Hands-On Penetration Testing on Windows

Bridged sniffing and the malicious access point

In Chapter 1, Bypassing Network Access Control, we built an access point to serve as a backdoor into a network. The access point provided us with DHCP, DNS, and NAT to get us out the eth0 interface attached to the inside network. The attached client was not a victim; it was the attacker on the outside of the building. This time, we're creating an access point, but it's intended for our target(s) to connect to it. The access point will grant them the network access they're looking for, and the destination network will handle them like normal – in fact, we're going to let the destination network handle DHCP and DNS, so don't even bother with dnsmasq this time. The idea is that we're essentially invisible: aside from providing an access point, we offer no network services. What we will be doing is sniffing everything that passes through our bridge.

The principles can be applied to any bridged sniffing scenario, so I encourage you to let your hacking imagination run wild with the possibilities. For our demonstration, we're firing up the timeless classic Free Wi-Fi attack. The idea is simple: offer free internet and let the fish come to you. This attack has potential in legitimate pen tests; attacking your client's users can be difficult in secure networks and setting up free Wi-Fi in a corporate environment is surprisingly effective. (Wouldn't you like the opportunity to bypass your company's web filters?) Another possibility is the evil twin concept where you're masquerading as a legitimate ESSID, or even the ESSID of a lonely wireless device's probes, looking for a familiar face in a strange place. Again, I leave the rest to your imagination.
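From the defender's side, the lures described above (an open "Free Wi-Fi" network, or an evil twin broadcasting a legitimate ESSID from an unknown radio) are exactly what a wireless monitoring check should flag. The following is an added example, not code from the book; the inventory of authorised BSSIDs, the lure keywords and the scan records are all constructed for illustration.

```python
# Rogue / evil-twin access point detection over wireless scan results.
# Added example (not from the book): a defender-side check that flags
# the "Free Wi-Fi" lure and evil-twin ESSIDs described in the text.
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical site inventory: ESSID -> authorised BSSIDs (constructed values).
AUTHORISED: Dict[str, set] = {
    "CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}
# Names that commonly appear on bait networks (assumption, tune per site).
LURE_PATTERN = re.compile(r"free|guest|public", re.IGNORECASE)


@dataclass(frozen=True)
class ScanResult:
    essid: str
    bssid: str
    security: str  # "OPEN", "WPA2", "WPA3", ...


def classify(result: ScanResult) -> List[str]:
    """Return the findings for one observed AP (empty list if benign)."""
    findings: List[str] = []
    known = AUTHORISED.get(result.essid)
    if known is not None and result.bssid.lower() not in known:
        # Our ESSID is being broadcast by a radio we do not own.
        findings.append("EVIL_TWIN")
    if known is not None and result.security == "OPEN":
        # Our ESSID offered without the encryption we deploy.
        findings.append("DOWNGRADED_SECURITY")
    if known is None and result.security == "OPEN" and LURE_PATTERN.search(result.essid):
        # An open network with a bait-style name, e.g. "Free Wi-Fi".
        findings.append("OPEN_LURE")
    return findings


def scan_report(results: List[ScanResult]) -> Dict[str, List[str]]:
    """Map each suspicious BSSID to its findings; benign APs are omitted."""
    return {r.bssid: classify(r) for r in results if classify(r)}


# Constructed scan records standing in for airodump-ng / iw scan output.
SAMPLE_SCAN = [
    ScanResult("CorpNet", "00:11:22:33:44:01", "WPA2"),    # legitimate AP
    ScanResult("CorpNet", "de:ad:be:ef:00:01", "OPEN"),    # evil twin, open
    ScanResult("Free Wi-Fi", "de:ad:be:ef:00:02", "OPEN"), # bait network
    ScanResult("Cafe-5G", "aa:bb:cc:dd:ee:ff", "WPA2"),    # unrelated neighbour
]

if __name__ == "__main__":
    for bssid, findings in scan_report(SAMPLE_SCAN).items():
        print(bssid, ",".join(findings))
```

In practice the scan records come from a monitoring radio or the WLAN controller's rogue-AP report; the classification logic is the same.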

First, I set up my access point. If you're following the hostapd example from Chapter 1, Bypassing Network Access Control, note the differences here – I don't need dnsmasq and I don't need iptables:

I gave the wireless interface an IP assignment in the Ethernet interface's network. I also ran airmon-ng check kill to ensure that any wireless networking utilities are killed, as they will prevent hostapd from doing its thing.

We used the graphical interface last time; I'm going to keep it clean and just fire off this command in a new terminal window:

# ettercap -T -q -B eth0 -B wlan0 -w FreeWifiTest

The following screenshot illustrates the output of the preceding command:

The command is easy thanks to Ettercap's behind-the-scenes power to manage the bridge and sniffing:

  • -T tells Ettercap to go old school and use a text-only interface.
  • -q means be quiet. We don't want Ettercap reporting every packet to our interface; that's what our capture file is for. We are analyzing later, not now. Let's just let it run.
  • -B starts up bridged sniffing. Remember, we need two interfaces, so I pass this flag twice, once for each interface.
  • -w will write the packets to a .pcap file for later analysis in Wireshark.

We then apply ordinary Wireshark analysis here. With this privileged position, we can proceed to advanced attacks such as SSL stripping – we'll cover this in Chapter 4, Advanced Network Attacks.