
How to create a fake Evil Twin Wi-Fi hotspot

BRIAN

Everything ingenious is simple. Before you start brute-forcing hashes and WPS passwords, it is better to start simple. The attack we will talk about today is effective in the immediate vicinity of the targeted access point: the stronger your signal, the more effective the attack, and the result depends directly on the area covered by the targeted access point. For example, if you are in an office building, the access point is in one office, the client is in another, and you managed to settle in the corridor between them with a laptop, you are in an ideal position. In this article we will talk about how such an attack is carried out and how to get maximum power out of your Wi-Fi adapter.

What is a fake access point?
A fake or rogue access point is one that behaves exactly like the real one and forces the end user to connect to it instead. The aircrack-ng suite includes a tool called airbase-ng that can turn your wireless adapter into an access point. This is a powerful client-side attack: it lets you see all of the client's traffic and carry out a man-in-the-middle attack.

What do we do
In this scenario, we will take on the role of a private detective. A client asked us to investigate the possibility that his neighbor is downloading and selling child pornography. We have to find out if this is really the case and then gather evidence against him.

Step 1: Run Airmon-Ng
First, we need to check if our wireless card is working.
Code:
bt > iwconfig

Run Airmon-Ng
As you can see, our wireless card is fully functional and is called wlan0. The next step is to switch the wireless card to monitor mode, also called promiscuous mode. To do this, run the following command:
Code:
bt > airmon-ng start wlan0

Airmon-ng switched our card to monitor mode and renamed it mon0. Now our card is able to receive any wireless traffic.

Step 2: Run Airodump-Ng
Next, we need to start capturing traffic using our wireless card. To do this, enter:
Code:
bt > airodump-ng mon0
Run Airodump-Ng

We see all wireless access points within range, along with their key statistics. The neighbor suspected of downloading and selling child pornography uses an access point with the SSID "Elroy".
If we do everything right, we can clone his access point and force him to connect to our rogue access point. After that, we will be able to monitor all of his traffic and inject our own packets / messages / code toward his computer.

Step 3: Wait for the suspect to connect to the access point
Now we just have to wait until the suspect connects to his access point. As soon as this happens, you will see a corresponding message at the bottom of the airodump-ng screen.

Step 4: Create a new AP with the same SSID and MAC address
After the suspect connects to his hotspot, we can use airbase-ng to create a fake hotspot. Open a new terminal window and type:
Code:
bt > airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0

Create a new access point with the same SSID and MAC address
Where 00:09:5B:6F:64:1E is the BSSID, Elroy is the SSID, and -c 11 is the channel of the suspect's access point.

Step 5: deauthenticate or disconnect from the access point
Now we need to disconnect the "neighbor" from his access point. The 802.11 standard has a special frame called deauthentication which, as you would expect, kicks every client off the access point. When his computer tries to reconnect, it will connect to the access point with the ESSID "Elroy" that has the strongest signal.

To do this, we can use aireplay-ng with its deauth option:
Code:
bt > aireplay-ng --deauth 0 -a 00:09:5B:6F:64:1E

Note that we used his BSSID again in the aireplay-ng command. If our signal is stronger than that of his own access point, the suspect will automatically connect to our fake network!

Step 6: increase the power of the fake point
One of the most important aspects of this method is that the signal of the fake access point must be stronger than the signal of the original access point. Without physical access, this can be the critical weak point. It is not a problem in airports and other public places, but in this scenario we do not have physical access, and it is very likely that his access point is closer to him and broadcasts a stronger signal than ours. But don't despair!
First, we can increase the power of our own access point. This can work because most access points automatically reduce their signal strength to the minimum required to keep clients connected.
To raise the power of your access point to its maximum, enter:
Code:
iwconfig wlan0 txpower 27

After executing this command, the power of our access point will be very close to the limit allowed in the United States, which is 27 dBm or 500 milliwatts.
In some cases, even raising the power to 500 mW may not be enough. If we try to raise the signal strength of our Alfa wireless card to the maximum possible 1000 mW or 30 dBm, we get the error message shown in the screenshot below (some newer cards are capable of transmitting up to 2000 mW, which is four times the US limit).
Code:
iwconfig wlan0 txpower 30

Increasing the power of the access point
Each country has its own laws governing Wi-Fi. Some countries allow more channels and higher transmit power than the United States. For example, Bolivia allows 12 channels and 1000 mW of power. To switch our card to the Bolivian regulatory domain, simply enter:
Code:
iw reg set BO

Once in the Bolivian regulatory domain, we can raise our signal strength to its maximum with the following command:
Code:
iwconfig wlan0 txpower 30

Check the output power with the command:
Code:
iwconfig

Increase the power of your own access point
Judging by the end of the second line, our signal power is now 30 dBm or 1000 mW. This is enough to overpower any local access point, even one a few houses away!
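From the defender's side, the procedure above leaves two traces on the air: the cloned BSSID/ESSID beaconing from a second, usually much louder, transmitter, and a burst of deauthentication frames aimed at the real access point. The following is an added example, not code from the original post, that checks a monitor-mode capture for both signatures (plus the variant where the twin copies the ESSID but not the MAC); the observation records, the 15 dB RSSI gap and the deauth threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample capture (not real data): one record per observed
# 802.11 frame as (frame_type, bssid, essid, channel, rssi_dbm, time_seconds).
OBSERVATIONS = [
    ("beacon", "00:09:5B:6F:64:1E", "Elroy", 11, -58, 0.00),
    ("beacon", "00:09:5B:6F:64:1E", "Elroy", 11, -59, 0.10),
    ("beacon", "00:09:5B:6F:64:1E", "Elroy", 11, -31, 0.15),  # same BSSID, far louder
    ("beacon", "00:09:5B:6F:64:1E", "Elroy", 11, -57, 0.20),
    ("beacon", "00:09:5B:6F:64:1E", "Elroy", 11, -30, 0.25),
    ("beacon", "AA:BB:CC:DD:EE:01", "Guest", 6, -70, 0.30),   # ordinary neighbour AP
    ("beacon", "AA:BB:CC:DD:EE:01", "Guest", 6, -72, 0.40),
    ("deauth", "AA:BB:CC:DD:EE:01", None, 6, -70, 0.45),     # one deauth: normal
] + [("deauth", "00:09:5B:6F:64:1E", None, 11, -31, 0.50 + 0.05 * i) for i in range(8)]

def find_twin_beacons(obs, rssi_gap_db=15):
    """(bssid, essid) pairs whose beacon RSSI spans >= rssi_gap_db: two radios, one BSSID."""
    levels = defaultdict(list)
    for kind, bssid, essid, _ch, rssi, _t in obs:
        if kind == "beacon":
            levels[(bssid, essid)].append(rssi)
    return sorted(k for k, v in levels.items() if max(v) - min(v) >= rssi_gap_db)

def find_essid_clones(obs):
    """ESSIDs advertised by more than one BSSID (a twin that did not copy the MAC)."""
    by_essid = defaultdict(set)
    for kind, bssid, essid, *_ in obs:
        if kind == "beacon":
            by_essid[essid].add(bssid)
    return sorted(e for e, b in by_essid.items() if len(b) > 1)

def find_deauth_bursts(obs, window_s=1.0, threshold=5):
    """BSSIDs that see at least `threshold` deauth frames inside any `window_s` span;
    a lone deauth is ordinary, a stream of them is a forced disconnect."""
    per_bssid = defaultdict(list)
    for kind, bssid, _essid, _ch, _rssi, t in obs:
        if kind == "deauth":
            per_bssid[bssid].append(t)
    flagged = []
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(bssid)
                break
    return sorted(flagged)
```

On a real capture the RSSI gap threshold must be tuned per site, since a single access point's beacons can vary by a few dB on their own.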

Fake hotspot works
Now that the neighbor has connected to our access point, we can start analyzing his activity.
For example, we can use an application such as Ettercap to carry out a man-in-the-middle attack. This lets us intercept and analyze his traffic and even send our own traffic to his computer. In other words, because he connected to our access point, we have full control over all of his incoming and outgoing data. If he really is downloading child porn, we will see it.
In addition, we will be able to intercept emails and passwords for other applications and networks. If we want more information, we can even install Meterpreter or another monitoring tool on his system.