Introduction
In pentests, connecting devices to a network you control can be very useful. It allows you to analyze the network traffic and to use a transparent proxy to intercept and inspect the data transmitted between the devices and their servers. This approach helps find potential security weaknesses in applications and in their network communication.
To make this process easier, I created a script that starts a new WiFi network which can be used to analyze the network traffic of the connected clients.
Script
The script can be found on GitHub: 802.11evil. The usage of the script is explained in the help and is quite simple:
$ ./802.11evil -h
Usage: 802.11evil [OPTION ...]
Program:
Create evil WiFi access point.
Options:
-l LAN interface (default: eth0)
-a Access Point interface (default: wlan0)
-i Access Point IP address (default: 192.168.42.1)
-s Access Point SSID (default: 802.11evil)
-p Access Point password (default: password)
-r Redirect on/off (default: off)
-f Redirect ports from (default: 80,443)
-t Redirect ports to (default: 8080)
Example Usage
Before the script can be started, the infrastructure has to be set up correctly. One network interface of your notebook has to be connected to an upstream network (e.g. a network with Internet access) and the other network interface should be an unused WiFi interface that will be used to serve the new WiFi network.
Example command:
sudo ./802.11evil -l eth1 -a wlan1 -s mywifi -p hunter2 -f 80,443,8443 -r
Explanation:
- The command must be run as root, because the network configuration is changed and services are started on privileged ports.
- The notebook is connected to an upstream network with Internet access on the interface eth1.
- The unused WiFi interface wlan1 will be used to create the new WiFi network.
- This command creates a new WiFi network with the name mywifi and the password hunter2.
- Redirection is switched on with -r: all traffic from the connected clients to the ports 80, 443 and 8443 is redirected to port 8080 on the testing notebook.
- On this port, a transparent proxy is running (like Burp Suite or mitmproxy) which can be used to intercept the network traffic. For this, the proxy CA has to be installed on the clients (or the applications to be tested must be hooked in order to bypass TLS certificate verification).
- Alternatively, a tool like certmitm could be used to test whether the clients verify certificates correctly at all.
The script will now automatically configure the network interfaces using the ip command, enable IP forwarding using sysctl and configure NAT using iptables, so that the notebook acts as a router and the clients can access the upstream network. To redirect the ports to the transparent proxy, iptables is used as well. To assign IP addresses to the clients via DHCP and to resolve hostnames via DNS, dnsmasq is used. The WiFi hotspot is created using hostapd. All configuration is done within the script and no external configuration file is required.
When the job is done, the script can be terminated using ^C (Ctrl-C). This will stop all started services and restore the previous configuration of the IP addresses, the iptables firewall and IP forwarding.
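The following shell snippet is an added example that shows the individual building blocks the script automates; it is not the 802.11evil script itself. It generates a hostapd and a dnsmasq configuration, the ip/sysctl/iptables commands that turn the notebook into a NAT router, the REDIRECT rules for the transparent proxy, and the matching cleanup commands. Interface names, subnet, SSID, password, channel and ports are assumptions taken from the example above and can be overridden via environment variables. The commands are printed rather than executed, so they can be reviewed before running them as root.

```shell
#!/bin/sh
# Added example, not the 802.11evil script: building blocks of an evil WiFi AP.
# All values below are assumptions (from the example in the post) and can be
# overridden in the environment, e.g. SSID=lab AP_IF=wlan0 sh evil-ap.sh show
LAN_IF=${LAN_IF:-eth1}          # upstream interface with Internet access
AP_IF=${AP_IF:-wlan1}           # unused WiFi interface that serves the AP
AP_IP=${AP_IP:-192.168.42.1}    # AP address; clients get .10-.100 via DHCP
SSID=${SSID:-mywifi}
PSK=${PSK:-hunter2}             # WPA2-PSK passphrase (8-63 characters)
FROM_PORTS=${FROM_PORTS:-80,443,8443}
TO_PORT=${TO_PORT:-8080}        # port of the transparent proxy
SUBNET=${AP_IP%.*}              # e.g. 192.168.42

# hostapd configuration: WPA2-PSK with CCMP on 2.4 GHz channel 6 (assumed).
gen_hostapd_conf() {
    cat <<EOF
interface=$AP_IF
driver=nl80211
ssid=$SSID
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=$PSK
rsn_pairwise=CCMP
EOF
}

# dnsmasq configuration: DHCP on the AP interface only, the AP is the
# default router and DNS server of the clients (DNS is forwarded upstream).
gen_dnsmasq_conf() {
    cat <<EOF
interface=$AP_IF
bind-interfaces
dhcp-range=$SUBNET.10,$SUBNET.100,255.255.255.0,12h
dhcp-option=option:router,$AP_IP
dhcp-option=option:dns-server,$AP_IP
EOF
}

# Commands that make the notebook a NAT router between AP_IF and LAN_IF.
gen_router_cmds() {
    cat <<EOF
ip addr flush dev $AP_IF
ip addr add $AP_IP/24 dev $AP_IF
ip link set $AP_IF up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE
iptables -A FORWARD -i $AP_IF -o $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $AP_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# One REDIRECT rule per port, bound to AP_IF so only client traffic is
# diverted to the transparent proxy; the notebook's own traffic is untouched.
gen_redirect_cmds() {
    for p in $(printf '%s' "$FROM_PORTS" | tr ',' ' '); do
        echo "iptables -t nat -A PREROUTING -i $AP_IF -p tcp --dport $p -j REDIRECT --to-ports $TO_PORT"
    done
}

# Cleanup: remove exactly the rules added above (-A becomes -D) and disable
# forwarding again, so the notebook no longer routes or redirects anything.
gen_cleanup_cmds() {
    gen_redirect_cmds | sed 's/ -A / -D /'
    gen_router_cmds | grep '^iptables' | sed 's/ -A / -D /'
    echo "sysctl -w net.ipv4.ip_forward=0"
    echo "ip addr flush dev $AP_IF"
}

# Print the complete plan; review it, then run the parts as root.
show_plan() {
    echo "### hostapd.conf";  gen_hostapd_conf
    echo "### dnsmasq.conf";  gen_dnsmasq_conf
    echo "### setup";         gen_router_cmds; gen_redirect_cmds
    echo "### cleanup";       gen_cleanup_cmds
}

[ "${1:-}" = "show" ] && show_plan
```

Run `sh evil-ap.sh show` to print the plan. With the generated files saved as hostapd.conf and dnsmasq.conf, `hostapd hostapd.conf` and `dnsmasq -C dnsmasq.conf` start the access point and the DHCP/DNS service, and the proxy on TO_PORT must run in transparent mode (for mitmproxy: `mitmproxy --mode transparent --listen-port 8080`). Binding the REDIRECT rules to the AP interface is the check worth keeping: a rule without `-i` would also divert the notebook's own upstream traffic.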
References
- NAT using iptables: https://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-9.html
- hostapd: https://w1.fi/
- Dnsmasq: https://thekelleys.org.uk/dnsmasq/doc.html
- Burp Transparent Proxy: https://portswigger.net/burp/documentation/desktop/tools/proxy/invisible
- Certmitm: https://github.com/aapooksman/certmitm