Description: Welcome to Part 9 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will look at hotspot-based attacks. Most of us use public hotspots, such as coffee shop or airport networks, from time to time. We will learn how simple it is for an attacker to intrude on your wireless privacy when you are on such a network.
The attacker first scans the neighborhood to find the hotspot's access points, which are typically open (no encryption). He then uses airbase-ng to create a fake access point with the same ESSID as the hotspot. Once this is running, he sends deauthentication frames to break the current connection between the authorized client and access point. Deauthentication frames carry no authentication in pre-802.11w networks, so the client accepts them, disconnects, and tries to reconnect. At this point, if the attacker is closer to the client and has a higher signal strength than the authorized access point, the client connects to the attacker's access point instead: clients select a network by ESSID, not by BSSID, so nothing on the client flags the swap. Once this happens, the attacker has IP connectivity to the client (by running a DHCP server on the soft AP's at0 interface, or simply by letting the client fall back to a link-local address) and can run tools such as Nmap and Metasploit to compromise the client.
Tags: 802.11, wireless, security, hacking, hotspots, attack, signal strength, mis-association
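The defender-side check that follows from the description above, as an added example that is not code from the video or from the aircrack-ng project: because clients join by ESSID and ignore the BSSID, the attack leaves a visible trace in airodump-ng's own CSV output (the `<prefix>-01.csv` written by `airodump-ng -w <prefix>`), namely one ESSID advertised by two BSSIDs. The sample CSV is constructed for the example; it reuses the two "Taco" BSSIDs and the station from the airodump-ng screen a commenter posts further down, while the WPA2 network, its open twin, the timestamps and the counters are made up. A `known_good` inventory (ESSID to legitimate BSSID) is an assumption the defender has to supply; without it the capture alone cannot say which twin is real.

```python
"""Evil-twin check over an airodump-ng CSV dump (added example, not code from
the video or from the aircrack-ng project).

airodump-ng -w <prefix> writes <prefix>-01.csv: an access-point table, a blank
line, then a station table.  Because clients pick a network by ESSID and ignore
the BSSID, the attack in the description shows up in that file as one ESSID
advertised by two BSSIDs, the stronger one usually being the soft AP.
"""
import csv
import io
from collections import defaultdict

# Constructed sample.  The two "Taco" BSSIDs and the station are the ones from
# the airodump-ng screen a commenter posted; the WPA2 network, its open twin,
# the timestamps and the counters are made up for the example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:13:46:AA:EF:C4, 2011-10-01 10:00:00, 2011-10-01 10:05:00,  9,  54, OPN, , , -34, 7819, 1445,   0.  0.  0.  0,  4, Taco,
00:09:5B:84:CB:41, 2011-10-01 10:03:00, 2011-10-01 10:05:00,  9,  54, OPN, , , -20, 16052, 102,   0.  0.  0.  0,  4, Taco,
00:22:33:44:55:66, 2011-10-01 10:00:00, 2011-10-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -60, 900, 0,   0.  0.  0.  0,  9, HomeWifi1,
AA:BB:CC:DD:EE:FF, 2011-10-01 10:04:00, 2011-10-01 10:05:00,  6,  54, OPN, , , -25, 300, 0,   0.  0.  0.  0,  9, HomeWifi1,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:01:4A:80:60:76, 2011-10-01 10:00:00, 2011-10-01 10:05:00, -37, 25502, 00:13:46:AA:EF:C4, Taco
"""


def parse_airodump_csv(text):
    """Return (aps, stations) as lists of dicts from airodump-ng CSV text."""
    aps, stations, target = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                       # blank separator line
        head = row[0].strip()
        if head == "BSSID":                # start of the access-point table
            target = aps
            continue
        if head == "Station MAC":          # start of the station table
            target = stations
            continue
        cells = [c.strip() for c in row]
        if target is aps:
            aps.append({"bssid": cells[0].upper(), "channel": int(cells[3]),
                        "privacy": cells[5], "power": int(cells[8]),
                        "essid": cells[13]})
        elif target is stations:
            stations.append({"station": cells[0].upper(), "power": int(cells[3]),
                             "packets": int(cells[4]), "bssid": cells[5].upper(),
                             "probes": [p for p in cells[6:] if p]})
    return aps, stations


def find_evil_twins(aps, known_good=None):
    """Report every ESSID seen on more than one BSSID.

    known_good maps ESSID -> legitimate BSSID (assumed defender inventory);
    without it every BSSID in the group is a suspect.
    """
    known_good = {k: v.upper() for k, v in (known_good or {}).items()}
    by_essid = defaultdict(list)
    for ap in aps:
        if ap["essid"]:                    # hidden-SSID APs have an empty ESSID
            by_essid[ap["essid"]].append(ap)
    report = {}
    for essid, group in by_essid.items():
        if len({ap["bssid"] for ap in group}) < 2:
            continue
        strongest = max(group, key=lambda ap: ap["power"])   # dBm, higher is closer
        privacies = {ap["privacy"] for ap in group}
        suspects = [ap["bssid"] for ap in group]
        if essid in known_good:
            suspects = [b for b in suspects if b != known_good[essid]]
        report[essid] = {
            "bssids": sorted(ap["bssid"] for ap in group),
            "strongest": strongest["bssid"],
            # an open twin of an encrypted network: a downgrade lure
            "downgrade": len(privacies) > 1 and "OPN" in privacies,
            "suspects": sorted(suspects),
        }
    return report


def misassociated_stations(stations, report):
    """Stations currently attached to a suspect BSSID."""
    suspect_bssids = {b for r in report.values() for b in r["suspects"]}
    return [s["station"] for s in stations if s["bssid"] in suspect_bssids]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    twins = find_evil_twins(aps, known_good={"Taco": "00:13:46:AA:EF:C4"})
    for essid, info in twins.items():
        print(essid, info)
    print("mis-associated:", misassociated_stations(stations, twins))
```

With the inventory supplied, only the second "Taco" BSSID is reported as a suspect and the station attached to the real AP is not flagged; without it both BSSIDs are suspects and the station shows up too, which is the honest answer when the capture is all you have.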
A superb series! Thank you!
Excellent video, Please keep it up, how many video for this mega primer you are planning for!
Amazing Amazing
When I read the title I thought you were going to show us how to get the usernames and passwords of users on a hotspot, but what I've seen is very brilliant. Thank you.
I have a question: what if we did the same procedure against a WEP-enabled access point? Will the client manage to connect to our soft AP?
Fantastic :-) As ever, another brilliant video! I've just had a play with DHCP, enabling forwarding and setting up iptables to allow the victim to surf whilst attacked! Great fun, and looking forward to more of this from the master himself!
Couple of questions if I may:
1) Is it possible to tell the card to change its output power manually so it can be set to max and drown out the original?
2) Do Windows security suites pick up the change of AP?
3) Can this also be used to deauth a WEP/WPA client connection and replace it with an open/insecure connection or does the client always honour the security settings for the connection?
Thanks again Vivek - this series is really engaging, thank you so much for making it.
Barry
Awesome, you are very informative.
Thanks for sharing knowledge.
Thanks a lot Vivek. This seems an awesome video.
BTW, I wanted to ask you: is there any way of getting my hands on your slides? It will help me a lot when we do a small conference in my country between my friends.
Another great tutorial, thanks Vivek.
Just got back from vacation. I couldn't wait to get back and catch up. Good fun, Vivek.
Good work. Your tutorial videos are very simple and informative.
@QuarterCask, driov, behrouz, WCNA, Jijo.Emmanual, Thanks Guys! :)
@m0ei Thanks! Currently I am not distributing the slides as I am planning to use them for corporate training as well. But you could just take screenshots of the video and compile a PDF for personal purposes.
@ahmadqdemat Thanks! Even in this case the client will connect to us. But how, why, and what we can do with it I will be covering in the videos, so stay tuned :)
@Blackmarketeer Awesome! It's great to see you improvise on the hack! This will teach you a lot and solidify your concepts. Answers to your questions:
1. Yes, you can do it with the iwconfig or iw family of commands. I will be covering this in detail in this series.
2. What do you mean by change of AP? If you mean same ESSID but different BSSID, then no, Windows and other OSs don't care about the BSSID at all.
3. Good question. The client honors the security settings but you could have it connect to a softAP created by you, with similar security settings. I just started this topic in the next video. Have a look.
Would have liked to see session hijacking as well... Or do you simply spoof the MAC and connect?
I thoroughly enjoyed this video. I have found my favorite video of the wireless series. I also have a few questions:
-When you send the deauth attack, is the deauth packet going to the AP to deauthenticate the client, or is the deauthentication packet going to the client to disconnect from the AP?
-I think you may have already answered this before with blackmarketeer but how would I allow the target machine to surf the internet using a separate internet source? (air card, separate wireless card on legitimate network)
-When I was trying this attack on my network at home it worked like a charm on an iphone 3gs but while sniffing packets from my iphone 4 it showed mostly "malformed packets" of the "FC" protocol on wireshark. Any idea what that is?
Another great video. Thanks Vivek!
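The question above about which side the deauthentication frame goes to is easiest to answer by looking at the frame itself. The following is an added example, not code from the video or from aircrack-ng: it builds and decodes 802.11 deauthentication frames by hand so the two addresses that decide the direction are visible. A deauth is a management frame (type 0, subtype 12) with a 24-byte header (addr1 = receiver, addr2 = transmitter, addr3 = BSSID) and a 2-byte reason code; aireplay-ng uses reason 7. Since pre-802.11w networks do not authenticate these frames, aireplay-ng forges both directions when a client is named with `-c` (one frame "from the AP" kicking the client, one "from the client" telling the AP it left) and otherwise sends only a broadcast frame "from the AP". Putting such frames on the air additionally needs a monitor-mode interface and a radiotap header, which this example does not cover; the MACs in the walkthrough are the AP and station from the airodump-ng screen posted further down, reused here as constructed input.

```python
"""802.11 deauthentication frames, built and decoded by hand (added example,
not code from the video or from aircrack-ng).

A deauth is a management frame: frame control type 0, subtype 12, a 24-byte
header (addr1 = receiver, addr2 = transmitter, addr3 = BSSID) and a 2-byte
little-endian reason code.  aireplay-ng --deauth uses reason 7, "class 3 frame
received from nonassociated station".  Before 802.11w these frames carry no
authentication, so either side can be forged: a frame "from the AP" tells the
client it was kicked, a frame "from the client" tells the AP the client left.
Injecting them needs a monitor-mode interface and a radiotap header in front
of the frame; this example stops at the frame bytes.
"""
import struct

FC_MGMT_DEAUTH = 0x00C0        # version 0, type 0 (management), subtype 12
REASON_CLASS3_NONASSOC = 7     # the reason code aireplay-ng sends
BROADCAST = "ff:ff:ff:ff:ff:ff"
HEADER_FMT = "<HH6s6s6sH"      # frame control, duration, addr1-3, sequence control


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(receiver, transmitter, bssid, reason=REASON_CLASS3_NONASSOC, seq=0):
    """Raw deauth frame without FCS: 24-byte header + 2-byte reason code."""
    header = struct.pack(HEADER_FMT, FC_MGMT_DEAUTH, 0,
                         mac_to_bytes(receiver), mac_to_bytes(transmitter),
                         mac_to_bytes(bssid), seq << 4)   # sequence number is bits 4-15
    return header + struct.pack("<H", reason)


def parse_deauth(frame):
    """Decode a frame; raises ValueError if it is not a deauthentication frame."""
    fc, _dur, a1, a2, a3, seqctl, reason = struct.unpack(HEADER_FMT + "H", frame[:26])
    if fc & 0x00FC != FC_MGMT_DEAUTH:      # ignore version and flag bits
        raise ValueError("not a deauthentication frame")
    return {"receiver": bytes_to_mac(a1), "transmitter": bytes_to_mac(a2),
            "bssid": bytes_to_mac(a3), "seq": seqctl >> 4, "reason": reason}


def deauth_burst(ap, client=None, count=64):
    """aireplay-ng-style targeting: directed bursts go both ways, broadcast only from the AP."""
    frames = []
    for i in range(count):
        if client is None:
            frames.append(build_deauth(BROADCAST, ap, ap, seq=i))     # AP -> everyone
        else:
            frames.append(build_deauth(client, ap, ap, seq=i))        # AP -> client
            frames.append(build_deauth(ap, client, ap, seq=i))        # client -> AP
    return frames


def direction(frame):
    """Human-readable answer to 'which way is this deauth going?'."""
    d = parse_deauth(frame)
    if d["receiver"] == BROADCAST:
        return f"AP {d['bssid']} -> all clients"
    if d["transmitter"] == d["bssid"]:
        return f"AP {d['bssid']} -> client {d['receiver']}"
    return f"client {d['transmitter']} -> AP {d['receiver']}"


if __name__ == "__main__":
    # Constructed walkthrough with the AP and station from the posted airodump screen.
    for f in deauth_burst("00:13:46:aa:ef:c4", "00:01:4a:80:60:76", count=1):
        print(len(f), "bytes:", direction(f))
    print(direction(deauth_burst("00:13:46:aa:ef:c4", count=1)[0]))
```

The directed burst is what `aireplay-ng --deauth N -a <AP> -c <client>` sends; leaving out `-c` gives the broadcast form, which only reaches clients that honour a broadcast deauth and is the reason a stubborn client sometimes stays connected.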
Absolutely AWESOME !
WOW!!! I have never seen video as professional and clearly explained as yours Vivek. Thanks for sharing your insanely sick brain loaded with information it means a lot to people trying to learn & expand their security knowledge. 100% best tutorials on the net! Vivek for president!!!! lol
Finally, the attacks begin!
Looking forward to the MITM attack...
@Ro0t_ {PhaseAmbiguity clicks like button}
very concise and easy to follow. nice to see you reiterate each step several times throughout the tutorial. excellent teacher.
Just finished this one. I could never have thought that this is so easy. I see suspicious guys around my house, and my net is a bit slow; I think it's time to take my shotgun and talk to them :) [just kidding, I have a grenade launcher ;P].
Great vids , great teacher :)
A lot of APs now are able to detect 'rogue devices'. I know Cisco definitely implements this on its enterprise-level APs, but what can they actually do about it, bar shutting the network down?
Is it possible that the Android phone does not take an IP by itself?
The only 802.11 device in my house besides an old netgear wireless card is a Sony PSP, so the poor thing was my test subject..
As soon as I started the deauth, the PSP switched over to the fake AP I created, without ANY kind of prompting or indication that something was wrong (besides no internet since I didn't create a bridge yet)
When the deauth was finished the PSP stayed connected to my fake AP.
Everything went as planned. Then I turned off the wireless on the PSP and something odd happened in Airodump:
BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB    ENC  CIPHER AUTH ESSID
00:09:5B:84:CB:41    0  100    16052    102    0   9  54    OPN              Taco
00:13:46:AA:EF:C4  -34  100     7819   1445    0   9  54 .  OPN              Taco

BSSID              STATION            PWR   Rate    Lost  Packets  Probes
00:09:5B:84:CB:41  00:13:46:AA:EF:C4   -1   1 - 0      0       68          <<
00:13:46:AA:EF:C4  00:01:4A:80:60:76  -37  11 - 2      0    25502  Taco
At the << mark above is the entry for 00:09:5B:84:CB:41 00:13:46:AA:EF:C4, with the first MAC being my fake AP and the second being the authorized AP. What is this for, and is it something that can be leveraged from a curiosity to something useful?
And thanks for this megaprimer, I have worked with computers for 20 years but have only taken an interest in security for the last 6 months, and the megaprimers have helped out SO much. You just can't read a tutorial and get this quality of information.
Hi there, just thought of an idea. If you can set up soft AP attacks so people connect to your AP with no encryption, what if it wasn't a hotspot but a normal wireless router with encryption? You could make a soft AP for clients that connected to that router; they would now connect to mine. The question is: could I capture the handshake the client makes to me, or is there a way of seeing the WPA key as they connect to mine? As it's a soft AP, is there no program that could show the key that they use to connect to my soft AP, apart from actually cracking it? Or if the client uses a WPA key and I don't have encryption on my soft AP but they still connect to mine, could I not still receive the key? I've been looking into this for months now; hopefully you can help me. Thanks
Great job with the videos :) Just as a note, it is (as far as I have tried) possible to create more than one monX interface for the same physical wlan interface using airmon-ng (I guess they are time-muxed, maybe?). It is also possible to put them on different channels, so you can use the same adapter to send the deauth packets on, say, channel X and set up a rogue AP on channel Y. (Run airmon-ng start wlanX twice. Also, this doesn't work if wlanX itself is in the 'up' state.) Once again, great series, keep 'em coming :)
(PS: tried with a Linksys WUSB54GC)
Hi Vivek! I have Wireshark installed on my Mac. Is it possible to capture deauth packets if someone is trying to hijack the connection between my Mac and my wireless router, as shown in this video?
Sir,
I have one question: how do I send a deauth packet to a particular client (I don't want to broadcast)? What's the command-line argument?
By
Ramki
Man this was great! The little SSH > iPhone connection bit at the end was fun! YOU ARE A GREAT TEACHER!
my password is not "alpine", made me laugh loud ;-)
Very interesting, my notes are here: http://41j.com/blog/2011/10/securitytube-wireless-lan-security-megaprimer-notes-part-9-hotspot-attacks/
Hi all, I need some help. I cannot deauthenticate my Android phone from my access point. I tried this using an Alfa Networks AWUS051NH (rt2800usb) on BackTrack 5 R1. I used the following command: aireplay-ng --deauth 0 -a <my AP MAC> mon0
I also tried with -a and -c <my Android phone's MAC> to no avail. My phone stays connected; I can surf the web etc., and I cannot get it to deauthenticate to capture the WPA handshake afterwards. The card does capture the handshake if I disconnect my Android device and then reconnect, but sadly --deauth does not work. Does anyone know what I am doing wrong? I also tried this with my internal Intel card (I think it uses the iwlagn driver); that also does not work. :(
Any help appreciated, thx.
Uhm, sorry about the weird quotes inside the <> tags. Of course I used something like aireplay-ng --deauth 0 -a aa:bb:cc:dd:ee:ff mon0
Never mind, I forgot to set the right channel. I wanted to deauth on channel 13, but the card was still set to only use 1-12.
Hey guys, I got a question. I set up my airbase-ng soft AP and it's all set up right, but my iPhone client won't connect to it after I deauth the --bssid of the AP. BackTrack shows a connection, but it doesn't show a connection on my iPhone. Also, when I go into Wireshark and monitor at0, no packets show up, like it's not online or something.
Do I need an Alfa card to do this? I only got a dual-band D-Link; the Alfa is coming in the mail next week.
Awesome videos! You are the best.
You have done such a great job here, sir. I can only say thank you, and I look forward to future releases. Would love the Metasploit class once I am done with this series.
Sir, your teaching is awesome.
Love your videos. I learned so much in last 6 months just from your videos and literature. Please keep it up. I now am a dedicated Security tube Fan. Greatings from Slovenija.
Namaste !! :)
Hello Vivek ! First of all thank you for these videos !
I'm having a problem. After having created the fake AP and connected my smartphone to it (a Huawei piece of crap), I start sniffing with Wireshark using the at0 interface. I can see all the DHCP requests and other ARP packets that my smartphone is sending, but after waiting for some time I don't see any gratuitous ARP packets. In a few words, I can see all the packets that were shown in this video, except the gratuitous ARP packets. The smartphone tries 3-4 times to obtain an IP address and then stops. The traffic that Wireshark is sniffing stops as well, without having sniffed any gratuitous ARP packet. It seems that my smartphone doesn't have auto-configuration of the IP address implemented. Is this possible? What might be the problem in this case? I haven't tried to connect any laptop to my fake AP yet; maybe in that case it will work, but I thought it would work with a smartphone too, since it has a wireless card built in.
Thank you !!!
You're so awesome, dude :) Like your videos, and your sarcasm also; thumbs up.
I have a question about the ESSID: how do I create an ESSID with a space in the name, like "securitytube 01"? Every time I try, it says to type airbase-ng --help, and when I do that it provides me with no answers. I have tried underscores between the names, dashes, etc. On another note, awesome video series!
Hello Vivek. I've been following your videos in this series and I absolutely enjoyed them and have learned a lot from you. Thank you. I've been able to follow your videos step by step, but when I tried applying what I learned in this video it seems like there's more to it than what was just shown in the video. Will you please help me with the airbase-ng setup? I'm new to networks and how they work, so I don't actually know what my settings for dhcp3 and everything should be so airbase-ng would work. I would appreciate it a lot. Anyway, I'm still following the other videos; I just want to learn this one because it seems fun and really interesting. Thank you again, Vivek, and more power to you.
Need some very urgent help.
After creating the soft AP and setting up the bridge and everything,
when I connect my client (cellphone), airbase-ng shows a message, but my phone keeps showing "OBTAINING IP ADDRESS" and does not work. It does not even get the APIPA address.
Great video series! I purchased your book as well and this is an amazing combination.
I know this is a bit late, but anyone please answer this:
when I set
airbase-ng - a AA:AA:AA:AA:AA:AA -e ''the essid of my ap'' mon0
it says
airbase --help
but when I do it this way
airbase-ng -a AA:AA:AA:AA:AA:AA mon0
it works.
Any difference?
Thanks in advance.
Another great video! Thanks!
Hey sir, I have a very strange doubt. Whenever I connect my cell, which is a Galaxy S2, to my access point, I can't sniff the authentication and association frames, just probe request and response. My cell phone connects to the AP, but sir, I can't sniff the authentication and association packets; even the AUTH column in airodump-ng doesn't indicate whether it's OPN or SHRD, while I successfully authenticate after starting airodump-ng. I am using the BackTrack 5 live CD, the inbuilt network adapter in my Dell laptop, and a Samsung Galaxy S2 as the victim.
thanks so much for all these vivek
Thank you sir, you are a real inspiration for me, and yeah, Wi-Fi is my favourite topic. Thanks a lot.
Read from socket failed: Connection reset by peer
when I'm connecting to the iPhone through SSH:
bt5#:~ssh ip-of-victim
bt5#:~Read from socket failed: Connection reset by peer
Can't find any solution for this error.
I love it. Great work again! I still have to try it out, but it all looks good on video and your demos! I am looking forward to the SSL-man-in-the-middle relay hack with transparent proxying!
Really enjoying this series. One question I have for anybody that can help, when I set up a soft AP with my Alfa card I can see the tap interface at0 and can bridge that to a working Internet connection so that the victim is unaware of the attack. What I can't do is see the at0 interface appearing in wireshark to be able to watch the traffic. Any idea why this may be? I am using Backtrack v5 R3 with up to date versions of the aircrack suite. Thanks for your time in answering.
Sir, when my phone connects to the ESSID I created with airbase-ng, it first tries to connect and sends DHCP request packets, as mentioned by you in the video. After that, disassociate and then deauthenticate packets are sent, and the connection fails. That means my phone does not take an IP address of its own via DHCP and the connection fails. But as mentioned by you, it takes an IP address. Please suggest something; how could I handle this situation?
Sir, please give a video on how to configure a DHCP server for giving IP addresses in the hotspot attack.
Really great!!
I have a doubt: I could not connect my client, which is my iPod touch 5G, to my fake AP.