GETTING THE MOST OUT OF EVIL TWIN

Similar documents
Lure10: Exploiting Windows Automatic Wireless Association Algorithm

Wifiphisher Documentation

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

LESSON 12: WI FI NETWORKS SECURITY

WIRELESS EVIL TWIN ATTACK

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Wireless Attacks and Countermeasures

Wifiphisher Documentation

Wireless Network Security

Obstacle Avoiding Wireless Surveillance Bot

Attacks on WLAN Alessandro Redondi

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Section 4 Cracking Encryption and Authentication

Physical and Link Layer Attacks

An introduction to wireless security at home, on the road and on campus. Sherry Callahan and Kyle Crane

HACKING EXPOSED WIRELESS: WIRELESS SECURITY SECRETS & SOLUTIONS SECOND EDITION JOHNNY CACHE JOSHUA WRIGHT VINCENT LIU. Mc Graw mim

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Hooray, w Is Ratified... So, What Does it Mean for Your WLAN?

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

NWD2705. User s Guide. Quick Start Guide. Dual-Band Wireless N450 USB Adapter. Version 1.00 Edition 1, 09/2012

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

Wireless Security and Monitoring. Training materials for wireless trainers

What is a Wireless LAN? The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in Ne

VLANs and Association Redirection. Jon Ellch

A Practical, Targeted, and Stealthy attack against WPA-Enterprise WiFi

PRODUCT GUIDE Wireless Intrusion Prevention Systems

WIDS Technology White Paper

Man-In-The-Browser Attacks. Daniel Tomescu

Worldwide Release. Your world, Secured ND-IM005. Wi-Fi Interception System

Security of WiFi networks MARCIN TUNIA

Configuring Wireless Security Settings on the RV130W

Cyber Security Guidelines for Public Wi-Fi Networks

Wireless KRACK attack client side workaround and detection

BackTrack 5 Wireless Penetration Testing

Hacking Encrypted Wireless Network

How Insecure is Wireless LAN?

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Many organizations worldwide turn to

Chapter 24 Wireless Network Security

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer


What is Eavedropping?

Learn How to Configure EnGenius Wi-Fi Products for Popular Applications

CIT 380: Securing Computer Systems. Network Security Concepts

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

PMS 138 C Moto Black spine width spine width 100% 100%

ProbeQuest Documentation

Securing Wireless Networks by By Joe Klemencic Mon. Apr

SETTING UP THE LAB 1 UNDERSTANDING BASICS OF WI-FI NETWORKS 26

Wi-Net Window and Rogue Access Points

Securing Internet of things Infrastructure Standard and Techniques

RouterCheck Installation and Usage

GWN7600 Firmware Release Note IMPORTANT UPGRADING NOTE

Configuring Layer2 Security

GWN7600/7600LR Firmware Release Notes IMPORTANT UPGRADING NOTE

Wireless Security Setup Guide

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

VAR11N Datasheet. Shenzhen Houtian Network Communication Technology Co., LTD

CEH Tools. Sniffers. - Wireshark: The most popular packet sniffer with cross platform support.

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

How To Make Belkin Wireless Router Password Protected

300Mbps Wireless N Gigabit Ceilling Mount Access Point

Wireless Network Security Spring 2016

Network Encryption 3 4/20/17

EAPeak - Wireless 802.1X EAP Identification and Foot Printing Tool. Matt Neely and Spencer McIntyre

GWN7610 Firmware Release Note IMPORTANT UPGRADING NOTE

network security s642 computer security adam everspaugh

5 Tips to Fortify your Wireless Network

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

How to Configure Wireless Internet Access (Wi-Fi) Advanced Settings on the Qwest Standard Modem: Actiontec GT701-WG

Encrypted WiFi packet injection and circumventing wireless intrusion prevention systems

CWNA Exam PW0-100 certified wireless network administrator(cwna) Version: 5.0 [ Total Questions: 120 ]

FAQ on Cisco Aironet Wireless Security

ETHICAL HACKING OF WIRELESS NETWORKS IN KALI LINUX ENVIRONMENT

FinIntrusion Kit / Release Notes. FINFISHER: FinIntrusion Kit 4.0 Release Notes

Wireless Router at Home

Family Structural Overview

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

Mobile Security Fall 2013

Securing a Wireless LAN

The RNS (Robust Secure Network) IE must be enabled with an AES Cipher.

2013 Summer Camp: Wireless LAN Security Exercises JMU Cyber Defense Boot Camp

Ethical Hacking and Prevention

Wireless Security Setup Guide

Appendix E Wireless Networking Basics

Figure 35: Active Directory Screen 6. Select the Group Policy tab, choose Default Domain Policy then click Edit.

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

HACKING & INFORMATION SECURITY Presents: - With TechNext

This repository. Insights. Projects 0. Join GitHub today

Chapter 1 Introduction

Security: More Than a Thumb and a Blanket

W hy i OS (Android & others) F ail i nexplicably?

Configuring Management Frame Protection

NWD271N. User s Guide. WLAN n USB Adapter. Version /2008 Edition 1

Security Setup CHAPTER

Wireless Network Security Fundamentals and Technologies

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Today s challenge on Wireless Networking. David Leung, CISM Solution Consultant, Security Datacraft China/Hong Kong Ltd.

