Airbase-ng: Your free wifi will never be safe Pt.1

by postbreak

I have been something of a wifi guru for a while, and today I thought I would write about my favorite wireless exploit. Before I get too technical I want to mention that wireless exploitation is simply a hobby for me: I fiddle with Backtrack 3 when I have time, and wearing a black hat is not my thing. In this post I am going to detail how you can persuade a wireless client into joining your network for the perfect man-in-the-middle attack with Airbase-ng.

First let's talk about probes. Not the creepy alien kind we all think of first, but more like a space probe. In the wireless world, probes are sent out to figure out whether known networks are available, a sort of ping if you will. If your wireless card is set up to automatically connect to known networks then you have probing enabled, and I would say 98% of you do.

Let's run down the chain of events in wireless probing.

  1. Your laptop boots your operating system
  2. The wireless card is activated and sends out probes for all known networks
  3. If an access point for a known network sees this probe, it responds positively
  4. The wireless card tells the operating system that a known network is available
  5. The operating system applies the required security settings and attempts to join the network

With Airbase-ng you can set up a wireless access point that responds to all probes. What happens next is pretty remarkable. Because every known network now appears to be available, your operating system will most likely try to connect to either the most recently used network or the one highest in its list of preferred networks. If that does not happen, the user will most likely see all of these open networks and attempt to join the one that looks most legitimate.

Because this exploit is a man-in-the-middle attack we need to be in the middle, right? Well, that's exactly what is happening. We connect to a legitimate access point and then start our lying access point. Because our access point accepts all probes we become the main choice for getting online, which greatly increases our chance of exploiting the client.
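As an added example (not from the original post), this is how a defender monitoring the air can spot the behaviour described above: a single BSSID whose probe responses carry many different SSIDs that it never beacons. The three-column log format, the MAC addresses and the SSIDs are constructed for illustration.

```python
"""Flag an access point that answers probe requests for every SSID.

Added detection example, not part of the original post. Input is a
constructed, tshark-like text export (frame type, transmitter BSSID, SSID)
assumed for illustration; "-" marks a zero-length (hidden) SSID.
"""
from collections import defaultdict

# Constructed sample. 66:77:... answers whatever SSID is probed for, while
# cc:dd:... is a legitimate hidden-SSID AP that answers only with its own.
SAMPLE_FRAMES = """\
beacon      00:11:22:33:44:55 CoffeeShop
beacon      66:77:88:99:aa:bb linksys
beacon      cc:dd:ee:ff:00:11 -
probe_resp  66:77:88:99:aa:bb HomeWifi
probe_resp  66:77:88:99:aa:bb attwifi
probe_resp  66:77:88:99:aa:bb CorpNet
probe_resp  00:11:22:33:44:55 CoffeeShop
probe_resp  cc:dd:ee:ff:00:11 GuestNet
"""


def parse_frames(text):
    """Yield (frame_type, bssid, ssid) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower(), parts[2]


def find_promiscuous_aps(frames, min_unannounced=2):
    """Map BSSID -> sorted SSIDs it answered probes for but never beaconed,
    for BSSIDs with at least `min_unannounced` such SSIDs. A hidden-SSID AP
    legitimately answers with one SSID it does not beacon, so the default
    threshold of 2 keeps it out of the result."""
    beaconed, responded = defaultdict(set), defaultdict(set)
    for ftype, bssid, ssid in frames:
        if ftype == "beacon":
            beaconed[bssid].add(ssid)
        elif ftype == "probe_resp":
            responded[bssid].add(ssid)
    suspects = {}
    for bssid, ssids in responded.items():
        unannounced = ssids - beaconed[bssid]
        if len(unannounced) >= min_unannounced:
            suspects[bssid] = sorted(unannounced)
    return suspects


if __name__ == "__main__":
    for bssid, ssids in find_promiscuous_aps(parse_frames(SAMPLE_FRAMES)).items():
        print(f"{bssid} answered probes for SSIDs it never beacons: {ssids}")
```

Lowering `min_unannounced` to 1 also flags the hidden-SSID access point, which is why the threshold exists.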

So now let's talk about what you need to exploit wireless probes. First you need a copy of VMware client or server. With this software you will be running a virtual machine of a specialized penetration-testing build of Linux called Backtrack 3. Next you need a laptop with a wireless card to join the legitimate access point. The final key is a USB wireless card; specifically, you need something with an rt73 or rtl8187 chipset. I will detail this at the end of the article.

First download Backtrack 3 from here. You want to choose the VMware image.

Next, simply fire it up in VMware and get ready to install some things. Backtrack 3 uses an old kernel, so your wireless drivers are fine; however, you will need a few things for this script to work.

Change directory to /root/:

`cd /root/`

Install Dnsmasq with the following commands.

`wget http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.46.tar.gz`

`tar zxvf dnsmasq-2.46.tar.gz`

`cd dnsmasq-2.46` followed by `make` then `make install`

Next we need to upgrade the aircrack-ng suite.

Change directory to /root/ again and run this.

`svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng`

`cd aircrack-ng` then `make` and `make install`

OK, now you are pretty much finished. The last step is simply to get these scripts into your virtual machine, make them executable, and run them.

`wget http://iamthekiller.net/downloads/dhcpd.conf && wget http://iamthekiller.net/downloads/softap.sh`

`chmod a+x softap.sh` and `chmod a+x dhcpd.conf`

Before you run the script, make sure you power cycle your USB wireless stick and double check that it is attached to the virtual machine in VMware.

In part 2 I will show you how to capture cookies with Wifizoo in order to steal sessions.

A special thanks to Jeronimo from the kismac IRC for letting me use and modify this script!

**rt73 devices can be seen here**
