Description: Welcome to Part 12 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will look at Man-in-the-Middle attacks over wireless. There could be multiple configurations which the attacker can use to conduct this attack - Wireless-Wired, Wireless-Wireless or Wireless-GPRS/3G. We will understand each of these scenarios and then create the entire setup and demonstrate one of them.
We will learn a lot of new concepts in the course of this video - how to create a bridge, bridge wireless and other interfaces, sniff packets over a bridge etc. This video will also pave the way to understanding the next concept - SSL MITM over wireless, in which we will look at how to harvest usernames / passwords over SSL by conducting a MITM.
Tags: 802.11, wireless, security, mitm, wired, 3G, hotspot, honeypot, hacking
wow! damn, you're fast at making videos. I'll try to get my video about a custom regulation database up tomorrow; had a few technical difficulties.
Just grabbed any screen recorder off pacman and it turns out xvidcap likes to crash under openbox, and I was ripping my hair out with sound recording on Arch. I totally broke my audio after trying to use OSS, then moving to ALSA and then PulseAudio. Ended up using Windows Sound Recorder on a netbook; now I just have to piece the video and audio together.
Nice work on your video, though.
Thank you.
WOW!!! Very nice, Vivek. Please, we need two videos per day; if it is applicable, make it more.
I'll be sad when you finish the WLAN Megaprimer, but I'm sure the next series will have at least the same awesome level xD
Thank you for sharing your knowledge, keep them coming!
Excellent videos Vivek. I've been watching your videos since the Metasploit Megaprimer and I'm amazed each time I watch your new videos. Keep them coming.... I think SecurityTube as a whole is one of the best security-based websites out there. I also think a set of forums would make the site a little better.
Another great video Vivek. Two really good points come out in this in addition to everything else. Using the 0.0.0.0 address for an interface (this never crossed my mind, I always made use of a 169.x), and the excellent BRCTL. What a Godsend!
Looking forward to many more of these Vivek and give our thanks to Mrs Ramachandran for allowing you to spend so long in front of the screen making videos!
Barry
@Acebond Looks like you are having quite a journey, but IMHO you learn more by making mistakes and working your way around them. Looking forward to your video; I request you also add voice if possible.
@Kamel, Zidane, Unai , Chard Thanks guys! Many more videos in this series and many more Megaprimers to come this year :) So stay tuned
@Blackmarketeer Thanks buddy! Couldn't have done it without her co-operation. Also, I recently quit regular work to start my own business. That gives me more flexibility :)
Just posted the sequel to this video! SSL Pwnage! Check it out :)
I've been following this MegaPrimer since video #2; they are great!
Even when you think that you know the subject, you can learn some extra stuff!
Thanks a lot, looking forward to the next episodes.
Same as @Chard, been watching all your primers since the Metasploit Megaprimer and yes, I learned a lot. Thanks mate, thanks!
Vivek as always your videos are amazing
I have a silly question: can I consider mon0 and wlan0 two different interfaces? Can I do this with the same wireless interface name?
You are so fast :O Every day I refresh SecurityTube I see many interesting videos here. Thank you so much Vivek, you are really great.
@TouF, m0ei, behrouz Thanks a ton for all the appreciation guys! :)
@ahmadqdemat Actually that's a very good question. The short answer is that we need to create virtual devices on top of the actual physical device to do various tasks. I will probably discuss it at the end of the primer when I touch upon custom drivers and things like that.
Hi man, you are just great. If I win the lottery I will donate half of it to you for teaching me all this cool stuff. I wish you all the best. Thank you for taking your time to do these great videos. Keep them coming.
What a fantastic video series! Really enjoying these videos Vivek and excited to see what the next series is going to be.
Hey Vivek, good video, like the 11 before this one.
Though I have some problems when I try this at home.
As I have a wifi card, not a USB adapter, I booted on BT4, and it seems my smartphone (Galaxy S on Android) tries to connect to the fake AP, but cannot get an IP.
My bridge is up and got an IP from dhclient. It bridges interfaces at0-eth0.
In the video you said that "the IP address was allocated by the VirtualBox server".
If BackTrack is not virtualized, does it not allocate an IP?
@50cent :) Haha! Thanks my friend :)
@tomfromdelmonte The next series will be Metasploit Advanced (Ruby programming, Meterpreter scripting etc.), followed by finishing the Exploit Megaprimer I started a while back.
@EverL0sT Good point. When you run BackTrack using VMware or VirtualBox, the DHCP server service is offered by these software themselves so that NAT can work, and hence one does not have to worry about setting it up. If you are running BackTrack as a standalone OS, then you will have to create a valid dhcpd.conf file and run the dhcpd3 daemon on the interface at0 yourself. This is the only way the victim can get a valid DHCP address from your machine.
"@EverL0sT Good point. When you run BackTrack using VMware or VirtualBox, the DHCP server service is offered by these software themselves so that NAT can work, and hence one does not have to worry about setting it up. If you are running BackTrack as a standalone OS, then you will have to create a valid dhcpd.conf file and run the dhcpd3 daemon on the interface at0 yourself. This is the only way the victim can get a valid DHCP address from your machine."
What's stopping the victim's DHCP request from crossing the bridge and getting a DHCP reply from the hotspot?
I tried some things with the dhcpd3 daemon without success.
So I followed some tutorials, without success either.
I found some discussions talking about dhcpd3 issues on BT4 R2...
I think I'll try this on BT3...
Amazing video!
Truly the holy grail of attacks...
As a bookmark for myself and a tip to others, I thought I'd post a link to an interesting blog. I'm running the BT4 R2 live CD and couldn't get it to work with my built-in wireless (Intel 2200BG). I researched an alternative and found this: hxxp://adaywithtape.blogspot.com/2009/10/fake-ap-using-airbase-ng.html
The poster gives explicit details of configuring a DHCP server, along with iptables (something that I haven't got my head around yet fully!). He uses a wireless card with a particular IP address, but it was trivial for me to change it to use eth0 and my own real DG, rather than the 192.168.1.1 that he used.
There were quite a few configuration changes to make, so I guess my next challenge is to put the commands into a script!
Wow, I tried this MITM attack with my Allview smartphone. Looking at Wireshark, my phone shut down after the second packet received (gratuitous ARP)... guess the phone has a little bug...
Awesome video series. I've watched all of them thus far, and plan to finish. I was able to pull off my first MITM while going over part 12 a 2nd time. It blows my mind how easily it can be carried out, and I chuckle knowing it will remain so for a while yet to come. You really have a gift for simplifying the process for us n00bs. Do you plan to release any videos on GSM? Now that transmitters can be created fairly inexpensively and AT&T seemingly refuses to acknowledge any problems with the weak encryption, I see this as becoming an increasingly hot topic. Keep up the good work!
Hope you don't mind, I thought I'd ask a few questions. I was just finishing burning your vids to DVD and have been watching all day mostly. But I had some questions.. forgive me if it's really noobish stuff
------------------------------------------------------------
#1 question: will the roaming client (iPhone in your case from the video) still send probe requests for its default auto-set wireless APs even after it connects to a hotspot or host AP?
#2 question: also, do iPhones search for hotspots when they get online? And connect to whoever is there? Some people I know have an AP they use almost all the time. Would that be like Verizon? Also, would I be able to see the traffic he's sending to his AP if he's in my immediate location? And spoof the Verizon AP and route his traffic to me instead?
#3 question: another thing. I'm not any real type of security pentester, just to let you know :). I'm not a noob with computers though.. anyway, I have a local server here that I'm pentesting on. I can sniff it all day and grab my passwords for all the SSH and FTP services on it. However, it's just a basic Ubuntu 10 2.6 kernel with all services on default. Metasploit doesn't seem to do the job of exploiting any service on it. So I guess if you can't get in the front door you try the back, huh? If I can't exploit any services, I might as well sniff the traffic and just wait and get any passwords or any data from the network. However, a lot of different exploits in Metasploit don't seem to do the job; I end up finding other ways of accessing the system. Am I out of date or something? Maybe I'm just not knowledgeable enough to perform any real tasks. So I thought I'd ask you what you thought about it, Metasploit and my little bit of knowledge lol. Thanks Vivek ;)
Very gratefully appreciate all the knowledge you've given to us all. Your online courses are just awesome. Thanks bro ;)
Great video! I just had one question, as I don't have the resources to test it out right now. After a successful attack, if for whatever reason the victim suspected a MITM attack, would he be able to prove without a doubt that he is a victim by checking the gateway IP and comparing it to his own, or even with a traceroute?
I'm sure a simple nmap -O against the gateway would show a bit of a red flag, but are there any other ways using out-of-the-box tools in a Windows/OSX environment?
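On the detection question above (whether a client can tell it has been lured onto a look-alike AP), here is an added example that is not from the video or from any poster in this thread. It implements the two client-side tripwires the thread touches on: pinning the BSSID that is allowed to serve a given ESSID (a soft AP advertising the same network name shows up as an unknown BSSID), and pinning the gateway's MAC so that a gateway entry rewritten by gratuitous ARP is noticed. The log lines, neighbour-table lines, MAC addresses and the KNOWN_APS / KNOWN_GATEWAY profile are all constructed for the example; the log format follows the style of wpa_supplicant's messages and `ip neigh` output, but nothing here is captured from a real system.

```python
import re

# Constructed sample of a client's association log, written in the style of
# wpa_supplicant's messages (not captured from the video or the thread).
# The second association to the same ESSID comes from a different BSSID.
SAMPLE_LOG = """\
wlan0: Trying to associate with 00:1a:2b:3c:4d:5e (SSID='vivek' freq=2412 MHz)
wlan0: CTRL-EVENT-CONNECTED - Connection to 00:1a:2b:3c:4d:5e completed
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:1a:2b:3c:4d:5e reason=3
wlan0: Trying to associate with 02:11:22:33:44:55 (SSID='vivek' freq=2412 MHz)
wlan0: CTRL-EVENT-CONNECTED - Connection to 02:11:22:33:44:55 completed
"""

# Constructed neighbour-table sample in the style of `ip neigh` output.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.7 dev wlan0 lladdr 00:1e:c2:9a:44:10 STALE
"""

# Pinned profile (hypothetical values): the BSSIDs previously trusted for each
# ESSID, and the gateway MAC recorded on a known-good connection.
KNOWN_APS = {"vivek": {"00:1a:2b:3c:4d:5e"}}
KNOWN_GATEWAY = ("192.168.1.1", "00:1a:2b:3c:4d:5e")

ASSOC_RE = re.compile(r"Trying to associate with ([0-9a-f:]{17}) \(SSID='([^']*)'", re.I)
CONNECTED_RE = re.compile(r"CTRL-EVENT-CONNECTED - Connection to ([0-9a-f:]{17}) completed", re.I)
NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.I)


def parse_connections(log_text):
    """Return [(ssid, bssid), ...] for every completed association.

    The CONNECTED event names only the BSSID, so the ESSID is taken from the
    preceding 'Trying to associate' line for that BSSID."""
    pending = {}
    connections = []
    for line in log_text.splitlines():
        m = ASSOC_RE.search(line)
        if m:
            pending[m.group(1).lower()] = m.group(2)
            continue
        m = CONNECTED_RE.search(line)
        if m:
            bssid = m.group(1).lower()
            connections.append((pending.get(bssid, ""), bssid))
    return connections


def find_unexpected_bssids(log_text, known_aps):
    """Flag associations where a pinned ESSID was served by an unpinned BSSID,
    the signature of a second AP advertising the same network name."""
    alerts = []
    for ssid, bssid in parse_connections(log_text):
        allowed = known_aps.get(ssid)
        if allowed is None:
            continue  # ESSID not pinned, nothing to compare against
        if bssid not in {b.lower() for b in allowed}:
            alerts.append((ssid, bssid))
    return alerts


def gateway_mac_changed(neigh_text, gateway_ip, expected_mac):
    """Return the observed gateway MAC if it differs from the pinned one,
    otherwise None. Catches a gateway entry rewritten by gratuitous ARP."""
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line)
        if m and m.group(1) == gateway_ip:
            observed = m.group(2).lower()
            return None if observed == expected_mac.lower() else observed
    return None  # gateway not in the table yet


if __name__ == "__main__":
    for ssid, bssid in find_unexpected_bssids(SAMPLE_LOG, KNOWN_APS):
        print(f"ALERT: '{ssid}' served by unpinned BSSID {bssid}")
    print("gateway MAC changed:", gateway_mac_changed(SAMPLE_NEIGH, *KNOWN_GATEWAY))
```

Two caveats follow from the thread itself. A transparent bridge of the kind built here leaves the victim's gateway IP and gateway MAC unchanged, so the gateway check only catches the ARP-spoofing variant, not the bridge; and a soft AP's BSSID can be set to match the real AP (as the later comment about spoofing the MAC shows), so the BSSID check is a tripwire rather than proof. A change in either value is worth investigating; an unchanged value is not a clean bill of health.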
OK, great video, I love it, but I have a big problem...... every time I get to the point where I do "ifconfig mitm up" everything messes up and it's frustrating me.
When I do that, the internet cuts off and the bridge doesn't seem to work; I go on the targeted computer and I can't get to the internet.
airbase and everything else works, literally EVERYTHING works except that step, and then everything goes down the drain.........
I've been testing to see what I can find and I found out that at0 is the problem; I run the MITM bridge without adding at0 and everything works well.
at0 is still down, so everything works well.
I run the bridge without at0 being added and the internet still works...... then I add at0 and bring it up and bam, everything goes down and the internet doesn't work. I'm confused and I don't know what to do; can I get some help please? Thank you.
Vivek.. thanks for all the videos.... really great...!
Would you make a video on how to set up MITM with airbase-ng when we use a 3G modem and a Live USB (no VMware or VirtualBox)?
Thanks
Dear Vivek,
Thanks for this deep demonstration. I am new to SecurityTube.
I have some doubts in this part:
1. Which DHCP server gave the IP address to the iPhone?
2. Are both the AP (SSID: vivek) and the client device (iPhone) in the same subnet?
3. Is this bridging possible in the GPRS / wired scenarios?
If so, how do clients (iPhone) get the IP address?
Nice Work Vivek! Keep'em coming!
Can't wait to get my Alfa wireless adapter from Amazon. I need to practice before going deeper with these great videos. Thanks again Vivek! This is a very big help in understanding hacking and preparing for my plan of taking CEH training in the near future.
One problem I have had is when I deauth, my client does not automatically reconnect to the spoofed access point. I have to manually connect the client to the spoofed AP. Anyone else having this issue?
I'm using BT5 GNOME on my netbook and using an Alfa card as wlan1 to create the rogue AP, but when I try to add my wlan0 (my internet connection) to the bridge using "brctl addif mitm wlan0" I get an error message saying: can't add wlan0 to bridge mitm: operation not supported. Any workaround for this?
Thanks, great video vivek. :)
love the video, and now I'm scared to use wifi....
Hi guys, I have a question. In part 12 Vivek explained MITM attacks; from that, how to attack the client with variation 1........ I mean with the same AP, no internet facility for us... please can anyone explain to me....
I'm having a problem and hoping somebody could point me in the correct direction. So I watched this video a few times and decided to give it a try; I set my router up to have no security on it just for the duration of my test.
I went through all the steps and when it comes time to listen on Wireshark at at0 I do not get anything coming through.
Here are the steps I have repeated; I'm sure I missed something but can't seem to find my problem.
First I set my VM to use NAT,
then in BackTrack it looks like this:
ifconfig
ifconfig wlan0 up
airmon-ng start wlan0
iwconfig wlan0 channel 1
airbase-ng --essid p12test mon0
ifconfig at0 up
brctl addbr mitm
brctl show
brctl addif mitm eth0
brctl addif mitm at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig mitm up
dhclient3 mitm &
then start Wireshark and wait, browse around the net on my iPhone and my old crap laptop, both of which I connected to p12test.
So again my question: what am I doing wrong? Or missing altogether?
@mcmalach Is your mitm interface getting an IP address from the DHCP server? Is your instance of BT running in a virtual machine or is it running on a real machine? In the second case you need to run a DHCP server that must provide an IP address to the connecting client.
This is just awesome Vivek. I can say it's by luck I landed on this site,
But I am trying to get my phone (Android OS, wifi enabled, but not iPhone) to act as a USB wireless card; any tips??
Keep the videos coming spread the WORD!!
Cheers
Awesome! Awesome! vivek, keep doing more, and don't be afraid to go deep in theory, I love when you give a lot of background and details, thank you very much!
I have a native installation of BackTrack 5 R1.
brctl does not support adding a wireless interface, so I had problems while trying to do this with two wireless cards. However, when I tried this using the wired interface to connect to the internet it worked perfectly fine.
I wonder what the workaround is to do this with two wireless cards on a native installation.
Here are my notes on this part: http://41j.com/blog/2011/10/securitytube-wireless-lan-security-megaprimer-notes-part-12-a-man-in-the-middle-attack/
Thanks for your great videos! Going through the whole series now.
My Android phone cannot get an IP if the MAC is spoofed. However, if I do not spoof the MAC, everything works. Can Android detect a spoofed MAC? I tried with AA:AA:AA:AA:AA:AA and also with a more likely 00:13:10:4A:B6:09; none of them works.
Thanks for the notes new300. Much appreciated, as well as Vivek's insanely awesome videos he keeps rolling out. Thank god somebody doesn't mind sharing their knowledge like he does. We're all lucky to have him be our mentor and be able to build our skills up at our own pace with his videos. Vivek you are the bomb! I should be joining the forums this week as I will register shortly. Can't wait!!!!!
Hi Vivek, absolutely brilliant videos. Using a Linksys Wireless-G USB network adapter with RangeBooster + BT3, so far so good, not had a problem thus far :-) ... however, I have a 4 PC network, 3 x XP Pro, 1 x BT3 bootable CD using Linksys (rausb0). Could you please tell me, using BT3, how to achieve the 'bridging process'? Many thanks ;-)
Hi Vivek, cancel the above, all the commands work fine ;-) ...
Hi Vivek!!!
The video was seriously awesome and I really like your megaprimers very much...
I was wondering if we could use Cain and Abel to sniff around automatically, and if we can, can you show me how we can achieve it?
I am addicted. I was on video 1 this time yesterday.
Good Job :) Thankx for it
1. Why did you set the IPs of at0 and eth0 after creating the mitm interface? Any specific reason?
2. In my case, I was able to connect to the internet before creating the mitm interface. But after that my connection is lost. What would be the issue?
Vivek, fantastic job!!!! I love those videos and I'm going to buy your book as well soon. Additionally, I hope I will have the opportunity to see you at BH in Amsterdam in March.
I've got a question: is it possible somehow to do the bridging between two WLANs (2 x Alfa WLAN or ath5 + Alfa) to use Wireshark or similar? brctl does not allow adding a WLAN device unless it's in master/monitor mode, but in this mode it's not possible to forward the traffic. What would you suggest, ip_forward + iptables or something else? Thanks and best regards!!!!
I am going through each video and by the time I get home from work I can only do a few a night but made it to this one tonight. I am loving each one and thank you for taking your time to make them.
Great Great JOB!
Vivek - I've thoroughly enjoyed and learned a whole lot from all your videos in this series and in your exploit series. You make such great contributions and I just want to thank you for that.
To anyone who can help: I'm running BT4 R1 from a bootable USB drive since I am having all sorts of issues with BT5 R1 on VirtualBox. This setup is working great for me except I cannot get DHCP to work. I've seen in other comments here and elsewhere that I need to set up DHCP myself for at0. I've followed several different blogs and I just can't seem to get DHCP to work. I have MITM working if I manually assign the victim a valid IP, but I'm still stuck on getting DHCP to assign the victim an IP for me. Anyone have any ideas? Thanks!
DEAR VIVEK SIR,
I tried booting a MacBook with the BT5 live CD, and it worked, and both packet sniffing and packet injection were also working.
Sir, when I try to hack my college WPA-based wifi network, I didn't get any data packets, nor did deauthentication work. I saw the AP in my college was transmitting beacon frames, but my teachers' laptops were connected to the AP by Ethernet. Sir, then how to deauthenticate them and grab data packets and crack WPA by dictionary?
Hello.
Using dhclient doesn't work for me. I have BT5 R2 installed. I bring up all interfaces, the ESSID is broadcast, however dhclient will not assign an IP address to the mitm interface. Any ideas?
A video on setting up this attack with an installed version of BackTrack instead of a virtual instance would be very helpful, as I'm having trouble getting the DHCP daemon set up.
I have bridged the interfaces and everything and have gotten no error messages. I have also managed to connect my phone to the soft AP, but I am not getting any internet connectivity. When I open Wireshark it is just doing broadcast ARPs. Any ideas on what I have done wrong? All interfaces are up and bridged, and every once in a while I will get an ICMP through Wireshark.
I had a rush of many videos today. This is the first real serious video. MITM, great job! Yet I could redo all the stuff on my own; here I get stuck, as the victim didn't get an IP address via DHCP. Well, I will sleep a few hours and give it a try again. Thanks so far.
@waba I gave up on using a native installation after similar failures, as well as trying to do this with iptables (it's messy!). If you use VirtualBox inside of Ubuntu it works just dandy! If you end up using Ubuntu and you are using a USB wireless card like Vivek, make sure you add yourself to the "vboxusers" group, otherwise VirtualBox won't recognize the wireless card.
Hello all, I need some assistance.
Well, the setup is like this. Let's say the legitimate AP has an ESSID of XYZ and it is encrypted with WPA2-PSK, and I even have the password (by penetration testing results or by any means).
In that case, while using airbase-ng, what other option needs to be set so that the user who is authenticated using the wifi WPA2 passkey will connect to my fake ESSID made using airbase and the Alfa card?
Meaning the user has set the passkey on his PC; now if I connect the user to my soft AP, what is the option through which I could give the original passkey
so that even if a user connects to my soft AP he will be asked for the passkey, and when he enters the legitimate passkey he will get access??
Please send me the solution ASAP.
Well, my statement was confusing,
let me re-frame it.
ORIGINAL:
ESSID = XYZ
Key authentication = WPA2-PSK
I know the password.
Now, while creating the soft AP, what has to be set for giving the password, so that the user has to give a password?
Need some very urgent help.
After creating the soft AP and setting up the bridge and everything,
when I connect my client (cellphone), airbase-ng shows a message but my phone keeps showing "OBTAINING IP ADDRESS" and does not work. It does not even give the APIPA address.
First time poster.
I have BackTrack 5.2.
I am trying to get MITM working. I have two issues. One is with VirtualBox: I can't seem to get eth0 to work. I don't get an IP address on my BT instance. Annoying, but not the big issue.
Maybe that is my issue:
I see the SSID show up on another PC, but I do not get access through the bridge. E.g.: pings to google.com fail.
This is the script I am using to run/re-run the MITM setup:
#!/bin/bash
# bash rather than sh: read -p is not available in dash, which is /bin/sh on BackTrack.
# Every echo announces the command that follows it, so the terminal shows what ran.
echo kill \`pgrep airbase-ng\`
kill `pgrep airbase-ng`
echo kill \`pgrep dhclient3\`
kill `pgrep dhclient3`
echo airmon-ng stop mon0
airmon-ng stop mon0
echo airmon-ng stop mon1
airmon-ng stop mon1
echo airmon-ng stop wlan0
airmon-ng stop wlan0
echo ifconfig eth0 down
ifconfig eth0 down
echo ifconfig wlan0 down
ifconfig wlan0 down
echo ifconfig mon0 down
ifconfig mon0 down
clear
read -p "Everything should be down. Press [Enter] to continue MITM..."
# Bring the wireless card up and create the monitor interface the soft AP runs on.
echo ifconfig wlan0 up
ifconfig wlan0 up
echo airmon-ng start wlan0
airmon-ng start wlan0
echo airmon-ng start mon0
airmon-ng start mon0
echo Killing dhclient3s
kill `pgrep dhclient3`
echo iwconfig wlan0 channel 1
iwconfig wlan0 channel 1
echo iwconfig mon0 channel 1
iwconfig mon0 channel 1
echo airbase-ng --essid SecurityTube mon0 \&
airbase-ng --essid SecurityTube mon0 &
# at0 is the tap interface airbase-ng creates; give it a moment to appear before using it.
sleep 2
echo ifconfig at0 up
ifconfig at0 up
echo brctl addbr mitm
brctl addbr mitm
echo brctl addif mitm eth0
brctl addif mitm eth0
echo brctl addif mitm at0
brctl addif mitm at0
echo brctl show
brctl show
# Bridge members carry no IP address of their own; the bridge interface gets the address.
echo ifconfig eth0 0.0.0.0 up
ifconfig eth0 0.0.0.0 up
echo ifconfig at0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
echo kill \`pgrep dhclient3\`
kill `pgrep dhclient3`
echo ifconfig mitm up
ifconfig mitm up
echo dhclient3 mitm \&
clear
echo "Press [Enter] to shutdown MITM..."
echo
dhclient3 mitm &
read
# Teardown: stop the soft AP and DHCP client, then dismantle the bridge and interfaces.
echo kill \`pgrep airbase-ng\`
kill `pgrep airbase-ng`
echo kill \`pgrep dhclient3\`
kill `pgrep dhclient3`
echo ifconfig mitm down
ifconfig mitm down
echo brctl delbr mitm
brctl delbr mitm
echo airmon-ng stop mon0
airmon-ng stop mon0
echo airmon-ng stop mon1
airmon-ng stop mon1
echo ifconfig at0 down
ifconfig at0 down
echo airmon-ng stop wlan0
airmon-ng stop wlan0
echo ifconfig eth0 down
ifconfig eth0 down
echo ifconfig wlan0 down
ifconfig wlan0 down
echo brctl show
brctl show
Great video Vivek!
I am also having trouble with my phone (Samsung Galaxy Note) failing to connect due to an inability to obtain an IP address. Did you have a DHCP server running while you made this video? Otherwise how is it that your phone can obtain an IP address from your BackTrack AP and mine cannot? I also tried with my desktop computer that has a wifi card installed and the behaviour was the same. In a previous video, your device was able to create its own IP address in time, but mine cannot. Would appreciate any help!
Thanx in advance!
Hi Vivek, awesome video, with each and every slide nicely explained as always.. I've been watching your videos for quite a long time... I guess MITM is a subject with lots of practicals..
TY very much.. I enjoyed all of your videos very much, esp. this one. :)
Hi Vivek, thanks for the contributions to wireless pentest; it is a very valuable experience for newbies like myself.. haha
I have just completed this video tutorial and everything works great. But I need your advice on HOWTO bridge 2 wireless interfaces?? As in your video, it's a wired (eth0) and wireless interface (Alfa card: wlan0).
I am trying to bridge my local wireless (wlan0) connected to my 3G portable while the other side is my Alfa card (wlan1). The brctl command does not allow me to bridge at0 (virtual) and wlan0 (internal wireless). I would appreciate it if you could point me in the right direction.
Cheers
Max Pang
Singapore
Cool video!
I have some questions; hope you can answer them :)
1- Why do we set eth0 0.0.0.0?
2- Why do we sniff on at0, not eth0??
3- How to make the iPhone connect automatically to my fake AP, as I need to manually reconnect it after sending the deauth signal, and sometimes it doesn't connect?
Finally, as usual, great video, thanks
Great video Vivek!! Doing some practical learning and realized this is a great setup for analyzing traffic generated from the apps on my phone, including native iPhone apps and 3rd party stuff. You're the man Vivek.
I have set up everything like you, Vivek, but the connection on my iPad 3 is extremely slow; sometimes the connection does not work.
My PC is not connected with WLAN; it is connected with LAN to the internet. What are the settings for a LAN connection? I'm running BackTrack 5 R3 on VMware.
Thx in advance
Hehe, 22 videos? Nice calculations, more like 52 it seems ;D
Hi Vivek, I have a problem; I am currently trying the above video.
I am on a BT5 R3 live USB, not VMware etc.
I want to bridge two wireless adapters together but it won't let me. I have followed the steps where you bridge mitm to at0 and at0 to eth0.
I want to bridge at0 to wlan0 but it won't let me. Could you please show me the syntax you would use, and also, as I'm not in VB or VM, I cannot use the NAT option to automatically assign IPs, so what do I use? You also said you can bridge 3G, 4G etc.; it would also be great to know how you bridge these. My apologies if I seem newbish, but this is the only problem that has occurred.
Great work ! Well done !
Wonderful videos Vivek! I am new to pentesting and look forward to continuing my experience.
Hi Vivek!
I seem to have all the components up and running with the bridge correctly set up; however, when I open Wireshark, at0 has no traffic that runs through it at all and I am not capturing any packets? If anyone has any thoughts or has run into this with a workaround, please let me know. Pardon my ignorance...
Nevermind. I figured out the problem. Thanx though
Is it possible to sniff traffic without a MITM attack? I've tried to sniff traffic using Cain without creating a fake hotspot. I sniffed the traffic between a client and the real AP and it worked fine (I was connected to the same AP).
I am talking about HTTP traffic.
Hi Vivek, I bought your book: BackTrack 5 Wireless Penetration Testing. This book is really great and I'm hoping there is a similar upcoming book for Kali Linux!
In the BackTrack 5 book on page 113 (Time for action - rogue AP) you never mention the # ifconfig wifi-bridge up command. This could go between steps 5 and 6 and is majorly important to successfully do the MITM attack.
Friendly regards and a huge handshake!
Oh yeah, mentioning crunch in the WPA/WPA2 cracking part, I believe, would also be cool: creating your own wordlists...
Anyway, as I said, it's a great book and I'm hoping there will be a next one for Kali.