"Evil Twin Access Points for Dummies" [1]
or
"Airsnarf for Windows Mini How-To"
by Beetle
Introduction
Disclaimer
Hardware
Software
Installation
Configuration
Airsnarfing
Links
Notes
Introduction
There's been a good bit of better-late-than-never press regarding "Evil
Twin" access points. Google
for "evil twin access point" if you don't believe me. Even if
I could discard the hilarious fact that rogue AP attacks are WAY old
news and that it has taken the media nearly two years to catch on to
the applicability of (and concern about) people running Airsnarf (a rogue AP
setup utility presented by myself and Bruce Potter at DefCon 11), it is
RETARDED to hear this described as a technique deployed by
"sophisticated hackers". This is SO easy, a Windows user could
pull it off--which brings us to the content below. This document
describes how to run an Airsnarf, or so-called-by-the-media "Evil Twin"
access point, using Windows XP and a handful of downloads.
Nothing "sophisticated" here, I promise.
Disclaimer
The information and instructions contained in this document are
provided for educational and proof-of-concept-scare-your-boss-to-death
purposes. For the reporters who like to twist that common
disclaimer into some evil-hacker agenda, guess what? The sky is
NOT falling--it's on the fucking tarmac. The bad guys already
know how to do this. So, Mr. Clueless IT Security Reporter that
can't seem to get the technical details straight: fuck off, make
yourself useful, go wake grandma up, and tell her to stop using the
Starbucks hotspot OR her half-ass-secured home wireless network to do
her online banking. Again. I am in no way responsible for
the way bad guys with Windows laptops decide to use this how-to and fuck
people over. I am in no way responsible for Windows users that
completely hose their machine and can't figure out how to get back on
the Interweb again to browse for pr0n.
As always, I don't plan on updating this document. Or fixing it. Or
answering questions about it. If you don't find it strangely
refreshing to hear this level of honesty from the author of a piss-ant
How-To, my apologies.
Hardware
Windows XP SP2 x86-based laptop with an integrated wireless card (or
other primary Internet connection mechanism)
a SoftAp supported PCMCIA wireless card (see a list of currently
supported cards at http://www.pctel.com/softap_supported_cards.html)
Software
SoftAP - http://www.pctel.com/softap.php
[2]
TreeWalk - http://ntcanuck.com/DL-kN/TreeWalk.zip
Apache - http://mirrors.isc.org/pub/apache/httpd/binaries/win32/apache_2.0.53-win32-x86-no_ssl.msi
ActivePerl - http://downloads.activestate.com/ActivePerl/Windows/5.8/ActivePerl-5.8.6.811-MSWin32-x86-122208.msi
Airsnarf for Windows - http://airsnarf.shmoo.com/airsnarf-0.2-win.zip
[3]
Installation
Buy, download, and install SoftAP.
Download and install TreeWalk.
Download and install Apache. It doesn't matter what you choose
for your domain, servername, or email address.
Download and install ActivePerl, choosing "c:\usr" as the installation
directory.
Download and unzip Airsnarf for Windows. There should be three
files: index.html, airsnarf.jpg, and airsnarf.cgi. Copy
index.html and airsnarf.jpg to the "c:\Program Files\Apache
Group\Apache2\htdocs\" directory. Copy airsnarf.cgi to the
"c:\Program Files\Apache Group\Apache2\cgi-bin\" directory.
Configuration
Make sure you can use the Internet with your integrated wireless card
while running SoftAP for your SoftAP-supported PCMCIA wireless card
[4]. That means, make sure you can connect to the Internet with
one card, while having wireless clients connect to your SoftAP at the
same time. Once you have that working, from the SoftAP status
window, select "Tools", "Options", and the "Devices" tab. Make
sure "Share my network connection" is checked and that the "Mode" is
set to "MS Internet Connection Sharing" [5]. By doing all this,
you're creating a working wireless network that provides Internet
access to clients that associate to you. More importantly, you
are giving out IP addresses for clients that are associating to you,
and with that information, letting them know you are their default
route and primary DNS nameserver.
Run TreeWalk and make sure YOU are your primary DNS server.
TreeWalk should set this up for you automatically. To test this
out, from a command prompt, type "ipconfig /all". The first DNS
server you should see listed for each adapter should be
"127.0.0.1". And when you type "nslookup", your "Default Server"
should be "localhost". By doing this, YOU will be able to provide
custom responses to DNS queries by associated clients--thereby
"controlling" what websites they go to.
Open up the file "c:\Program Files\Apache
Group\Apache2\conf\httpd.conf" and add "ExecCGI" to the line that reads
"Options Indexes FollowSymLinks", so that the line reads "Options
Indexes FollowSymLinks ExecCGI". Save the file and close
it. Start Apache. Using your web browser, go to
"http://localhost". You should see the Airsnarf splash
screen. Enter a username and password and click "Login".
You should get redirected to the "Thanks for letting us own you!"
page. Check your C:\ drive--there should be a website name,
password, and username logged.
Now that everything runs, the fun begins...
Airsnarfing
This is so simple and ghetto that it's hilarious. Basically,
we're just going to do some local DNS cache poisoning--MANUALLY.
Use the TreeWalk control panel to stop TreeWalk. Open up the file
"c:\WINDOWS\system32\dns\etc\named.cache". Add the following two
lines to the end of the file:
;local
www.paypal.com 155000 A 192.168.0.1
In this case, the website we want to resolve to our own address is www.paypal.com,
and the IP address is the address of our SoftAP-capable PCMCIA
card. Save the file. Restart TreeWalk again. DNS
cache poisoning complete. heh. Check to make sure
everything works by opening up a web browser and going to
"http://www.paypal.com"--you should see the Airsnarf splash
screen. If you go to other websites, they should appear just fine
[6]. The same should apply to any unsuspecting clients that
wander onto your access point. SoftAP is kind enough to pop up a
balloon from the status bar every time a client joins your
network. Enjoy.
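The symptom this section produces is a public hostname answering with a private (RFC 1918) address. The check below, written from the client's side, flags exactly that; it is an added example, not part of the original how-to or of Airsnarf, and the sample answers are constructed.

```python
import ipaddress
import socket

# Constructed sample: DNS answers as a client on the rogue hotspot would see them.
# The first two mirror the poisoned named.cache entry described above.
SAMPLE_ANSWERS = [
    ("www.paypal.com", "192.168.0.1"),
    ("www.hotmail.com", "192.168.0.1"),
    ("www.example.com", "93.184.216.34"),
    ("localhost", "127.0.0.1"),
]

# Names that legitimately resolve to non-public addresses and should not be flagged.
LOCAL_SUFFIXES = (".local", ".lan", ".home", ".internal")


def is_suspicious_answer(hostname, address):
    """True when a public-looking hostname resolves to a private, loopback,
    link-local or reserved address: the signature of the local cache poisoning
    performed in this how-to (www.paypal.com -> the SoftAP card's address)."""
    name = hostname.rstrip(".").lower()
    if name == "localhost" or name.endswith(LOCAL_SUFFIXES) or "." not in name:
        return False  # single-label or local names are expected to be non-public
    ip = ipaddress.ip_address(address)
    return bool(ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved)


def audit_answers(answers):
    """Return the (hostname, address) pairs that look poisoned."""
    return [(h, a) for h, a in answers if is_suspicious_answer(h, a)]


def audit_live(hostnames):
    """Resolve each name with the system resolver and audit the real answers.
    Network failures are reported as None rather than raised, so the check
    degrades gracefully on a captive or offline hotspot."""
    results = {}
    for host in hostnames:
        try:
            _, _, addrs = socket.gethostbyname_ex(host)
            results[host] = [a for a in addrs if is_suspicious_answer(host, a)]
        except OSError:
            results[host] = None
    return results


if __name__ == "__main__":
    for host, addr in audit_answers(SAMPLE_ANSWERS):
        print(f"SUSPICIOUS: {host} -> {addr}")
```

Run on a real hotspot, `audit_live(["www.paypal.com", "www.hotmail.com"])` will show any bank or webmail name that has been pointed at the gateway's own address.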
From here, how this can TRULY be abused is an exercise left for the
reader. Needless to say, one can be pretty hateful and tricky
with a legitimate looking copy of a target website, Apache's virtual
hosting, and some extra Javascript or CGI. [7]
Links
Airsnarf Website - http://airsnarf.shmoo.com
Notes
[1] A media-whoring title if ever there was one. EVIL!
[2] Yes, I know there's no direct link to download SoftAP. That's
because you have to buy it. It's $20. Until there's some
sort of Windows open-source or freeware equivalent, it's worth
it. Do NOT be a cheap bastard and try to pirate this one, guys.
[3] Joke's on me. There's really no Airsnarf for Windows.
This is just a zip file with a subset of modified files from the
original Airsnarf for Linux. It's easier than trying to tell
Windows users to extract a tarball and edit a CGI script.
[4] Real badasses don't need another wireless network or hotspot for
Internet access--they have it in their hip pocket via EVDO or
GPRS. This allows you to set up an Airsnarf anywhere you have
cell phone coverage. Thwacka!
[5] Make sure you are in ICS mode NOT bridged! Bridged mode will
allow the upstream AP or service to give out the IP and DNS information
instead of you. NOT what you want, if you're trying to control
what "sites" people visit.
[6] Good or bad? I dunno. Your choice. With Airsnarf
for Linux, nifty firewall rules redirected all DNS and hence web
requests to your default "gimme your password" screen, but the Internet
proper was not bridged. With Airsnarf for Windows (oh lordy that
sounds the suck), you have to be targeted about which sites you plan on
snarfing usernames and passwords for, but the Internet generally still
works off the back end.
[7] With virtual hosting in Apache, you can have different websites
ready to respond to different requests--a Hotmail website for
www.hotmail.com requests, a PayPal website for www.paypal.com requests,
and so on. With some Javascript or CGI, you can have users
seamlessly passed off to the real sites, e.g.
"http://login.passport.net/uilogin.srf?id=2" for Hotmail. And
that's all I have to say about that.