Shulou(Shulou.com)06/01 Report--

This article mainly introduces airbase-ng how to establish SoftAP for sniffing, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.

Using airbase-ng to establish Soft AP, and then using some common tools to sniff, or to analyze packets is an early MITM*** method. There are many articles on the Internet about manual implementation, as well as some automatic implementation scripts. These scripts are usually divided into two categories, one is to let the user enter interfaces, options, and so on step by step, and then run, each startup has to re-enter a lot of data, inefficient and uncomfortable. The second category runs automatically, but there are few options, which does not conform to their own usage habits. Therefore, in the learning process, I wrote an automatic implementation script.

Airbase-ng and hostapd can be used to establish Soft AP, in which the former requires the network card to support monitor mode, which is a common tool, but only supports OPN and WEP, does not support WPA encryption, does not pick the network card, and the common RTL8187L can be used. The second is hostapd, need network card to support AP mode, 8187L can not be used, rt3070 can be used to support the establishment of OPN/WEP/WPA various SoftAP. This article introduces the implementation based on airbase-ng, which is, after all, a lightweight tool with a wide range of hack options.

To establish a soft Ap and sniff, you can take the following four steps:

Establish hotspots in 1.airbase-ng

2.dhcpd starts the dhcp service

3.iptables sets up forwarding rules so that data connected to Soft AP customers can access the Internet normally.

4. Start the sniffer tool to collect information

After the end, you can also carry out subsequent analysis of the crawled package. Of course, DNS hijacking and fake pages for fishing can also be carried out in the middle, which is beyond the scope of this article. Let's talk about it step by step.

Preparatory work:

(1) A laptop with long-lasting power can either install kali linux directly or install kali in VMware.

(2) an 8187L network card, a knockoff is fine, the performance-to-price ratio is high, and the workmanship does not see how it is worse than the original one, as long as the intermediate chip is real. (the photo below is original)

(3) Antenna: it feels that the omni-directional antenna of 7dbi is just the right height, and no matter how large it is, it is inconvenient, and the signal of 9dbi is not enhanced much, but the loss is greater. The directional antenna is also good. The 7db directional antenna is very small and can reach the operating distance of the 10dbi omni-directional antenna in the focusing direction, which is suitable for long and narrow indoor space. Not to mention the ability to penetrate the wall, two reinforced concrete walls, it is basically difficult to receive available signals.

The measured signal strength of 7dbi omni-directional antenna (unoccluded): at 65 meters, the signal is about-35dbm within 10 meters at-85dbm5m. This value is very rough and is for reference only. Generally speaking, the lower limit of normal communication is-90dbm, which is even higher if you surf the Internet. Of course, the signal strength is also related to the antenna of the receiving device, but on the whole, the two antennas of the 8187L plus 7dbi are basically enough to cover a small indoor space in a public place.

(4) Notebook has internet network access, which is used to transfer the information received by Fake AP to internet.

(5) start monitor mode and forge the address of the local network card

Airmon-ng start wlan1ifconfig wlan1 downmacchanger-r wlan1ifconfig wlan1 upifconfig mon0 downmacchanger-r mon0ifconfig mon0 up

First, use airbase-ng to establish the Soft AP of OPN

Airbase-ng is mainly used to establish the AP of OPN, that is, public AP that does not require a password. WEP encryption is rare and does not support WPA encryption. In this step, the most important thing is that AP's ssid,ssid determines the deceptive nature of AP, that is, the possibility of being connected. Now the clients of mobile phones and tablets will automatically record the connected AP information and save it in / data/misc/wifi/wpa_suppliant.conf, and each hotspot will save four messages: ssid, psk (password), key_mgmt (encryption method) and priority (priority). Note that the hardware address of the network card is not included. Therefore, as long as the first three items are aligned, they can be connected automatically.

When the wifi function of the phone is turned on, it will continue to send probe packets containing ssid. You can use airodump-ng to check which ssid has been probe in the current network environment, which can be used for reference when counterfeiting ssid.

Once the name is selected, you can use airbase-ng to establish a Fake AP:

Airbase-ng $FAKE_AP_INTERFACE-e $FAKE_AP_ESSID-c

After airbase-ng runs successfully, ifconfig looks at it and finds that there will be one more at0 interface.

Root@mKL:~# ifconfigat0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xxinet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0... Eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx inet addr:10.10.10.138 Bcast:10.10.10.255 Mask:255.255.255.0...

Start the dhcp service using dhcpd

After the client connects to SoftAP, assign them an IP address. The most important thing here is that the IP address of SoftAP and the IP address of Internet interface cannot be in one segment of the network. For example, if the address of the network card eth0 that connects to the Internet network is 10.10.10.138ax 24, then the address of the at0 cannot be set to the same network segment. Here, it is set to 10.0.0.1 Universe 24.

First, create a dhcpd.conf, which contains the setting parameters for running the dhcp service. The key code is as follows:

Echo-n "[+] now creating dhcpd.conf..." cat > $SESSION_PATH/dhcpd.conf/dev/nullurlsnarf-I $1 | grep http > $SESSION_PATH/url.txttail-f $SESSION_PATH/url.txtdriftnet-I $1-d $SESSION_PATH/

These are the key steps to implementing a Soft AP-based MITM***.

Here is an automatic execution script auto_opnAP.sh. The simplest execution command is:

Auto_opnAP.sh-e xxxx-sud-I mon0-n eth0

The running interface is shown in the following figure:

Thank you for reading this article carefully. I hope the article "how to set up airbase-ng to sniff SoftAP" shared by the editor will be helpful to everyone. At the same time, I also hope you will support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.