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Transcription:

GETTING THE MOST OUT OF EVIL TWIN B-SIDES ATHENS 2016 GEORGE CHATZISOFRONIOU (@_sophron) sophron@census-labs.com www.census-labs.com

> WHOAMI Security Engineer at CENSUS S.A. Cryptography, Wi-Fi hacking, web security and network security Academic research Design of Privacy-enabling / Anonymity-providing protocols Lead author of Wifiphisher First introduced at BSidesLondon 2015

> AGENDA Evil Twin Attack Wi-Fi DoS Attacks Phishing Scenarios Wifiphisher

> EVIL TWIN ATTACK

> Evil Twin A rogue Wi-Fi AP spoofs a legitimate in order to gather personal or corporate data. Common attack vector in Wi-Fi environments

> Getting the Right Equipment Essential step for a successful Evil Twin attack Wireless card rule: the more power gain, the better Ideally, two different attack points: One for spawning the rogue AP May be placed inside the target infrastructure equipped with an omnidirectional antenna, well hidden from prying eyes, low battery consumption One for DoS attacks May be from distant using a directional antenna

> AUTO-CONNECT Flag Allows a station to add Wi-Fi networks in its PNL (Preferred Network List) so it can automatically connect to them later Typical usability over security feature Enabled by default in all modern implementations of network managers An effective Evil Twin almost always involve the exploitation of this flag

> AP Selection Stations will automatically associate with the AP that: 1) Broadcasted an ESSID that exists in its PNL 2) From the ones that satisfy (1), the AP offers the best signal What is really added in the PNL is an association of ESSID and Encryption Type PNL += (ESSID, Encryption) Encryption = (Open WEP WPA WPA2) Attacker needs to replicate both

> Against Open Networks Usually employed along with a captive portal mechanism Common in airports, hotels, and coffee shops Vulnerable to Evil Twin by default Both ESSID and Encryption Type (Open) can easily be replicated Assuming stronger signal, victims will automatically connect to the rogue AP

> Against WPA/WPA2 with Known or Compromised PSK Common in conferences or other infrastructures where members are dynamically joining and leaving the network Authentication relies on a PSK Secret is held by all parties. Can be compromised at one end without the knowledge of anyone at the other endpoints. As in open setups, these are vulnerable to Evil Twin Both ESSID and Encryption can be replicated Assuming stronger signal, victims will automatically connect to the rogue AP

> Against WPA-Enterprise Widely used in large corporations When not authenticating the AP, corporate setups are vulnerable to Evil Twin Yes, PEAP/EAP-TLS is not vulnerable Offline brute-force of the captured challengeresponse.

> Against WPA/WPA2 with unknown PSK: By using a different random shared key the connection with a rogue access point won t succeed The access point can t decrypt packets from the client and vice versa Downgrade attacks usually need victim interaction

> KARMA Featured by Wi-Fi Pineapple Listen to probe request frames If the probe request frame is intended for an open network, spawn that network Victims will auto-connect to the rogue network Needs to have already stored open networks in the PNL

> KARMA Most network managers have taken countermeasures: 1) Devices will wait for the correct beacon frame before sending the probe request frame 2) If they do send probe request frames arbitrarily, the destination address will be the broadcast address (i.e. no ESSID leak)

> How about guessing the ESSID? Things are easier if we know an open network that the victim has connected to in the past. E.g. victim had visited BSidesLondon conference. We know that BSidesLondon had an open network called BSidesLondon. Assuming he has the default settings, BSidesLondon ESSID will make him automatically connect to the rogue network.

> Available to all system users flag PNL becomes global across users Increases the attack surface

> WIFI DOS ATTACKS

> Deauthentication Attack Leverage DEAUTH frame (transmitted unencrypted) Sent when all communication is terminated Kick out a client by forging DEAUTH frames 1 from the AP to the client 1 from the client to the AP 1 from the AP to the broadcast address

> Probe Response Flooding After de-authenticating a station, keep answering to probe request frames Answer will be equivalent to Sorry, your PSK is incorrect Victim will stay disconnected Chances are the victim will manually interact with the network manager Useful to downgrade attacks where autoconnections are not possible

> PHISHING SCENARIOS

> Phishing Scenarios Typical phishing scenarios may take place E.g. Captive portals or social network pages using OAuth login mechanism It s more interesting to bridge information from beacon frames to templates Beacon frames can be used for information gathering (think automatic template generation).

> Identifying the Vendor Beacon frames include the MAC address of the AP Display fake messages coming from the router E.g. asking the WPA/WPA2 PSK due to a router firmware upgrade.

> Imitating the Network Manager 1. Show the Connection Failed page. Customize this accordingly based on the User- Agent header 2. Display a network manager asking for the WPA password of the target network Again, User-Agent header may tell us OS details 3. Fill the network manager with around networks

> WIFIPHISHER

> Wifiphisher Automates Evil Twin for different cases Creation of rogue AP + Wi-Fi Jamming Heavily used by Wi-Fi hacking community ~80 downloads per day Current stable release: 1.1 Release 1.2 coming soon!

> Wifiphisher

> Template Customization Phishing page designers provide a config.ini file that may be filled by the user

> Template Customization

> Template Customization

> Wireless cards communication using PyRIC Most Python wireless tools rely on Linux command lines tools Newer iw versions may break the parser PyRIC is a Python library that allows identification and manipulation of the available network cards by communicating with the kernel https://github.com/wraith-wireless/pyric

> New templates Messages sourcing from browser E.g. Plugin updates Imitating the OS Grabbing the PSK OAuth login page

> Development team Mature open source community Contributors: Brian Smith, Leonidas Vrachnis, Dionysis Zindros, Kostis Karantias, Stergios Kolios and many more! Hackathons! Always looking for new members to join the crew

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback