SecurityTube, Wireless Lan Security Megaprimer notes: part 9 (Hotspot attack basics)

Vivek’s video is here.

Vivek shows you how to set up a fake software access point and force existing clients to connect to it in preference to the original access point. From this point a number of attacks could be launched, including man-in-the-middle attacks. These attacks are not discussed in detail here.

Wireless hotspots usually use Open Authentication, sometimes with MAC filtering, and no encryption (it can't really work in this setting). They may have application-layer authentication (a login portal).


* Create an “evil twin”:
  * Same ESSID
  * Same BSSID (optional)

* Use de-auth to break client connections.

* If our “evil” network has higher signal strength, the client will connect to it preferentially.

* Further attack options then exist (e.g. attacking the client with Metasploit, man-in-the-middle).

0. Locate your target network with airodump. (For the lab, set up an AP with no encryption; in the examples it's called SecurityTube.)

1. Use airbase-ng to create an access point.

iwconfig wlan0 channel NN # can be any channel
airbase-ng -a AA:AA:AA:AA:AA:AA -e SecurityTube mon0

This access point has two interfaces. One is mon0, the wireless side.
airbase-ng creates a virtual network device called at0; this is the wired side of the access point.

2. Bring up the virtual interface

ifconfig at0 up

That was just to test things out; kill airbase-ng.

3. Connect a client to the real access point.

4. Deauth all clients.

iwconfig wlan0 channel NN # same channel as the REAL AP
aireplay-ng --deauth 0 -a BSSID_OF_REAL_AP mon0 # BSSID found in airodump

Leave this running in the background.

5. Bring up airbase-ng again. In this case, we're running airbase-ng on the same channel (so we can keep sending deauths in the background).

airbase-ng -a AA:AA:AA:AA:AA:AA -e SecurityTube mon0 # BSSID can be anything

6. Try to connect your client again. Your client should connect to your soft access point.

7. Capture some data with Wireshark on at0.

ifconfig at0 up # bring up at0

After a while, the client will give up trying to obtain a DHCP address and assign itself an autoconfig (link-local) address. You'll see this in Wireshark:
the source address will be listed as 169.x.x.x; in Vivek's case he saw IGMP packets.

8. Assign at0 an address in this range and attempt to ping the client:

ifconfig at0 169.254.174.XX netmask 255.255.0.0 up # where 169.254.174.XX is an address in the same range as the client
ping <address found in wireshark>

You can now access the client at the IP level.
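A defender-side check for the evil-twin setup described above. This is an added Python example, not code from Vivek's video or from the aircrack-ng suite: it parses constructed airodump-ng-style AP records (the column layout is an assumption, not real captured data) and flags an ESSID advertised by more than one BSSID, listing the strongest signal first because that is the one clients will prefer; the optional allow-list of known BSSIDs is also an assumption.

```python
"""Evil-twin indicator check over airodump-ng-style AP records.

Added example for these notes, not part of the video or the aircrack-ng
tools. The sample records are constructed to mirror the lab: a legitimate
open AP called SecurityTube and a soft AP advertising the same ESSID from a
different BSSID with a stronger signal.
"""
from collections import defaultdict

# Constructed sample (assumed columns: BSSID, channel, privacy, power dBm, ESSID).
SAMPLE_CSV = """\
00:11:22:33:44:55, 6, OPN, -62, SecurityTube
AA:AA:AA:AA:AA:AA, 6, OPN, -38, SecurityTube
66:77:88:99:AA:BB, 11, WPA2, -70, HomeNet
"""


def parse_aps(csv_text):
    """Parse one AP per line into dicts; ESSID may itself contain commas."""
    aps = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        bssid, chan, priv, power, essid = [f.strip() for f in line.split(",", 4)]
        aps.append({"bssid": bssid.upper(), "channel": int(chan),
                    "privacy": priv, "power": int(power), "essid": essid})
    return aps


def find_evil_twins(aps, known=None):
    """Return alert strings: ESSIDs seen from more than one BSSID, plus any
    BSSID absent from the allow-list `known` (a set) when one is given."""
    by_essid = defaultdict(list)
    for ap in aps:
        by_essid[ap["essid"]].append(ap)
    alerts = []
    for essid, entries in by_essid.items():
        if len(entries) > 1:
            # Strongest signal first: clients will prefer this BSSID.
            entries = sorted(entries, key=lambda a: a["power"], reverse=True)
            bssids = [a["bssid"] for a in entries]
            alerts.append(f"ESSID {essid!r} seen from {len(entries)} BSSIDs "
                          f"(strongest {bssids[0]}): {', '.join(bssids)}")
        if known is not None:
            for a in entries:
                if a["bssid"] not in known:
                    alerts.append(f"unknown BSSID {a['bssid']} on channel "
                                  f"{a['channel']} advertising {essid!r}")
    return alerts
```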

  • Himanshu

    It's not giving any sort of IP, not even APIPA; my cellphone is just going mad, and for SSL MITM we need IPs which are not APIPA, I guess, to get to the internet.
    Even after waiting for over half an hour my phone was looking for an IP address and the message was showing “Obtaining IP Address” all the time.

    Vivek, if you are watching, I need your help.