Setting up a poisoned WIFI hotspot

[BadShovelhead]

This is more suited for the tech forum but this is a Bad Idea.

I'm thinking of what would happen if someone were to configure a laptop or a mini-atx formfactor PC to act as an access point, in a crowded area like an international airport. Most airports have wifi, you just have to pay for it.

The server would have a login / signup page that takes credit cards, at a very competitive rate. It would look legitimate, professional, and have a "Partnered with Paypal" promotion that lets paypal members get $20 cashback to their account if they sign up for a weeks worth of wifi for $5. It doesn't have to make sense, people are greedy and dumb.

Then, after running an algorithm and verifying that the card is legit, they would be passed through to the network and allowed to browse- hopefully signing into paypal as well. Then someone would have access to their card, and their paypal account.

Better yet, it could just decline the card no matter what in the hopes that people try another card, and log the authenticated cards.

With a little work, there's no login that wouldn't be defeated. Just have the server give them a fake page for the login screen, then pass their login details on to the site after they enter them and give them a logged in session if the details work.

All would be stored for later misuse.

Addendum:

There are a number of tools that would let someone completely and totally disrupt all other wifi service in the vicinity, literally forcing people to use the rogue AP.

[maskedwolfpup]

only thing i would wonder is how do you pass them through to the airports network for example? have access to disable the network protections if any exist?

[dudegetalife]

how would you let them get on the internet after they signed up?

good idea btw

[Rory]

VERY good Bad Idea. It's the best I've heard since 2007, honestly. Although I can't advise, I hope to hear more of this.

[Syphilis]

Quote:

Originally Posted by dudegetalife

how would you let them get on the internet after they signed up?

good idea btw

Use a second wireless card to connect to the legitimate network, and share the connections. OK, "share" isn't the best word, but I can't think of a better one.

[kelsokid18]

It is so good to hear it.

[I Kill Null Airtime]

Quote:

Originally Posted by dudegetalife

how would you let them get on the internet after they signed up?

good idea btw

Would it be possible to redirect them to the airport's wifi and use stolen cards to pay to sign in to the airport's wifi?

[Syphilis]

Actually, another idea (again assuming you have a connection to the legitimate network.)

Set up a virtual machine, use one card to create the honeypot wireless network from the VM, and then use internet sharing to share the connection from the other wireless card on the host OS to the virtual machine over the virtualised interface.

[anonym0us]

this is a fantastic idea.
especially if you were able to fake an at&t or t-mobile network or something people trust

[BadShovelhead]

Why bother putting them on a legit network? That just means another layer of crap that you have to make work.

Bombard the existing legit wifi nets to keep dropping their users, and have an error message about the system being offline once they pay and log in. If they ask anyone else who is on the legit net, they'll get the story confirmed.

Otherwise, I guess you could get them online through wifi, by faking an existing hot spot login, waiting for someone to pass a legit login to it, then using that login to provide 1kbps service to the users you put onto your bogus AP, or cracked another wifi if it used WEP, or have an aircard, or an existing land dsl/cable connection.

Thanks for the thanks. I figured it's time to start putting good bad ideas in here again.

ps: http://wirelessdefence.org/Contents/KARMAMain.htm
http://wirelessdefence.org/Contents/Void11Main.htm

Quote:

Void11 Attacks:
Void11 offers three attack mechanisms:

Deauthenticate Clients (default mode):

Floods the WLAN with deauthentication packets - authenticated clients will drop their network connections.

Authentication Flood:

Floods access points with authentication packets (random client MACs), results depend on equipment manufacturer.

Association Flood:

Floods access points with association packets (random client MACs), results depend on equipment manufacturer.

http://en.wikipedia.org/wiki/Linksys_WRT54G_series

[Syphilis]

Aireplay (comes with Aircrack) can also be used to deauthenticate, it's what I usually use, and I'd had plenty of success with it.

[Equinox]

Excellent idea, it's so simple, yet brilliant.

[Syphilis]

Even better, connect to the network, and run Ettercap.

[snuffy]

anyone know how to boost the transmit power of a wifi adapter to above what that max in the settings is?

[Dickhead]

Quote:

Originally Posted by snuffy

anyone know how to boost the transmit power of a wifi adapter to above what that max in the settings is?

What router? I know Tomato firmware allows you to modify the transmit power.

[nostrumfiend]

If you get caught this is almost a guaranteed felony. Airport security is no joke these days.

[kirby]

Wow this is an old scheme; but it needs a revival.

Why would you want to put them on a legitmaite network?
So they don't try to scream for a refund, etc or report it to the Airports IT.

