Tag: wireless

Meterpreter script – rogueap.rb – Abusing Windows Virtual Wireless NIC Feature

by on Oct.08, 2011, under Meterpreter Scripts, Posts

I found myself inspired by Vivek Ramachandran‘s videos, I thought I would take the honor in creating the simple meterpreter script that basically does what you see in the third installation of the Swse Addendum videos.

When I watched the third video I thought to myself, “This shouldn’t be too difficult to do”. From my perception, I think that Vivek was kind of hinting that he might have wanted to see someone in the info-sec community create a meterpreter script that does what you see in this video. I was glad to do this. 🙂

For penetration testers, this script means that they can now more easily setup rogue wireless access points by utilizing this script, that utilizes the soft ap feature that is implemented into Windows 7 and Windows 2008.

If the victim computers are part of a Windows domain and have wireless NICs, by automating Metasploit with a pass-the-hash attack and using my script, one could essentially automate deploying a series of rogue ap points throughout a domain. This would be kind of like a network worm.

If you’re curious about automating Metasploit, please see:

http://dev.metasploit.com/redmine/projects/framework/repository/revisions/8878/entry/documentation/msfconsole_rc_ruby_example.rc

My script gives the end user the option if they want to install the meterpreter service on the victim computer. I thought that giving this option would be ideal for if the victim computer ends up rebooting. If you were just to deploy the soft AP and run a binding payload, the binding payload most likely wouldn’t survive a reboot.

The script is available here:

http://zitstif.no-ip.org/meterpreter/rogueap.rb

http://zitstif.no-ip.org/meterpreter/rogueap.txt

If you have any issues and you need help, feel free to contact me. Additionally, don’t hesitate to modify the script if you need/want to do so.

2 Comments :, , , , , , , , , , , , , , , , , , , , , , more...

Weaponizing the Nokia N900 – Part 3.6 – Portable Rogue AP Point

by on Feb.26, 2011, under Code, Posts

With continuing the series of weaponizing the N900 and hoping that Infosec Island will continue with their series as well, I have successfully setup my N900 as a rogue AP point.

Firstly, to effectively deploy it you want to make sure your cell phone service (3G for the N900) is quite strong. You may even want to try pinging google or the like and see what the delay is. With a good connection, it will very for me between 70 and 90 milliseconds.

Second, you want to survey the site you’re going to deploy your portable rogue ap point. Luckily, you can run kismet on the N900. Once you have surveyed the site for other AP points, take note of the MAC addresses of each AP point that is specific to the area and also take note of the names of the AP points. With this mac address you can spoof your wlan0 interface to something that is very similar:

ifconfig wlan0 hw ether 00:XX:XX:XX:XX:XX

You will need to have the extra repos enabled to install an application called mobilehotspot. You will also need prior to this, to install the custom kernel for the N900. You will also need ettercap and sslstrip to carry out this attack. See my earlier post for notes on the two: http://zitstif.no-ip.org/?p=451

1.) Get sslstrip up and running, and make sure you have iptables. For steps on using sslstrip check out:
http://www.thoughtcrime.org/software/sslstrip

2.) Spoof your wlan0 hardware address to what is appropriate for the site.

3.) Run the mobilehotspot application.

4.) Wait for a few seconds

5.) Run ettercap by doing so (modify as needed):
ettercap -i wlan0 -q -T -p -u // //

The reason why we don’t have ettercap forward packets, is because the kernel is already doing so due to the mobilehotspot application.

That is pretty much it. You could also do dnsspoofing to send your victims to a server under your control to do drive by attacks.

6 Comments :, , , , , , , , , , , , , , , , , , , , , , , , , more...

Kismet: passively sniffing wireless network traffic

by on May.06, 2010, under Code, Posts

The threat of information leakage via unencrypted wireless networks is quite real and needs to be taken into consideration. Especially if you’re an organization/entity, who handles sensitive information.

Today I’ll be covering a simple demonstration that will have 3 hosts. The three hosts are as follows:

Host A (Attacker)
Host B (Client)
Host C (Server)

Host A will be running kismet, so it will not be connected to the network. The network will only have MAC filtering deployed. Host B and C will be wireless clients on the network, but I will set up netcat loops that will just simply print a string over the network.

Host B will be running this:

while true; do echo "CAPTURE THIS WHILE NOT CONNECTED" | nc -w2 hostC 8080; done

Host C will be running this:

while true; do nc -l -s hostCIP -p 8080 -vv; done

Host A which is the attacker, will simply be within close range of the network and will give the kismet log files a name as well by doing:

kismet -t capture-test

Once kismet has started to run, make sure to use ‘L’ to lock onto the channel that the wireless network is on. With this done, wait a few minutes and you should have captured the test string.

To view your captured information, you need to view the contents of the dump files. The dump files are located in/var/log/kismet.

Upon location of the dump file, what worked for me was using egrep to look for the captured string.

egrep 'CAP*' capture-test*.dump 

This may ‘bork’ your terminal, so just use reset. Per contra, you should see the captured text.

This simple demo demonstrates how real of a threat passive wireless sniffing devices are. If you’re curious, I actually used my Nokia N810 as the attacker. 🙂

I’ll have more to come as usual… (I’m back in school so I’m going to have less time to work on ettersploit 🙁 )

Leave a Comment :, , , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!