hot-spot attack, can this be done?


rma88


Hey everyone, I've been playing around with my wireless cards and testing some things out. One thing I'm curious to try, but would like to ask you guys if it's possible / if I'm going about it the right way, is this:

My laptop has 2 wireless cards. Can I go to a hotspot and connect with one card, put the 2nd wireless card into AP mode and pretend to be like an extension (maybe the actual AP w/ the same MAC etc... not sure?), bridge the 2 wireless cards and sniff traffic via ettercap in the BRIDGED mode? I would use some portal software so a login would be required (just like airsnarf), then would NAT allow me to forward other people's traffic (like http)? (because they themselves will have connected to me, so they aren't associated etc.. with the actual AP)

I guess some of the questions are:

1. Is this doable to begin with?

2. Will NAT work in order for HTTP etc.. to be relayed between me and the real AP?

3. Would I need to mimic the AP as far as MAC etc. go? Or if I just had the same ESSID, would it be seen as an 'extension' or something along those lines?

This idea is stemming from airsnarf. It sure is fun to get someone to log into your rogue AP, but what if they connected, logged in (and got a successful login no matter what), then continued to browse the web through you the entire time?

Please post back w/ anything, help is much appreciated. I'm not sure on setting up NAT, but any help/tips/comments/suggestions are much appreciated.

-Thanks


This is completely possible and relatively easy to do in exactly the way you describe. Classic MITM attack.

You wouldn't need to worry about routing, just bridge the adapters.

Not a good idea to pretend to be the real AP (by using MAC address spoofing and having the same SSID), this will, most likely, make things (as in the attack and the Internet) not work at all for both you (the attacker) and the victim.

The only reason you would want to do it this way is if you wanted to inject stuff to the victim's computer (modified web pages and the like). If you just want to see their traffic stick one of the adapters in promiscuous mode, open Wireshark and you are finished.

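The reply above warns that cloning the real AP's SSID (and possibly its MAC) is the classic evil-twin setup. From the defender's side, the check below is an added example (not code from this thread): it compares a Wi-Fi scan against an allowlist of the legitimate APs for each SSID and flags a known SSID on a foreign BSSID, a known BSSID on a channel it is not deployed on, and a mismatched security mode. The SSID "office", the BSSIDs, channels and scan records are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanRecord:
    """One BSS seen in a Wi-Fi scan (constructed records below)."""
    ssid: str
    bssid: str        # lower-case, colon-separated MAC
    channel: int
    security: str     # "WPA2", "WPA3" or "OPEN"

# Constructed allowlist: the legitimate APs behind the SSID "office".
KNOWN_APS = {
    "office": {
        "00:11:22:33:44:55": {"channel": 6, "security": "WPA2"},
        "00:11:22:33:44:56": {"channel": 11, "security": "WPA2"},
    },
}

def detect_rogue_aps(scan, known=KNOWN_APS):
    """Return sorted (bssid, reason) findings for BSSes that claim one of
    our SSIDs but do not match the inventory. Foreign SSIDs are not judged."""
    findings = set()
    for rec in scan:
        legit = known.get(rec.ssid)
        if legit is None:
            continue
        ap = legit.get(rec.bssid.lower())
        if ap is None:                      # SSID cloned onto a foreign BSSID
            findings.add((rec.bssid, f"unknown BSSID advertising '{rec.ssid}'"))
            continue
        if rec.channel != ap["channel"]:    # our MAC, but not where we run it
            findings.add((rec.bssid, f"known BSSID on unexpected channel {rec.channel}"))
        if rec.security != ap["security"]:  # e.g. an open clone of a WPA2 network
            findings.add((rec.bssid, f"security {rec.security}, expected {ap['security']}"))
    return sorted(findings)

# Constructed scan: the two real APs, an open clone of the SSID on a foreign
# BSSID, a clone of AP 1's MAC on the wrong channel, and an unrelated network.
SAMPLE_SCAN = [
    ScanRecord("office", "00:11:22:33:44:55", 6, "WPA2"),
    ScanRecord("office", "00:11:22:33:44:56", 11, "WPA2"),
    ScanRecord("office", "aa:bb:cc:dd:ee:ff", 1, "OPEN"),
    ScanRecord("office", "00:11:22:33:44:55", 1, "WPA2"),
    ScanRecord("coffeeshop", "12:34:56:78:9a:bc", 3, "OPEN"),
]

if __name__ == "__main__":
    for bssid, reason in detect_rogue_aps(SAMPLE_SCAN):
        print(bssid, reason)
```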

Awesome, thanks for the quick response Sparda. To begin with, I'm glad to hear this is doable.

You wouldn't need to worry about routing, just bridge the adapters.

But if I'm just running one NIC in AP mode and a user connects, they won't have an IP or know where the DNS server is. So if they connect, when they try to access the internet, from what address will they do that? Won't I need NAT? They will be associated with me, not with the real AP. Maybe I'm looking at this the wrong way?

Not a good idea to pretend to be the real AP (by using MAC address spoofing and having the same SSID), this will, most likely, make things (as in the attack and the Internet) not work at all for both you (the attacker) and the victim.

Okay, that's something I wasn't sure about.. an equally enticing ESSID will do.

If you just want to see their traffic stick one of the adapters in promiscuous mode, open Wireshark and you are finished.

But doing it this way (using a portal server and ettercap) gets the hotspot login (like att/t-mobile) and will decrypt SSL. At least that's my thought. Thanks for the response, please don't stop now :).

Any help is much appreciated


But if I'm just running one NIC in AP mode and a user connects, they won't have an IP or know where the DNS server is. So if they connect, when they try to access the internet, from what address will they do that? Won't I need NAT? They will be associated with me, not with the real AP. Maybe I'm looking at this the wrong way?

Assuming the bridge is working correctly, DHCP request broadcasts will be forwarded to the DHCP server, and the server's response will also be delivered back to the client, so not an issue.

But doing it this way (using a portal server and ettercap) gets the hotspot login (like att/t-mobile) and will decrypt SSL. At least that's my thought. Thanks for the response, please don't stop now :).

Yep, the advantage of the MITM method (as opposed to the 'silent' listening method) is the ability to do stuff like intercept SSL certificates, spoof DNS responses (not that you really need to, you could just as easily serve back any web page you want) and grab usernames and passwords (amongst other things).


Ah okay, so correct me if I'm misunderstanding this.

So option 1: 1 NIC is connected to the AP, 1 NIC is an AP bridged to the other. Run ettercap and that's it. That way all DNS, DHCP, etc. requests are just forwarded through me. The user would still be presented w/ a login of some sort (b/c most hot spots have portal software of some sort), and I wouldn't have to provide any DHCP, NAT, portal or anything?

Option 2: I connect to an AP on 1 NIC and log in with a username/pass. Run an AP on the other NIC along w/ DHCP, portal software, and then use NAT to forward HTTP requests/etc. to an AP that I already have access to?

Thanks for the help man, I wasn't sure if just bridging the connection, having one NIC connected and one NIC as an AP, was enough. But it sounds like that is all that is needed, none of the other stuff. So basically one way I do more work than necessary?

(not that you really need to, you could just as easily serve back any web page you want) and grab usernames and passwords (amongst other things).

And what do you mean by that?

Thanks, any help is much appreciated.


So option 1: 1 NIC is connected to the AP, 1 NIC is an AP bridged to the other. Run ettercap and that's it. That way all DNS, DHCP, etc. requests are just forwarded through me. The user would still be presented w/ a login of some sort (b/c most hot spots have portal software of some sort), and I wouldn't have to provide any DHCP, NAT, portal or anything?

Option 2: I connect to an AP on 1 NIC and log in with a username/pass. Run an AP on the other NIC along w/ DHCP, portal software, and then use NAT to forward HTTP requests/etc. to an AP that I already have access to?

Both would work; the second option would be slightly harder to set up and slightly more noticeable than the bridge method (until you start altering things).

Thanks for the help man, I wasn't sure if just bridging the connection, having one NIC connected and one NIC as an AP, was enough. But it sounds like that is all that is needed, none of the other stuff. So basically one way I do more work than necessary?

And what do you mean by that?

If you are performing a MITM attack, you can respond to DNS requests with any response you want, so you could give a computer that asks for google.com hak5.org's IP address, and the computer would go to hak5.org while saying google.com in the address bar.

But, because all the user's traffic is going through you, you may as well let it get google.com's real IP address, but when it tries to open a connection to the google.com server, intercept that and serve it hak5.org instead, making the MITM attack slightly harder to detect by automated software.

Such automated software could be looking to see if the IP address google.com apparently has is in the Google corporation IP block. Such software could also be looking to see if the google.com page matches its usual 'style', so serving up the hak5.org site while pretending to be google.com kind of sets off alarms.

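The post above describes two layers of automated detection a client could run: checking that a name resolves into its owner's known address blocks, and noticing when the served content is not the real site. The added example below (not code from this thread) implements both as a resolver-answer check and a certificate-pin check; the second layer is the one that still fires when the interceptor lets the real IP through and hijacks the TCP connection instead. The watched name, its address blocks, the captured answers and the certificate bytes are all constructed.

```python
import hashlib
import ipaddress

# Constructed table: address blocks the watched name is expected to resolve
# into (documentation ranges here, not a real allocation).
EXPECTED_BLOCKS = {
    "example-search.test": ["203.0.113.0/24", "2001:db8:10::/48"],
}

# Constructed stand-ins for DER certificate bytes; the pin is the SHA-256
# of the certificate the real site serves.
REAL_CERT_DER = b"constructed DER bytes standing in for the real certificate"
INTERCEPT_CERT_DER = b"constructed DER bytes of a certificate minted by an interceptor"
PINNED_CERTS = {
    "example-search.test": {hashlib.sha256(REAL_CERT_DER).hexdigest()},
}

def check_answer(name, addresses, table=EXPECTED_BLOCKS):
    """Return the answer addresses that fall outside the expected blocks.
    Names not in the table are not judged; unparsable strings are reported."""
    blocks = table.get(name)
    if blocks is None:
        return []
    nets = [ipaddress.ip_network(b) for b in blocks]
    bad = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            bad.append(addr)
            continue
        if not any(ip in net for net in nets):   # v4/v6 mismatch is just False
            bad.append(addr)
    return bad

def check_certificate(name, cert_der, pins=PINNED_CERTS):
    """True only if the presented certificate's SHA-256 matches a pin for the
    name; a spoofed-IP answer that passed check_answer still fails here."""
    return hashlib.sha256(cert_der).hexdigest() in pins.get(name, set())

# Constructed "captured" resolver answers for the watched name.
LEGIT_ANSWER = ["203.0.113.10", "2001:db8:10::5"]
SPOOFED_ANSWER = ["198.51.100.7"]          # points at a host outside the blocks

if __name__ == "__main__":
    print(check_answer("example-search.test", LEGIT_ANSWER))             # []
    print(check_answer("example-search.test", SPOOFED_ANSWER))           # ['198.51.100.7']
    print(check_certificate("example-search.test", INTERCEPT_CERT_DER))  # False
```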

Hey everyone, here's the update.. I could use some help. I'm trying to set up a transparent wireless bridge, but traffic is only making it to 2 of the 3 interfaces.. I could really use some help here.

Here's what the situation has boiled down to: I am trying to "extend" the range of my AP. I have a laptop with two wireless cards (1 Atheros, 1 Intel 3945abg). I am putting one interface into AP mode, the other into managed, and bridging the connection, but traffic is only seen on the NIC hosting the AP and the bridge. The interface in managed mode isn't receiving any of the traffic. Here is how I'm doing it:

ifconfig ath0 down
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode master (master or ap? same?)
ifconfig wlan0 0.0.0.0 up
iwconfig wlan0 essid "office" key xxxxxxxxxx
ifconfig ath0 0.0.0.0 up
iwconfig ath0 essid "extension"
brctl addbr br0
brctl addif br0 wlan0
brctl addif br0 ath0
ifconfig br0 up
dhclient br0 (or ifconfig br0 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255)

Now if a client connects to "extension" and requests an IP address via DHCP, I can see traffic (via Wireshark) on ath0 (the AP NIC) and br0; however, wlan0 (the NIC in managed mode connected to "office") doesn't see anything.

Some of my key questions are:

1. Does wlan0 need to be associated w/ the "office" AP? That only happens when I give it an IP address... so would I need to assign it one to get associated, then set my IP to 0.0.0.0 on wlan0 again?

2. Do I need to set a default route for anything, br0 maybe?

# route add default gw 192.168.1.1 br0

3. My AP currently uses STP (I can see from the Wireshark output), so I'm assuming I need: brctl stp br0 on ??

Thanks so much for any help, it is greatly appreciated as this has been going unsuccessfully for me for a while.

Thanks


Okay, just an update. If I first connect and get associated with the "office" AP on wlan0, then perform the commands above to create the bridge, I can see traffic on all the interfaces: (users) <---> ath0 <-> br0 <-> wlan0 <----> (office)

I can see all the ARP and STP broadcasts, and I can use DHCP to get an IP on br0. I turned on STP on the bridge as well and gave it a default gw of 192.168.1.1.

So it looks like all the traffic is making it, and everything is good to go; however, the computer I'm using to connect to my laptop to test this isn't able to get an IP address. I'm requesting one via DHCP and I can see the request on all the interfaces (via Wireshark), but it's not getting a response. I can see all the ARP and NBNS traffic etc... but I cannot get a DHCP reply from the default gw. When I statically assign an IP address and other stuff, I still cannot ping the gateway. Any idea why the gw pretty much won't respond to additional hosts connected through my bridge? Do they associate w/ the AP themselves and get any response through me?

Anyways, I just wanted to give an update so if someone does decide to help it wouldn't be about something that's already working.

Tips/points in the right direction are always appreciated, as usual :)

Thanks


  • 3 months later...

I have been trying to get something like this working for about 2 weeks now.

I have 2 wifi cards, one ipw4965 built into my laptop, and the other a mini PCI-E Atheros based.

I put the Atheros into master mode, then connect the ipw4965 to the internet via my wireless router.

But as soon as I add the 4965 to the bridge (brctl addif br0 wlan0) the internet goes down. The thing is, the instant I bring the bridge back down, the internet comes back online, which would suggest that it never actually disconnected from the internet, it's just that the data wasn't getting through for some reason.

Any help greatly appreciated. Thanks.