Also alot of airports IT department scan regularly for this and will find you. You'll have better fucking luck going to fucking panera bread or a busy area. Airports will take you down especially if you don't know what you're doing which a majority of people here don't know and want a free script to acomplish this.

#2 if anyone of you are planning on using an rouge AP, how the fuck do you think you're going to power it? ac adapter? good idea but using more then one jack is a bit obvious. Backpacks are #1 things airports look for; specially if someone is deauthnicating users and scrambeling the other networks; you're right then acting as the airports competitor and then right so it wouldn't confuse anyone in the IT. Plus it's not that fucking hard to "tune in" and look for the rogue wireless networks "source".

To the person who said using a virtual machine; you really don't have any idea do you? Why would you run VMware to waste your battery life and lag your system when you can arrange all that thru normal OS options?

It's a good idea, sure but don't label it as "ingenious" people have been doing this and have been caught at it as well as this scheme has been aired on places like fucking CNN and techTV. And for the newbies in this thread who don't even know much about wireless then besides going through menus and clicking connect don't even try to attempt this. you will fail.

Etc. Really alot of misinfomation latley posting on this forum it's a bit depressing.

[BadShovelhead]

I doubt that IT staff in an airport has their shit together that well.

Looking for backpacks? In an airport?

Needle, meet haystack. Let's make it even harder and easier on the attacker for transport:

[kirby]

Quote:

Originally Posted by BadShovelhead

I doubt that IT staff in an airport has their shit together that well.

Looking for backpacks? In an airport?

Needle, meet haystack. Let's make it even harder and easier on the attacker for transport:

IT security has been liven up; how do you think they can activley check whose passport is legit, whose isn't for international flights? how about your boarding pass? how about your identity?

Airports have wireless terminals for this kind of operation; as well as gate boarding, etc. As well as other wireless terminals for whatever operations they need, hell theres even IP cameras from Pelco which operate off wireless and report the images they see via wirelessly.

Since you don't know the numbers of "Civilans" which are just using the wireless for leisure, checking emails..etc it's a bit impossible to limit this as airport internal services (sad to say pathetic) may also be using the same network; therefore it can be seen as an internal attack on the infrastructure of the airport, and an in and out attack of airport security with no "target" known for them. therefore they will take the retroactive apprach and will isolate the area which this "rogue" signal is coming from and then take a more hands on approach. Wireless signal can be "Triangulated" in a sense by using netstumbler and looking for signal intergerity for a crude; very crude example.

I used to have several documents of Airport IT security and it's services; I would love to have posted them but I've lost them. But I can cite to you IT security has taken a untrivial turn and locked down most of this. It can still be done; but you better make sure you don't attack other services in the airport. etc etc.

I would be more happy to help ya if ya need info via pm.

[BadShovelhead]

I'm not saying it isn't possible, but the only service being interfered with would be third party commercial wifi access. Airports don't operate their own wifi, at least in my experience. Sometimes they have an "official" blanket signal, but it's just a branded third party provider.

There's directional wifi guns but they're not exactly common or cheap. I can't really see the TSA running around with netstumbler to ghetto triangulate.

The stuff like passport and boarding pass authentification is all RFID, if it's operational at all. Not 802.1b.

[Crashwangdoodle]

I came across a scam like that a couple of years ago in india. This would work in any other country as long its not africa/asia etc. Anyway my dad was like fuck no, im not falling for some scam like that. Then he aptly pointed out that there was a different company (TATA) which had a kiosk where you payed cash so i used that. But I think you idea will work wonders with those fucking Amrikans

[kirby]

Quote:

Originally Posted by BadShovelhead

I'm not saying it isn't possible, but the only service being interfered with would be third party commercial wifi access. Airports don't operate their own wifi, at least in my experience. Sometimes they have an "official" blanket signal, but it's just a branded third party provider.

There's directional wifi guns but they're not exactly common or cheap. I can't really see the TSA running around with netstumbler to ghetto triangulate.

The stuff like passport and boarding pass authentification is all RFID, if it's operational at all. Not 802.1b.

Passports infomation is transmitted to the reciver via RFID; then how do you think it's verified? It's usually transmitted via wired network + encrypted or over wireless + encrypted..etc. The problem is no encryption is 100% uncrackable.

Airports need to protect their infomation; a IT budget for moderate/big airports are quite huge and are in the hundred thousand range, a wifi "gun" would be no exception. Plus each airport has FBI and other goverments usually on site for funfun detection. usually all the hard work will be done by the IT staff; then handed off and it'd become an affadavit and evidence then the goverment officals do their job.

I never said it's possible; I'm just letting you know the risks of this stuff.

[Syphilis]

Quote:

Originally Posted by kirby

To the person who said using a virtual machine; you really don't have any idea do you? Why would you run VMware to waste your battery life and lag your system when you can arrange all that thru normal OS options?

