Wardriving 103 : Spoofing APs

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

DNR - Imagine going to Starbucks coffee and connecting to "starbuck" - and it's not the Starbucks free wifi, but actually the laptop of the guy sitting two tables across from you. SSID spoofing doesn't rely on human error - your laptop uses the Service Set IDentifier to locate the wifi AP .. so if it locks onto the spoofed AP signal first, it connects to it! If the person had been to Starbucks before, he will likely have set the laptop to 'automatically' connect to Starbucks' SSID! Otherwise, you create a similarly named AP like Starbuck_free or Starbuck02, then you sit and wait for a user to foolishly pick your SSID, thinking it was the legitimate AP.

Why bother with aircracking WEP/WPA, when it is easier to spoof an AP and have them give you the login!

Read this article: /DNR

Spoofing Has Never Been Easier

It's always been simple to configure an AP with someone else's hotspot, corporate or residential SSID. SSIDs are trivial to sniff from an active WLAN and cannot be completely hidden, even if omitted from beacons. Because most wireless clients connect to SSIDs, not APs, nearby users are just as likely to choose a phony or illegitimate AP as they are a legitimate one. Jacking up transmit power and sending deauthenticates can improve the odds of successful misdirection.

Once connected, a phony AP can use its man-in-the-middle vantage point to launch a plethora of attacks. For example, the AP can intercept Web requests and supply bogus responses carrying corrupted images or malware. Those seeking financial gain are more likely to phish for values like credit card numbers, e-commerce credentials and corporate logins. Identity theft has become big business, and phony APs are a relatively easy way to phish high-value users without raising suspicion or leaving tracks.

Unfortunately, easy-to-use platforms are readily available to create a phony AP that phishes for identities and sniffs returned values:

For Windows, a 4-in-1 USB adapter like the ZyXEL G-220 turns any laptop into a software-based host AP, using ICS and another 802.11 or 3G card to relay traffic to the Internet. DNS and HTTP servers installed on the laptop can redirect users to fake Web pages, designed to trick them into revealing sensitive values.
For Linux, there is KARMA, a toolset that combines a host AP and fully-automated SSID spoofing with built-in DNS, HTTP and POP servers for "Bring Your Own" exploits. KARMA takes advantage of wireless client automatic network selection, spoofing any or all of the SSIDs being probed by nearby clients.
For a turnkey appliance, the Airsnarf: Rogue Squadron firmware converts a Linksys WRT54G router into a phony hotspot, complete with login portal, redirection to phishing pages, and Internet backhaul over WDS. Add a WEP cracker, Web page spoofer and common snarfing tools, and you have Evil Bastard—a proof of concept demonstrated at Shmoocon 2006.

There's a big difference between knowing that phony APs exist and actually protecting yourself from them. First, let's dispel some popular myths:

Phony APs only affect hotspot users. Wrong. Any SSID can be spoofed; with tools like Hotspotter and KARMA, it is not even necessary to target a single pre-configured SSID. Wireless users at home or work should also be concerned about verifying AP identity.
Using WEP or WPA-PSK stops phony APs. No. If the AP can observe at least some legitimate traffic, either of these static values can be cracked using tools like Aircrack or coWPAtty applied to the phony AP's security settings.
SSL, SSH or VPN protects anyone connected to a phony AP. Not necessarily. A phony AP can use conventional man-in-the-middle tools (e.g., ike_crack, THC-pptp-bruter, sslsniff, sshsniff) to attack all of these protocols. Clients that fail to verify an SSL server's certificate, SSH server's key or VPN gateway's identity can still end up disclosing usernames, passwords or tunneled data.

Steps That Can Help
It is hard for an end user to visually differentiate between a legitimate AP and one using a spoofed SSID (and perhaps MAC address). But a wireless intrusion prevention system (WIPS) has a broader, full-time view of activity throughout your office. It can spot an AP that wasn't there an hour ago, APs operating with spoofed SSIDs, unusual deauthenticate messages, excessive client roaming between APs, and other signs of possible attack. Companies can deploy WIPS to spot all kinds of rogue APs (including those with spoofed SSIDs), automatically deauthenticating connections made to them by employees.

Outside of the office, SSID spoofing detection is harder. Users are surrounded by an ever-changing world of unknown APs. But depending upon the operating system, you can run a WIPS program on your laptop itself. These host-resident programs watch for forbidden or hotspot SSIDs, APs or client behaviors. Some generate alerts to warn users; others can stop connections that violate configured rules. Examples include the Shmoo Group Hot Spot Defense Kit (HSDK), AirTight Network's SpectraGuard SAFE, AirMagnet StreetWISE, Network Chemistry's RFprotect Endpoint, and AirDefense Personal.


wi-fiplanet.com/tutorials/article.php/3656661

DNR - Once you have spoofed yourself as the AP, you can set up DNS to route users to your versions of google.com or yahoo.com; this gets people to log in to your site rather than the secure versions of the real ones. You can also capture cookies and replay them to log in as the user. If the real AP is WEP, you can prompt with your fake login requesting the network ID.
/DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

lilrofl
Siliconoclast
Posts: 1363
Joined: 28 Jan 2009, 17:00
Location: California, USA

DUP

Post by lilrofl »

I was reading about this a few months ago. I thought, and still do think, that it is not only ingenious but also funny as hell =)

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

This is one of the best things I have read in a while. I have thought about this today and I decided that I was going to set this up myself and see what kind of results I am going to get. :D
We will either find a way, or make one.
- Hannibal

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

This would be the easiest way:
Wireless Pocket Router/AP by D-Link
http://www.dlink.com/products/?sec=0&pid=346
• Portable 802.11g Wireless Connectivity
• Can Be Used as an Access Point, Router, or Wireless Client
• Includes Convenient Travel Case
• Supports Power over USB

D-LinkShop Price: $54.99

The Wireless Pocket Router/AP might be small in size, but is huge in functionality. The DWL-G730AP supports multiple operation modes including: Access Point (AP) mode to create a wireless connection; Router mode to share an Internet connection; and Wireless Client mode to connect an existing wireless network. Easily switch between these modes by using the 3-way configuration switch located at the bottom.

In AP mode, the DWL-G730AP can be used to create a wireless network in a room where a single Ethernet port is provided. Now multiple wireless clients can connect to the network at the same time to share resources and files.

In Router mode, the DWL-G730AP can be used to share a single broadband Internet connection, such as in a hotel room. The internal DHCP server automatically assigns IP addresses to ensure everyone in the room can connect to the Internet.


You should have an RJ-45 jack for the ethernet cable to plug into your laptop; I am not sure the USB cable is for data, it might be just power.
You now have an AP via the RJ-45 port and a wifi card in the laptop.
I figure the wifi card will provide internet access for those logging onto the AP. You run a packet sniffer on your laptop and watch the traffic - kind of a passive operation.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

nightkid
Fame ! Where are the chicks?!
Posts: 306
Joined: 27 May 2007, 16:00
Location: interwebz

Post by nightkid »

Good read DNR.. but if you're in a public place, like a library, would it be easier to use ARP spoofing? From what I've read you set up a fake access point and have to wait for the user to connect, but with ARP the users have to go through your laptop to the AP without having to wait for them to connect, since you're between them and the modem already?

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Correct - ARP spoofing can be done once you are connected to the same network. By using a fake AP you avoid logging by most IDS - network security rarely logs external wifi signals; a rogue AP and its traffic would need special attention to detect. I believe with careful analysis you could detect ARP spoofing in the logs - something has to happen to the real device that the ARP spoof is trying to pose as.

If the wifi network requires a login or WEP - this is how you will try to obtain logins - by users being fooled into thinking they are logging into the real wifi AP and actually typing their user/pass into your computer. This method could be faster than trying to collect packets to crack the network's WEP (as in the case of small to medium sized networks), and again, it's kind of a passive attack on the network and hard to detect.

The above example I showed with a wifi AP is a versatile tool: you can use it to connect to a cabled network and access it wirelessly, you can set up a rogue wifi AP for spoofing real APs, and you can use it as a stronger WNIC.

Getting busy here - sorry if the post was confusing! DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

nightkid
Fame ! Where are the chicks?!
Posts: 306
Joined: 27 May 2007, 16:00
Location: interwebz

Post by nightkid »

Let's say you're sitting in a library and have the router connected to your computer, and you change the name of your AP to the same as the library's. Someone comes in and boots up their computer; they still have the choice to pick the wireless connection they want to connect to, even if they're named the same? So it would be a 50-50 chance?

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Well - the library AP SSID "Library" would have a MAC address different from your AP SSID "library". Now - the whole thing will depend on which is closer to the victim - your AP or the real AP - if your signal is stronger, the victim's WNIC might choose your SSID over the weaker-signal library SSID.
In some cases the victim will see both SSIDs broadcast, and pick one - hopefully yours!

I am not sure if having the same SSID causes problems on a network, like two NICs with the same IP; most spoofed APs use a name misspelled or similar - like "Library_01" or "library_wifi" - since most victims wouldn't know how to choose.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
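The quoted article's "Steps That Can Help" section says a WIPS catches this by noticing APs with spoofed SSIDs and unusual deauthenticate bursts, and the exchange above points out the tell-tale detail: the impostor's "Library"/"library"/"Library_01" is sent from a MAC address (BSSID) that is not the library's. The script below is an added example written for this thread, not code from the article or from any of the tools it names. It assumes a small constructed baseline (KNOWN_APS: one SSID and its two authorised BSSIDs) and constructed beacon and deauth records, which a real deployment would feed from a monitor-mode capture; the SSIDs, MAC addresses, timestamps and thresholds are all made up for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ts: float      # seconds since capture start
    ssid: str
    bssid: str     # transmitter MAC of the AP sending the beacon
    channel: int


@dataclass(frozen=True)
class Deauth:
    ts: float
    bssid: str     # AP address the deauthentication frame claims to come from


# Baseline of authorised APs, as a site survey would record it (constructed).
KNOWN_APS = {
    "Library": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}

# Constructed beacon observations: the two legitimate Library APs, one unknown
# BSSID using the exact SSID, several look-alike SSIDs, and an unrelated network.
SAMPLE_BEACONS = [
    Beacon(0.1, "Library", "00:11:22:33:44:55", 1),
    Beacon(0.2, "Library", "00:11:22:33:44:56", 6),
    Beacon(0.3, "Library", "aa:bb:cc:dd:ee:ff", 11),   # same SSID, unknown BSSID
    Beacon(0.4, "library", "aa:bb:cc:dd:ee:01", 11),   # case-only variant
    Beacon(0.5, "Library_01", "aa:bb:cc:dd:ee:02", 6),
    Beacon(0.6, "library_wifi", "aa:bb:cc:dd:ee:03", 1),
    Beacon(0.65, "Libary", "aa:bb:cc:dd:ee:04", 1),    # one-character typo
    Beacon(0.7, "CoffeeShop", "12:34:56:78:9a:bc", 3),  # unrelated, not flagged
]

# Constructed deauth frames: 12 within one second "from" the legitimate AP,
# then a single isolated deauth much later, which is normal roaming noise.
SAMPLE_DEAUTHS = [Deauth(5.0 + i * 0.05, "00:11:22:33:44:55") for i in range(12)]
SAMPLE_DEAUTHS.append(Deauth(40.0, "00:11:22:33:44:56"))


def normalise(ssid: str) -> str:
    """Lower-case and drop separators so 'Library_01' compares as 'library01'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted SSIDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_evil_twins(beacons, known=KNOWN_APS):
    """(ssid, bssid) pairs where a baseline SSID is sent by an unauthorised BSSID."""
    hits = {(b.ssid, b.bssid) for b in beacons
            if b.ssid in known and b.bssid not in known[b.ssid]}
    return sorted(hits)


def find_lookalikes(beacons, known=KNOWN_APS, max_distance=2):
    """(seen_ssid, known_ssid, bssid) for SSIDs outside the baseline that differ
    from a known SSID only by case, punctuation, a suffix, or a couple of typos."""
    hits = set()
    known_norm = {k: normalise(k) for k in known}
    for b in beacons:
        if b.ssid in known:
            continue
        ns = normalise(b.ssid)
        for k, nk in known_norm.items():
            if ns.startswith(nk) or edit_distance(ns, nk) <= max_distance:
                hits.add((b.ssid, k, b.bssid))
    return sorted(hits)


def find_deauth_floods(deauths, threshold=10, window=1.0):
    """(bssid, window_start, count) for every window holding >= threshold deauths
    attributed to one AP: a burst like that is how clients get pushed off the
    real AP so they reconnect to whatever answers first."""
    buckets = Counter((d.bssid, int(d.ts // window)) for d in deauths)
    return sorted((bssid, n * window, count)
                  for (bssid, n), count in buckets.items() if count >= threshold)


if __name__ == "__main__":
    for ssid, bssid in find_evil_twins(SAMPLE_BEACONS):
        print(f"EVIL TWIN   known SSID {ssid!r} from unauthorised BSSID {bssid}")
    for seen, known, bssid in find_lookalikes(SAMPLE_BEACONS):
        print(f"LOOKALIKE   {seen!r} resembles {known!r} (BSSID {bssid})")
    for bssid, start, count in find_deauth_floods(SAMPLE_DEAUTHS):
        print(f"DEAUTH BURST {count} frames from {bssid} in the second starting at t={start}")
```

The BSSID check is the strong signal: a spoofed SSID is free, but the impostor cannot also own the authorised AP's MAC unless it clones that too, and a clone shows up as the same BSSID on two channels or with two signal strengths. The look-alike check is deliberately loose (prefix match plus a Levenshtein distance of two on the normalised name), so in a dense environment it should be tuned or restricted to SSIDs you actually operate before it drives automatic blocking.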
