you for the write up, will have to try it out as soon as christmas is over and I get some free time on my hands again. Never had any luck playing with ettercap on an at interface, neither using it to bridge the connection or simply sniff the traffic, but might just have overlooked the -p setting to disable promiscuous mode.
    Thank's for the comment (: , yeah I believe a lot of people have had trouble using ettercap on an at interface and I myself had a really hard time getting it to work. Ettercap likes manually configuring ip forwarding which makes it so hard to get right. I got this crazy idea which luckily made it work.
    If you use the -p to disable promiscuos mode ettercap will still go in and deactivate ip forwarding for some reason. So as long as you execute echo "1" > /proc/sys/net/ipv4/ip_forward after starting ettercap with -p, it works great

    Quote Originally Posted by =Tron= View Post
    Apart from that I have not noticed any restrictions using airbase-ng under VMware, and do not recall seeing any malformed packets using wireshark, but guess I will have to look into this some more.
    It might just be me, but I definitely couldn't get it to work no matter what I did for some reason :S I'll edit the tutorial to point out it most likely is just me
    - Poul Wittig

  4. #4
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Quote Originally Posted by Deathray View Post
    Thank's for the comment (: , yeah I believe a lot of people have had trouble using ettercap on an at interface and I myself had a hard time getting it to work. Ettercap likes manually configuring ip forwarding which makes it so hard to get right. I got this crazy idea which luckily made it work.
    If you use the -p to disable promiscuos mode ettercap will still go in and deactivate ip forwarding for some reason. So as long as you execute echo "1" > /proc/sys/net/ipv4/ip_forward after starting ettercap with -p, it works great
    Sounds promising. It really bugged me that I couldn't get this tool to work as I wanted, as it at least on paper is the ideal situation as you play the role of the man in the middle by default. Still don't get why ettercap won't pick up any credentials when used to bridge the at and the normal interface together though. Used in this manner it is supposed to take over the role of the iptables and perform all the forwarding by itself, which it happily did, but for some reason seemed to forget to actually sniff any passwords during the process.
    Quote Originally Posted by Deathray View Post
    It might just be me, but I definitely couldn't get it to work no matter what I did for some reason :S I'll edit the tutorial to point out it most likely is just me
    As I said I will have to look into this a bit closer to be 100 % sure, but I have been playing with airbase-ng quite a bit under VMware without noticing any problems.
    -Monkeys are like nature's humans.

  5. #5
    Junior Member
    Join Date
    Sep 2008
    Posts
    32

    Default

    Thanks for documenting your attempts.. I'll give it a go later. I also noticed Malformed Packets when trying this same thing earlier.. I thought it was my Alfa card or something wrong with Airbase, but I was running in VirtualBox. Interesting if it is tied to a problem/limitation with virtual machines.

    I think you have a typo in your script, on line 9, you have "airebase-ng" instead of "airbase-ng".

    You can also delete "ifconfig lo up" as I think another forum member had posted that they cut and pasted something out of their configuration and it wasn't necessary for it to work. Its not doing anything bad as-is, but might save you a few questions.

    While I'm picking nits, its a little confusing that you named your variable with the Internet interface "WLANIFACE" and your Wireless interface "IFACE".

    Again, I think your script will work as is, but it might be confusing to others.

    Thanks for posting!

    -- Tom

  6. #6
    Member
    Join Date
    Sep 2008
    Posts
    146

    Default

    For anyone using an ALFA card you must set the MTU values to 1500 or you will get DNS errors when clients try to surf over your fake AP.

    Use DNS spoofing and a forced update/evilgrade disguising a rootkit for "maximum pwnage"

    You can also combine this with WINE and NetworkMiner to reconstruct most types of files being transferred over the air.

    A truly scary attack, hard to detect, hard to stop, almost guaranteed a shell or at least a few passwords, I love it!

    More info:
    http://forums.remote-exploit.org/showthread.php?t=18863 -most recent
    http://forums.remote-exploit.org/showthread.php?t=18369 -2nd thread
    http://forums.remote-exploit.org/showthread.php?t=17692 -original
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  7. #7
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Default

    Quote Originally Posted by StriperTS View Post
    Thanks for documenting your attempts.. I'll give it a go later. I also noticed Malformed Packets when trying this same thing earlier.. I thought it was my Alfa card or something wrong with Airbase, but I was running in VirtualBox. Interesting if it is tied to a problem/limitation with virtual machines.

