Access Point Hijacking

Access Point Hijacking... what the heck is this, you ask? Well, I'm not entirely sure the name fits exactly; I only came up with the concept this afternoon.

I've been playing about and experimenting with wireless lately - a couple of access points, multiple chipset cards and various antennas, to be exact... and it got me thinking (bear with me on this).

The following is going to sound very off-topic, but trust me, it does have a connection.

Pirate radio stations work by some k-rad garage MC setting up a fairly powerful transmitter and broadcasting illegally on the FM band. Now, the word 'powerful' means everything. Imagine this scenario. Mr Bob (not Marley) is sitting at home listening to his local classical radio station on 93.4 FM. MC Kiddie-Viperfoo decides he wants to blast out some "tunnnnessss" for his posse. He grabs a transmitter off eBay with his mum's credit card and asks his friends who are studying GCSE Electronics at school to solder it up for him. Now he's sorted and ready to go. He jumps in his Nova and parks up the road from Mr Bob, where all his posse hang out. He hooks it up to his car battery and starts transmitting on 93.4 FM. Meanwhile, Mr Bob's Mozart suddenly turns into the jungle remix of Ready or Not by the Fugees. Mr Bob makes a remark about the BBC abusing his licence fee and turns the radio off.

Now... lovely story I know but this does have a meaning.

Why was Mr Bob's radio transmission interrupted? Well, 93.4 FM is the frequency legally used by the classical radio station he was listening to. Its transmitters are sited locally and/or regionally (depending on the size of the radio station). Either way, there is a base station or transmitter local to Mr Bob transmitting on 93.4 FM. Now, MC Kiddie-Viperfoo was up Mr Bob's road and was also transmitting on this frequency. However, MC Kiddie-Viperfoo's signal 'appeared' more powerful than the classical radio station's signal. I say 'appeared' because in absolute terms it obviously isn't, but in the context of 'Mr Bob', 'classical radio station' and 'MC Kiddie-Viperfoo' it is. This is because a new entity is brought into the equation: distance!

Radio waves lose strength and pick up noise over distance and go to shit. MC Kiddie-Viperfoo was nearer to Mr Bob than the radio station was, so his radio waves had less distance to travel to reach Mr Bob's receiver. The illegal transmitter overpowered the legal one for a very small area (Mr Bob's street).

Now this got me thinking as I was putting another piece of ham into my mouth. This isn't all that different to wireless you know... and maybe I can apply the same concept.

I know software such as HostAP, FakeAP, etc. already exists to impersonate access points and to send de-auth packets, but this is a bit different. We are not going to send any packets to, nor connect to, their access point. What we do is essentially along the same lines; however, we are going to overpower their access point's signal rather than trying to get the client to connect to a pre-defined access point in its preferred list (see HostAP/FakeAP, etc.).

This is how the concept works.

Bob is sitting downstairs surfing the internet on his laptop, which is communicating with his wireless access point upstairs. His wireless access point (with an ESSID of "BAH") is a bog-standard one, so it has an internal antenna, or maybe an external one of, say, ~5dBi. If we are near enough to Bob's house it is possible to pick up Bob's access point. I say 'pick up' because by default it will probably be sending out beacons to let clients know it's alive. Even if it's not sending out beacons we can still find it with something like Airodump, by looking at unassociated devices, or even by sniffing raw packets with Ethereal.

Anyhow, let's assume we can see the "BAH" access point from outside Bob's house. Between Bob sitting downstairs and his access point upstairs the signal is picking up noise and will drop slightly. Imagine we are sitting near Bob's house with an access point of our own. We set the ESSID of our AP to "BAH", attach an 18dBi yagi antenna to it and aim it at Bob's house. Suddenly the original "BAH" access point's signal is drowned out and our new "BAH" is the one Bob's laptop picks up. We make sure WEP/WPA and any kind of MAC filtering are off, just to make it all work out fine. Bob's laptop is now associated with our access point. Forward packets onto another interface and off to the internet and Bob wouldn't even know the difference. It would then be entirely possible to sniff the connection, not to mention get full access to Bob's laptop shares, etc., which the firewall on his own access point would usually block from the outside.

Wait! This wouldn't work, I hear you say... Bob's laptop would only connect to the "BAH" access point if it had the same MAC address. Nope - wrong! Windows XP doesn't enforce this or even check it... it goes on the ESSID alone, nothing else... madness! Even if it did, that wouldn't be much of a problem: hacking the firmware of our access point and changing its MAC address would only take a few minutes and be trivial. Also, even if Bob's original access point had WEP/WPA, that wouldn't be an issue if our new access point has it off. XP doesn't complain that WEP/WPA has suddenly been turned off; it'll connect happily.
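Since the whole trick relies on the client keying on the ESSID alone and happily taking a BSSID it has never seen with the security stripped off, the check a practitioner wants is on the air: watch the beacons. The following Python is an added example, not code from the original post. It builds a few constructed beacon frames, parses them the way a monitor-mode sniffer would, and flags an SSID advertised by two BSSIDs where the stronger one has dropped the privacy bit and RSN element. It assumes raw 802.11 frames without FCS plus a per-frame RSSI (as a radiotap capture gives you); the BSSIDs, SSIDs and RSSI values are made up.

```python
import struct
from collections import defaultdict

# 802.11 constants used below
SUBTYPE_BEACON = 8
CAP_PRIVACY = 0x0010        # capability bit set when WEP/WPA is in use
EID_SSID, EID_RSN = 0, 48   # tagged parameters: SSID and RSN (WPA2) element

def mac_str(raw):
    return ':'.join(f'{b:02x}' for b in raw)

def build_beacon(bssid, ssid, privacy=False, rsn=False, interval=100):
    """Minimal raw beacon frame (no FCS) used as constructed test data:
    24-byte header, fixed params (timestamp, interval, capability), SSID IE,
    and optionally an RSN IE advertising WPA2-PSK/CCMP."""
    raw_bssid = bytes.fromhex(bssid.replace(':', ''))
    header = (bytes([SUBTYPE_BEACON << 4, 0x00]) + b'\x00\x00'       # FC (mgmt/beacon), duration
              + b'\xff' * 6 + raw_bssid + raw_bssid + b'\x00\x00')   # DA, SA, BSSID, seq ctl
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)                    # ESS bit, privacy bit
    fixed = struct.pack('<QHH', 0, interval, cap)
    ies = bytes([EID_SSID, len(ssid)]) + ssid.encode()
    if rsn:
        rsn_body = (struct.pack('<H', 1) + b'\x00\x0f\xac\x04'    # version 1, group cipher CCMP
                    + struct.pack('<H', 1) + b'\x00\x0f\xac\x04'  # one pairwise cipher: CCMP
                    + struct.pack('<H', 1) + b'\x00\x0f\xac\x02'  # one AKM suite: PSK
                    + struct.pack('<H', 0))                       # RSN capabilities
        ies += bytes([EID_RSN, len(rsn_body)]) + rsn_body
    return header + fixed + ies

def parse_beacon(frame):
    """Return {'bssid','ssid','privacy','rsn'} for a beacon, else None
    (other frame types, truncated frames, missing SSID IE)."""
    if len(frame) < 36 or (frame[0] >> 2) & 0x3 != 0 or frame[0] >> 4 != SUBTYPE_BEACON:
        return None
    bssid = mac_str(frame[16:22])                        # addr3 carries the BSSID
    _ts, _interval, cap = struct.unpack_from('<QHH', frame, 24)
    ssid, rsn, off = None, False, 36
    while off + 2 <= len(frame):                         # walk the tagged parameters
        eid, elen = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + elen]
        if len(body) != elen:                            # truncated IE: stop, don't guess
            break
        if eid == EID_SSID:
            ssid = body.decode('utf-8', 'replace')
        elif eid == EID_RSN:
            rsn = True
        off += 2 + elen
    if ssid is None:
        return None
    return {'bssid': bssid, 'ssid': ssid, 'privacy': bool(cap & CAP_PRIVACY), 'rsn': rsn}

def find_evil_twins(observations, known_bssids=()):
    """observations: iterable of (raw_frame, rssi_dbm). Reports every SSID
    advertised by more than one BSSID: the strongest BSSID (what a client
    keying on SSID alone will take), any BSSID advertising no WEP/WPA while
    another does (a downgrade), and any BSSID outside the caller's allowlist."""
    seen = defaultdict(dict)                             # ssid -> bssid -> record
    for frame, rssi in observations:
        rec = parse_beacon(frame)
        if rec is None:
            continue
        cur = seen[rec['ssid']].get(rec['bssid'])
        if cur is None or rssi > cur['rssi']:            # keep the strongest sighting
            seen[rec['ssid']][rec['bssid']] = {**rec, 'rssi': rssi}
    findings = []
    for ssid, aps in seen.items():
        if len(aps) < 2:
            continue
        ranked = sorted(aps.values(), key=lambda r: r['rssi'], reverse=True)
        open_bssids = [r['bssid'] for r in ranked if not (r['privacy'] or r['rsn'])]
        findings.append({
            'ssid': ssid,
            'bssids': [r['bssid'] for r in ranked],
            'strongest_bssid': ranked[0]['bssid'],
            'security_downgrade': 0 < len(open_bssids) < len(ranked),
            'downgraded_bssids': open_bssids,
            'unknown_bssids': [r['bssid'] for r in ranked
                               if known_bssids and r['bssid'] not in known_bssids],
        })
    return findings

# Constructed observations (not a real capture): Bob's WPA2 "BAH" heard weakly
# at the kerb, an open "BAH" from behind the yagi, an unrelated network and a
# data frame the parser must ignore. BSSIDs and RSSI values are made up.
LEGIT_BSSID = '00:11:22:33:44:55'
TWIN_BSSID = '66:77:88:99:aa:bb'
SAMPLE = [
    (build_beacon(LEGIT_BSSID, 'BAH', privacy=True, rsn=True), -71),
    (build_beacon(TWIN_BSSID, 'BAH'), -38),
    (build_beacon(LEGIT_BSSID, 'BAH', privacy=True, rsn=True), -68),
    (build_beacon('de:ad:be:ef:00:01', 'OtherNet', privacy=True, rsn=True), -60),
    (b'\x08\x02' + b'\x00' * 34, -50),
]

if __name__ == '__main__':
    for finding in find_evil_twins(SAMPLE, known_bssids={LEGIT_BSSID}):
        print(finding)
```

On a real feed, hand find_evil_twins the raw frames and the radiotap RSSI from a monitor-mode capture. Legitimate multi-AP networks advertise one SSID from several BSSIDs, so two BSSIDs alone is not the alarm; the security_downgrade and unknown_bssids fields are, and the strongest_bssid field tells you which one a client like Bob's will actually be sitting on.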

There you have it... access point hijacking, which you can't really do a thing about... except get an 18dBi yagi of your own. ;o)

This is a bit of a legal minefield as, strictly speaking, they are connecting to us. Still, you're intentionally sitting outside Bob's house, impersonating his access point name and aiming a big yagi at him... so I very much doubt it's accidental. Don't do it, but do have some fun with your own access points. I tested and proved this concept as soon as I came up with it, after I had eaten all of my ham, and of course on my *own* equipment.
