Evil Twin Demonstration
Eric Goldman: http://www.ericgoldman.name presents
I.   Overview & Purpose of Attack
II. Equipment & Software Used
III. Attack Demonstration
IV. Comments & Thoughts
V. Questions


         More presentations & reports: http://www.ericgoldman.name   2
What is an Evil Twin attack?
• The Evil Twin is a Rogue AP attack
• Pretend to be the Real AP and trick users into connecting
• Not required, but can DoS attack the Real AP
What does this attack accomplish?
• All user connections to the network pass through the Evil Twin
• Can now redirect traffic, filter traffic, and do any of a number of Man in the Middle attacks

How does it work?
• We can create a fake AP using airbase-ng (part of the aircrack-ng suite) and a compatible Wi-Fi interface
• Using another wireless or wired interface, all user traffic is routed back to the regular network/Internet
• Windows XP will often automatically switch to a better connection without asking the user
• An untrained user may even connect to the Fake AP manually because the SSID looks correct
Real AP: Linksys WRT54Gv5
• Standard firmware, version 1.02.5
Fake AP: IBM T42 laptop
• Running BackTrack 4 Beta Live CD
Monitor/Capture: IBM T42 laptop
• Running BackTrack 3 Live CD
Victim: IBM T42 laptop
• Running Windows XP SP3
• Windows-managed Wi-Fi
Wireless Capturing
• Aircrack-ng suite* (airmon-ng, airodump-ng)
• Wireshark used for post-capture analysis
Fake AP
• Access Point functionality
  ▪ Aircrack-ng suite (airmon-ng, airbase-ng)
• Client services provided by
  ▪ ISC dhcpd3, Netfilter's iptables
*http://www.aircrack-ng.org

Overview Information
• Client MAC Address: 00:0E:9B:6E:28:7D
• Real AP MAC Address: 00:14:BF:CF:C3:AE
• Fake AP MAC Address: 00:0E:9B:BF:AA:B2
• Real AP Subnet: 129.168.1.0/24
• Fake AP Subnet: 10.0.0.0/24


Real AP Configuration
• The Real AP is a Linksys WRT54G-v5
• No special settings
• SSID: "Group5Test"
• Channel: 2 (2.147 GHz)


Video is on the next slide


3rd Party Attack Capture
• Used airodump-ng to capture traffic
• Terminal on left: filtered to the Real AP
• Terminal on right: filtered to the Fake AP
• Notice how the client connects to the Fake AP soon after it is brought up

Video is on the next slide

Fake AP View of Attack
• Terminal on right: launching the Fake AP with airbase-ng, mimicking the Real AP settings
• Terminal on left: scripted DHCP and routing for client setup, run after the Fake AP is started
• Watch for the client authentication (right terminal), then the DHCP change (left terminal)

Video is on the next slide
Victim View of the Attack
• The victim is already connected to the Real AP
• The Fake AP is started, and the victim switches to the Fake AP without any user intervention
• Watch for the connection to go down, then for the DHCP information to change: originally 129.168.1.100, the Fake AP gives 10.0.0.100

Video is on the next slide

• The Fake AP mimics the settings of the Real AP
• The Fake AP provides a stronger signal with the same settings, so the client automatically switches
• The client still has an outside connection and the SSID is the same, so it is hard to tell they have been switched to a rogue AP
• Now all traffic is going through the Fake AP, which can use a fake DNS or perform other Man in the Middle attacks on the victim
Preventing Evil Twin Attacks
• Deploy a Wireless Intrusion Prevention System
• Use low-level authentication (LEAP, etc.)
• Perform regular site surveys to find rogue APs
• Do not allow client workstations to automatically select and connect to Wi-Fi networks
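The two defender-side checks below are an added example, not code from the deck or its author: the first is the kind of rule a WIPS or a site survey applies to the airodump-ng capture from slide 9 (a second BSSID advertising "Group5Test" with a stronger signal), and the second is the client-side symptom from slide 11 (same SSID, but the BSSID and DHCP subnet changed). The four-column record layout is a simplification assumed here, and the sample records reuse the deck's MACs, SSID and addresses as constructed data.

```python
"""Evil-twin checks (added example, not from the slide deck).
Check 1 flags a BSSID advertising a managed SSID that is not in the authorized
AP inventory (what the deck's airodump-ng capture shows). Check 2 runs on the
client: same SSID, but BSSID and DHCP subnet changed (the victim slide, lease
moving from 129.168.1.100 to 10.0.0.100). Sample records are constructed, in a
simplified airodump-ng-like layout (BSSID, CH, PWR, ESSID), not a real capture.
"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str
    channel: int
    power: int  # dBm, as airodump-ng's PWR column reports
    essid: str

# The only BSSIDs allowed to advertise each managed SSID (deck's Overview slide).
AUTHORIZED = {"Group5Test": {"00:14:BF:CF:C3:AE"}}

SAMPLE_CSV = """\
00:14:BF:CF:C3:AE, 2, -62, Group5Test
00:0E:9B:BF:AA:B2, 2, -35, Group5Test
00:11:22:33:44:55, 6, -70, OtherNet
"""

def parse_csv(text):
    """Parse the simplified 4-column records into Beacon objects."""
    beacons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ch, pwr, essid = (f.strip() for f in line.split(",", 3))
        beacons.append(Beacon(bssid.upper(), int(ch), int(pwr), essid))
    return beacons

def find_evil_twins(beacons, authorized):
    """One alert per unauthorized BSSID advertising a managed SSID; each alert also
    records the strongest authorized signal, so you can see if clients would prefer the rogue."""
    alerts = []
    for b in beacons:
        allowed = authorized.get(b.essid)
        if allowed is None or b.bssid in allowed:
            continue  # unmanaged SSID, or a legitimate AP
        legit_pwr = max((x.power for x in beacons
                         if x.essid == b.essid and x.bssid in allowed), default=None)
        alerts.append({
            "essid": b.essid, "rogue_bssid": b.bssid, "channel": b.channel,
            "rogue_power": b.power, "legit_power": legit_pwr,
            "louder_than_legit": legit_pwr is not None and b.power > legit_pwr,
        })
    return alerts

def association_changes(before, after):
    """Client-side check. before/after: dicts with ssid, bssid, ip ("10.0.0.100/24").
    Returns the fields that changed under an unchanged SSID; a changed SSID is reported alone."""
    if before["ssid"] != after["ssid"]:
        return ["ssid"]  # deliberate network switch, not an evil-twin symptom
    changes = []
    if before["bssid"].upper() != after["bssid"].upper():
        changes.append("bssid")
    if ipaddress.ip_interface(before["ip"]).network != ipaddress.ip_interface(after["ip"]).network:
        changes.append("subnet")
    return changes
```

Feeding the deck's victim-view states (BSSID 00:14:BF:CF:C3:AE at 129.168.1.100/24, then 00:0E:9B:BF:AA:B2 at 10.0.0.100/24) to association_changes returns both "bssid" and "subnet", which is the on-host signal the slide describes.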



