This article describes an automatic radio attack that works with all functions. It does not have any Internet connection or other external connections or affects the execution of client-type mitm attacks.
For outsiders, this portable battery powered device automatically attracts wireless devices to connect to it because iPhone/iPad companies, robots and other mobile phones, laptops, and PCs. Most devices will automatically connect to it without users or even being aware of it. The device will provide a fake email and web server running in a fake network, and use some network-mounted dog meat to capture any host name, user name, and password that tries to connect, and record it, with GPS coordinates, the details are captured. This device can be used to hijack enterprise and personal email login, Facebook login, and so on.
As part of the airbase-ng aircrack-ng kit, the study of wireless client vulnerabilities in the past few months has led to an interesting concept verification project. There are some shortcomings in the widely used wireless technology. However, an explanation of the first project. The project description is a victim who launches a wireless man-in-the-middle attack without connecting to another terminal. We need to create a mitm attack without any Internet access. In theory, such an attack can be used for management, locking the building, moving the action, and so on, without the use of mobile data cards. Although any Linux release would be appropriate for modifying raspberry in Central Europe, I have set the output power of my wireless device to 30 dBm and started the automated process as follows:
First, an air force base instance in my rtl8187 card is as follows;
/usr/local/sbin/airbase-ng -c 3 wlan0 –essids “/root/pen/code/scripts/essids” -P -C 60 -I 60 -vv|grep –line-buffered “directed probe request”| tee /run/probes
This starts an access point channel 3. The SSID/root/PEN/code/scripts/essids contained in the Guide and any access point for investigation requests may receive access points that the customer wants to connect. Now, in more details, the "non-hidden" Access Point regularly broadcasts the SSID (wireless network name) of the data block specified by the "beacon" and supports encryption types. These signals are usually sent every 100 milliseconds. The wireless client will send a probe package that contains the SSID of all wireless networks, store it, and require that if they are all here.
Fully automatic IC wireless hacking Station
Limit l 26,201 comments/in Linux, Perl, projects, Raspberry Pi, security consultant, wireless/by Adam Palmer +
This article describes a working all-in-one standalone mobile wireless attack station that can perform mitm type attacks on clients automatically and without any Internet access or other external connectivity or influence.
In laypersons terms; this portable battery powered device can be automatically entice wireless devices to connect to it, be that iPhones/iPads, androids and other phones or laptops and PCs. most devices will connect to it automatically without the user even realizing. the device will provide a fake network running fake email and web servers and using some network trickery, will capture the hostname, username and password of any attempted connection and log it, along with the GPS co-ordinates of where the details were captured. this device cocould be used to hijack login ate and personal email logins, Facebook logins, and so on.
Messing around with airbase-ng, part of the aircrack-ng suite over the last few months and researching wireless client vulnerabilities has led to an interesting proof concept project. there are several weaknesses within the current wireless technologies in widespread use. first however, an explanation of the project. the project description was to launch a wireless man in the middle (mitm) attack, without having another end to connect the victim. we need to create a mitm attack without having any Internet access. such an attack cocould theoretically be used on the tube, in locked down buildings, on the move, and so on, and without the use of a mobile data card. built on top of a modified raspberry pwn release, although any Linux distribution wowould have been suitable, I have set my wireless device with a power output of 30dbm and started the following automatic process:
Firstly, an airbase instance on my rtl8187 card as follows;
/Usr/local/sbin/airbase-ng-C 3 wlan0-essids "/root/PEN/code/scripts/essids"-p-C 60-I 60-VV | grep -Line-buffered "directed probe request" | tee/run/probes
This starts an access point on Channel 3, beaconing the SSIDs contained within/root/PEN/code/scripts/essids as well as any probe requests that the access point may receive from clients looking to connect to an access point. now, in a little more detail, regular 'non-den 'access points will broadcast 'beacons' which are pieces of data that specify the SSID (wireless network name) as well as the supported encryption types and so on. these beacons are usually sent every 100msec. wireless Clients will send probe packets, containing the SSIDs of all wireless networks that they have stored, and asking if any of them are here.
