Evil Twin Demonstration

A technical demo presentation showing an Evil Twin attack in action. The demo shows the attack from the victim, attacker, and evil twin perspectives. Background information is available. Full report is available at http://www.ericgoldman.name

  • Gotta love that graphic right?

Evil Twin Demonstration Presentation Transcript

  • 1. Eric Goldman: http://www.ericgoldman.name presents
  • 2.
      I. Overview & Purpose of Attack
      II. Equipment & Software Used
      III. Attack Demonstration
      IV. Comments & Thoughts
      V. Questions
    More presentations & reports: http://www.ericgoldman.name
  • 3.
      • What is an Evil Twin attack?
          ▪ The Evil Twin is a Rogue AP Attack
          ▪ Pretend to be Real AP, trick users into connecting
          ▪ Not required, but can DoS attack the Real AP
      • What does this attack accomplish?
          ▪ All user connections to network through Evil Twin
          ▪ Can now redirect traffic, filter traffic, and do any of a number of Man in the Middle Attacks
  • 4.
      • How does it work?
          ▪ We can create a fake AP using airbase-ng (part of aircrack-ng suite) and a compatible Wi-Fi interface
          ▪ Using another wireless or wired interface, all user traffic is routed back to regular network/Internet
          ▪ Windows XP will often automatically switch to a better connection without asking user
          ▪ Untrained user may even connect to Fake AP manually because the SSID looks correct
  • 5.
      • Real AP: Linksys WRT54Gv5
          ▪ Standard Firmware, Version 1.02.5
      • Fake AP: IBM t42 Laptop
          ▪ Running Backtrack 4 Beta Live CD
      • Monitor/Capture: IBM t42 Laptop
          ▪ Running Backtrack 3 Live CD
      • Victim: IBM t42 Laptop
          ▪ Running Windows XP SP3
          ▪ Windows managed Wi-Fi
  • 6.
      • Wireless Capturing
          ▪ Aircrack-ng suite* (airmon-ng, airodump-ng)
          ▪ Wireshark used for post-capture analysis
      • Fake AP
          ▪ Access Point Functionality
              ▪ Aircrack-ng suite (airmon-ng, airbase-ng)
          ▪ Client services provided by
              ▪ ISC dhcpd3, Netfilter’s iptables
    *http://www.aircrack-ng.org
  • 7. Overview Information
      • Client MAC Address: 00:0E:9B:6E:28:7D
      • Real AP MAC Address: 00:14:BF:CF:C3:AE
      • Fake AP MAC Address: 00:0E:9B:BF:AA:B2
      • Real AP Subnet: 129.168.1.0/24
      • Fake AP Subnet: 10.0.0.0/24
  • 8. Real AP Configuration
      • The Real AP is a Linksys WRT54G-v5
      • No special settings
      • SSID: “Group5Test”
      • Channel: 2 (2.147 GHZ)
    Video is on the next slide
  • 9. 3rd Party Attack Capture
      • Used airodump-ng to capture traffic
      • Terminal on Left: Real AP Filtered
      • Terminal on Right: Fake AP Filtered
      • Notice how the client connects to the Fake AP soon after it is brought up
    Video is on the next slide
  • 10. Fake AP View of Attack
      • Terminal on Right: Launching Fake AP with airbase-ng, mimicking Real AP settings
      • Terminal on Left: Scripted DHCP and routing for client setup, run after Fake AP started
      • Watch for Client authentication (right terminal), then DHCP change (left terminal)
    Video is on the next slide
  • 11. Victim View of the Attack
      • Victim is already connected to the Real AP
      • The Fake AP is started, and the victim switches to the Fake AP without any user intervention
      • Watch for the connection to go down, then for DHCP information to change: Originally 129.168.1.100, Fake AP gives 10.0.0.100
    Video is on the next slide
  • 12.
      • The Fake AP mimics settings of the real AP
      • The Fake AP provides stronger signal with the same settings, client automatically switches
      • The client still has outside connection, and the SSID is the same, hard to tell they have been switched to a rogue AP
      • Now all traffic is going through the Fake AP, can use Fake DNS or do other Man in the Middle attacks on the Victim
  • 13.
      • Preventing Evil Twin Attacks
          ▪ Deploy Wireless Intrusion Prevention System
          ▪ Use low-level authentication (LEAP, etc)
          ▪ Perform regular site-surveys to find rogue APs
          ▪ Do not allow client workstations to automatically select and connect to Wi-Fi networks
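
The site-survey countermeasure on the last slide can be automated. The following Python is an added example, not part of the original presentation: it reads a survey in the CSV layout written by airodump-ng (layout assumed), compares every AP advertising the authorized SSID against an allowlist of known BSSIDs, and lists the clients associated with any unlisted one. The allowlist uses the SSID and MAC addresses from slides 7 and 8; the function names and the sample survey (timestamps, power, counters, encryption column) are constructed for illustration.

```python
import csv
import io

# Authorized SSID -> BSSIDs, from the slides (Real AP MAC address).
AUTHORIZED = {"Group5Test": {"00:14:BF:CF:C3:AE"}}

# Constructed survey in the airodump-ng CSV layout (assumed): AP table,
# blank line, station table. Timestamps, power and counters are made up.
SAMPLE = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:BF:CF:C3:AE, 2009-01-01 10:00:00, 2009-01-01 10:05:00,  2,  54, OPN, , ,  -60, 300, 0, 0.  0.  0.  0, 10, Group5Test,
00:0E:9B:BF:AA:B2, 2009-01-01 10:03:00, 2009-01-01 10:05:00,  2,  54, OPN, , ,  -30, 120, 0, 0.  0.  0.  0, 10, Group5Test,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0E:9B:6E:28:7D, 2009-01-01 10:00:00, 2009-01-01 10:05:00, -40, 50, 00:0E:9B:BF:AA:B2, Group5Test
"""

def parse_survey(text):
    """Return (aps, stations) parsed from airodump-ng style CSV text."""
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not row or not row[0]:
            continue
        if row[0] == "BSSID":
            section = "ap"
        elif row[0] == "Station MAC":
            section = "sta"
        elif section == "ap" and len(row) >= 14:
            aps.append({"bssid": row[0].upper(), "channel": int(row[3]),
                        "power": int(row[8]), "essid": row[13]})
        elif section == "sta" and len(row) >= 6:
            stations.append({"mac": row[0].upper(), "bssid": row[5].upper()})
    return aps, stations

def find_evil_twins(aps, stations, authorized=AUTHORIZED):
    """Flag APs advertising an authorized SSID from an unlisted BSSID."""
    findings = []
    for ap in aps:
        known = authorized.get(ap["essid"])
        if known is not None and ap["bssid"] not in known:
            clients = sorted(s["mac"] for s in stations
                             if s["bssid"] == ap["bssid"])
            findings.append({**ap, "clients": clients})
    return findings

if __name__ == "__main__":
    for finding in find_evil_twins(*parse_survey(SAMPLE)):
        print(finding)
```

On the constructed survey this reports the Fake AP's BSSID with the victim's MAC as an associated client, matching what slide 9 shows in the capture terminals. The check depends on the twin's BSSID differing from the allowlisted one, as it does in this demonstration.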