Wednesday, January 7, 2009

The Story of a Newbie Hax0r - Part 2. My Evil AP

This post might make slightly more sense if you have read the intro and Part 1.

Part 2 - Creating My Evil AP

So I have a budget of £500 for this part of my assignment. I've already used a little of it getting the business cards printed and on fuel. I've decided that my next course of action is to get into the target's premises and install a rogue AP that I can connect to from nearby using encrypted WiFi. I also want to pimp out the rogue AP with any tools I might need for any further tasks.

I'm banking on finding a live ethernet socket when I get in, so that I can connect to it and get an internal IP on the LAN. As IT Support do not work from this site I'm hoping that they have flood-patched a few ports to reduce site visits.

First things first, shopping!

I get down to the local superstore and pick up a nice shiny Hacktop (Acer Aspire One) for £250 and I set about prepping it to be my Evil AP.

First I wipe it clean with DBAN and load up a fresh copy of Linux. I get all my favorite tools loaded up: Nmap, Hping, Screen, John, Ettercap, TCPDump, Netcat etc.... oh, and a few extras too, but I'll come back to those later.

Next I set about a little hardening. I password-protect the BIOS and disable USB boot. I then set a GRUB bootloader password and remove the rescue mode. I also disable any services that are not required, such as Cups, Pulse and the Accessibility services.

I configure the SSH server on the AP to listen on a non-standard port and only accept connections on the wireless interface. This will go some way to protecting the box from curious wardrivers. I also block root logins and add a line to the config file allowing only users of a specific group to access SSH; that group contains just one very restricted account (bob). This way, if someone were to bypass all the other measures they would have to guess the password to a single account which has access to nothing at all, and then they would have to brute-force another, more privileged account such as root.

Maybe my paranoia is getting the better of me!
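The SSH lockdown described above, as an added example that is not the original post's configuration: it renders the sshd_config directives the post talks about (non-standard port, listen only on the wireless address, no root login, group-restricted access) and audits a config file for them. The wireless address is a labelled placeholder because the post doesn't give it, and the group name sshusers is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: render the sshd_config
# fragment that implements the hardening described (non-standard port, bind
# to the wireless address only, no root login, AllowGroups) and audit a
# config file for it. AP_WLAN_IP is a placeholder because the post does not
# give the address; 'sshusers' is an assumed group name containing only bob.

AP_WLAN_IP="${AP_WLAN_IP:-192.0.2.1}"   # placeholder address, not from the post
SSH_PORT=7890
SSH_GROUP=sshusers                        # assumed group; bob is its only member

# Print the four directives that implement the post's SSH decisions.
hardening_fragment() {
    cat <<EOF
Port $SSH_PORT
ListenAddress $AP_WLAN_IP
PermitRootLogin no
AllowGroups $SSH_GROUP
EOF
}

# Effective value of a directive: sshd uses the first occurrence it reads,
# so print the first uncommented match (Match blocks are not handled here).
directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Return 0 only when every hardening decision is present in $1. An absent
# PermitRootLogin counts as a failure: the compiled-in default is not "no".
audit_sshd_config() {
    cfg="$1"; rc=0
    [ "$(directive "$cfg" Port)" = "$SSH_PORT" ] || { echo "Port is not $SSH_PORT"; rc=1; }
    [ "$(directive "$cfg" ListenAddress)" = "$AP_WLAN_IP" ] || { echo "sshd not bound to the wlan0 address only"; rc=1; }
    [ "$(directive "$cfg" PermitRootLogin)" = "no" ] || { echo "root login not disabled"; rc=1; }
    [ -n "$(directive "$cfg" AllowGroups)" ] || { echo "no AllowGroups restriction"; rc=1; }
    return $rc
}

# Constructed sample configs for the demonstration (not files from the post).
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
printf '# stock-looking config\nPort 22\nPermitRootLogin yes\n' > "$WEAK"
hardening_fragment > "$HARD"

echo "== weak config =="; audit_sshd_config "$WEAK" || echo "audit FAILED (expected)"
echo "== hardened config =="; audit_sshd_config "$HARD" && echo "audit passed"
```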

To cover as many eventualities as possible I also want to make sure I can get access to the GUI remotely, so I enable the shared desktop, which is a front end to VNC. This is moved to a non-standard port (5678) and locked down with ipfilter rules; I'll only be connecting through an SSH tunnel.

Next I configure the wireless network:

ifconfig wlan0 down
iwconfig wlan0 mode ad-hoc essid "hpsetup" channel 2 enc on key 123123123
ifconfig wlan0 netmask broadcast up

I have configured the SSID to be the same as those annoying printer SSIDs that you see in most offices, and even though I'll be using SSH to control the AP I've applied encryption (if you really want to call WEP encryption, that is). I have also configured the network card with a 30-bit network mask (/30); this allows just the AP and the controller on the network, which again raises the bar for anyone with ideas of owning my rogue AP!!!

Now I lock down all ports other than SSH on 7890 with a few iptables rules, allowing just the controller's IP access.

iptables -I INPUT 1 -i wlan0 -p tcp --dport 7890 -s -j ACCEPT

iptables -I INPUT 2 -i wlan0 -j DROP

iptables -I INPUT 3 -i eth0 -j DROP

iptables -L

I now set about configuring my controller laptop.

ifconfig wlan0 down
iwconfig wlan0 mode ad-hoc essid "hpsetup" channel 2 enc on key 123123123
ifconfig wlan0 netmask broadcast up
route add -host wlan0

Brilliant. I have the WiFi working, now I test SSH and the VNC SSH tunnel.

ssh -L 5678:localhost:5678 -p 7890 b0b@

Then I point my remote desktop to localhost:5678 and bingo! I have my remote desktop working over a secure SSH tunnel.

Great, everything seems to be working well. Once I get my hacktop into the target's premises I'll issue the following command to get the wired interface a DHCP address.

dhclient eth0

Now I just have to work on the camouflage and concealment. Back in my army days I would have smothered it in cam cream and taped a bush to the screen; in an office environment I think a standard nondescript box will have to do!

Coming up... A little grunt work never hurt anyone.


Anonymous said...

Tell me... do all hackers use nano?


SynJunkie said...

I do. But I guess the real hackers use emacs or vi.

Ken Pryor said...

Another great story! Can't wait for the next installment :)

Mike said...

Great job. Keep up the excellent work. And by the way, if you're not using vi, it doesn't count :)

Anonymous said...

Great work, when is part 3 coming?

SynJunkie said...

Thanks for the feedback guys.

Part 3 will be this weekend I hope. I'm pretty busy on a course so I haven't had too much time.

Anonymous said...

Hey, I liked your site a lot. Keep up the good job.

BTW, which distro did ya use on your Acer one? I have one, compiled madwifi but I am unable to associate to any AP. It would be nice if you can share or point me in the correct direction.


SynJunkie said...

In this story I used Ubuntu on both the Acer (Intrepid) and the controller (Hardy).

Hope that helps.