Project: NEMESIS - Rabid Wireless Access Point that attacks malicious clients connecting to it (they have to break WEP to connect)
- sysctl - TCP/IP stack hardening
- arpwatch - Monitor static ARP entries
- iptables - NAT Masquerade, ARP broadcasts, DNS leaks
- ebtables - Filter bridged connections
- hostapd - Wireless Access Point
- hostapd_cli - setup script listener hook for client authenticated
- wpa_supplicant - use WEP encryption, expect only malicious clients
- udev - MAC Spoofing
- gkismet / giskismet - Wireless scanner w/GPS
- gpsd - gps daemon
- sql db - Store kismet data
- ettercap - Man-in-the-Middle Framework: ARP Poisoning, ICMP Redirection, DHCP Spoofing, Port Stealing, Character Injection, SSH1 MITM
- wireshark / tshark - Network sniffer for Layer 2 (Data Link Layer) and Layer 3 (Network Layer)
- honeyd - Virtual Host Honeypot
- msfvenom -
- metasploit -
- evilginx - Man-in-the-Middle Session Hijacking Framework
- snort - IPS / IDS
- ntopng - Network Statistics (what are these malicious clients trying to do?)
- Captive Portal - "Free WiFi" operation, WEP disabled
https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening
net.ipv4.icmp_echo_ignore_all = 1
MAC Spoofing on device hotplug
Layer 2 filtering
Layer 3 filtering
NAT Masquerade
hostapd_cli -a/bin/hostapd_eventscript -B
#!/bin/sh
# Action script for hostapd_cli -a: invoked as <interface> <event> <station MAC>
logger -t "$0" "hostapd event received $1 $2 $3"
# POSIX [ ... ] rather than [[ ... ]]: the latter is a bash extension and fails under /bin/sh
if [ "$2" = "AP-STA-CONNECTED" ]
then
    echo "someone has connected with mac id $3 on $1"
fi
if [ "$2" = "AP-STA-DISCONNECTED" ]
then
    echo "someone has disconnected with mac id $3 on $1"
fi
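A fuller action script for the same hostapd_cli -a hook, as an added example that is not part of the NEMESIS notes: it records each AP-STA-CONNECTED / AP-STA-DISCONNECTED event together with the interface and station MAC that hostapd_cli passes as $1 $2 $3, keeps a list of currently associated stations, and raises an alert when one MAC reconnects more often than a threshold (a crude indicator of a client repeatedly probing the AP). The state directory /var/lib/nemesis, the NEMESIS_* environment variables and the limit of 5 are assumptions, not values from the notes.

```sh
#!/bin/sh
# Added example (not the NEMESIS project's code): action script for
# `hostapd_cli -a<script>` that logs station events, keeps an active-station
# list and flags a MAC reconnecting more than RECONNECT_LIMIT (assumed) times.
STATE_DIR="${NEMESIS_STATE_DIR:-/var/lib/nemesis}"
RECONNECT_LIMIT="${NEMESIS_RECONNECT_LIMIT:-5}"
# valid_mac MAC -> 0 if MAC is six colon-separated lower-case hex octets
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}
# connection_count MAC -> number of AP-STA-CONNECTED events logged for MAC
connection_count() {
    [ -f "$STATE_DIR/events.log" ] || { echo 0; return 0; }
    awk -v m="$1" '$2 == "AP-STA-CONNECTED" && $4 == m { n++ } END { print n + 0 }' \
        "$STATE_DIR/events.log"
}
# is_active MAC -> 0 if MAC is currently in the active-station list
is_active() {
    [ -f "$STATE_DIR/active" ] && grep -qxF "$1" "$STATE_DIR/active"
}
# handle_event IFACE EVENT MAC: the three arguments hostapd_cli -a passes.
# Prints a one-line verdict; unknown events and malformed MACs are ignored.
handle_event() {
    iface=$1; event=$2; mac=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    mkdir -p "$STATE_DIR"
    if ! valid_mac "$mac"; then
        echo "ignored: malformed station address '$3'"; return 0
    fi
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$event" "$iface" "$mac" \
        >> "$STATE_DIR/events.log"
    case "$event" in
        AP-STA-CONNECTED)
            is_active "$mac" || echo "$mac" >> "$STATE_DIR/active"
            n=$(connection_count "$mac")
            if [ "$n" -gt "$RECONNECT_LIMIT" ]; then
                echo "alert: $mac reconnected $n times on $iface"
            else
                echo "connected: $mac on $iface (connection $n)"
            fi ;;
        AP-STA-DISCONNECTED)
            if [ -f "$STATE_DIR/active" ]; then
                grep -vxF "$mac" "$STATE_DIR/active" > "$STATE_DIR/active.tmp" || true
                mv "$STATE_DIR/active.tmp" "$STATE_DIR/active"
            fi
            echo "disconnected: $mac from $iface" ;;
        *) echo "ignored: $event" ;;
    esac
}
if [ $# -eq 3 ]; then handle_event "$@"; fi  # dispatch when run by hostapd_cli
```

Install it with `hostapd_cli -a<path-to-script> -B` exactly as in the command above; the events.log line format is `timestamp event interface mac`, so it can be fed straight into the SQL store listed for the kismet data.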
https://www.kismetwireless.net/
https://github.com/internetofdongs/IoD-Screwdriver
https://piratefache.ch/mapping-wifi-networks-on-google-maps/
https://medium.com/secjuice/man-in-the-middle-attack-using-arp-spoofing-fa13af4f4633
https://github.com/Ettercap/ettercap
https://wiki.archlinux.org/index.php/honeyd