Penetration Testing mailing list archives

Re: creating fake APs


From: pinowudi <pinowudi () gmail com>
Date: Thu, 17 Apr 2008 09:28:19 -0400

Using the fakeap driver requires specific hardware that supports RFmon mode. See the bottom of this article for some suggestions.

http://remote-exploit.org/research/void11rougeaccesspoint.html



bLiTz wrote:
Hi, thanks for the earlier help. We are now in phase II of the project and need to build a more secure network. I had the following questions:
1. For this I was planning to use fakeap to create a large number of fake APs. But I am not able to configure fakeap after spending hours and hours on it. From what I understand, we need to have hostap in order to run fakeap. I wasn't able to configure and install it (I am trying to get this working on Ubuntu and then later, if possible, on OpenWRT on a Linksys WRT54GL). It would be great if anybody out there could guide me or point me to some place where it is clearly explained how to get hostap and fakeap working.
2. If there are any other similar tools out there, please let me know.
3. Advice on how to monitor our wireless network. Using a WIDS? Which WIDS would you guys suggest we use?


-----Original Message-----
From: bLiTz [mailto:blitztrade () yahoo com]
Sent: Wednesday, April 02, 2008 1:47 PM
To: Nico Darrow
Subject: Re: Help for wireless penetration testing game/competition

They want us to break into the network in general and we get points depending on what we do. Yes, ours is not that advanced a course. So we could just cause DoS at all the APs. Getting the file from the server will get us the maximum points. Any idea how we could get to their server? It's running on VMware.

----- Original Message ----
From: Nico Darrow <ndarrow () airdefense net>
To: <blitztrade () yahoo com>; Nico Darrow <ndarrow () airdefense net>
Sent: Wednesday, April 2, 2008 11:58:29 AM
Subject: RE: Help for wireless penetration testing game/competition

EAP-TLS will require u to pen the client to get the certificates and login credentials. If there is no server-side certificate verification then u can MiTM the client and try sniffing the handshake inside the TLS tunnel. Remember with newer EAP, the first handshake is always fake but the real one happens inside the tunnel.

Are u sure they want u to break the EAP-TLS AP? That's a little advanced for a classroom project.


-----Original Message-----
From:  <blitztrade () yahoo com>
To: "Nico Darrow" <ndarrow () airdefense net>
Sent: 4/2/2008 11:01 AM
Subject: Re: Help for wireless penetration testing game/competition


I am sorry, I had to write that in a hurry and didn't really think of explaining it in a better way. Thanks for the quick reply.
1. For this phase we are supposed to leave DHCP on (the competition is in two phases and this network configuration is supposed to emulate an insecure network. In the next phase we are allowed to make changes).
4. No, the EAP method being used is not LEAP. I think they are using EAP-TLS.



----- Original Message ----
From: Nico Darrow <ndarrow () airdefense net>
To:<blitztrade () yahoo com>; "pen-test () securityfocus com" <pen-test () securityfocus com>; wifisec <wifisec () 
securityfocus com>
Sent: Wednesday, April 2, 2008 9:17:10 AM
Subject: RE: Help for wireless penetration testing game/competition

First of all, that was very hard to read and painful.

Things I'd recommend:
1. Your open AP: enable MAC filtering, disable DHCP (set your clients static) and change your subnet. This will prevent them from connecting wirelessly; if they can still plug into your AP via a hardline then ignore this.
2. WEP, easy. If your AP has something called "IP isolation"/"PSPF"/"MU-to-MU disallow", enable this feature; it'll slow them down depending on their level.
3. WPA-PSK: cracking this doesn't require traffic, you need the WPA 4-way handshake that happens when a client associates to the AP. Usually the best way is to DoS a client off the AP (hard and fast). Make sure you target the client specifically and not just do a broadcast deauth; some clients will ignore the broadcast deauth, or it won't be sufficient to force a handshake.
4. EAP, you can bet it's going to be LEAP. Take a look at the asleap tool (google is your friend). If they've set up anything else (RADIUS backend) then you'll have to do a MiTM or client penetration to get certificates and credentials.
5. Client penetration: nmap, nessus, metasploit, scapy. 'nuff said.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
Sent: Tuesday, April 01, 2008 3:35 PM
To: pen-test () securityfocus com; wifisec
Subject: Help for wireless penetration testing game/competition

Hi
I am a student and am taking this course called Wireless Security. As a part of the course the class is divided into two teams and we have to hack each other's wireless networks. It works in two phases. I need help in the first phase.
We have 4 APs:
1. Open access point: the opposite team's access point is in our team's physical location (and ours is in their location). It has DHCP enabled and if needed we can dc it and plug in our client and get on their physical network.
2. WEP AP: We have already cracked their WEP key.
3. WPA-PSK: the problem with getting into this is that for the 1st phase there is no traffic being generated by the other team so we can't deauth it and get the PSK.
4. WPA EAP: Not sure what EAP method they are running.
The network is managed by a Windows Server 2003 running on VMware and there is a PIX firewall and a switch. The server has two files: one hidden and one is the open.

So the task is now to somehow get:
1. Access to the AP which is not open or launch a DoS
2. Get to the server files or corrupt them
We can do the task either wirelessly or through the wired network. We were also able to take one AP out of the network by ARP poisoning using scapy. So I wanted suggestions from you guys out there. I know there are loads of materials out there but we don't have time. So any help will be appreciated.
Thx
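A defender-side illustration for the WIDS question and the targeted-versus-broadcast deauth point raised in this thread, added here and not part of any of the posts: a small detector over constructed 802.11 management-frame records that flags bursts of deauth/disassoc frames per AP and target, and reports a burst aimed at one client just as it reports a broadcast one. The frame records, MAC addresses, window and threshold are all constructed assumptions, not values from the thread.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"          # constructed AP BSSID
CLIENT = "aa:bb:cc:dd:ee:01"      # constructed client MAC

# Constructed sample capture: (time_s, frame_subtype, bssid, destination).
# One lone deauth at t=5 is normal roaming noise; the burst at t=10.x is a
# targeted deauth of a single client (the kind the thread says forces a
# handshake); the burst at t=20.x is a broadcast deauth against every client.
SAMPLE_FRAMES = (
    [(0.0, "beacon", AP, BROADCAST),
     (5.0, "deauth", AP, CLIENT)]
    + [(10.0 + i / 10, "deauth", AP, CLIENT) for i in range(6)]
    + [(20.0 + i / 10, "deauth", AP, BROADCAST) for i in range(6)]
)


def detect_deauth_storms(frames, window_s=1.0, threshold=5):
    """Return one alert per (bssid, target) pair that receives at least
    `threshold` deauth/disassoc frames inside any `window_s` second window.

    Each alert records the kind ('targeted' for a single client, 'broadcast'
    for the all-stations address) and the largest burst size seen.
    """
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps in the window
    alerts = {}
    for t, subtype, bssid, dst in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue              # only disconnect frames are of interest
        q = recent[(bssid, dst)]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()           # slide the window forward
        if len(q) >= threshold:
            kind = "broadcast" if dst == BROADCAST else "targeted"
            alert = alerts.setdefault(
                (bssid, dst),
                {"bssid": bssid, "target": dst, "kind": kind, "count": 0})
            alert["count"] = max(alert["count"], len(q))
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_deauth_storms(SAMPLE_FRAMES):
        print(f"{a['kind']} deauth burst from {a['bssid']} "
              f"to {a['target']}: {a['count']} frames")
```

A single deauth never trips the detector, so the lone frame at t=5 is ignored while both bursts are reported.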