    I think you have a typo in your script, on line 9, you have "airebase-ng" instead of "airbase-ng".

    You can also delete "ifconfig lo up" as I think another forum member had posted that they cut and pasted something out of their configuration and it wasn't necessary for it to work. Its not doing anything bad as-is, but might save you a few questions.

    While I'm picking nits, its a little confusing that you named your variable with the Internet interface "WLANIFACE" and your Wireless interface "IFACE".

    Again, I think your script will work as is, but it might be confusing to others.

    Thanks for posting!

    -- Tom
    Thanks for the comments . I fixed the WLANIFACE to IFACE and IFACE to WIFACE, removed the ifconfig lo up from the script(I got desperate before it started working, thought this actually helped :b), and corrected the typo on line 9, killall -9 airebase-ng. I was thinking WANIFACE instead of WLANIFACE

    Quote Originally Posted by Revelati View Post
    For anyone using an ALFA card you must set the MTU values to 1500 or you will get DNS errors when clients try to surf over your fake AP.

    Use DNS spoofing and a forced update/evilgrade disguising a rootkit for "maximum pwnage"

    You can also combine this with WINE and NetworkMiner to reconstruct most types of files being transferred over the air.

    A truly scary attack, hard to detect, hard to stop, almost guaranteed a shell or at least a few passwords, I love it!

    More info:
    http://forums.remote-exploit.org/showthread.php?t=18863 -most recent
    http://forums.remote-exploit.org/showthread.php?t=18369 -2nd thread
    http://forums.remote-exploit.org/showthread.php?t=17692 -original
    Isn't it the opposite? If you leave the MTU to 1500 you get problems. That is why I manually change the MTU to 1400 in the script, as documented many other places such as aircrack-ng. 1500 is the default that will give you problems (: . I myself have the Alfa 500 mW and have absolutely no problems configured with 1400 mtu.
    - Poul Wittig

  8. #8
    Just burned his ISO imported_Silver_Seven's Avatar
    Join Date
    Feb 2008
    Posts
    20

    Default

    Arggggg ....... Has anyone had any success on this within in a VMware session yet ??? I am being persistent here as I was encouraged to see =Tron= recalling to not experiencing any restrictions using airbase-ng under VMware. I am usuing the Alpha too.

    I really want to show a current client of ours a proof of concept on this in the context of a virtual environment. At worst case, I guess I can drop down into an true laptop environment. Anyway, great job on all this guys ........ :-)

  9. #9
    Junior Member
    Join Date
    Sep 2008
    Posts
    85

    Default

    i was having success earlier, but now when i run airbase-ng i cannot seem to locate the rogue AP i have created... any troubleshooting advice?
    patience is appreciated =]

  10. #10
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Quote Originally Posted by Silver_Seven View Post
    Arggggg ....... Has anyone had any success on this within in a VMware session yet ??? I am being persistent here as I was encouraged to see =Tron= recalling to not experiencing any restrictions using airbase-ng under VMware. I am usuing the Alpha too.

    I really want to show a current client of ours a proof of concept on this in the context of a virtual environment. At worst case, I guess I can drop down into an true laptop environment. Anyway, great job on all this guys ........ :-)
    Which part is it that is giving you problems under VMware, ie. how far have you managed to get? I still have yet to experience any real problems with using airbase-ng with my Alfa 500mw under VMware Fusion. I have updated to the latest version of aircrack-ng and am using MTU 1500 on the at0 interface, but apart from that I did not need to make any changes to the script provided by Deathray.
    Quote Originally Posted by benzslr123 View Post
    i was having success earlier, but now when i run airbase-ng i cannot seem to locate the rogue AP i have created... any troubleshooting advice?
    A bit sparse on the information here. As you had it running earlier the best thing to do would probably be to back track your steps and figure out if you did anything differently earlier or have made any changes since then that could be the source of the problem.
    -Monkeys are like nature's humans.

Page 1 of 3 123 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •