Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Wi-Fi Hotspot Attacks

9,359 views

Published on

Wireless technology is inherently insecure in general, however this presentation details some unconventional attacks that have been around for years but are still incredibly effective. Discussing the basics of AP cloning, abusing captive portals, and more.

Published in: Technology
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y3nhqquc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Wi-Fi Hotspot Attacks

  1. 1. Wi-Fi Hacking for Web Pentesters Greg Foss Sr. Security Research Engineer @heinzarelli
  2. 2. Greg Foss Sr. Security Research Engineer OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT # whoami
  3. 3. *I am not liable for what you do with any of this information* Section 638:17 House Bill 495 - US rules against wireless hacking http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States
  4. 4. DISCLAIMER Not a ‘Wi-Fi Security Expert’ nor a Lawyer Just about everything I’m going to demonstrate is probably illegal, don’t do any of this against unauthorized targets…
  5. 5. Not Discussing Wi-Fi Security Basics • 802.11 • WEP Cracking - ridiculously easy, google it • WPA / WPA2 Attacks - Reaver • WPS Attacks - Reaver • PEAP, LEAP, etc. - Out of Scope
  6. 6. Agenda…
  7. 7. it’s everywhere… enough free WiFi that it’s almost not worth the time it takes to infiltrate unless free internet’s not the goal…
  8. 8. Bypassing is easy… • Sometimes Tor or a VPN will simply be allowed through the captive portal, no joke • Try appending ?.jpg or ?.png to the URL • Look for Open Redirect flaws, iFrames, etc. • Tunnel out over DNS! • Same tricks work if your ISP suspends your internet access, depending on the ISP of course…
  9. 9. Bypassing is easy… • On time-limited access points, just change your MAC when the time runs out. Or sniff MACs and ride on another’s paid access. • De-auth existing clients and/or DoS access points: • Aireplay-ng or Airdrop • http://www.aircrack-ng.org/ • MDK3 • https://forums.kali.org/showthread.php?19498- MDK3-Secret-Destruction-Mode
  10. 10. Bypassing is easy… • Sniff MAC Addresses and wait for a user to go idle, then modify your MAC and IP to match • Works on just about any open access point, especially captive portals • CPSCAM by Josh Wright will do this for you: • http://www.willhackforsushi.com/code/ cpscam.pl
  11. 11. Hijacking is also easy…
  12. 12. The Evil Twin… source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
  13. 13. How to clone and weaponize captive portals 1. Connect to the access point and wait for the splash page to pop- up. 2. Close the splash page, and open your browser. Visit any random web page (http normally works better than https). 3. When the splash page comes up, save the entire landing page. Use the splash page and save additional pages as necessary. 4. Change the UA string and grab the mobile version as well if it exists. 5. Replace the form processor to write a log file and pass the client through to a legitimate landing page. 6. Modify the page HTML to point to your form processor and modify parameters as necessary. 7. Deploy the captive portal (will discuss this shortly) 8. Use IPTables to allow the victim’s MAC through to the internet using the form processor.
  14. 14. Mobile Cloning
  15. 15. Mobile Cloning • HTTrack: http://www.httrack.com/
  16. 16. Mobile Cloning • VT View Source:
 
 https://play.google.com/ store/apps/details? id=com.tozalakyan.view source&hl=en
  17. 17. How to Deauthenticate Clients and DoS Access Points • Aireplay-ng using the —deauth flag • file2air - deauth packet injection flood tool by Josh Wright • http://www.willhackforsushi.com/code/file2air/1.1/ file2air-1.1.tgz • Spoof AP MAC, send deauth requests to clients • Target a single user, all users, or AP itself • MDK3 Deauth Amok Mode to take out all WPA AP’s
  18. 18. How to Deauthenticate Clients and DoS Access Points source: https://github.com/sophron/wifiphisher
  19. 19. How to Deauthenticate Clients and DoS Access Points https://github.com/sophron/wifiphisher
  20. 20. source: https://www.isecpartners.com/blog/2013/july/man-in-the-middling-non-proxy-aware-wi-fi-devices-with-a-pineapple.aspx
  21. 21. Wi-Fi Pineapple https://wifipineapple.com/
  22. 22. Generic Splash Page Pineapple Configuration /etc/nodogsplash/htdocs/splash.html
  23. 23. Landing Page Pineapple Configuration - JavaScript Necessities /www/[directory]/index.html
  24. 24. PHP Form Processor Pineapple Configuration Easier than using IPTables /www/[directory]/auth/login.php
  25. 25. A word of caution w/ the Pineapple…
  26. 26. A word of caution w/ the Pineapple…
  27. 27. Existing Router Ideally one supporting guest mode…
  28. 28. DDWRT • Flash with DDWRT, then you can use NocatSplash to configure a captive portal. • Many other ways to go about this… DDWRT is just one of the easier options. • http://www.dd-wrt.com/site/index • http://sourceforge.net/projects/ nocatsplash/
  29. 29. Laptop Hotspot and/or Proxy
  30. 30. • Kali Linux • http://www.kali.org/ • Can do just about anything to connecting clients • Unlimited attack potential and plenty of drive space to build elaborate landing pages and believable scenarios Laptop Hotspot and/or Proxy
  31. 31. • Makes hacking Wi-Fi even easier! • https://github.com/SilverFoxx/PwnSTAR PwnStar - By SilverFoxx
  32. 32. Demo
  33. 33. Deploy Malware
  34. 34. Combine Pineapple portability with the versatility of Kali Linux • http://www.offensive-security.com/kali- linux/kali-linux-evil-wireless-access-point/
  35. 35. BeagleBone Black + Alfa Wi-Fi Card http://beagleboard.org/black http://www.alfa.com.tw/
  36. 36. BeagleBone AP Deployment Options get creative…
  37. 37. Going Mobile! • Nexus Device with Kali NetHunter • https://www.kali.org/kali-linux-nethunter/ • Pwnie Express Pwn Phone/Pad • https://www.pwnieexpress.com/product/ pwn-phone2014/
  38. 38. Going Mobile!
  39. 39. Going Mobile!
  40. 40. MITM Basic Tools • AirSSL • AirJack • Airsnarf • Dsniff • Cain • void11 • Ferret • SSLStrip • Wireshark • AirPwn • Ettercap • Etc…
  41. 41. You don’t even need to authenticate to attack clients
  42. 42. Fun with MITM • Snapception - https://github.com/thebradbain/ snapception • Love Thy Neighbors - http:// neighbor.willhackforsushi.com/ • AirPWN - http://airpwn.sourceforge.net/ Airpwn.html • Intercepter-NG - http://intercepter.nerf.ru/ • Many, many more…
  43. 43. Demo
  44. 44. Client Defense… • Always use a VPN/VPS/SSH Port Forwarding/ etc. when connected to an open access point. • Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’. • Hotspot not served up over HTTPS and other generally suspicious behavior. • Beware duplicate networks with different encryption.
  45. 45. Client Defense… • Use different login details and passwords for public wifi. Test false-credentials first, if it lets you through it’s not legit. • Turn off Wi-Fi on devices when traveling. • Exercise caution when connections suddenly drop, especially if it happens for everyone on the network. • If it just ‘doesn’t feel right’ then trust your instincts…
  46. 46. Resources • http://www.willhackforsushi.com/code/cpscam.pl • http://neighbor.willhackforsushi.com/ • http://www.aircrack-ng.org/ • http://www.dd-wrt.com/ • https://github.com/SilverFoxx/PwnSTAR • http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/ • http://beagleboard.org/black • http://www.armhf.com/boards/beaglebone-black/bbb-sd-install/ • http://grinninggecko.com/2013/09/13/kali-linux-on-headless-beaglebone-black-via- os-x/ • https://github.com/thebradbain/snapception • http://airpwn.sourceforge.net/Airpwn.html • http://intercepter.nerf.ru/
  47. 47. Thank You! Questions? https://github.com/gfoss/misc/Wireless/Captive-Portals/ Greg Foss
 Senior Security Research Engineer
 greg.foss[at]LogRhythm.com
 @heinzarelli

×