Sunday, October 16, 2016

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.10 - WiFishing: creation of multiple honeypots

2.10 - WiFishing: creation of multiple honeypots

- Creating just one fake Access Point (honeypot) is not always enough, because the victim connects automatically only to an AP that matches its stored network configuration. How would the attacker force the client to connect to its own fake AP, and not to another one available, without knowing a priori the victim's preferred type of encryption?

- For that reason, and for the purpose of penetration testing, it is very handy to create several fake APs with the same SSID, each one matching a different encryption method: for instance Open, WEP, WPA-PSK and WPA2-PSK, with TKIP or AES-CCMP.

- So, taking 4 different encryption options, it is necessary to create 4 virtual interfaces, mon0, mon1, mon2 and mon3, by running airmon-ng start wlan0 repeatedly on the attacker "kali" machine.

- mon0:

- mon1:

- mon2:

- mon3:

- Now, there are 4 virtual interfaces working in monitor mode:

- The airbase-ng command offers useful options for faking APs:

- For creating WEP, option -W 1 is available:

- For creating WPA, option -z is used: 2 for TKIP and 4 for AES-CCMP. The same applies to WPA2 with option -Z:

- The first honeypot, called "puntodeacceso", has no encryption (it is Open), so no option is used. Its MAC address will be AA:AA:AA:AA:AA:AA, working on the mon0 monitor interface:

- The second honeypot is also called "puntodeacceso" and uses WEP encryption (-W 1). Its MAC address will be BB:BB:BB:BB:BB:BB, working on the mon1 monitor interface:

- The third honeypot is also called "puntodeacceso" and uses WPA-PSK TKIP encryption (-z 2). Its MAC address will be CC:CC:CC:CC:CC:CC, working on the mon2 monitor interface:

- The fourth honeypot is also called "puntodeacceso" and uses WPA2-PSK TKIP encryption (-Z 2). Its MAC address will be DD:DD:DD:DD:DD:DD, working on the mon3 monitor interface:

- The existence of the 4 honeypots can be verified: all share the same ESSID, each one with a different type of encryption and a different MAC address:

- The question that arises now is: which one would the victim "roch" pick to connect to?

- Based on the Preferred Network List, in this case the client "roch" has a stored network called "puntodeacceso":

- Also, the configuration forces an automatic connection to the network "puntodeacceso" when it is in range:

- The stored security configuration uses WPA with TKIP encryption:

- So, there is no doubt that the honeypot the victim "roch" (whose MAC address is 28:C6:8E:63:15:6B) will connect to is the third one, which uses WPA-TKIP and has CC:CC:CC:CC:CC:CC as MAC address, because it is the only one that matches the stored configuration:

- This practice has shown how to create the appropriate bait for a victim, offering fake APs or honeypots with different encryption modes, assuming that one of them will match the security configuration stored by the victim.

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.9 - Automating the creation of a honeypot

2.9 - Automating the creation of a honeypot

- Gerix Wifi Cracker is a software tool designed to automate attacks against Wi-Fi networks. Because it has a Graphical User Interface (GUI), it is easier to use than the command shell:

- For starting Gerix from the "kali" command shell:

- Gerix is launched:

- On the Configuration tab, selecting the wlan0 interface and clicking Enable/Disable Monitor Mode puts wlan0 in promiscuous/monitor mode:

- The virtual interface mon0 is created. To change the MAC address, so that it cannot be recognized, the Set random MAC address button is clicked:

- Now both mon0 and wlan0 have changed their MAC addresses. It is important to write down the MAC address 58:6D:BC:54:58:C9, because it will be the MAC associated with the fake AP "honeypot":

- Clicking the Fake AP tab, the honeypot is created without any authentication. Of course, in a real environment an attacker would use a less suspicious network name than "honeypot":

- Gerix announces the creation of the honeypot. Actually, it can be checked that the real command running behind the Gerix GUI is airbase-ng:

- Now "kali" detects its own fake AP, whose ESSID is "honeypot" and whose MAC address is 58:6D:BC:54:58:C9. So far, no client is associated with "honeypot":

- From "roch", Vistumbler detects "honeypot" with all its features:

- Now, it is time to connect the victim "roch" to the network:

- The association is successful:

- Gerix announces that a client with MAC 28:C6:86:63:15:6B (the MAC address of "roch") has associated to the network whose ESSID is "honeypot":

- Also, airodump-ng detects "roch" connected to "honeypot":

- So, the deception of the victim has been a success. The same attack could have been carried out using another AP's legitimate name.

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.8 - Working at disallowed channels and exceeding power output limits

2.8 - Working at disallowed channels and exceeding power output limits

- Because every country in the world has its own legislation regarding the radio spectrum, it is important to know which channels and output power are allowed in each place. Moreover, each wireless network interface has its own default regulatory settings.

- First of all, assuming we are in the United States (US), let's set the US regulatory domain:

- This new setting is immediately recorded in the system log file:

- In the US regulatory domain it is perfectly possible to use channel 11:

- But channel 12 is not allowed:

- Regarding power output, the maximum allowed is 27 dBm (500 mW):

- For that reason, 30 dBm (1 Watt) is rejected:

- Now, although physically in the US, the regulatory domain can be changed, for instance to Bolivia (BO):

- Again, the log file records the change:

- Now the system allows both channel 12 (2.467 GHz) and 30 dBm (1 Watt) of power, because the Bolivian regulatory domain differs from the US one:

- What about using channel 14, forbidden elsewhere in the world? The answer is to change to the Japanese regulatory domain, because Japan is the only country in the world allowing channel 14:

- The log informs about the change:

- Verifying that the wireless interface card is now working on the forbidden channel 14 (2.484 GHz):

- From this practice we conclude that although each country specifies unlicensed wireless bands and strict power limits, all those regulations can be overridden by changing the regulatory domain to that of another country. In this way, the wireless interface card is forced to work at:
  • disallowed channels
  • more than the allowed transmission power
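As an added example (not part of the original post), the same channel/power check can be scripted by a defender auditing a card's settings. The rule sets below are constructed in the shape of `iw reg get` output from the figures quoted above (US: up to 2472 MHz and 27 dBm; BO: up to 2482 MHz and 30 dBm; JP adding the channel 14 band), not copied from real regulatory data, and the channel and dBm/mW conversions are the standard 2.4 GHz ones.

```python
import math
import re

# Constructed rule sets in the shape of `iw reg get` output, built from the
# figures quoted in this practice (not real regulatory database extracts):
# (start - end @ max width MHz), (max antenna gain, max EIRP dBm)
REGDOMAINS = {
    "US": "country US: DFS-FCC\n\t(2402 - 2472 @ 40), (N/A, 27), (N/A)\n",
    "BO": "country BO: DFS-UNSET\n\t(2402 - 2482 @ 40), (N/A, 30), (N/A)\n",
    "JP": "country JP: DFS-JP\n\t(2402 - 2482 @ 40), (N/A, 20), (N/A)\n"
          "\t(2474 - 2494 @ 20), (N/A, 20), (N/A)\n",
}
RULE = re.compile(r"\((\d+) - (\d+) @ (\d+)\), \((?:N/A|\d+), (\d+)\)")

def parse_rules(text):
    """Return a list of (start_mhz, end_mhz, max_width_mhz, max_dbm) tuples."""
    return [tuple(int(v) for v in m) for m in RULE.findall(text)]

def channel_to_mhz(channel):
    """Centre frequency of a 2.4 GHz channel; channel 14 is the odd one out at 2484 MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")

def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)

def mw_to_dbm(mw):
    return 10 * math.log10(mw)

def permitted(domain, channel, dbm, width=20):
    """True if a `width` MHz channel centred on `channel` at `dbm` fits inside some rule:
    the whole occupied band must lie within the rule's range and dbm must not exceed its cap."""
    centre = channel_to_mhz(channel)
    low, high = centre - width / 2, centre + width / 2
    return any(start <= low and high <= end and width <= max_width and dbm <= max_dbm
               for start, end, max_width, max_dbm in parse_rules(REGDOMAINS[domain]))

def audit(domain, channel, dbm):
    """One-line verdict a defender can log when checking a card's current settings."""
    verdict = "permitted" if permitted(domain, channel, dbm) else "NOT permitted"
    return f"{domain}: channel {channel} ({channel_to_mhz(channel)} MHz) at {dbm} dBm ({dbm_to_mw(dbm):.0f} mW) is {verdict}"

if __name__ == "__main__":
    for case in [("US", 11, 27), ("US", 12, 27), ("US", 11, 30), ("BO", 12, 30), ("JP", 14, 20)]:
        print(audit(*case))
```

Channel 12 fails under the US rules only because its upper edge (2477 MHz) lies past 2472 MHz, which is why channel 11 passes and 12 does not.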

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.7 - Discovering unauthorized clients

2.7 - Discovering unauthorized clients

- The method for discovering whether any unauthorized client is connected to a specific AP consists simply of comparing the list of authorized clients with the list of clients actually connected. There are two ways to find out which clients are connected to a specific AP:

a) checking the AP itself:

- The Access Control option allows to obtain the list of connected clients at a given instant:

- For example, in this case there are 5 clients connected to the lab's AP:

- Obviously, client "kali" should not be on the authorized client list, so it can easily be considered an intruder.

b) using the airodump-ng command to explore the AP:

- It can be checked that both ways of discovering clients yield identical output.
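As an added example (not part of the original post), and serving both this section and 2.10 above: the comparison is scripted against a constructed airodump-ng-style CSV dump (the layout airodump-ng writes with -w), flagging stations on an AP that are missing from an allow-list, and, for 2.10, ESSIDs advertised by several BSSIDs with different Privacy values, which is how a defender would spot a multi-honeypot bait. The rows, the "lab" AP, the intruder MAC and the allow-list are constructed for the example.

```python
import csv
from io import StringIO

# Constructed airodump-ng-style CSV (not a real capture): an AP section, a blank
# line, then a station section, with the column headers airodump-ng writes.
# The first four APs mimic the 2.10 honeypots; "lab" mimics the 2.7 lab AP.
DUMP = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:AA:AA:AA:AA:AA, 2016-10-16 13:35:38, 2016-10-16 13:40:01, 6, 54, OPN, , , -30, 120, 0, 0.0.0.0, 13, puntodeacceso,
BB:BB:BB:BB:BB:BB, 2016-10-16 13:35:40, 2016-10-16 13:40:01, 6, 54, WEP, WEP, , -30, 118, 0, 0.0.0.0, 13, puntodeacceso,
CC:CC:CC:CC:CC:CC, 2016-10-16 13:35:42, 2016-10-16 13:40:01, 6, 54, WPA, TKIP, PSK, -30, 117, 0, 0.0.0.0, 13, puntodeacceso,
DD:DD:DD:DD:DD:DD, 2016-10-16 13:35:44, 2016-10-16 13:40:01, 6, 54, WPA2, TKIP, PSK, -30, 116, 0, 0.0.0.0, 13, puntodeacceso,
00:11:22:33:44:55, 2016-10-16 13:30:00, 2016-10-16 13:40:01, 1, 54, WPA2, CCMP, PSK, -45, 300, 0, 0.0.0.0, 3, lab,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
28:C6:8E:63:15:6B, 2016-10-16 13:37:42, 2016-10-16 13:40:01, -40, 50, CC:CC:CC:CC:CC:CC, puntodeacceso
DE:AD:BE:EF:00:01, 2016-10-16 13:31:00, 2016-10-16 13:40:01, -50, 20, 00:11:22:33:44:55, lab
66:77:88:99:AA:BB, 2016-10-16 13:38:10, 2016-10-16 13:40:01, -55, 12, 00:11:22:33:44:55, lab
"""

# Constructed allow-list for the "lab" AP; the intruder 66:77:88:99:AA:BB is deliberately absent.
AUTHORIZED = {"00:11:22:33:44:55": ["DE:AD:BE:EF:00:01"]}

def parse_airodump(text):
    """Split the dump into its AP and station sections and read each one as a list of dicts."""
    ap_part, _, sta_part = text.strip().partition("\n\n")
    read = lambda part: list(csv.DictReader(StringIO(part), skipinitialspace=True))
    return read(ap_part), read(sta_part)

def essid_collisions(aps):
    """2.10 check: ESSIDs advertised by more than one BSSID, mapped BSSID -> Privacy.
    One name on several BSSIDs with differing Privacy is the multi-honeypot pattern."""
    seen = {}
    for ap in aps:
        seen.setdefault(ap["ESSID"], {})[ap["BSSID"]] = ap["Privacy"]
    return {essid: bssids for essid, bssids in seen.items() if len(bssids) > 1}

def unauthorized_clients(stations, bssid, authorized):
    """2.7 check: stations associated to `bssid` whose MAC is not on the allow-list."""
    allowed = {mac.upper() for mac in authorized}
    return sorted(s["Station MAC"].upper() for s in stations
                  if s["BSSID"].upper() == bssid.upper() and s["Station MAC"].upper() not in allowed)

if __name__ == "__main__":
    aps, stations = parse_airodump(DUMP)
    for essid, bssids in essid_collisions(aps).items():
        print(f"ESSID {essid!r} seen on {len(bssids)} BSSIDs: {bssids}")
    for bssid, allowed in AUTHORIZED.items():
        print(f"intruders on {bssid}: {unauthorized_clients(stations, bssid, allowed)}")
```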

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.6 - Bridge to a network through a rogue Access Point

2.6 - Bridge to a network through a rogue Access Point

- The purpose of this practice is to create a rogue (fake, false) Access Point on the "kali" attacker machine, whose ESSID will be "falso", and then to connect any wireless client of that AP through a bridge to the authorized network.

- So, the bridge could be used as a backdoor into the network by any attacker connected to that rogue AP. If that goal is achieved, all the effort by firewalls and Intrusion Prevention Systems to protect the network would be rendered totally useless, because access would be free.

- First of all, using the airbase-ng command, it is possible to create a rogue AP called "falso", following the same method used in 9.3:

- Now, the brctl addbr command creates a bridge, called for instance "puente", between the Ethernet interface, which is part of the authorized network, and the rogue AP:

- Adding the Ethernet eth0 and the virtual at0 interfaces to the bridge "puente":

- Bringing up the bridge on both interfaces:

- Also, ensuring that the system forwards all received packets:

- Finally, the client "roch" is connected to the newly created network "falso":

- To demonstrate that the practice is correctly done, it is important to note that the MAC address of the connected client "roch" is 28:C6:8E:63:15:6B:

- Now, on the "kali" attacker machine, it can be verified that the client whose MAC is 28:C6:8E:63:15:6B (actually "roch") associated to the network "falso" at 13:37:42, two minutes after the rogue AP was created at 13:35:38:

- What is the conclusion of the practice? With the creation of a) the rogue AP and b) the bridge between the authorized Ethernet network and the rogue AP, any wireless client connecting to the AP can access the whole LAN. For instance, from "roch", connected wirelessly to the AP "falso", it is possible to ping the gateway of the wired network.

- Of course, once any client has access to the authorized network, subsequent attacks could be launched to reach valuable data and files. So, this would be just the first step of a full penetration attack, actually the "wireless" step of the whole potential attack.