
I want to try something out, but I wanted to see other opinions from you guys.

What I have:

  • WLAN access point with WPA2, ESSID: testing. It is a home router; I can change the configuration and everything on it.

  • Windows computer (victim);

  • BackTrack computer (attacker).

The BackTrack computer has 2 wireless cards: one built-in, and a USB wireless adapter.

The Windows computer is connected to the AP from its own wireless card. The BackTrack computer is connected to the AP on wlan0 (wlan1 is the USB adapter).

Is it possible, if I change my wlan1 MAC to the AP MAC, to make a fake access point with the AP MAC and also the same ESSID? Before creating my fake AP, I can change the ESSID of the router from "testing" to something else, use the original ESSID on my fake AP, and also set a WPA2 passphrase, the same one that the original AP had.

What will Windows do?

Will it connect to my fake AP, since I have the MAC, ESSID, and same WPA2 password?

Adi

user1461166

2 Answers


What you are thinking of doing is incredibly similar to an existing attack known as the karma attack, made popular by the super fun WiFi Pineapple.

The basic principle behind the attack is for the attacker to set up an AP that responds to the wireless probe packets clients send out when attempting to connect to a previously trusted AP. By responding to each individual packet on an individual basis, the attacker can force the client to connect to their rogue AP.

When combined with a deauthentication attack, this is an incredibly effective tool for performing MITM attacks.

davidtbernal

  • Yep, you're right, the deauthentication attack should also work on the Windows machine, but it has to connect to my fake AP before it connects to the real one. – user1461166 Oct 03 '13 at 13:19
  • @user1461166 Deauth works when a system has connected to the 'real' AP. – schroeder Oct 04 '13 at 15:39

By spoofing both the MAC and the ESSID of the router, there would be no easy way for a client to tell the difference between you and the router. The client could connect to you in which case you would have full control of data between the client and the internet.

The one problem with this idea is that if your MAC and ESSID are identical, the router will respond to the client probes as well. This may create a race condition for the authentication of the client. If both the AP and the fake AP respond simultaneously, it could keep the client from connecting to either, or at the very least lower the chance of the attack succeeding.

Keep in mind, though, not all software checks to see if the MAC has changed before connecting to a network. It is possible that if you sent deauth packets to the main AP, you could bump off the client so they authenticate to your fake AP instead, even if you are using a different MAC.

hololeap
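Both answers describe what the attack looks like from the air: a second transmitter advertising the victim's ESSID (with either a different MAC, or the real BSSID spoofed and therefore seen on a second channel), and a burst of deauthentication frames to push the client off the real AP. The following detection sketch is an added example and not code from either answer or from any tool named in the thread. It works over management-frame observations that have already been decoded into Python records; the frames, the inventory of legitimate BSSIDs (`KNOWN_APS`), and the `window`/`threshold` values are all constructed for the example.

```python
"""Passive evil-twin and deauth-flood detection over decoded 802.11 management frames.
All records below are constructed for illustration; nothing here is captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str      # transmitter MAC address of the AP
    essid: str      # advertised network name
    channel: int
    security: str   # capability summary, e.g. "WPA2-PSK"


@dataclass(frozen=True)
class Deauth:
    t: float        # seconds since capture start
    bssid: str      # BSSID the frame claims to come from
    client: str     # destination station


# Hypothetical inventory of legitimate APs: ESSID -> set of allowed BSSIDs (constructed).
KNOWN_APS = {"testing": {"00:11:22:33:44:55"}}

# Constructed observations: the real AP on channel 6, a twin with its own MAC on
# channel 11, and a twin that also spoofs the real MAC but transmits on channel 1.
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:55", "testing", 6, "WPA2-PSK"),
    Beacon("00:11:22:33:44:55", "testing", 6, "WPA2-PSK"),
    Beacon("66:77:88:99:aa:bb", "testing", 11, "WPA2-PSK"),
    Beacon("00:11:22:33:44:55", "testing", 1, "WPA2-PSK"),
    Beacon("de:ad:be:ef:00:01", "guest", 6, "OPEN"),
]

# Constructed deauth frames: 40 frames in four seconds claiming to be the real AP
# (a flood), plus a single frame from another BSSID (normal roaming noise).
SAMPLE_DEAUTHS = (
    [Deauth(0.1 * i, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff") for i in range(40)]
    + [Deauth(5.0, "66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:ff")]
)


def find_rogue_aps(beacons, known_aps):
    """Return alerts for a monitored ESSID advertised by a BSSID outside the inventory
    ('unknown-bssid'), and for one BSSID seen with more than one channel/security
    combination ('bssid-conflict'), which is how a MAC-spoofing twin on another
    channel shows up to a passive listener."""
    by_essid = defaultdict(set)   # essid -> bssids seen advertising it
    by_bssid = defaultdict(set)   # bssid -> (channel, security) variants seen
    for b in beacons:
        by_essid[b.essid].add(b.bssid)
        by_bssid[b.bssid].add((b.channel, b.security))

    alerts = []
    for essid, bssids in sorted(by_essid.items()):
        allowed = known_aps.get(essid)
        if allowed is None:
            continue  # ESSID we do not manage; nothing to compare against
        for bssid in sorted(bssids - allowed):
            alerts.append(("unknown-bssid", essid, bssid))
    for bssid, variants in sorted(by_bssid.items()):
        if len(variants) > 1:
            alerts.append(("bssid-conflict", bssid, sorted(variants)))
    return alerts


def deauth_floods(frames, window=10.0, threshold=20):
    """Return BSSIDs that sourced more than `threshold` deauth frames inside any
    `window`-second span, using a sliding window over per-BSSID timestamps."""
    per_bssid = defaultdict(list)
    for f in sorted(frames, key=lambda f: f.t):
        per_bssid[f.bssid].append(f.t)

    flagged = set()
    for bssid, times in per_bssid.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1          # drop timestamps that fell out of the window
            if end - start + 1 > threshold:
                flagged.add(bssid)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for alert in find_rogue_aps(SAMPLE_BEACONS, KNOWN_APS):
        print("ALERT", alert)
    print("deauth flood claimed from:", deauth_floods(SAMPLE_DEAUTHS))
```

The `bssid-conflict` check is the one that catches the exact scenario in the question: with the real MAC copied, nothing in the beacon distinguishes the two transmitters, but a single radio cannot beacon on two channels, so the same BSSID appearing on channels 1 and 6 is itself the signal. The thresholds are deliberately simple; in a real deployment they would be tuned against the site's normal roaming and deauth rates.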