Sunday, October 16, 2016

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.6 - Bridge to a network through a rogue Access Point

2.6 - Bridge to a network through a rogue Access Point

- The purpose of this practice is to create a rogue (fake, false) Access Point at the "kali" attacker machine, whose ESSID will be "falso", and then to connect any wireless client of the AP through a bridge to the authorized network.

- So, the bridge could be used as a backdoor into the network by any attacker connected to that rogue AP. Once that goal is achieved, all the efforts of firewalls and Intrusion Prevention Systems to protect the network are rendered useless, because the wireless client sits directly on the wired LAN and its traffic never crosses those controls.

- First of all, using the airbase-ng command, a rogue AP called "falso" is created, following the same method used at 9.3:

- Now, the brctl addbr command creates a bridge, called "puente" in this case, between the Ethernet interface (which is part of the authorized network) and the rogue AP:

- Adding the Ethernet interface eth0 and the virtual interface at0 (the tap interface that airbase-ng creates for the rogue AP) to the bridge "puente":

- Bringing up the bridge and both of its interfaces:

- Also, ensuring that the system forwards all the packets it receives (IP forwarding enabled):

- Finally, the client "roch" connects to the newly created network "falso":

- For the purpose of demonstrating that the practice is correctly done, it is important to note that the MAC address of the connected client "roch" is 28:C6:8E:63:15:6B:

- Now, at the "kali" attacker machine, it can be verified that the client with MAC 28:C6:8E:63:15:6B (that is, "roch") associated to the network "falso" at 13:37:42, about two minutes after the rogue AP was created at 13:35:38:
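The same association event the attacker checks above is exactly what a defender's wireless monitoring should alert on. The following is an added example, not code from the original practice: a minimal wireless-IDS style check over constructed scan records (a simplified CSV layout, assumed here rather than the exact airodump-ng file format) that flags any AP not on an authorized ESSID/BSSID allowlist and any client that associates to it. It goes slightly beyond the page's case by also catching an "evil twin" that reuses an authorized ESSID from an unknown BSSID; the BSSID of "falso" and the allowlist are constructed placeholders.

```python
import csv
import io

# Authorized corporate APs (constructed sample allowlist): ESSID -> set of BSSIDs.
AUTHORIZED = {
    "corp-wifi": {"00:11:22:33:44:55"},
}

# Constructed scan output in a simplified CSV layout (assumption: not the exact
# airodump-ng file format). "AP" rows: BSSID, ESSID, first seen.
# "STA" rows: client MAC, BSSID it associated to, first seen.
# The BSSID of "falso" is a constructed placeholder; the client MAC and the
# timestamps are the ones reported in the practice above.
SCAN = """\
AP,00:11:22:33:44:55,corp-wifi,2016-10-16 13:30:01
AP,AA:BB:CC:DD:EE:FF,falso,2016-10-16 13:35:38
STA,DE:AD:BE:EF:00:01,00:11:22:33:44:55,2016-10-16 13:31:10
STA,28:C6:8E:63:15:6B,AA:BB:CC:DD:EE:FF,2016-10-16 13:37:42
"""


def detect_rogue(scan_text, authorized=AUTHORIZED):
    """Return alert strings for unauthorized APs and for clients joining them."""
    rows = [r for r in csv.reader(io.StringIO(scan_text)) if r]
    # Pass 1: any AP whose BSSID is not on the allowlist for its ESSID is rogue.
    # This also catches an "evil twin" advertising an authorized ESSID from an
    # unknown BSSID, not only a brand-new ESSID such as "falso".
    rogue = {}
    alerts = []
    for kind, bssid, essid, seen in (r for r in rows if r[0] == "AP"):
        bssid = bssid.upper()
        if bssid not in authorized.get(essid, set()):
            rogue[bssid] = essid
            alerts.append(f"ROGUE_AP essid={essid!r} bssid={bssid} first_seen={seen}")
    # Pass 2: a client associating to a rogue AP is the event that matters in
    # the bridge scenario: that client is now effectively on the wired LAN.
    for kind, mac, bssid, seen in (r for r in rows if r[0] == "STA"):
        bssid = bssid.upper()
        if bssid in rogue:
            alerts.append(
                f"CLIENT_ON_ROGUE_AP client={mac.upper()} essid={rogue[bssid]!r} "
                f"bssid={bssid} at={seen}"
            )
    return alerts


if __name__ == "__main__":
    for line in detect_rogue(SCAN):
        print(line)
```

On the wired side, the same bridge shows up as several client MAC addresses appearing behind a single switch port, which is what switch port security (a MAC-count limit) or 802.1X on the access ports is there to stop.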

- What is the conclusion of the practice? With the creation of a) the rogue AP and b) the bridge between the authorized Ethernet network and the rogue AP, any wireless client connecting to the AP is able to reach the whole LAN. For instance, from "roch", connected wirelessly to the AP "falso", it is possible to ping the gateway of the wired network.

- Of course, once any client has gained access to the authorized network, subsequent attacks could be launched to reach valuable data and files. So, this would be just the first step of a full penetration attack: the "wireless" step of the whole potential attack.