2.6 - Bridge to a network through a rogue Access Point
- The purpose of this practice is to create a rogue (fake, false) Access Point at the "kali" attacker machine, whose ESSID will be "falso", and then to connect any wireless client of that AP, through a bridge, to the authorized network.
- So the bridge could be used as a backdoor into the network for any attacker connected to that rogue AP. If that goal is achieved, all the effort spent on firewalls and Intrusion Prevention Systems to protect the network would be rendered totally useless, because access would be free.
- First of all, using the airbase-ng command, it is possible to create a rogue AP called "falso", following the same method used at 9.3:
- Now, the brctl addbr command creates a bridge, for instance called "puente", between the Ethernet interface, which is part of the authorized network, and the rogue AP:
- Adding the Ethernet interface eth0 and the virtual interface at0 to the bridge "puente":
- Bringing up the bridge on both interfaces:
- Also, ensuring that the system forwards all received packets (IP forwarding enabled):
- Finally, the client "roch" is connected to the newly created network "falso":
- For the purpose of demonstrating that the practice is correctly done, it is important to note that the MAC address of the connected client "roch" is 28:C6:8E:63:15:6B:
- Now, at the "kali" attacker machine, it can be verified that the quoted client whose MAC is 28:C6:8E:63:15:6B (actually "roch") has associated to the network "falso" at 13:37:42, two minutes after the rogue AP was created at 13:35:38:
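- From the defender's side, that same association record is what a wireless intrusion detection sweep looks for. Added example, not part of the original practice: a Python script that reads a capture export in the two-section layout of an airodump-ng CSV (an assumption about the input), flags every AP whose BSSID is not on a constructed allowlist, and lists the stations that associated to it and when. The sample export and its BSSIDs are constructed; only the client MAC and the two timestamps come from the notes above.

```python
"""Flag access points missing from the authorized list, and the clients attached to them.
Added example, not part of the original practice. Assumption: the input uses the two-section
layout of an airodump-ng CSV export (access points, blank line, stations). The sample is
constructed; only the client MAC and the two timestamps come from the practice notes.
"""
import csv
from io import StringIO

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-05-10 13:30:01, 2013-05-10 13:40:00, 6, 54, WPA2, CCMP, PSK, -40, 300, 0, 0. 0. 0. 0, 9, corporate,
AA:BB:CC:DD:EE:FF, 2013-05-10 13:35:38, 2013-05-10 13:40:00, 11, 54, OPN, , , -35, 120, 0, 0. 0. 0. 0, 5, falso,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
28:C6:8E:63:15:6B, 2013-05-10 13:37:42, 2013-05-10 13:40:00, -50, 40, AA:BB:CC:DD:EE:FF, falso
DE:AD:BE:EF:00:01, 2013-05-10 13:31:00, 2013-05-10 13:40:00, -60, 90, 00:11:22:33:44:55, corporate
"""

# Constructed allowlist: BSSIDs of the organisation's own access points.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}


def parse_airodump_csv(text):
    """Return (access_points, stations) as lists of dicts keyed by column name."""
    tables = []
    for section in text.strip().split("\n\n"):
        rows = [r for r in csv.reader(StringIO(section.strip())) if r]
        header = [h.strip() for h in rows[0]]
        # zip() drops surplus cells (a station probing several ESSIDs); acceptable here
        tables.append([dict(zip(header, (c.strip() for c in row))) for row in rows[1:]])
    return tables[0], tables[1]


def report(text, authorized=AUTHORIZED_BSSIDS):
    """Return every unauthorized AP together with the stations that associated to it."""
    aps, stations = parse_airodump_csv(text)
    allowed = {b.upper() for b in authorized}
    findings = []
    for ap in aps:
        bssid = ap["BSSID"].upper()
        if bssid in allowed:
            continue  # one of ours
        clients = [(st["Station MAC"], st["First time seen"])
                   for st in stations if st["BSSID"].upper() == bssid]
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"], "open": ap["Privacy"] == "OPN",
                         "first_seen": ap["First time seen"], "clients": clients})
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_CSV):
        print(f"rogue AP {f['essid']!r} ({f['bssid']}, open={f['open']}) since {f['first_seen']}; clients: {f['clients']}")
```

An open AP that appears minutes before a known client attaches to it is the pattern of this practice; the same parser works on a real export once the allowlist holds the organisation's own BSSIDs.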
- What is the conclusion of the practice? With the creation of a) the rogue AP, and b) the bridge between the authorized Ethernet network and the rogue AP, any wireless client connecting to the AP is able to access the whole LAN. For instance, from "roch", connected wirelessly to the AP "falso", it is possible to ping the gateway of the wired network.
- Of course, once any client has gained access to the authorized network, subsequent attacks could be launched to reach valuable data and files. So this would be just the first step of a full penetration attack, actually the "wireless" step of the whole potential attack.