I have been playing a lot with airbase in the lab and one if the things that I first noticed while testing this technique as specified in the karmetasploit wiki is that we are setting the machine to attack any wireless client in the area, this may have legal implications during a valid pentest and may result in criminal actions if one is not careful. There are ways to minimize this risk and this is the way I see it, first we need to assess the are and identify all AP of the client and their SSIDs this cam be done using airodump-ng:
wlanconfig ath0 destroyairmon-ng start ath0
airodump-ng -b bg -a ath0
in the example I'm showing it running with an Atheros card. First we set the card in monitor mode then we are using the "-b" switch so we can scan both b and g and "-a" so we get only a list of only associated clients, the main reason we want associated clients is because we only want to target those that are connected to the access points of the company that we have been contracted to pentest that way we can minimize the risk of attacking the wrong target. The best time I would recommend for this reconoissance is during the early hours in the morning this is when most user will arrive at the office and turn on their laptops, preferably Mondays since it is the day that most mobile workers tend to go to the office. An example output is the following:
CH 14 ][ Elapsed: 2 mins ][ 2008-10-02 00:01 ][ WPA handshake: 00:0C:85:71:6C:2C
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:0C:85:71:6C:2C 78 98 38 0 3 11. WPA TKIP PSK target
00:30:BD:F3:3E:35 -1 0 0 0 11 -1 <length: 0>
BSSID STATION PWR Rate Lost Packets Probes
00:0C:85:71:6C:2C 00:13:E8:80:04:4F 93 11-11 0 28 target
00:0C:85:71:6C:2C 00:21:E9:B0:AC:B2 81 11- 2 50 26 target
00:0C:85:71:6C:2C 00:21:E9:A5:A2:04 79 0- 2 13 93 target,linksys,belking54g
00:30:BD:F3:3E:35 00:1C:B3:BF:61:70 38 0- 5 0 3
as we can see 3 clients are associated to the target ESSID. This are
00:13:E8:80:04:4F
00:21:E9:B0:AC:B2
00:21:E9:A5:A2:04
we place this mac addresses inside a text file one per line. We can call this file targets.txt, once we have them in the text file we will use it as a filter for airbase-ng. the command would be as follows:
airbase-ng -P -C 30 -D /root/targets.txt -e "target" -v ath0
The -P option will create a softap that will respond to all probes regardless of the ESSIDs specified, the -C option will indicate the amount of time that the ESSIDs seen will be beaconed, -D will indicate the file of mac addresses that will be used as filters for the connection and -e will specify an ESSID to broadcast by default and -v will be verbose output followed by the interface that is in monitor mode. This will generate the at0 tun interface that we will use with dhcpd and Metasploit to continue the karmetasploit attack. This same concept can be used for other types of attacks and limit those to approved targets.
One important point when conducting this type of attack against a valid target is to use powerful card with a good antenna so as to assure that your machine will be selected instead of the valid AP, I highly recommend the Ubiquity and the Alfa USB high gain with a good yagui antenna.
Thursday, October 9, 2008 at 12:43PM 