Full Report
In preparation for our wireless training course at BlackHat Vegas in a few weeks, I spent some time updating the content on rogue/spoofed access points. What we mean by this are access points under your control, that you attempt to trick a user into connecting to, rather than the “unauthorised access points” Bob in Marketing bought and plugged into your internal network for his team to use. I’ll discuss how to quickly get a rogue AP up on Kali that will allow you to start gathering some creds, specifically mail creds. Once you have that basic pattern down, setting up more complex attacks is fairly easy.
Analysis Summary
# Tool/Technique: Rogue/Spoofed Access Points (Generic Setup using Kali Tools)
## Overview
This summary describes the setup and execution of a Rogue/Spoofed Access Point (AP) using tools commonly available in the Kali Linux distribution. The primary goal illustrated is to trick users into connecting to an operator-controlled AP in order to harvest credentials, specifically mail credentials, either by answering probe requests for any network name (KARMA mode) or by impersonating a specific SSID.
## Technical Details
- Type: Technique / Tool Integration
- Platform: Linux (Kali/BackTrack)
- Capabilities: Wireless card manipulation, MAC address randomization, soft AP creation, network probing response (KARMA), DHCP/DNS/Mail service spoofing (implied by goal of credential gathering).
- First Seen: Article published July 12, 2013.
## MITRE ATT&CK Mapping
The techniques described primarily fit under Initial Access and Credential Access tactics:
- **TA0001 - Initial Access**
  * **T1483 - Exploit Public-Facing Application** (listed for the external-exploitation case; here initial access relies on user interaction)
  * **T1191 - Accessing Information via Infrastructure Modification** (setting up the rogue infrastructure)
- **TA0006 - Credential Access**
  * **T1078 - Valid Accounts** (capturing credentials)
- **TA0011 - Command and Control** (implied by the need to listen for captured data, though the setup itself is local)
## Functionality
### Core Capabilities
The setup relies on stringing together several components:
1. **Wireless Card Preparation:** Using a compatible wireless card (e.g., Alfa AWUS036H) capable of injection/monitor mode.
2. **Wireless Preparation:** Downing the interface, randomizing the MAC address (`macchanger -r`), setting high transmit power (`iwconfig wlan0 txpower 30`), and setting the regulatory domain (`iw reg set BO`).
3. **Soft AP Creation:** Using `airbase-ng` to create a software access point on the monitor interface (`mon0`).
4. **Spoofing/Impersonation:**
* **KARMA Mode (`-P`):** Responding to all probe requests, tricking devices looking for previously connected open networks (like "Internet") into joining the rogue AP.
* **Targeted Spoofing (`-e "SSID"`):** Pretending to be a specific known network.
### Advanced Features
- **Credential Harvesting:** The ultimate goal involves running services (DHCP spoofing, DNS spoofing, mail spoofing) that redirect traffic from connected clients, often leading to credential capture, potentially utilizing modules from Metasploit (e.g., for SSL relay/strip or certificate interception).
- **Persistence via OS Behavior:** Exploiting the tendency of operating systems (especially Apple products) to reconnect automatically to previously probed open networks, and to keep accepting a self-signed or fake certificate once the user has dismissed the initial warning.
## Indicators of Compromise
*Note: No specific file hashes or C2 servers were provided in this instructional overview, as the focus is on utilizing standard Kali tools.*
- File Hashes: N/A (Relies on standard, installed binaries)
- File Names: `airmon-ng`, `airbase-ng`, `macchanger`, `iw`
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on local network control via fake BSSID/ESSID).
- Behavioral Indicators:
* Detection of a Wi-Fi interface forced into monitor mode (`airmon-ng start`).
* A "soft AP" that answers probe requests for every SSID it hears (`airbase-ng -P`), so that one BSSID appears to serve many unrelated network names.
* Traffic redirection often associated with known MITM frameworks (implied use of Metasploit/sslstrip).
## Associated Threat Actors
The article discusses offensive techniques used in wireless penetration testing and training (specifically BlackHat courses), not attributing them to specific clandestine threat groups.
## Detection Methods
- **Signature-based detection:** Unlikely for generic AP setup unless specific AP software behaviors (like `airbase-ng` starting up) are blacklisted.
- **Behavioral detection:** Monitoring for high-power open APs that answer probe requests for any SSID (KARMA behavior), and for client devices associating to such APs.
- **YARA rules if available:** N/A
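An added detection example, not code from the original article: given observed beacons and probe responses (constructed sample data, not a real capture), it flags any BSSID that answers for several unrelated SSIDs, which is the signature of the `airbase-ng -P` KARMA behavior described above, and reports unusually strong signal only as a secondary indicator. Extracting the frame tuples from a live capture (e.g. with scapy) is assumed to happen upstream.

```python
from collections import defaultdict

# Constructed sample observations: (frame type, BSSID, SSID, RSSI in dBm).
# Not captured from a real network; the first BSSID models a KARMA-mode
# soft AP answering every probe request it hears with the same BSSID.
SAMPLE_FRAMES = [
    ("probe_resp", "02:11:22:33:44:55", "Internet",   -35),
    ("probe_resp", "02:11:22:33:44:55", "attwifi",    -36),
    ("probe_resp", "02:11:22:33:44:55", "CoffeeShop", -34),
    ("probe_resp", "02:11:22:33:44:55", "HomeNet",    -35),
    ("beacon",     "a4:56:30:aa:bb:cc", "CorpGuest",  -60),
    ("probe_resp", "a4:56:30:aa:bb:cc", "CorpGuest",  -61),
    ("beacon",     "f0:9f:c2:00:11:22", "HomeNet",    -72),
]

def ssids_per_bssid(frames):
    """Map each BSSID to the set of SSIDs it has claimed in beacons/probe responses."""
    seen = defaultdict(set)
    for _ftype, bssid, ssid, _rssi in frames:
        seen[bssid].add(ssid)
    return seen

def strongest_rssi(frames):
    """Highest RSSI seen per BSSID; a rough proxy for abnormally high transmit power."""
    best = {}
    for _ftype, bssid, _ssid, rssi in frames:
        best[bssid] = max(rssi, best.get(bssid, -200))
    return best

def karma_suspects(frames, min_ssids=3, strong_dbm=-50):
    """Return {bssid: finding} for every BSSID that answers for at least
    min_ssids distinct SSIDs. Legitimate multi-SSID APs use distinct BSSIDs
    per network, so one BSSID with many names is the KARMA tell; RSSI above
    strong_dbm is recorded as a supporting signal, never as the trigger."""
    findings = {}
    best = strongest_rssi(frames)
    for bssid, ssids in ssids_per_bssid(frames).items():
        if len(ssids) >= min_ssids:
            findings[bssid] = {
                "ssids": sorted(ssids),
                "unusually_strong": best[bssid] >= strong_dbm,
            }
    return findings

if __name__ == "__main__":
    for bssid, f in karma_suspects(SAMPLE_FRAMES).items():
        print(f"KARMA-like AP {bssid}: {len(f['ssids'])} SSIDs, strong={f['unusually_strong']}")
```

The threshold of three SSIDs is a tuning choice for the constructed data; on a real capture it should be set from a baseline of the site's own APs.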
## Mitigation Strategies
- **Don’t join “open” wifi networks:** These networks are saved to the Preferred Network List (PNL) and will be probed for automatically.
- **Remove open wifi networks from remembered device networks:** Manually manage saved SSIDs, as OSes like iOS make this process difficult.
- **Use SSL and validate the *exact* certificate you expect:** Configure clients to strictly enforce certificate trust; if the expected certificate is not presented (as in a fake setup), the connection should fail without user prompt override.
## Related Tools/Techniques
- `aircrack-ng` suite (used for interface monitoring and AP creation)
- `hostapd` (Mentioned as an alternative, potentially used with Karma patches like DigiNinja's)
- Metasploit framework (Implied use for credential capture services)
- `sslstrip`/`sslsniff` (Suggested extensions for broader credential capture)
- Other wireless auditing tools mentioned in related research (e.g., Taddong's RootedCon talk).