Welcome back, my dear hackers!
We continue our series on cracking Wi-Fi passwords, this time focusing on creating an invisible access point: an access point that is not authorized by IT staff and that can be a significant vulnerability for a company’s security. Remember, as I said in another article, cracking wireless networks is about more than Wi-Fi passwords.
In this scenario we investigate an oil company. The company under investigation fractures rock and sandstone beneath the earth’s surface, using a technique that injects sand, water and chemicals underground in order to release oil and gas.
The inhabitants of the area are starting to get sick
Lately several inhabitants have fallen ill and one has died. Residents suspect that the chemicals in the solution the oil company uses have poisoned the groundwater, leading to various illnesses and eventually death.
The oil company denies any role in causing disease or death, claiming that the chemicals they inject into the ground are harmless.
Although we do not know for sure, we have heard rumors that the oil company uses toluene, a highly toxic substance. If this is true and it has been released into the groundwater, more deaths will follow.
We help uncover the truth using a Rogue AP
We are determined that this will not happen again, so we decide to work with a company that aims to protect the environment, and also with other hackers, to try to find out whether the company uses toluene.
We need the engineering group’s archives to prove that the company lied to us and continues to poison the water around us.
Because a company employee is on our side, we teach him to launch a Rogue AP that bypasses the company’s firewall and IDS (intrusion detection system), is invisible to the IT team, and gives us unlimited access to the network and the company’s records.
Why isn’t a Rogue AP detected?
In the United States, the FCC regulates the wireless industry and its technologies and permits only channels 1-11. In Romania, the most used channels are 1-12, as far as I have noticed. Other nations use 1-14.
An access point communicating on channel 12, 13 or 14 would be completely invisible to wireless adapters built to capture only channels 1-12. If we could make our Rogue AP communicate on channel 13 or 14, for example, it would be invisible to the IT staff at the oil drilling company, or at any other company. Of course, we must also set our own wireless adapters to communicate on channel 13/14 so that we can connect.
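The channel trick above only works against adapters and monitoring tools that never look past channel 11. A defender’s counter is a wireless sensor whose own regulatory domain permits scanning channels 1-14 and which alerts on any BSSID missing from the AP inventory or beaconing on a channel outside the local regulatory range. The script below is an added example, not code from the original article: it parses `iw dev <if> scan` output (a constructed sample is embedded), and the inventory BSSIDs, the SSID `OilCo-Corp` and the channel limit are placeholders you would replace with your own values.

```python
"""Rogue AP sweep: flag unknown BSSIDs and APs on 2.4 GHz channels a local
sensor is not expected to hear. Added example; the parser targets
`iw dev <if> scan` output and the inventory values are constructed placeholders."""
import re
import subprocess

# Constructed inventory (placeholders): BSSIDs of the sanctioned corporate APs
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
CORPORATE_SSIDS = {"OilCo-Corp"}
MAX_LOCAL_CHANNEL = 11  # FCC allows 2.4 GHz channels 1-11; use 13 for ETSI domains

_BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def freq_to_channel(freq_mhz):
    """Map a centre frequency in MHz to its 802.11 channel number."""
    if freq_mhz == 2484:                       # channel 14 (Japan, 802.11b only)
        return 14
    if 2412 <= freq_mhz <= 2472 and (freq_mhz - 2412) % 5 == 0:
        return (freq_mhz - 2407) // 5          # channels 1-13 are 5 MHz apart
    if 5000 <= freq_mhz <= 5900:
        return (freq_mhz - 5000) // 5          # 5 GHz band
    return None


def parse_iw_scan(text):
    """Parse `iw dev <if> scan` output into a list of AP records."""
    aps, current = [], None
    for raw in text.splitlines():
        m = _BSS_RE.match(raw)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": None,
                       "freq": None, "channel": None, "signal": None}
            aps.append(current)
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("freq:"):           # newer iw prints "freq: 2412.0"
            current["freq"] = int(float(line.split(":", 1)[1].strip()))
            current["channel"] = freq_to_channel(current["freq"])
        elif line.startswith("signal:"):
            current["signal"] = float(line.split(":", 1)[1].split()[0])
        elif line.startswith("SSID:"):         # empty value means a hidden SSID
            current["ssid"] = line[len("SSID:"):].strip()
    return aps


def find_rogue_aps(aps, authorized_bssids, corporate_ssids, max_channel=MAX_LOCAL_CHANNEL):
    """Return the APs that deserve an alert, each with the reasons it was flagged."""
    findings = []
    for ap in aps:
        reasons = []
        if ap["bssid"] not in authorized_bssids:
            reasons.append("BSSID not in AP inventory")
            if ap["ssid"] in corporate_ssids:
                reasons.append("unknown AP advertises a corporate SSID")
        ch = ap["channel"]
        if ch is not None and max_channel < ch <= 14:
            reasons.append(f"2.4 GHz channel {ch} is outside the local regulatory range")
        if reasons:
            findings.append({"bssid": ap["bssid"], "ssid": ap["ssid"],
                             "channel": ch, "signal": ap["signal"], "reasons": reasons})
    return findings


def scan_interface(ifname):
    """Run a live scan (needs root; the sensor's regdomain must permit channels 12-14)."""
    out = subprocess.run(["iw", "dev", ifname, "scan"], check=True,
                         capture_output=True, text=True).stdout
    return parse_iw_scan(out)


# Constructed sample scan output: two sanctioned APs, one unknown AP on channel 13
# spoofing the corporate SSID, and one hidden-SSID AP on channel 14.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tfreq: 2412
\tsignal: -41.00 dBm
\tSSID: OilCo-Corp
BSS 00:11:22:33:44:66(on wlan0)
\tfreq: 2437
\tsignal: -55.00 dBm
\tSSID: OilCo-Corp
BSS de:ad:be:ef:00:01(on wlan0)
\tfreq: 2472
\tsignal: -38.00 dBm
\tSSID: OilCo-Corp
BSS de:ad:be:ef:00:02(on wlan0)
\tfreq: 2484
\tsignal: -60.00 dBm
\tSSID:
"""

if __name__ == "__main__":
    for f in find_rogue_aps(parse_iw_scan(SAMPLE_SCAN), AUTHORIZED_BSSIDS, CORPORATE_SSIDS):
        print(f"{f['bssid']} ch={f['channel']} ssid={f['ssid']!r}: {'; '.join(f['reasons'])}")
```

Run it periodically from a sensor with `scan_interface("wlan0")` in place of the sample; the sensor only hears channels 12-14 if its own regulatory domain allows them, which is the first thing to verify when this check reports nothing.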
Step 1: Changing the regulatory range of the wireless adapter
Because Japan allows channels 1-14, we need to set our access point to the Japanese regulatory domain in order to communicate on channels 13 and 14.
We do this with the following commands:
- iw reg set JP
- iwconfig wlan0 channel 13
Step 2: Let’s put the wireless adapter in monitor mode
Next, we put the wireless adapter into monitor mode:
- airmon-ng start wlan0
Step 3: We are launching our access point
The aircrack-ng suite contains a tool called airbase-ng for creating an AP from our wireless adapter. We use it by typing:
- airbase-ng -c 13 mon0
- -c 13 sets the channel the AP will communicate on (channel 13)
- mon0 is the monitor-mode interface used to launch the AP
Step 4: Let’s connect our AP to their network
Now that we have created an AP, we need to connect it to the oil company’s internal network. That way the AP’s traffic goes straight into the corporate internal network, past its security, including any firewall or intrusion detection system.
First, we open a new terminal and create a bridge, which we call “Blackweb-Bridge”. We do this by entering:
- brctl addbr Blackweb-Bridge
- apt install bridge-utils (run this first if the bridge utilities are not yet installed)
Step 5: We add interfaces to the connection
After creating the bridge we must add both interfaces to it: eth0 for the internal network and at0, the virtual interface of our AP. We do this by typing:
- brctl addif Blackweb-Bridge eth0
- brctl addif Blackweb-Bridge at0
Step 6: Activate the interfaces
Next we bring the interfaces up:
- ifconfig eth0 0.0.0.0 up
- ifconfig at0 0.0.0.0 up
Step 7: Enable IP forwarding
The Linux kernel can forward IP traffic between interfaces. We enable forwarding with:
- echo 1 > /proc/sys/net/ipv4/ip_forward
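Steps 1 through 7 leave a recognisable footprint on the host that runs the rogue AP: a regulatory domain that differs from the country the machine actually sits in, a bridge that joins a wired interface to a virtual wireless one, and IP forwarding switched on. An endpoint audit can check all three. The script below is an added example and not part of the original article: it reads bridge membership from sysfs, `ip_forward` from procfs and the country code from `iw reg get`; the expected country code, the interface-name prefixes and the snapshot values are assumptions.

```python
"""Endpoint audit for the bridge/regdomain footprint of a rogue AP host. Added
example, not from the original article; interface-name prefixes, the expected
country code and the snapshot values are assumptions for a US-based fleet."""
import os
import re
import subprocess

_COUNTRY_RE = re.compile(r"^country ([A-Z0-9]{2}):", re.MULTILINE)


def parse_iw_reg(text):
    """Extract the country code from `iw reg get` output (None if not printed)."""
    m = _COUNTRY_RE.search(text)
    return m.group(1) if m else None


def read_host_state(root="/"):
    """Collect bridge membership, ip_forward and regdomain from a live Linux host."""
    net = os.path.join(root, "sys/class/net")
    bridges = {}
    for ifname in os.listdir(net):
        brif = os.path.join(net, ifname, "brif")   # present only on bridge devices
        if os.path.isdir(brif):
            bridges[ifname] = sorted(os.listdir(brif))
    with open(os.path.join(root, "proc/sys/net/ipv4/ip_forward")) as fh:
        ip_forward = int(fh.read().strip())
    try:
        out = subprocess.run(["iw", "reg", "get"], capture_output=True,
                             text=True, check=False).stdout
        reg = parse_iw_reg(out)
    except FileNotFoundError:                       # iw not installed on this host
        reg = None
    return {"bridges": bridges, "ip_forward": ip_forward, "regdomain": reg}


def assess_host(state, expected_country="US", expect_forwarding=False,
                wired_prefixes=("eth", "en"), wireless_prefixes=("at", "wl", "mon")):
    """Return a list of findings; an empty list means the host matches the baseline."""
    findings = []
    reg = state.get("regdomain")
    if reg and reg != expected_country:
        findings.append(f"regulatory domain {reg} differs from expected {expected_country}")
    for br, members in state["bridges"].items():
        wired = [m for m in members if m.startswith(wired_prefixes)]
        wireless = [m for m in members if m.startswith(wireless_prefixes)]
        if wired and wireless:
            findings.append(f"bridge {br} joins wired {wired} to wireless {wireless}")
    if state["ip_forward"] == 1 and not expect_forwarding:
        findings.append("ip_forward enabled on a host not expected to route")
    return findings


# Constructed snapshots: a host configured as in the article, and a clean workstation
ROGUE_STATE = {"bridges": {"Blackweb-Bridge": ["at0", "eth0"]},
               "ip_forward": 1, "regdomain": "JP"}
CLEAN_STATE = {"bridges": {}, "ip_forward": 0, "regdomain": "US"}
# Constructed `iw reg get` output as printed after the regdomain was switched to JP
SAMPLE_REG_OUTPUT = "global\ncountry JP: DFS-JP\n\t(2402 - 2482 @ 40), (N/A, 20), (N/A)\n"

if __name__ == "__main__":
    state = read_host_state() if os.path.isdir("/sys/class/net") else ROGUE_STATE
    for line in assess_host(state) or ["no findings"]:
        print(line)
```

A fleet agent would ship `assess_host` findings to the SIEM; each one alone can be legitimate (a travelling laptop, a virtualisation bridge, a router), so the interesting alert is the combination of all three on a machine that is not supposed to route.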
Step 8: We surf the internal network
When we and those working with us connect to the invisible AP (channel 13 must be enabled on our wireless adapters), we will have access to the entire internal corporate network.
In this way we can obtain the information we need from the engineering department to prove whether the solution used contains toluene and whether the company is responsible for poisoning the community’s drinking water.
Be sure to keep checking our Wi-Fi hacking series, as more wireless hacks will be posted! If you have any questions, please comment below and we’ll try to help.