SecurityTube, Wireless Lan Security Megaprimer notes: part 10 (Hacking Isolated Clients)

Vivek’s video is here.

You may have noticed that your phone or laptop autoconnects to wifi networks you’ve used before.
In this part Vivek discusses this behaviour and shows how it can be exploited.

Clients acquire preferred lists of SSIDs as they connect to different networks.

When the client is isolated, it will send out “Probe Request” packets to try and find the networks it already knows about.

0. Make sure your monitor mode interface (mon0 is up and running as before).

SSID is case sensitive.

1. You’ll need a client which you’ve previously connected to a number of networks.
Leave the Wifi on, but don’t associate with any network.

2. Load airodump, you should be able to see the client probing for various networks.

3. Start a wireshark capture as usual.

3.1 Use the mac address of the client from airodump like so:

wlan.addr == MACADDRESS

You should see a bunch of “Probe Request” packets. You should see probe requests for all the networks your client knows about.

You should note that different operating systems behave differently. Newer OSs don’t auto-connect to open networks.

Use Cases:

Your ads will be inserted here by

Easy AdSense Pro.

Please go to the plugin admin page to paste your ad code.

4. Open network, no encryption.

Attacker sniff Probe Request for a network.
Attacker sends a “Probe Response” saying “Yes I’m that network”.
Target is connected to attackers fake access point.
Attacker can attack the client at the IP level.

This is possible because SSID alone is used which network to connect to.

4.1 We can use airbase-ng to create a fake AP as before:

airbase-ng --essid SecurityTube -a AA:AA:AA:AA:AA:AA mon0

Note: You can add a “-v” to airbase-ng which displays a lot of interesting information.

4.2 Fire up wireshark add a filter for the MAC: AA:AA:AA:AA:AA:AA, the filter should look like this (where MACADDRESS is the MAC of your client previously found):

(wlan.addr == MACADDRESS) && (wlan.addr == AA:AA:AA:AA:AA:AA)

5. airbase-ng respond to everything!

airbase-ng can be configured to respond to /ALL/ probe requests:

airbase-ng -P -a AA:AA:AA:AA:AA:AA mon0

-C can also be used to send of beacon packets for networks probed too, neat!

airbase-ng -C 10 -P -a AA:AA:AA:AA:AA:AA mon0 -v

Vivek shows this iPhone hopping between different wifi networks which his fake AP is broadcasting.

We’ll discuss how to can use this behaviour with encrypted networks in later lessons.