Fully Automatic Wireless Hacking Station

This article describes a working all-in-one standalone mobile wireless attack station that can perform MITM-type attacks on clients automatically, without any internet access or other external connectivity or influence. In layperson's terms: this portable, battery-powered device can automatically entice wireless devices to connect to it, be they iPhones/iPads, Androids and other phones, or laptops and PCs. Most devices will connect to it automatically without the user even realizing. The device provides a fake network running fake email and web servers and, using some network trickery, captures the hostname, username and password of any attempted connection and logs them, along with the GPS co-ordinates of where the details were captured. This device could be used to hijack corporate and personal email logins, Facebook logins, and so on.

Messing around with airbase-ng, part of the aircrack-ng suite, over the last few months and researching wireless client vulnerabilities has led to an interesting proof-of-concept project. There are several weaknesses within the current wireless technologies in widespread use. First, however, an explanation of the project. The project description was to launch a wireless man-in-the-middle (MITM) attack without having another end to connect the victim to: we need to create a MITM attack without having any internet access. Such an attack could theoretically be used on the tube, in locked-down buildings, on the move, and so on, without the use of a mobile data card.
Built on top of a modified Raspberry Pwn release, although any Linux distribution would have been suitable, I set my wireless device to a power output of 30dBm and started the following automated process. Firstly, an airbase instance on my rtl8187 card, as follows:

/usr/local/sbin/airbase-ng -c 3 wlan0 --essids "/root/pen/code/scripts/essids" -P -C 60 -I 60 -vv | grep --line-buffered "directed probe request" | tee /run/probes

This starts an access point on channel 3, beaconing the SSIDs contained within /root/pen/code/scripts/essids as well as any SSIDs from probe requests that the access point receives from clients looking to connect to an access point. Now, in a little more detail: regular 'non-hidden' access points broadcast 'beacons', which are pieces of data that specify the SSID (wireless network name) as well as the supported encryption types and so on. These beacons are usually sent every 100 msec. Wireless clients send probe packets containing the SSIDs of all the wireless networks they have stored, asking whether any of them are present. The -P switch to airbase-ng makes airbase respond to every probe saying "yes, that's me", at which point, assuming the encryption or lack thereof matches the stored profile, the client will attempt to associate. Midway through building this test, however, Apple released iOS 6, and one of the changes seems to be that the iPhone now only sends out broadcast probes rather than directed probes, rendering the -P feature useless against them. A broadcast probe is where the device sends out an "is anyone there?" probe and waits to see which access points reply. Most iPhones, however, have connected at some point to a wireless hotspot, and so the SSIDs I chose for the essids file are "Boingo Hotspot", "BTOpenzone" and "BTWiFi" in the UK. I believe that "attwifi" is a popular one in the US. […]

By | April 26th, 2013|Linux, Perl, Projects, Raspberry Pi, Security Consultant, Wireless|18 Comments

Raspberry Pwn

I've recently acquired two Raspberry Pi boards along with power supplies and a nice case. I was attracted by the price and the processing power/RAM vs power consumption. The first thing I was interested in installing was the Raspberry Pwn release. I wouldn't call it a distro as such; it's more of a script that just downloads tools that most pen testers would download themselves at some point. The Raspberry Pwn site advises that it is not compatible with 'Raspbian', which is the newer release shown on the Raspberry Pi site, although I couldn't see a reason why. I downloaded the installer and ran it manually line by line some time ago, and I remember it running correctly and without issue. There were a few changes to the aptitude installs to address missing packages, and I also gave up trying to download the exploitdb through SVN at the end of the script, as it seems to be permanently down. I also downloaded aircrack, dnsmasq, compat-wireless, mdk3-v6, nmap, mitmproxy, reaver, and sqlmap. […]

By | October 15th, 2012|Projects, Raspberry Pi, Technology|0 Comments

Robot voice control

I've set up a new mic and used cvoicecontrol (with some bug fixes) to perform voice control. I've integrated cvoicecontrol into my C HAL layer. Each voice model needs training and saving; however, once that is done, they can be reused in the code. For example, if (listen("yesno")) { … } is all that's required to listen for a yes or a no, assuming that "yesno.cvc" has been trained in advance. I've also integrated the clap switch across one of the Phidgets digital inputs. The software requires two toggles within 8 seconds of each other, and the hardware configuration requires two claps to generate one output toggle. This seems the best way to stop other noise from triggering it. The result is that two sets of two claps are required to activate the voice control. Here's an example: […]

By | May 2nd, 2011|Projects, Robot|0 Comments

Linux robot automatically charging

Since the robot's rebuild, I finally tackled the automatic charging situation. There are a number of ways to get the device to autocharge. If it always has line of sight to its charger, it can spin until it finds it using infrared, then follow the beam; this, however, doesn't work without line of sight. It could use a compass, although there are too many magnetic fields, and this requires advance knowledge of positioning. The simplest method would be to always start on charge and just store the movement history, reversing it when it becomes necessary to charge. The problem here is that even with good wheel alignment AND accelerometers, even after a few movements, simply reversing them is often not good enough to get it even close to its original position. […]

By | May 2nd, 2011|Projects, Robot, Technology|0 Comments

Rebuilding the Robot

It had been a while since I'd worked on the robot, and I wanted to work on some movement algorithms. I've done some AI work lately on a separate project, and thought that this would help with the automated movement task. Unfortunately, the robot had a little accident, namely falling out of the loft whilst I was bringing it down. The removal of some of the excess hardware was long overdue, and it also needed some bug fixes that I now had no choice but to perform. […]

By | May 1st, 2011|C/C++, Development, Hardware, PHP, Robot, Technology|0 Comments