The-P switch to AIRBASE-ng will have airbase respond to all probes saying "yes, that's me" at which point assuming the encryption or lack thereof matches the stored profile, the client will attempt to associate. mid way through building this test however, Apple released iOS 6, and one of the changes seems that the iPhone will now only send out broadcast probes rather than directed probes, renderin G The-P feature useless against them. The broadcast probe is where the device sends out a "Is anyone there ?" Probe, and waits to see which access points reply. most iPhones however have connected at some point to a wireless hotspot, and so the SSIDs I chose for the essids file are "Boingo Hotspot", "btopenzone" and "btwifi" in the UK. I believe that "attwifi" is a popular one in the US.
We then wait for airbase-Ng's 'at0' interface to come up, before starting a DHCP server handing IPS out on the 10.0.0.0/16 range whilst at0 itself is set to 10.0.0.1. clients are set with DNS and router set to 10.0.0.1.
We then create a DNAT entry with iptables to redirect any traffic that comes in on at0 that wowould have been routed back to ourselves on 10.0.0.1;
Iptables-T Nat-A prerouting-I at0-J DNAT-to-destination 10.0.0.1
Remembering that we have no default gateway, the biggest issue we have is that whilst we can run fake services on our device, we have no way of running Ming DNS lookups, and therefore even if we respond to all dns a requests with '10. 0.0.1 ', we'll most likely be logging useless credentials.
At this point, I thought it wocould be a good idea to brush up on my programming skills and relearn Perl. using the Poe framework and sqlite3, we next run a fake DNS server. the DNS server is assigned a range, in this case 199.0.0.0/8 on which to hand out IPs. the first request is assigned 199.0.0.1 and logged in the database, the second request 199.0.0.2, and so on. if we already have a record of that request, we'll hand out the IP we handed out the last time. whether the client accepts our DNS or has their own hardcoded, The DNAT will redirect any DNS request to our device. our DNS table might look something like;
ID |
IP |
Host |
1 |
199.0.0.1 |
Apple.com |
2 |
199.0.0.2 |
Www.google.com |
3 |
199.0.0.3 |
M.google.com |
4 |
199.0.0.4 |
Imap.gmail.com |
Now, idevices and blackberries attempt to connect to a URL to confirm Internet service. if they do not receive the expected response, they assume they are on a wireless hotspot and pull up a login page. we must satisfy the query to pretend to the devices that they have valid Internet access.
The next step in the process is where the client tries to connect to a service. I have currently built protocol support for POP3, IMAP, HTTP and Their SSL versions, and additional services can be added easily.
Once the client initiates a connection, It is redirected back to us over DNAT. under Linux, we have the originally requested destination IP available by using the socket option so_original_dst. assuming the client attempts to connect to 199.0.0.3 now over IMAP, our IMAP server implements enough of the protocol to log the credentials and keep the client happy, as well as looking up the requested hostname'm .google.com' in the sqlite3 database and presenting it as the banner.
Shocould SSL be in use, we dynamically create a self signed certificate for'm .google.com 'and present it to the client. it will yield the usual SSL warning although having a matching hostname, the non-technical user is more likely to accept. the iPhone [4 at least] had an annoying feature where no matter how many times 'cancel' is clicked, it will keep presenting with the same SSL warning until 'contine' is clicked or WiFi is shut off. this almost guarantees that the user will click Continue. in addition, whilst testing, I did not even realize at first that the warning I was presented with on the iPhone was even an SSL certificate warning. I am very surprised that the warning is not worded in stronger terms than it is.
Once we have credentials, these are logged in a separate table and related back to an IP entry which ultimately relates back to the original host the user attempted to connect. thus we are able to log host details, username and passwords on a standalone portable device with no network connectivity. lastly, the device was kitted out with a bluenext GPS dongle, And so GPS coordinates can be logged if they are available for where credentials were sniffed.
It is not legally possible to actively run such a device in public, however based on internally testing the system with my own devices, as well as passively collecting some of the broadcast probes sent over the air in public places, running such a device in public cocould very easily harvest contains hundreds of passwords ranging from home to initialize ate in only a few minutes at a suitably busy location. furthermore, as the device has no internet or external connectivity of its own, and the attacker wocould be entirely untraceable.
In my next posting, I will discuss some of the weaknesses we touched upon and how they can be overcome.
Source: http://www.iodigitalsec.com/fully-automatic-wireless-hacking-station/ this article from the above site you can enter the viewing body welcome to enter!
China Han Long Hei Kuo teaches you how to fully automatic wireless intrusion hotspots, hacker fully automatic WiFi phishing, large-scale batch wireless hotspot phishing-Welcome to subscribe