How to Hack Wi-Fi: Creating an Invisible Rogue Access Point to Siphon Off Data Undetected
Welcome back, my greenhorn hackers!
Continuing with my Wi-Fi hacking series, this article will focus on creating an invisible rogue access point: an access point that is not authorized by the firm's IT staff and that can be a significant security weakness for any firm.
Remember, as I've said before, hacking wireless networks isn't all just cracking Wi-Fi passwords!
In our scenario, we work for a large oil drilling and exploration firm. Our firm has been fracking rock and sandstone beneath the surface of the earth, a technique that injects sand, water, and chemicals underground to release oil and gas.
Lately, a number of residents in the area have fallen sick and one has died. Residents suspect that the chemicals our employer is using in its frack solution have poisoned their groundwater, resulting in the illness and death.
Our employer vehemently denies any role in the residents' illness and death, and claims that the chemicals that they inject into the ground are all safe. Furthermore, they claim that none of the fracking solution has leaked into the area's groundwater.
Although you're not a member of the engineering group, you have heard rumors that your employer is using toluene, a highly toxic substance, in its fracking solution. If this is true and it was released into the surrounding ground water, it probably accounts for the illnesses and death and will likely cause more deaths if it gets into the groundwater again.
You are determined that this should not happen again and you decide that in your off-hours, you'll work with environmental groups and hackers to try to disclose whether your employer is actually using toluene in its fracking solution.
They need access to the engineering group's records to prove that the company is lying and to keep it from further poisoning the surrounding groundwater.
Knowing that you work for the oil company, they ask you to put up a rogue access point that will bypass the firm's firewall and IDS (intrusion detection system), be invisible to the information security team, and yet provide them with nearly unlimited access to the firm's network and records.
In the United States, the FCC regulates the wireless industry and technologies, and has decided that only channels 1-11 are to be used. Many other nations use 1-12 or 1-14.
An access point communicating on channel 12, 13, or 14 would be totally invisible to wireless adapters built to pick up only channels 1-11 in the States. If we can get our rogue AP to communicate on channel 13, for instance, it would be invisible to the information security team at the oil drilling company or anyone else. Of course, we would need to set our own wireless adapters to communicate on channel 13 to be able to connect to it.
Since Japan allows channels 1-14, if we set our access point to use the Japanese regulatory domain, we will be able to communicate on channels 12, 13, and 14 in addition to the 1-11 allowed in the U.S.
We can do this by:
- iw reg set JP
- iwconfig wlan0 channel 13
Next, we need to put the wireless adapter into monitor mode.
- airmon-ng start wlan0
The aircrack-ng suite of hacking tools contains a tool called airbase-ng for creating an AP from your wireless adapter. We can use it by typing:
- airbase-ng -c 13 mon0
- -c 13 designates that it will communicate on channel 13
- mon0 designates the wireless adapter to use to create the AP
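From the defensive side, the channel trick only hides the AP from adapters locked to the FCC domain; a monitoring adapter set to a domain that permits channels 12-14 receives its beacons like any other. The Python below is an added example, not part of this article or of the aircrack-ng project: it classifies a constructed survey in the style of airodump-ng's per-AP CSV table against an inventory of authorized BSSIDs, flagging unknown BSSIDs, out-of-domain channels and open networks. The inventory, the column subset and every survey row are constructed for the example.

```python
"""Rogue AP survey check (added example; not from the article or aircrack-ng).

Reads an airodump-ng style CSV of observed access points and flags anything
that does not belong.  The survey below is constructed; only the BSSID,
channel, Privacy and ESSID columns are used.  NOTE: the sensor adapter must
be tuned to a regulatory domain that permits channels 12-14, otherwise an
AP on channel 13 never appears in the survey at all.
"""
import csv
import io
from dataclasses import dataclass

# FCC (US) domain allows channels 1-11; anything else is out of domain.
US_CHANNELS = frozenset(range(1, 12))

# Constructed inventory of the access points the security team actually deployed.
AUTHORIZED_BSSIDS = frozenset({"00:11:22:33:44:55", "00:11:22:33:44:56"})

# Constructed survey in the style of airodump-ng's per-AP CSV table.
SURVEY_CSV = """\
BSSID, channel, Privacy, ESSID
00:11:22:33:44:55,  6, WPA2, FRACK-CORP
00:11:22:33:44:56, 11, WPA2, FRACK-CORP
AA:BB:CC:DD:EE:01, 13, OPN, wifi-setup
AA:BB:CC:DD:EE:02,  1, WPA2, FRACK-CORP
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    essid: str
    channel: int
    reasons: tuple


def parse_survey(text):
    """Parse the CSV table into a list of dicts with normalised fields."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    rows = []
    for row in reader:
        if not row.get("BSSID"):
            continue  # skip blank trailing lines
        rows.append({
            "bssid": row["BSSID"].strip().upper(),
            "channel": int(row["channel"].strip()),
            "privacy": row["Privacy"].strip().upper(),
            "essid": row["ESSID"].strip(),
        })
    return rows


def classify(rows, authorized=AUTHORIZED_BSSIDS, allowed_channels=US_CHANNELS):
    """Return a Finding for every AP that fails at least one check."""
    findings = []
    for r in rows:
        reasons = []
        if r["bssid"] not in authorized:
            reasons.append("BSSID not in inventory")
        if r["channel"] not in allowed_channels:
            # Ordinary client adapters locked to this domain cannot even see
            # such an AP, so an out-of-domain channel is the highest-value signal.
            reasons.append(f"channel {r['channel']} outside regulatory domain")
        if r["privacy"] == "OPN":
            reasons.append("open network (no encryption)")
        if reasons:
            findings.append(Finding(r["bssid"], r["essid"], r["channel"], tuple(reasons)))
    return findings


def out_of_domain_rogues(findings, allowed_channels=US_CHANNELS):
    """Subset of findings on channels a domain-locked adapter would never scan."""
    return [f for f in findings if f.channel not in allowed_channels]


if __name__ == "__main__":
    for f in classify(parse_survey(SURVEY_CSV)):
        print(f"{f.bssid} ch{f.channel:>2} {f.essid!r}: " + "; ".join(f.reasons))
```

The inventory check is what actually catches a rogue; the channel check is what tells you which rogues your normal scanners would miss, so the two belong together in the same sweep.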
Now that we've created an AP, we need to connect it to the oil company's internal wired network. That way, traffic through the AP goes directly onto the corporate internal network and bypasses all of its security, including any firewall or intrusion detection system.
First, open a new terminal, create a bridge, and name it "Frack-Bridge". We do this by typing:
- brctl addbr Frack-Bridge
After creating the bridge, we need to attach both interfaces to it: eth0, the internal wired network, and at0, the virtual interface created by our AP. We can do this by typing:
- brctl addif Frack-Bridge eth0
- brctl addif Frack-Bridge at0
Next, bring up (activate) both interfaces. Giving them 0.0.0.0 leaves them without an IP address of their own, since the bridge forwards frames at layer 2:
- ifconfig eth0 0.0.0.0 up
- ifconfig at0 0.0.0.0 up
Linux has a built-in feature in the kernel for forwarding traffic (IP forwarding). We enable it by:
- echo 1 > /proc/sys/net/ipv4/ip_forward
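The bridge is transparent at layer 2, so frames from the wireless clients leave eth0 with each client's own source MAC, and the switch port that eth0 is plugged into learns several addresses where a single host would normally produce one. This added Python example (not from the article) parses a constructed dump in the style of a switch's `show mac address-table` output and reports non-uplink ports that have learned more than one address, which is the same condition switch port security limits enforce. Port names, VLANs, MACs and the uplink list are constructed.

```python
"""Wired-side check for a bridged rogue AP (added example; not from the article).

A Linux bridge is transparent at layer 2: frames from wireless clients leave
eth0 with the clients' own source MACs, so the switch port eth0 is plugged
into learns one address per client instead of one per host.  This parses a
constructed dump in the style of a switch MAC address table and reports
non-uplink ports that learned more than the expected number of addresses.
"""
import re
from collections import defaultdict

# Constructed dump; ports, VLANs and MACs are made up for the example.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    0011.2233.4466    DYNAMIC     Gi1/0/8
  10    aabb.ccdd.ee01    DYNAMIC     Gi1/0/12
  10    aabb.ccdd.ee02    DYNAMIC     Gi1/0/12
  10    aabb.ccdd.ee03    DYNAMIC     Gi1/0/12
  10    0011.2233.4477    DYNAMIC     Gi1/0/24
  10    0011.2233.4488    DYNAMIC     Gi1/0/24
"""

# Constructed: uplinks/trunks legitimately carry many addresses and are exempt.
UPLINK_PORTS = frozenset({"Gi1/0/24"})

ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def macs_by_port(text):
    """Map each port to the set of MAC addresses the switch learned on it."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and separator lines do not match and are skipped
            table[m["port"]].add(m["mac"].lower())
    return dict(table)


def multi_mac_access_ports(text, max_macs=1, uplinks=UPLINK_PORTS):
    """Return {port: sorted MACs} for non-uplink ports exceeding max_macs.

    max_macs=1 mirrors the common port-security setting of one address per
    access port; a bridged AP with several wireless clients trips it at once.
    """
    suspects = {}
    for port, macs in macs_by_port(text).items():
        if port in uplinks or len(macs) <= max_macs:
            continue
        suspects[port] = sorted(macs)
    return suspects


if __name__ == "__main__":
    for port, macs in multi_mac_access_ports(MAC_TABLE).items():
        print(f"{port}: {len(macs)} addresses learned -> {', '.join(macs)}")
```

Running the check periodically against a baseline of expected ports is cheap; enforcing the same limit on the switch itself (port security or 802.1X on access ports) stops the bridged clients from reaching the wired segment in the first place.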
Now, when your colleagues connect to our invisible AP (they will need to enable channel 13 on their wireless adapters), they will have access to the entire internal corporate network.
In this way, they can get the information they need from the engineering department to prove that the fracking solution did or did not contain toluene, and whether the company is responsible for poisoning the drinking water of the local community.
Make sure to check back on our Wi-Fi Hacking series, because even more wireless hacks are coming! If you have any questions, please comment below or start a discussion in the Null Byte forum and we'll try to help you out.