

Now that the system is up to date and configured for SSH, we can log in from our main system (as long as both machines are on the same network). Open a terminal and log in to the system:

haxys@straylight:~$ ssh root@192.168.1.2
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
ECDSA key fingerprint is SHA256:V0zr5abt6HcXUD4YKkz0HqivdMwy8Eg0E0xhqTjq3FE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.2' (ECDSA) to the list of known hosts.
root@192.168.1.2's password:
Linux kali 4.19.81-Re4son-v7+ #1 SMP Wed Nov 6 10:16:47 AEDT 2019 armv7l

Red-Team Drop Box: BOX-001
Property of Pentest Company Incorporated
Last login: Wed Dec  4 21:13:52 2019 from ::1
root@kali:~#

Our next goal is to set up the drop box to host a WiFi access point, which will provide access to the drop box as long as we’re within range of its wireless signal. This might not help us if we’re outside the building, but it can be useful when initially planting the drop box within the target environment, in case there is any special configuration necessary to get the device connected to the local network.

  1. To start, install hostapd and dnsmasq:
    apt install hostapd dnsmasq -y
    
  2. Stop both services:
    systemctl stop hostapd
    systemctl stop dnsmasq
    
  3. Create the /etc/hostapd/hostapd.conf file, using vi or nano, with the following contents (change the ssid and wpa_passphrase to your own values):
    interface=wlan0
    driver=nl80211
    ssid=MAINTENANCE_DB1
    hw_mode=g
    channel=7
    wmm_enabled=0
    macaddr_acl=0
    auth_algs=1
    ignore_broadcast_ssid=0
    wpa=2
    wpa_passphrase=!SuperSecretPassword!
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP
    rsn_pairwise=CCMP
    
  4. Edit /etc/default/hostapd and change the following line:
    #DAEMON_CONF=""
    

    Replace it with this line:

    DAEMON_CONF="/etc/hostapd/hostapd.conf"
    
  5. Edit /etc/dnsmasq.conf, adding the following to the end of the file:
    no-resolv
    interface=wlan0
    bind-interfaces
    dhcp-range=10.0.0.50,10.0.0.100,255.255.255.0,12h
    

    This tells dnsmasq to bind to wlan0 and provide DHCP to clients. As specified, connected clients will be assigned IPs between 10.0.0.50 and 10.0.0.100.

  6. Edit /etc/network/interfaces, adding the following lines at the end:
    auto wlan0
    allow-hotplug wlan0
    iface wlan0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    

    This tells the system to assign a static IP of 10.0.0.1 to the wlan0 interface.

  7. Set dnsmasq and hostapd to start on boot:
    systemctl unmask hostapd
    systemctl enable hostapd
    systemctl unmask dnsmasq
    systemctl enable dnsmasq
    
  8. Reboot the system:
    shutdown -r now
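
A pre-reboot check for the hostapd.conf from step 3, added here as an example (it is not part of the original walkthrough): it fails if the sample SSID or passphrase is still in place, if the passphrase is outside WPA's 8 to 63 character range, or if WPA2 would not use CCMP alone. The helper names `conf_get`, `check_hostapd_conf` and `write_sample` are assumptions, and the sample config is constructed from the step 3 values.

```sh
#!/bin/sh
# Added example: lint hostapd.conf before the reboot in step 8.
# conf_get, check_hostapd_conf and write_sample are hypothetical helper names.

# Print the value of KEY in FILE (if KEY repeats, this script takes the last line).
conf_get() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

check_hostapd_conf() {
    conf=$1; rc=0
    ssid=$(conf_get ssid "$conf")
    pass=$(conf_get wpa_passphrase "$conf")
    wpa=$(conf_get wpa "$conf")
    rsn=$(conf_get rsn_pairwise "$conf")
    # hostapd falls back to wpa_pairwise for WPA2 when rsn_pairwise is unset
    [ -n "$rsn" ] || rsn=$(conf_get wpa_pairwise "$conf")

    # The tutorial's sample values are published, so they must be replaced.
    [ "$ssid" != "MAINTENANCE_DB1" ] || { echo "FAIL: ssid is the tutorial sample"; rc=1; }
    [ "$pass" != '!SuperSecretPassword!' ] || { echo "FAIL: wpa_passphrase is the tutorial sample"; rc=1; }
    # WPA-PSK passphrases are 8 to 63 characters long.
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "FAIL: wpa_passphrase length ${#pass} is outside 8..63"; rc=1
    fi
    # wpa=2 is WPA2 only; 1 or 3 would also enable WPA1.
    [ "$wpa" = "2" ] || { echo "FAIL: wpa=$wpa, expected 2"; rc=1; }
    # The WPA2 pairwise cipher should be CCMP with no TKIP offered.
    case " $rsn " in
        *" TKIP "*) echo "FAIL: TKIP offered for WPA2 ($rsn)"; rc=1 ;;
        *" CCMP "*) ;;
        *) echo "FAIL: CCMP not enabled for WPA2"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a config shaped like step 3 with a given SSID and passphrase.
write_sample() {
    printf '%s\n' "interface=wlan0" "ssid=$2" "wpa=2" "wpa_passphrase=$3" \
        "wpa_key_mgmt=WPA-PSK" "wpa_pairwise=TKIP" "rsn_pairwise=CCMP" > "$1"
}

tmp=$(mktemp)
write_sample "$tmp" "MAINTENANCE_DB1" '!SuperSecretPassword!'
check_hostapd_conf "$tmp" || echo "step 3 sample values are still in place"
rm -f "$tmp"
```

On the drop box itself, point the function at the real file: `check_hostapd_conf /etc/hostapd/hostapd.conf`.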
    

Once the drop box comes back online, you should see the WiFi access point come online as well. Attempt to connect to it using the SSID and password you set in the /etc/hostapd/hostapd.conf file. If everything works right, you should be connected, and you should be able to ping the drop box:

haxys@straylight:~$ ping -c3 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=19.1 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=12.0 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=1.99 ms

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.991/11.018/19.056/7.001 ms

If you have any problems, revisit the previous steps and ensure you followed them correctly.

Congrats! You can now access the drop box via WiFi. Next, we’ll set up Nebula.