You would have to use a VM if there are no drivers for your OS for one of the wireless cards (and you wanted to use a setup with two cards.)

It would still be easier and far harder to track if you just connected to the wireless network in the first place, and used ARP poisoning and Ettercap to sniff the traffic. I'd assume airport wireless networks would use WEP for compatibility.

[kirby]

Quote:

Originally Posted by Syphilis

You would have to use a VM if there are no drivers for your OS for one of the wireless cards (and you wanted to use a setup with two cards.)

It would still be easier and far harder to track if you just connected to the wireless network in the first place, and used ARP poisoning and Ettercap to sniff the traffic. I'd assume airport wireless networks would use WEP for compatibility.

Eh; IMO I would avoid wireless cards that you don't have driver for or at the very least NDIS wrapper if you're on linux. Any other os: good luck.

sniffing the traffic is different then what the op is intending for; but can be done in a way to twist it for the op.

As for compability; AP's are of course no security, while any underlying systems will be under WEP or WPA depending on the severity or security.

[Neiromaru]

Regardless of how good an airport's IT department might be, if you are caught you would most likely get in serious shit, you're essentially attacking an airport here, the cops aren't going to go easy on you.

Plus i figure you could get a similar sized audience at say a big city starbucks, or a motel that offers paid wireless. With the added benefit of being able to run the network from outside, and not having to get your gear through airport security.

[BadShovelhead]

Quote:

Originally Posted by Neiromaru

Regardless of how good an airport's IT department might be, if you are caught you would most likely get in serious shit, you're essentially attacking an airport here, the cops aren't going to go easy on you.

Plus i figure you could get a similar sized audience at say a big city starbucks, or a motel that offers paid wireless. With the added benefit of being able to run the network from outside, and not having to get your gear through airport security.

Airport security?

No, no. You do this in the lobby areas, where everything is concentrated, instead of past the security area where it's split up by gate.

I mean, if you're flying, might as well do it everywhere, but no need to go thru security. People who have been to ATL know what I mean.

[maskedwolfpup]

don't forget you could just try and capitalize off peoples greed also, setup a free wifi access point and then figure out how to phish information out of them or whatever. setup a phising page to grab their email passwords, stuff like that?

I'm picturing a page like welcome to <airport here!> wanna check your email? and put a bunch of different email providers on the page to lure them in into a trap of using your page versus going to www.gmail.com or something

[Neiromaru]

Quote:

Originally Posted by BadShovelhead

Airport security?

No, no. You do this in the lobby areas, where everything is concentrated, instead of past the security area where it's split up by gate.

I mean, if you're flying, might as well do it everywhere, but no need to go thru security. People who have been to ATL know what I mean.

ah, sorry, i see what you mean. that would be safer but i hardly ever see more than a few people using their computers there, they usually wait until they get to their gate. Though i supose if you just got a powerful enough broadcast that wouldn't make a difference.

I think my point still stands however that it would be safer, and probably more profitable to do this in say one of those big multi-level coffee shops.

[BadShovelhead]

A coffee shop would be just as good if it had a ton of traffic.

It would be entirely possible to saturate an entire downtown area with a few repeater APs.

[The Cheshire Cat]

Psh, you don't even need to give a fake page to deny the card. Maybe deny the card once then grant them access when they go back and reenter in the information (they will most likely think they fucked up on a number). Thing is you don't have to pay for the wifi because you could just DNS tunnel and route people through to the actual WIFI point that you're exploiting. It's win/win. You route people through, and they have no idea that they just gave up their information.

I'd also like to add that because they are connecting through you, you could have passwords to emails, bank accounts and other great stuff. The sky is the limit when they are sending traffic through you.

[Dfg]

Quote:

Originally Posted by Expl0itz

Psh, you don't even need to give a fake page to deny the card. Maybe deny the card once then grant them access when they go back and reenter in the information (they will most likely think they fucked up on a number). Thing is you don't have to pay for the wifi because you could just DNS tunnel and route people through to the actual WIFI point that you're exploiting. It's win/win. You route people through, and they have no idea that they just gave up their information.

I'd also like to add that because they are connecting through you, you could have passwords to emails, bank accounts and other great stuff. The sky is the limit when they are sending traffic through you.

Actually this. But considering the tools available nowadays to common folks i think you just might get raped btw the airport security or the guy who is running the AP already might pose a bigger problem then you thought.

I would be constantly keep an eye out on my Wifi network if i was the guy running the AP in the first place. and if some unknown AP gets online i would take appropriate action, Also watch out for CCTV cams and what will happen if you get caught?

Good luck btw but i would advise extreme caution.