Originally Published: April 10th, 2016
I was doing an assessment recently on a piece of hardware and I wanted to sniff the traffic leaving the device over it's wireless interface. In the office we have networking equipment available that would allow me to just capture this traffic off a local switch or router using tcpdump
. This assessment was being done on-site in the client's office though, so that wasn't an option this time around. I decided that the quickest, easiest and least intrusive way to get to the devices wireless traffic would be to setup a wireless access point in Kali and then sniff the traffic as it came across.
I always keep an Alfa Wireless Adapter in my bag. It's a great, cheap adapter that supports promiscuous mode in Linux. I picked a couple up a while ago when I started playing around with mana (which is a great way to set up an EvilAP attack by the way). The basic setup looks like this:
Connect the laptop to the network the device would normally connect to
Plug in the Alfa adapter and pass the USB connection through to the Kali VM
Make sure the Kali VM's network adapter is in bridged mode so it's connected directly to the devices WLAN.
You'll need to figure out what interface the Alfa adapter is showing up as. You can do this by running ifconfig -a
. You'll also need to make sure that the network-manager service isn't managing this interface (it'll cause issues later), you can do that by adding the adapters MAC address to /etc/NetworkManager/NetworkManager.conf
with a line that looks like:
[keyfile]unmanaged-devices=mac:xx:xx:xx:xx:xx:xx
Later in this setup, we'll be giving an IP address to this interface. I ended up using 10.0.0.1
which you will see referenced in the config files below.
Hostapd is used to create access points in Linux. On kali, it can be installed with apt-get install hostpad
Configuration is simple, below is what I ended up using. You'll have to update it to point to the proper interface. The nl80211 driver seems pretty universal. Save this config to hostapd.conf
interface=wlan0driver=nl80211ssid=Monitor-Networkchannel=1macaddr_acl=1accept_mac_file=./allowed_macslogger_syslog=-1logger_syslog_level=2
This config will set up an open wireless access point named "Monitor-Network". While it's certainly not bullet proof, for the purposes of this assessment I just used MAC filtering to make sure no other devices joined the SSID while I had it up. MAC filtering is handled by a white list of MAC addresses stored in allowed_macs
. The contents of the file is just one MAC address per line.
Dnsmasq is going to act as our DNS and DHCP server, it can be installed with apt-get install dnsmasq
. This is another super simple service with an easy to understand config file. Below is what I used, it defines a DHCP range, sets the router and DNS servers as 10.0.0.1 (options 3 and 6) and sets our upstream DNS server to one of Google's public DNS servers (server=8.8.8.8
).
Edit as needed and save the file as dnsmasq.conf
interface=wlan0dhcp-range=10.0.0.10,10.0.0.100,8hdhcp-option=3,10.0.0.1dhcp-option=6,10.0.0.1server=8.8.8.8log-querieslog-dhcp
When we start dnsmasq, we're also going to tell it to use a dns_entries
file for local DNS resolution in addition to the contents of /etc/hosts
. This dns_entries
file is in the format of "[dns name] [ip address]" much like /etc/hosts
.
I'm lazy, so I script out anything I'm going to do more than once. Below is the script I wrote for actually setting up the access point. Some things to note:
OUTPUT_DEVICE
is the device that's connected to the network you're sending traffic out to. For example, the interface that's connected to the internet or, in the case of this assessment, the interface that was connected to the corporate network.
This file is where we set the IP address for our monitoring interface (ifconfig $MONITOR_DEVICE..
)
The iptables
rules set up NATing so that traffic can come in the MONITOR_INTERFACE
and out the OUTPUT_INTERFACE
.
The script starts an instance of tshark
listening on the monitoring interface and dumping packets out to output.pcap
. This pcap file will be overwritten every time the script is run so make sure to save it if you need it.
#!/bin/bash​MONITOR_DEVICE=wlan0OUTPUT_DEVICE=eth0​# Catch ctrl c so we can exit cleanlytrap ctrl_c INTfunction ctrl_c(){echo Killing processes..killall dnsmasqkillall hostapd}​ifconfig $MONITOR_DEVICE 10.0.0.1/24 updnsmasq -C dnsmasq.conf -H dns_entriessysctl -w net.ipv4.ip_forward=1iptables -P FORWARD ACCEPTiptables --table nat -A POSTROUTING -o $OUTPUT_DEVICE -j MASQUERADEhostapd ./hostapd.conf -Btshark -i $MONITOR_DEVICE -w output.pcap -P
Once started, you should see a new SSID named "Monitor-Network" and you should see any traffic on that network come across tshark. Ending the script with ctrl + c
will kill the dnsmasq and hostapd processes. If for some reason the script ends without ctrl + c
, you will have to kill those processes manually.
Most of this was lifted from this great article on setting up APs in Kali. I made some tweaks to the configs and wrote a script, but that's about it.
When I was going through this, I kept running into issues with hostapd not grabbing the interface properly. This answer on AskUbuntu helped with getting the interface omitted from Network Manager.