There are a number of tutorials for this attack, and all of them start after you are already in a man-in-the-middle (MITM) position. None of them tell you how to get there. The reason is that there are many ways to do it, and most of them require your own uplink to the internet so that you can forward the intercepted traffic on to its real destination.
Our method uses a modified router and an Eee PC 900 running BackTrack 4 beta to do the MITM. First we need the router. We use a Linksys WRT600N, but a Linksys WRT54G or any other router supported by the firmware we install, DD-WRT v24 mega, works just as well. Once you have flashed the firmware from www.dd-wrt.org, the fun can begin.
Once the router is flashed and ready to use, find the network to attack. To locate a vulnerable network, put your wireless card into monitor mode: open a shell and run airmon-ng start wifi0 for an Atheros (madwifi) card, which creates a monitor-mode interface, normally ath1; for an Intel card run iwconfig wlan0 mode monitor instead. If you are unsure what your wireless card is, run iwconfig and see which interfaces it lists. With the card in monitor mode, start scanning with airodump-ng ath1 (the interface is given as a plain argument; -i is not an interface option for airodump-ng, it means --ivs). If you used wlan0 in the previous step, use wlan0 here instead. The Privacy column of the scan shows which networks are unencrypted (OPN).
Now that you have found your target network (whichever one is unencrypted), configure the router for the attack. The wireless card has to be back in managed mode before you can associate with anything, so in a shell run ifconfig ath1 down and then ifconfig ath0 up (airmon-ng stop ath1 does the same), or iwconfig wlan0 mode managed if you have an Intel card, and finally run NetworkManager start so that BT4 beta lets you connect to a wireless network. Log into the DD-WRT router with its default settings, go to the Setup tab and change the router's LAN IP address to something other than the default (for example 192.168.2.1; the exact value is only an illustration, but it must be a private address on a different subnet from the victim network, because in repeater mode the router gets its WAN address from that network and cannot route between two identical subnets), and leave everything else alone. Then go to the Wireless tab. Under Basic Settings add two virtual interfaces: a private one for you alone, with SSID broadcast disabled, and a second one with the same SSID as the victim network. Save your settings, then set the physical interface's mode to Repeater and set its SSID to the victim SSID as well. Apply the settings again and connect to your hidden access point. Log back into the router, return to the Wireless tab and open Wireless Security. Put WPA encryption on your hidden network (and make sure the admin password is not the default, since everyone who joins the cloned SSID is a client of this router too), apply the settings and reconnect to your AP. Go back to the Wireless tab once more, open Advanced Settings, scroll down to TX Power and set it to 251, the maximum, so that your AP outshines the real one for nearby clients. Be aware that this is above the legal limit in most jurisdictions and makes the radio run hot.
Now sit back for a second and breathe; the hard work is done. On any page of the router's web interface, look at the top right corner: if a WAN IP is shown, you are connected to the victim network and are rebroadcasting its SSID from your router, and however many users connect through your router, the victim network only ever sees one client, the router itself, behind a single address. It may seem like a lot of work the first time, but from this point on all you need to do to turn the router into a rogue AP for a new target is change the SSID in Basic Wireless Settings. This works against your neighbours, any public hotspot, or any network you can connect to, and if the network uses a splash screen to grant access, that splash screen is passed straight through to whoever connects to you, so from the client's side you are nearly invisible. Once one client has cleared the splash page, the network has authorized the router's address, and every client behind it rides on that authorization. The same setup can also simply be used to extend the range of your own wireless network.
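The scan in the third step and the WAN-IP check in the last step, as an added shell example that is not part of the original post: it filters the CSV summary that airodump-ng -w prefix writes to prefix-01.csv down to the unencrypted (OPN) networks, strongest signal first; it then reads busybox-style ifconfig output from the router and reports whether the upstream radio actually obtained a WAN address and whether the LAN address chosen on the Setup tab collides with the victim network's subnet. The CSV rows and the ifconfig output are constructed samples, and the interface names ath0 (upstream repeater radio) and br0 (LAN bridge) are assumptions; on a real router you would pipe in the output of ifconfig over SSH or telnet.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the scan step and
# the final "do I have a WAN IP" check. Interface names and all sample
# output below are constructed assumptions so the script runs offline.

# Constructed sample of the AP section that "airodump-ng -w prefix" writes to
# prefix-01.csv. Column 6 (Privacy) reads OPN for an unencrypted network.
SAMPLE_AIRODUMP_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-03-01 10:00:00, 2009-03-01 10:05:00,  6,  54, OPN ,     ,    , -40,      120,      0,   0.  0.  0.  0,   9, CoffeeNet, 
00:11:22:33:44:66, 2009-03-01 10:00:00, 2009-03-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,       80,      0,   0.  0.  0.  0,   8, HomeWifi, 
00:11:22:33:44:77, 2009-03-01 10:00:00, 2009-03-01 10:05:00,  1,  54, WEP , WEP ,    , -70,       40,   1500,   0.  0.  0.  0,   6, OldNet, 
00:11:22:33:44:88, 2009-03-01 10:00:00, 2009-03-01 10:05:00,  6,  54, OPN ,     ,    , -60,       30,      0,   0.  0.  0.  0,   7, Library, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:aa:bb:cc:dd:ee, 2009-03-01 10:01:00, 2009-03-01 10:04:00, -50, 12, 00:11:22:33:44:55, CoffeeNet'

# Constructed busybox-style ifconfig output from the router. ath0 is assumed to
# be the repeater's upstream (WAN) radio and br0 the LAN bridge.
SAMPLE_IFCONFIG='ath0      Link encap:Ethernet  HWaddr 00:1D:7E:AA:BB:CC
          inet addr:10.0.0.23  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

br0       Link encap:Ethernet  HWaddr 00:1D:7E:AA:BB:CD
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Same router, but with the LAN left on a subnet the victim network also uses.
SAMPLE_IFCONFIG_COLLIDE='ath0      Link encap:Ethernet  HWaddr 00:1D:7E:AA:BB:CC
          inet addr:192.168.1.107  Bcast:192.168.1.255  Mask:255.255.255.0

br0       Link encap:Ethernet  HWaddr 00:1D:7E:AA:BB:CD
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0'

# Read an airodump-ng CSV on stdin and print "power BSSID channel ESSID" for
# every unencrypted AP, strongest signal first. ESSID goes last so that names
# containing spaces do not disturb the sort key.
open_networks() {
    awk -F',' '
        /^BSSID/ { next }                            # column header
        /^[ \t\r]*$/ || /^Station MAC/ { exit }      # end of the AP section
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t\r]+$/, "", $i)
            if ($6 == "OPN") print $9, $1, $4, $14
        }' | sort -k1,1nr
}

# Dotted quad -> 32-bit integer, with POSIX shell arithmetic only.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR1 ADDR2 NETMASK: exit 0 when both addresses share a subnet.
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# wan_addr IFACE: read ifconfig output on stdin, print "ADDR MASK" for IFACE,
# exit 1 when the interface is missing or has no IPv4 address.
wan_addr() {
    awk -v ifc="$1" '
        $1 == ifc { want = 1; next }      # the interface header line
        /^[^ \t]/ { want = 0 }            # a different interface starts
        want && /inet addr:/ {
            sub(/.*inet addr:/, "")       # now $1 is the address
            for (i = 2; i <= NF; i++) if ($i ~ /^Mask:/) mask = substr($i, 6)
            print $1, mask; found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# check_repeater WAN_IFACE LAN_IFACE < ifconfig-output: succeeds (exit 0) only
# when the upstream radio has an address and the LAN is on a different subnet.
check_repeater() {
    wan_if=$1; lan_if=$2
    ifconfig_out=$(cat)
    wan=$(printf '%s\n' "$ifconfig_out" | wan_addr "$wan_if") \
        || { echo "no WAN address on $wan_if: not associated with the target"; return 1; }
    lan=$(printf '%s\n' "$ifconfig_out" | wan_addr "$lan_if") \
        || { echo "no address on $lan_if"; return 1; }
    set -- $wan $lan                      # wan_ip wan_mask lan_ip lan_mask
    if same_subnet "$1" "$3" "$2"; then
        echo "LAN $3 collides with WAN subnet $1/$2: change the LAN address"
        return 2
    fi
    echo "WAN $1/$2, LAN $3/$4: repeater is up"
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_AIRODUMP_CSV" | open_networks
printf '%s\n' "$SAMPLE_IFCONFIG" | check_repeater ath0 br0
```

On the router, the equivalent of the web page's WAN-IP indicator is ifconfig | check_repeater ath0 br0 after substituting the real interface names; a collision report means the Setup-tab address was left on the same range the victim network hands out.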