Rogue Access Point Detection/Mitigation
This is the article relating to my 2011 MUM presentation.
I was trying to think of something fun and different for this year’s MUM, so I came up with rogue access point detection/mitigation. The project has a Mikrotik probe connect to any open access points it can find. It then tries to access a resource that exists only inside your LAN; in this case the resource is a special web page. If that page can be fetched through an open AP, the AP is bridged into your network, so the probe alerts you and helps you track it down. Watch the video below for the full presentation.
Config Files
ignore-list.txt
#MAC address~SSID
#00:12:17:DA:09:2G~linksys
This file lists the MAC address followed by the ~ symbol and finally the SSID.
This holds any APs that should be ignored from processing.
probes.txt
#192.168.88.1~user1~user1
This file holds the connection information for our Mikrotik probes we will be testing with.
IP address of probe, then ~, then username, then ~ and finally password.
settings.txt
#duration to run the scan for in seconds
15
#IP of server to pull the rogue page from
192.168.1.2
#path to the rogue file /index.html
/rogue.html
#email address to send alerts to. Some smtp servers require <> around email addresses.
[email protected]
#IP of mail server to relay through
127.0.0.1
#port of smtp server
25
This file holds the general settings for the program.
Duration is how long the probe will scan for open APs.
“IP of server to pull” is the IP address of the “internal only” web server we will be trying to get the HTML page from.
“path” will be the full http path to append to the IP address listed above.
[email protected] should be replaced by your email address.
Relay server IP should be that of your mail relay.
Port is the SMTP port to use.
Binary
Here’s the download of the compiled exe, source, and config files: MTKRogue.zip
Source
Current Source code:
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseX64=n
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.3.6.1
 Author:         Greg Sowell

 Script Function:
	This script controls putty to connect to mikrotik APs and check for rogues on your network.

#ce ----------------------------------------------------------------------------

; Script Start - Add your code below here

;autoit includes
#include <file.au3>
#include <Array.au3>

;open the settings file
Dim $aSettings
If Not _FileReadToArray(@ScriptDir & "\settings.txt", $aSettings) Then
	MsgBox(4096, "Error", " Error reading log to Array error:" & @error)
	Exit
EndIf

;set variables
$Duration = $aSettings[2] ;duration to do the scan
$serverIP = $aSettings[4] ;ip address of the webserver
$serverPathFile = $aSettings[6] & """" ;path to check file (closing quote for the fetch url)
$EmailAddress = $aSettings[8] ;email address variable
$szIPADDRESS = $aSettings[10] ;email server IP address
$nPORT = $aSettings[12] ;email server port (25)
$ClipContents = "" ;setup clipboard variable
$waiting = 0 ;variable for time checking
$HostIP = ""
$userN = ""
$passW = ""
$ssid = ""
$mac = ""
$puttyPID = ""

;open hosts file
Dim $aHosts
If Not _FileReadToArray(@ScriptDir & "\probes.txt", $aHosts) Then
	MsgBox(4096, "Error", " Error reading log to Array error:" & @error)
	Exit
EndIf

;main program loop. Loop through each host.
For $h = 1 To $aHosts[0]
	If StringInStr("---" & $aHosts[$h], "#") < 1 Then ;not a comment, lets go!!!
		;run the host processing function
		_RunHost()
	EndIf
Next

;host processing function
Func _RunHost()
	$HostIP = StringLeft($aHosts[$h], StringInStr($aHosts[$h], "~") - 1) ;pull host IP
	$userN = StringMid($aHosts[$h], StringInStr($aHosts[$h], "~") + 1, StringInStr($aHosts[$h], "~", 0, 2) - StringInStr($aHosts[$h], "~") - 1) ;host username
	$passW = StringMid($aHosts[$h], StringInStr($aHosts[$h], "~", 0, 2) + 1) ;host password
	$puttyPID = Run(@ScriptDir & "\putty.exe -ssh -l " & $userN & " -pw " & $passW & " " & $HostIP) ;open putty

	;do a check cycle of 10 seconds for putty to start
	$waiting = 0
	While $waiting <> 10
		If ProcessExists("putty.exe") Then
			$waiting = 100
			ExitLoop
		EndIf
		$waiting = $waiting + 1
		Sleep(1000)
	WEnd
	;check if putty process was found
	If $waiting = 10 Then
		MsgBox(0, "putty didn't run", "Sorry, but putty didn't open")
		Exit
	EndIf
	_SleepTime(5, "putty") ;wait 5 seconds for putty to connect and settle

	;activate putty
	WinActivate($HostIP & " - PuTTY")
	WinWaitActive($HostIP & " - PuTTY")
	;send the command to start the scan
	Send("/int wire scan wlan1 duration=" & $Duration & @CRLF)
	_SleepTime($Duration + 2, "scan command") ;sleep for 2 seconds longer than duration
	_CopyAll() ;copy everything to clipboard

	;delete the existing temp file
	FileDelete(@ScriptDir & "\cliptemp.txt")
	;write clip contents to a temp file
	$AClip = FileOpen(@ScriptDir & "\cliptemp.txt", 1)
	;check if file opened for writing OK
	If $AClip = -1 Then
		MsgBox(0, "Error", "Unable to open file.")
		Exit
	EndIf
	FileWriteLine($AClip, $ClipContents)
	FileClose($AClip)

	;read contents of temp file into an array
	Dim $AClipCont
	If Not _FileReadToArray(@ScriptDir & "\cliptemp.txt", $AClipCont) Then
		MsgBox(4096, "Error", " Error reading log to Array error:" & @error)
		Exit
	EndIf

	Local $aSSIDs[1] ;setup ssid array
	$aSSIDs[0] = 0 ;set the counter to 0
	$StartProc = 0 ;processing variable
	;start processing the array (skip the last 2 lines, which are the prompt)
	For $x = 1 To $AClipCont[0] - 2
		;check if the ssid section has been found
		If $StartProc == 1 Then
			;we need to process the lines here: flags~MAC~SSID
			$BldStrng = StringLeft($AClipCont[$x], 3) & "~"
			$BldStrng = $BldStrng & StringMid($AClipCont[$x], 7, 17) & "~"
			$BldStrng = $BldStrng & StringMid($AClipCont[$x], 25, 10)
			_ArrayAdd($aSSIDs, $BldStrng)
			$aSSIDs[0] = $aSSIDs[0] + 1
		EndIf
		;find the header line just before the scan results start
		If StringInStr($AClipCont[$x], "address") > 0 Then
			If StringInStr($AClipCont[$x], "ssid") > 0 Then
				;we have found the start - start processing after this
				$StartProc = 1
			EndIf
		EndIf
	Next

	;pull ignore list
	Dim $aIgnores
	If Not _FileReadToArray(@ScriptDir & "\ignore-list.txt", $aIgnores) Then
		MsgBox(4096, "Error", " Error reading log to Array error:" & @error)
		Exit
	EndIf

	;start of ssid checking
	For $x = 1 To $aSSIDs[0]
		$mode = StringLeft($aSSIDs[$x], 4) ;section that has the AP flags
		$ssid = StringStripWS(StringRight($aSSIDs[$x], 10), 2) ;sets ssid
		$mac = StringMid($aSSIDs[$x], 5, 17) ;sets mac
		$ignoreIt = 0 ;sets ignore variable
		For $y = 1 To $aIgnores[0] ;loops through ignore file seeing if we have a match
			$Imac = StringLeft($aIgnores[$y], 17) ;sets ignore mac
			$Issid = StringStripWS(StringMid($aIgnores[$y], StringInStr($aIgnores[$y], "~") + 1), 2) ;sets ignore ssid
			If $mac == $Imac And $ssid == $Issid Then ;checks for ignore
				;this is an ignore match, set it to ignore
				$ignoreIt = 1
			EndIf
		Next
		If StringInStr($mode, "p") > 0 Then ;check if AP is protected (P = privacy flag)
			;this is protected
		ElseIf $ignoreIt == 0 Then
			;not protected and not ignored, try it out
			_ConnectToAP() ;connect to ap and test
		EndIf
	Next

	;kill putty process we started
	ProcessClose($puttyPID)
EndFunc

;--------------------------begin functions
Func _ConnectToAP()
	;connect to AP
	;activate putty
	WinActivate($HostIP & " - PuTTY")
	WinWaitActive($HostIP & " - PuTTY")
	Send("/int wire set 0 ssid=" & StringStripWS($ssid, 2) & @CRLF) ;set the ssid
	_SleepTime(15, "ssid command")
	Send("/ip dhcp-client release 0" & @CRLF) ;reset client dhcp
	_SleepTime(10, "dhcp client to pull ip")
	Send('/tool fetch url="http://' & $serverIP & $serverPathFile & @CRLF) ;attempt to pull the rogue file
	_SleepTime(10, "rogue file to download")
	;check status of download
	Send("q" & @CRLF) ;send a q for quit just in case the DL needs to be cancelled
	Sleep(1000)
	_CopyAll()
	If StringInStr($ClipContents, "status: finished") > 0 Then
		;OMG, we found a rogue...PANIC!
		;send email and then ping
		ToolTip("Rogue detected and email/ping started", 0, 0)
		_SendEmail()
		Send("/ping " & $serverIP & @CRLF) ;start pinging our rogue server
		Exit ;kill the program
	EndIf
EndFunc

Func _SendEmail()
	Local $ConnectedSocket

	;start the TCP services
	TCPStartup()

	;initialize a variable to represent a connection
	$ConnectedSocket = -1

	;attempt to connect to the mail relay at its IP and port
	$ConnectedSocket = TCPConnect($szIPADDRESS, $nPORT)

	;if there is an error... show it
	If @error Then
		MsgBox(4112, "Error", "TCPConnect failed with WSA error: " & @error)
	;otherwise walk through a minimal SMTP conversation with the relay
	Else
		TCPSend($ConnectedSocket, "ehlo rogue-check.com" & @CRLF)
		Sleep(1500)
		TCPSend($ConnectedSocket, "helo rogue-check.com" & @CRLF)
		Sleep(1500)
		TCPSend($ConnectedSocket, "mail from:[email protected]" & @CRLF)
		Sleep(1500)
		TCPSend($ConnectedSocket, "rcpt to:" & $EmailAddress & @CRLF)
		Sleep(1500)
		TCPSend($ConnectedSocket, "data" & @CRLF)
		Sleep(1500)
		TCPSend($ConnectedSocket, "Subject:Rogue Detected on " & $HostIP & @CRLF & @CRLF)
		Sleep(1500)
		TCPSend($ConnectedSocket, "Rogue detected from " & $HostIP & ", SSID is " & $ssid & " and MAC of AP is " & $mac & ". Getem!" & @CRLF)
		Sleep(1500)
		TCPSend($ConnectedSocket, "." & @CRLF)
		Sleep(1000)
		TCPCloseSocket($ConnectedSocket)
	EndIf
EndFunc

Func _CopyAll()
	$ClipContents = "" ;clear our variable
	;activate putty
	WinActivate($HostIP & " - PuTTY")
	WinWaitActive($HostIP & " - PuTTY")
	$PuttyPos = WinGetPos($HostIP & " - PuTTY") ;get current position of putty window
	;start the copy process: open the PuTTY system menu and walk down to "Copy All to Clipboard"
	MouseClick("left", $PuttyPos[0] + 15, $PuttyPos[1] + 15, 1, 0)
	For $i = 1 To 13
		Send("{DOWN}")
		Sleep(150)
	Next
	Send("{ENTER}")
	$ClipContents = ClipGet() ;populate our clip variable
EndFunc

Func _SleepTime($SleepTime, $DescMsg)
	;this function just does the sleep timer
	While $SleepTime <> 0
		ToolTip("Sleeping " & $SleepTime & " more seconds for " & $DescMsg, 0, 0)
		$SleepTime = $SleepTime - 1
		Sleep(1000)
	WEnd
EndFunc
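The scan parsing and ignore-list check that the script above performs inside PuTTY, reimplemented here as a stand-alone Python example (added for this page, not part of MTKRogue). It reads a captured scan listing the same way the script does (header line containing "address" and "ssid", then flags, MAC and the 10-character SSID column per row), drops anything carrying the P privacy flag or listed in ignore-list.txt, and returns the open APs the probe would go on to test; the scan capture and ignore list below are constructed sample data.

```python
import re

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")

def parse_scan(scan_text):
    """Parse a captured '/interface wireless scan' listing the way the AutoIt
    script does: skip everything up to the header containing 'address' and
    'ssid', then take flags / MAC / 10-char SSID column from each row.
    Returns (flags, mac, ssid) tuples."""
    aps, started = [], False
    for line in scan_text.splitlines():
        low = line.lower()
        if not started:
            started = "address" in low and "ssid" in low
            continue
        m = MAC_RE.search(line)
        if not m:                       # prompt, blank line or trailer text
            continue
        flags = line[:m.start()].strip().upper()
        ssid = line[m.end() + 1:m.end() + 11].strip()
        aps.append((flags, m.group(0).upper(), ssid))
    return aps

def parse_ignore_list(text):
    """ignore-list.txt rows are 'MAC~SSID'; '#' lines are comments.
    An AP is ignored only when both MAC and SSID match, as in the script."""
    ignored = set()
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and "~" in s:
            mac, ssid = s.split("~", 1)
            ignored.add((mac.strip().upper(), ssid.strip()))
    return ignored

def rogue_candidates(scan_text, ignore_text):
    """Open APs (no P = privacy flag) that are not on the ignore list: the
    ones the probe would join and test by fetching the internal-only page."""
    ignored = parse_ignore_list(ignore_text)
    return [(mac, ssid) for flags, mac, ssid in parse_scan(scan_text)
            if "P" not in flags and (mac, ssid) not in ignored]

# Constructed sample capture, laid out in the column positions the script reads.
SAMPLE_SCAN = """\
[user1@probe] > /int wire scan wlan1 duration=15
Flags: A - active, B - bss, P - privacy, R - routeros-network, N - nstreme
    ADDRESS           SSID       BAND   FREQ SIG NF  SNR
AB  00:12:17:DA:09:2A linksys    2.4ghz 2412 -40 -95 55
ABP 00:0C:42:11:22:33 corp-wifi  2.4ghz 2437 -55 -95 40
AB  00:1A:2B:3C:4D:5E FreeWiFi   2.4ghz 2462 -70 -95 25
"""
SAMPLE_IGNORE = "#MAC address~SSID\n00:12:17:DA:09:2A~linksys\n"
```

With the sample data only FreeWiFi survives: linksys is on the ignore list and corp-wifi is encrypted, so those two never get a connection attempt.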
*********************************************************
UPDATE
*********************************************************
I’ve always wanted to be on wikipedia…so I took this opportunity to add myself.
Thanks for the awesome trick … thank you also for the shirts, it’s so cool.
@Natheer
Thanks for the comment! I figured that if I hounded you guys enough you would post comments 😉
Thank you also for attending the MUM and also my presentation. I tried to go with something different and hopefully interesting. Without you guys this blog doesn’t exist, so keep interacting!