rogue access points

Rogue Access Points Patrick Araya

Upload: fawzia

Post on 22-Mar-2016


What is it?
- Any unauthorized device that provides wireless access
- Implemented using software, hardware, or a combination of both
- It can be set up intentionally or unintentionally
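Because a rogue AP is defined by being unauthorized, finding one starts with an inventory of the authorized APs. The following is an added example, not part of the original slides: it compares observed beacons against such an inventory. The inventory, the SSID "CorpNet", all BSSIDs and the verdict names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # "OPEN", "WEP", "WPA2", ...

# Hypothetical inventory of authorized APs: BSSID -> (SSID, channel, security)
AUTHORIZED = {
    "00:11:22:33:44:0a": ("CorpNet", 1, "WPA2"),
    "00:11:22:33:44:0b": ("CorpNet", 6, "WPA2"),
}
CORP_SSIDS = {ssid for ssid, _, _ in AUTHORIZED.values()}

def classify(b: Beacon) -> str:
    """Return a verdict for one observed beacon."""
    known = AUTHORIZED.get(b.bssid.lower())
    if known is None:
        # Corporate network name advertised by a radio we do not own.
        if b.ssid in CORP_SSIDS:
            return "corp-ssid-unknown-bssid"
        # Not ours; may be a neighbour, a hotspot, or a device on our wire.
        return "unknown-ap"
    # A BSSID is only a configurable MAC address, so a match alone proves
    # nothing: the other attributes must agree with the inventory too.
    if (b.ssid, b.channel, b.security) != known:
        return "bssid-attribute-mismatch"
    return "ok"

def report(beacons):
    """List (bssid, verdict) for every beacon that is not 'ok'."""
    verdicts = ((b.bssid.lower(), classify(b)) for b in beacons)
    return [(bssid, v) for bssid, v in verdicts if v != "ok"]

# Constructed scan results, not captured from a real network.
SAMPLE_SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:0A", 1, "WPA2"),
    Beacon("CorpNet", "02:AA:BB:CC:DD:01", 1, "OPEN"),
    Beacon("CorpNet", "00:11:22:33:44:0b", 11, "WPA2"),
    Beacon("Free Wifi", "02:AA:BB:CC:DD:02", 1, "OPEN"),
]

if __name__ == "__main__":
    for bssid, verdict in report(SAMPLE_SCAN):
        print(f"{bssid}  {verdict}")
```

An "unknown-ap" verdict only says the device is not in the inventory; whether it is attached to the corporate network still has to be checked on the wired side.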

Unintentional?
- Employees attempting to put in their own wireless at work
- Mobile hotspots from cell carriers

Intentional?
- Honeypot to see what people are up to on your network
- Nefarious activities

Why is it a bad thing?
- It's a huge security risk!
- In a corporate environment it allows unauthorized access to the network
- Often they're misconfigured and lack security features

Hardware Based AP
- Your everyday wireless router
- Mobile hotspots
- Wi-Fi Pineapple

Wi-Fi Pineapple
- Hardware Access Point for Man-in-the-Middle attacks
- Connection from:
    Mobile Broadband
    Android Tethering
    Ethernet
    Auxiliary Wireless Adapter
- Managed via SSH or the Web Interface
- Small, easily concealed and battery powered
- Expandable with community modules

Wi-Fi Pineapple Cont.
- MITM attack tools: Karma, DNS Spoof, SSL Strip, URL Snarf, Ngrep and more via the modules
- Wireless cracking, replay, and deauth attacks with the Aircrack-NG suite
- Autostart service like karma and reverse ssh for instant attack on power-up

Software Based AP
- Set up with:
    Ad-hoc
    Connectify (Windows)
    Alfa Wireless Lan Utility (for Alfa wireless card on Windows)
    Airbase-ng (Linux)
- Airbase-ng is a multi-purpose tool aimed at attacking clients as opposed to the access point itself

Airbase-ng
- Implements the Caffe Latte WEP client attack
- Implements the Hirte WEP client attack
- WPA/WPA2 handshake capture
- Act as an ad-hoc access point
- Act as a full featured AP
- Filter info by SSID or client MAC address
- Manipulate and resend packets
- Encrypt & decrypt sent & received packets

Airbase-ng Switches
    -a bssid     : set Access Point MAC address
    -i iface     : capture packets from this interface
    -w WEP key   : use this WEP key to encrypt/decrypt packets
    -h MAC       : source mac for MITM mode
    -f disallow  : disallow specified client MACs (default: allow)
    -W 0|1       : [don't] set WEP flag in beacons 0|1 (default: auto)
    -q           : quiet (do not print statistics)
    -v           : verbose (print more messages) (long --verbose)
    -M           : M-I-T-M between [specified] clients and bssids (NOT CURRENTLY IMPLEMENTED)
    -A           : Ad-Hoc Mode
    -Y in|out|both : external packet processing
    -c channel   : sets the channel the AP is running on
    -X           : hidden ESSID
    -s           : force shared key authentication
    -S           : set shared key challenge length (default: 128)
    -L           : Caffe-Latte attack (long --caffe-latte)
    -N           : Hirte attack (cfrag attack), creates arp request against wep client (long --cfrag)
    -x nbpps     : number of packets per second (default: 100)
    -y           : disables responses to broadcast probes
    -0           : set all WPA,WEP,open tags. can't be used with -z & -Z
    -z type      : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
    -Z type      : same as -z, but for WPA2
    -V type      : fake EAPOL 1=MD5 2=SHA1 3=auto
    -F prefix    : write all sent and received frames into pcap file
    -P           : respond to all probes, even when specifying ESSIDs
    -I interval  : sets the beacon interval (ms)
    -C seconds   : enables beaconing of probed ESSID values (requires -P)

Airbase-ng Bridged AP Configuration
    airmon-ng start wlan0
    airbase-ng -e "Free Wifi" -c 1 -v mon0
    ifconfig at0 up
    brctl addbr mitm
    brctl addif mitm eth0
    brctl addif mitm at0
    ifconfig eth0 0.0.0.0 up
    ifconfig at0 0.0.0.0 up
    dhclient3 mitm

- Put wireless card in monitor mode
- Create SSID on the wireless interface
- Bring up the AP
- Configure the bridged adapters
- Profit

Wireless AP Setup With Sniffing