rogue access point rootsh3ll

It is often a pain to set up a working rogue access point with the (ISC!) DHCP server. Most users either fail to set up the DHCP server at all or have a hard time configuring it. Many try to do flexible things with rogue access points using airbase-ng and end up frustrated.

airbase-ng is a nice little WiFi hacking tool, part of the aircrack-ng suite, with very limited options. It is usually paired with a full-blown, memory-hungry, hard-to-maintain (ISC!) DHCP server, which is not needed at small operational scales, especially when you are working on embedded, less powerful devices like the Raspberry Pi.

hostapd (Host access point daemon) is a very flexible and lightweight software access point capable of turning normal NICs into full-blown (real) access points and authentication servers.
hostapd together with Apache can do a lot of interesting things, but only a few of those aspects will be covered in this book.

dnsmasq is a lightweight DHCP and caching DNS server.
dnsmasq accepts DNS queries and either answers them from a small local cache or forwards them to a real recursive DNS server.
dnsmasq is written with small embedded systems in mind. It aims for the smallest possible memory footprint compatible with the supported functions, and allows unneeded functions to be omitted from the compiled binary.

Before jumping right into the possibilities of a fake AP, you must make sure that your configuration files are properly set up.
This lets you be ready to go for whatever scenario you face and saves a lot of time.

This article is an excerpt from my WiFi Penetration Testing and Security eBook, in which I talk about hacking WiFi-enabled devices with rogue access points, war driving, custom captive portals and splash pages, multiple access points from a single NIC and much more. Click here to learn more about the contents.

Understanding the Basic Attack Scenario

We scan the air and gather information about the target access point.

Information like:

  • ESSID: Extended Service Set Identifier aka AP Name
  • BSSID: Basic Service Set Identifier aka AP MAC address
  • Channel number
  • Connected clients, aka victims

We create an access point with the same name as our target AP (rsX), though the operating channel may differ.
We de-authenticate the client from the real AP and wait for them to connect to our fake AP (rsX).
The moment the victim associates with our fake AP, they are allocated an IP address.
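The scenario above hinges on the clone sharing the target's ESSID while necessarily using its own BSSID, and usually a different channel or weaker security. The following is an added example (not code from the original post) of how a defender with an inventory of legitimate BSSIDs per SSID can flag such an evil twin from one scan; the inventory, the scan records and their field names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: the SSID "rsX" is legitimately served by one BSSID on channel 6.
KNOWN_APS = {
    "rsX": {"00:11:22:33:44:55": {"channel": 6, "security": "WPA2"}},
}

# Constructed scan sample, in the shape a wireless IDS sensor might emit per beacon.
SCAN = [
    {"ssid": "rsX", "bssid": "00:11:22:33:44:55", "channel": 6, "security": "WPA2"},
    {"ssid": "rsX", "bssid": "aa:bb:cc:dd:ee:ff", "channel": 11, "security": "OPEN"},
    {"ssid": "guest", "bssid": "66:77:88:99:aa:bb", "channel": 1, "security": "WPA2"},
]


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reasons: tuple


def find_evil_twins(scan, known=KNOWN_APS):
    """Return a Finding for every beacon that clones a known SSID from an unknown BSSID."""
    findings = []
    for ap in scan:
        legit = known.get(ap["ssid"])
        if legit is None:                      # SSID we do not operate: out of scope
            continue
        if ap["bssid"].lower() in legit:       # inventory hit: genuine AP
            continue
        reasons = ["unknown BSSID for known SSID"]
        legit_channels = {v["channel"] for v in legit.values()}
        if ap["channel"] not in legit_channels:
            reasons.append(f"channel {ap['channel']} not in {sorted(legit_channels)}")
        legit_sec = {v["security"] for v in legit.values()}
        if ap["security"] not in legit_sec:
            reasons.append(f"security {ap['security']} differs from {sorted(legit_sec)}")
        findings.append(Finding(ap["bssid"], ap["ssid"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(SCAN):
        print(f"ALERT {f.ssid} from {f.bssid}: " + "; ".join(f.reasons))
```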

Now we have IP level access to the victim machine.
Here you can do a lot of stuff like:

But to make all of this possible you should be prepared with your tools. As the saying goes:

A craftsman is only as good as his tools

Configuring the Rogue Access Point


Hostapd
Used to create a specific type of access point, be it WPA/WPA2 Personal, Enterprise or a Karma attack. Keep every variant commented out in your config for later use.

Dnsmasq
Lightweight DNS/DHCP server. It resolves DNS requests from the client and also acts as a DHCP server to allocate IP addresses to the clients.
Remember the IP-level connectivity to the client? That is thanks to dnsmasq.

Apache
Basically, it acts as a web server for the client (victim). But you can extend the capabilities of your web server and fake AP using this powerful tool.
Apache and/or MySQL are not necessary in every attack, though.

Mysql
All the client information is stored in the database, so you should have the corresponding database, tables and columns set up in advance.

hostapd and dnsmasq are required in every case where you want to set up a rogue access point. There are also some advanced techniques which differ according to the attack scenario;
those advanced techniques may use the flexibility and features of Apache and MySQL.

Example:
Say you force-connected the victim to your AP and simply want to sniff or redirect the traffic. You do not need Apache at all.
But if you want to respond to the web-based requests made by the victim, you can manipulate them in certain ways to extract the maximum amount of sensitive information.
Kind of lost? No worries, the upcoming chapters will make it clearer.

We will learn about different attack scenarios and the various roles of Apache and MySQL in them.
But before that, let us set up the fundamentally required tools, i.e. hostapd and dnsmasq.

Installation:

Make sure the latest version of each tool is installed:

Configure hostapd

Create a directory for the saved configuration files. Open a Terminal and create the hostapd config file.

Make sure you edit the settings accordingly every time you perform an attack.

The operating channel number can cause issues if not chosen properly.

Configure dnsmasq

Make sure to define the proper interface in the dnsmasq.conf file.

Parameter Breakdown:
dhcp-range=10.0.0.10,10.0.0.250,12h : Client IP addresses will range from 10.0.0.10 to 10.0.0.250, the network subnet mask is 255.255.255.0, and the default lease time is 12 hours.

dhcp-option=3,10.0.0.1 : 3 is the option code for the default gateway, followed by the IP of the default gateway, i.e. 10.0.0.1

dhcp-option=6,10.0.0.1 : 6 is the option code for the DNS server, followed by its IP address
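To make the parameter breakdown concrete, here is an added example (not code from the original post) that parses dhcp-range and dhcp-option lines into what a client will actually be handed, names the option codes used in this post (3, 6, 42 and the NetBIOS codes 44 to 47), and reports when one host is advertised as gateway, DNS and NTP at once, which is the property the rest of this setup relies on. The config fragment is constructed, and the example assumes dnsmasq's documented substitution of its own interface address for 0.0.0.0, taken here to be 10.0.0.1.

```python
import ipaddress

# DHCP option codes the post refers to, with their RFC 2132 names.
OPTION_NAMES = {3: "router", 6: "dns-server", 42: "ntp-server", 44: "netbios-ns",
                45: "netbios-dd", 46: "netbios-node-type", 47: "netbios-scope"}

# Constructed dnsmasq.conf fragment matching the parameter breakdown above.
SAMPLE_CONF = """\
interface=wlan0
dhcp-range=10.0.0.10,10.0.0.250,12h
dhcp-option=3,10.0.0.1    # default gateway
dhcp-option=6,10.0.0.1    # DNS server
dhcp-option=42,0.0.0.0    # NTP server; 0.0.0.0 stands for this host
"""


def parse_dnsmasq(text, self_ip="10.0.0.1"):
    """Parse dhcp-range and dhcp-option lines into ((start, end, lease), {code: value}).

    dnsmasq substitutes its own address on the serving interface for 0.0.0.0 in
    an option value; self_ip is that address (assumed to be 10.0.0.1 here).
    """
    rng, options = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        key, _, val = line.partition("=")
        if key == "dhcp-range":
            start, end, lease = val.split(",")[:3]
            rng = (ipaddress.ip_address(start), ipaddress.ip_address(end), lease)
        elif key == "dhcp-option":
            code, _, optval = val.partition(",")
            options[int(code)] = self_ip if optval == "0.0.0.0" else optval
    return rng, options


def describe(options):
    """Name each option so the offer a client will receive is readable."""
    return {OPTION_NAMES.get(c, f"option-{c}"): v for c, v in options.items()}


def audit(rng, options):
    """Findings a defender looks for: a bad range, and one host serving gateway, DNS and NTP."""
    findings = []
    start, end, _lease = rng
    if start > end:
        findings.append("dhcp-range start is above its end")
    present = [c for c in (3, 6, 42) if c in options]
    hosts = {options[c] for c in present}
    if len(present) >= 2 and len(hosts) == 1:
        findings.append(f"gateway, DNS and NTP all resolve to {hosts.pop()}: one host controls every client dependency")
    return findings


if __name__ == "__main__":
    rng, opts = parse_dnsmasq(SAMPLE_CONF)
    print(describe(opts))
    print(audit(rng, opts) or ["no findings"])
```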

That’s all for configuration. Simple, isn’t it?
Assuming that you’ve already set up the MySQL database and the required web files in the Apache working directory, as taught in the previous segment of this chapter, let’s run the server and our fake AP now.

Open a new Terminal and run hostapd:

To allocate IP addresses to victims, run dnsmasq.
Before that, set an IP address on the wlan0 interface to enable IP networking, so that dnsmasq can process the incoming requests and direct the traffic accordingly.

Open a new Terminal for dnsmasq:

As soon as a victim connects you should see output similar to the following in the hostapd and dnsmasq Terminal windows:

hostapd:

dnsmasq:

Now you can enable NAT by setting firewall rules in iptables

and enable internet access for victims:

Here’s some extra topping…

Heard about iOS’s 1970 bug? By faking an NTP (Network Time Protocol) server you can set the date of an iOS < 10.1.1 device to 01/01/1970, which will brick the device permanently beyond repair. Yes, it is as easy as changing this option to the NTP server’s option code:

# NTP Server

Option 42 tells dnsmasq to hand out 0.0.0.0, i.e. our machine’s own address on the serving interface, as the NTP server, so all time-synchronisation requests are directed to us.
Here is a configuration for NetBIOS; note that we do not need it in our current setup.

# 44-47 NetBIOS


server=8.8.8.8 : Optional upstream public DNS server, where 8.8.8.8 is Google’s DNS
log-queries : Enable query logging
log-dhcp : Enable DHCP logging
listen-address=127.0.0.1 : dnsmasq will also listen on localhost for local/redirected traffic, so that Internet access works on our own machine too, if required

Optional configurations

You can create an optional fakehosts.conf file for dnsmasq to let it redirect a target website’s traffic to your desired IP address. It will simply tell the client that target-site.com
is hosted at our chosen IP address.

That’s all. Just pass the file to dnsmasq with the -H flag and all traffic for these sites will be redirected to your Apache server.

You can also use multiple IP addresses (one IP per domain) to redirect traffic to other machines, be they public or private IPs, for example:

dnsmasq will spoof the DNS answers for those names accordingly.
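From the client side, the hosts-file redirect just described shows up as unrelated public names all resolving to one private address. This added example (not code from the original post) groups observed resolver answers by that pattern so a defender can spot the spoof; the answers and the internal-domain allowlist are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver answers as a client on the network might observe them.
ANSWERS = [
    ("target-site.com", "10.0.0.1"),
    ("login.example.net", "10.0.0.1"),
    ("intranet.corp.local", "10.0.0.5"),
    ("www.example.org", "93.184.216.34"),
]

# Name suffixes that legitimately resolve to private address space (assumed allowlist).
INTERNAL_SUFFIXES = (".corp.local",)


def find_dns_redirects(answers, internal_suffixes=INTERNAL_SUFFIXES):
    """Group public names that resolve to private addresses by that address.

    A hosts-file redirect makes several unrelated public names collapse onto one
    private IP; the returned mapping makes that clustering visible.
    """
    by_ip = defaultdict(list)
    for name, ip in answers:
        addr = ipaddress.ip_address(ip)
        if not addr.is_private or name.endswith(internal_suffixes):
            continue                        # public answer, or an expected internal name
        by_ip[ip].append(name)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, names in find_dns_redirects(ANSWERS).items():
        print(f"{ip} answers for {len(names)} public names: {', '.join(names)}")
```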

If you frequently connect to your mobile hotspot and also want to pwn the machines in the vicinity, you should keep your wpa_supplicant configuration ready.
After killing network-manager you can still connect to a Wi-Fi AP using the wpa_supplicant utility.

Save the PSK in a file:

Syntax: wpa_passphrase [ESSID] [Passphrase] > wpa.conf

It will create a file, wpa.conf, with the following content:

You can then connect to WiFi using your WiFi/station interface:

That’s all the configuration you need to preserve to save time and effort.

Now you have your rogue access point working perfectly fine. You must’ve heard of the WiFi-Phisher tool that uses captive portals to sniff WPA2 passphrases in cleartext. Well, you can take that to THE NEXT LEVEL!

You heard it right.
Wouldn’t it be better if you could get cleartext WPA2 passphrases, even of those access points that don’t virtually/physically exist in the vicinity? That’s what The Ultimate Fake AP is all about. It opens up a captive portal on the client device (automagically) and sends a malicious (AV-proof) executable to the victim as a **mandatory system update**. The moment the victim executes the file, you get the passwords of all the access points the victim has ever connected to, in plain text.

After setting up the rogue access point, make sure to test The Ultimate Fake AP setup on it.

References

Port Scanning Machines: https://rootsh3ll.com/rwsps-post-exploiting-the-network-ch6

The Ultimate Fake AP: https://rootsh3ll.com/ultimate-fake-access-point-walkthrough

Kali Linux WiFi Pentesting and Security eBook: https://rootsh3ll.com/klwps