SecurityTube, Wireless Lan Security Megaprimer notes: part 9 (Hotspot attack basics)
Vivek’s video is here.
Vivek shows you how to setup a fake software access point and force existing clients to connect to it in preference to the original access point. From this point a number of attacks could be launched, including man-in-the-middle attacks. These attacks are not discussed in detail here.
Wireless hotspots are usually Open Auth, sometimes have MAC filtering, no encryption (can’t really work here). May have application layer authentication (login portal).
Attacks
* Create an “evil twin”:
* Same ESSID
* Same BSSID (optional)
* Use de-auth to break client connections
* If our “evil” network has higher strength, then client will connect to it preferentially.
* Further attack options then exist. (metasploit the client, man in the middle)
0. Locate your target network with airodump. (For the lab setup an AP with no encryption, in the examples it’s called SecurityTube)
1. Use airbase-ng to create an access point.
iwconfig wlan0 channel NN # can be any channel airbase-ng -a AA:AA:AA:AA:AA:AA -e SecurityTube mon0
This access point has 2 interfaces. One is mon0, the wireless interface.
airbase-ng creates a virtual network device called at0. This is the wired side of access point.
2. Bring up the virtual interface
ifconfig at0 up
That was just to test things out, kill airbase-ng.
3. Connect a client to the real access point.
4. Deauth all clients
iwconfig channel NN # same channel as REAL AP. aireplay-ng --deauth 0 -a BSSID_OF_REAL_AP mon0 # BSSID found in airodump
Leave this running in the background.
5. Bring up airbase-ng again. In this case, we’re running airbase on the same channel (so we can send deauths in the background).
airbase-ng -a AA:AA:AA:AA:AA:AA -e SecurityTube mon0 # BSSID can be anything.
6. Try and connect your client again. Your client should connect to your soft access point.
7. Capture some data with wireshark on at0.
ifconfig at0 up #bring up at0
After a while, the client will give up trying to obtain a DHCP address.
It will assign itself an autoconfig address. You’ll see this in wireshark.
Source address will be listed as 169.x.x.x, in Vivek’s case he saw IGMP packets.
8. Assign at0 an address in this range and attempt to ping the client:
ifconfig at0 169.254.174.XX netmask 255.255.255.0 up #where 169.254.174.XX is an address in the same range as the client. ping <address found in wireshark>
You can now access the client at the IP level.