Monday, August 01, 2011

Observations On Evil Access Points

This is not a HOWTO. There are gazillions of those on the Interwebs, which is how I got started into this. BT5's intro in April really boosted the interest in wireless hacking, especially considering Vivek Ramachandran's Megaprimer on SecurityTube, which leveraged the fuck out of BT5.

This brings me to my first observation: it only works on BT5. Now, before you protest and tell me about your wonderful experience with Aircrack-ng on Ubuntu or Fedora, let me explain. I've done a lot of custom kernels in my time chasing new features in netfilter only to find that I broke something else that ran just fine with a stock distro kernel. Mea culpa.

The first thing I bumped up against was a kernel bug that sets the WiFi channel to 255 when you try to create an access point with airbase-ng. This doesn't happen with BT5's "2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux" kernel, so stick with BT5. I hope it doesn't break in BT5 R1.

Another curiosity: BT5's implementation of wicd can't see access points made with airbase-ng. This is what I get (entry at top is the evil access point):

I haven't found a work-around for that, but Windows 7 sees the AP just fine, as does NetworkManager in Linux Mint LXDE.

Which brings up another point: do not try to make an access point on any box that uses NetworkManager! Personally, I despise NetworkManager, and generally remove it whenever possible. I learned this from the Mint box, so stick with BT5.

The Mint box did surprise me as a client, though. Evidently ndiswrapper has come a long way since the last time I used it (2006? 2007?). There's even a GUI, ndisgtk, for painless installation of drivers.

If you can find them. Case in point: the NetGear WG111v1 wireless USB NIC I've had since 2005. I knew I had the drivers somewhere, but I thought it would be quicker to hit NetGear's site to download them. Nope. No way am I going to register with a company I have no intention of ever doing business with again. But luckily I found the original drivers buried deep on a dusty old hard drive. I installed the drivers and the damned thing actually worked. I never got that damned thing to work on Linux before! It's not perfect and a lot of features just aren't there, but for basic functionality in a pinch you can't beat it.

Which brings up another observation: there's no ndiswrapper in BT5. You can download all the tools, but the kernel module isn't there (I had the exact same problem with JFS in BT4). You really wouldn't want it for making an AP, but if you're short a NIC, ndiswrapper would be nice to have around. If they do add support for ndiswrapper and you need it, you're stuck in 32-bit land, which is not always a bad place to be.

Eventually I had three useless access points hanging off my BT5 laptop. Useless because I didn't have a DHCP server. ISC's dhcp3d is fine, but I settled on udhcpd because it's simpler and it's in BT5's software repository.

Here comes another observation: udhcpd is broken. Well, that's not entirely true. The manual page is broken. The date on the man page is "2001-09-26", so that should be a dead giveaway that it just ain't right. It states that "option namesvr" is the setting for DNS in the config file but oddly... it doesn't work! A quick Google search and you'll find the real setting is "option dns". As long as you take the man page with a grain of salt you'll be OK.

Another "gotme" was the "subnet" line in the config file. The man page says:

subnet ADDRESS

But they meant...

subnet MASK

Jeez. Woe betide the literal-minded. "" is not an "address", people!
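As an added check (not from the original post), this Python script lints a udhcpd.conf for the two man-page traps just described, "option namesvr" and a "subnet" line carrying an address instead of a mask, and also verifies that the start/end pool lies inside the network the router and mask define. The keywords are real udhcpd.conf syntax; both sample configs are constructed.

```python
import ipaddress

# Constructed sample, written exactly as the outdated man page suggests.
MANPAGE_CONF = """\
start 192.168.7.20
end   192.168.7.254
option subnet 192.168.7.0     # man page says ADDRESS
option router 192.168.7.1
option namesvr 192.168.7.1    # man page says namesvr
"""
# Same scope using the settings udhcpd actually honours (constructed).
FIXED_CONF = MANPAGE_CONF.replace("subnet 192.168.7.0", "subnet 255.255.255.0") \
                         .replace("option namesvr", "option dns")

def parse_udhcpd_conf(text: str) -> dict[str, str]:
    """Return {keyword: value}; an 'option'/'opt' prefix is dropped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in ("option", "opt"):
            parts = parts[1].split(None, 1)
        if parts:
            settings[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return settings

def lint_udhcpd_conf(text: str) -> list[str]:
    """Return the problems found; an empty list means the config looks sane."""
    cfg = parse_udhcpd_conf(text)
    problems: list[str] = []
    if "namesvr" in cfg:
        problems.append("'option namesvr' is ignored; udhcpd wants 'option dns'")
    elif "dns" not in cfg:
        problems.append("no 'option dns': clients get no resolver")
    if "router" not in cfg:
        problems.append("no 'option router': clients get no default gateway")
    mask = cfg.get("subnet", "")
    try:
        # IPv4Network takes a mask (or hostmask) here, never a plain address
        if str(ipaddress.IPv4Network(f"0.0.0.0/{mask}").netmask) != mask:
            raise ValueError
    except ValueError:
        problems.append(f"'subnet {mask}' is not a netmask such as 255.255.255.0")
        return problems
    if "router" in cfg:
        # start/end must sit inside the network the router and mask define
        scope = ipaddress.IPv4Network(f"{cfg['router']}/{mask}", strict=False)
        for key in ("start", "end"):
            if key in cfg and ipaddress.IPv4Address(cfg[key]) not in scope:
                problems.append(f"{key} {cfg[key]} lies outside {scope}")
    return problems
```

Run `lint_udhcpd_conf(open("/etc/udhcpd.conf").read())` against a real file; the man-page-literal sample yields two complaints, the corrected one none.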

Oh, and speaking of man page fuck-ups, the airbase-ng option for the BSSID is not --bssid or -b, it's -a! Fucking -a! -b and --bssid do nothing. That was a real WTF moment. I quote the man page:

If the BSSID is not explicitly specified by using "-a <bssid>", then the current MAC of the specified interface is used.

-b and --bssid are "Filter Options", which are never clearly explained in the man page. Some HOWTOs out there make the same mistake, so beware.

So much for RTFM.

You need to assign an address to the atx adapter airbase-ng pulls out of its ass and make that the gateway ("option router"), enable IP forwarding in the kernel and set up iptables to forward everything from your DHCP scope out to the Internet.

Once you have all that in place, you're ready to rock and/or roll. The first thing you'll notice is it's a damn slow access point. But it gets the job done.

Put everything into scripts so it'll all be there when you need it. I would hate to have to do this cold on a spur of the moment assignment. Your victim/suspect would drink his coffee and be out the door before you got your first packet.


  1. Anonymous, 12:55 PM

    You seem to be pretty smart with BT5, maybe you can help me out with wicd?? I can sometimes see wireless networks and sometimes not :-/. I have tried tutorial after tutorial and I cannot get an answer. I have been running airodump for a lil while now and I have noticed that it scans the channels and picks up nearby APs and then all of a sudden they disappear. I am running on a Sony Vaio VGN-N320E. Could it be a driver issue? And if so, where is the repository for the wireless drivers? Thanks in advance :-)

  2. I would suspect a driver issue as well. Personally, I prefer wireless NICs based on Ralink chipsets, at least the older ones. Intel NICs seem to work well, too.

    And I would go with a 32-bit version of BT5 just to keep things simple.

    BT5r1 came out last week. You might want to check it out, but frankly I don't see a huge difference or improvement over "BT5r0".