‘Evil Twin’ Wireless Access Point Attack · 2015-05-11

Submitted to

Dr. Stephan Robila

CSIT 520 Network Security

By

Dan Ginsberg

Department of Computer Science

Montclair State University

Spring 2015


Abstract

‘Evil Twin’ Wireless Access Point Attack discusses a type of man-in-the-middle attack. Instead of pursuing a more traditional route, like obtaining access to a network to implement DNS poisoning, an ‘Evil Twin’ wireless access point broadcasts an enticing or otherwise misleading WiFi network for unwitting users to join. Once unsuspecting users are connected to the ‘Evil Twin’ wireless access point (WAP), their traffic can be inspected, modified and logged. Utilizing ettercap, SSLStrip, and relying on user ignorance, even SSL encrypted traffic falls prey to this attack. The attack is conceptually involved, yet it is simple to implement, and does not require very expensive hardware, only proximity and patience on the part of the hacker. An overview of the technology, procedures for implementation, and preventive measures are addressed.


INTRODUCTION

WiFi is a useful technology that has been rapidly expanding for years and is now prevalent almost everywhere we go. It allows users and their devices to easily and wirelessly access the internet. Despite the reliance on this technology that has emerged in recent years, the average user is unaware of how it works and unaware of the many security vulnerabilities they subject themselves to when using it. While great advances have been made to protect wireless communications, such as WEP, WPA2, and WPS, the reality is that they are still all breakable. Further, they only work to secure the information traveling between the user’s device and the WAP. The ‘Evil Twin’ WAP attack provides the hacker a method for obtaining sensitive user information. Instead of targeting and hacking a wireless access point to infiltrate a network, the hacker simply tricks the user into connecting to a malicious network. An average user is unaware of what occurs when they connect to a wireless network. They know enough to determine something is wrong if their desired website does not load. However, even if their sites do not load, they usually assume their hardware is at fault and proceed to restart their routers. There is ample room to exploit these situations. In practice, it does not take a very elaborate plan to steal information. Furthermore, suspicion on the part of the user is usually kept at bay. In addition to uninformed users, WiFi devices are usually configured to auto-connect to open or known networks. This combination of predictable human behaviour and the use of protocols that are easily trusted results in a very exploitable attack vector.


BACKGROUND

The objective of this research is to identify a method for obtaining user credentials through a wireless man-in-the-middle attack. During the initial research and development phase, several tools that simplified the implementation of the man-in-the-middle attack were identified, and the original plan relied heavily on the user being oblivious to security and threats. An example of one such warning sign would be the appearance of a fake version of Facebook at a 192.168.x.x address space, or a remembered password field being blank. This would have also required downloading the latest versions of several common websites like Google, Bing, Facebook, Twitter, LinkedIn and Fantasy Baseball and then running modified versions of each of those pages to return the form input to a database running locally through an Apache Web Server and MySQL. While researching the above implementation, it was discovered that the software Ettercap, in conjunction with SSLStrip, could more effectively capture the credentials of a victim from any website they visit, instead of the few sites that would have been modified originally. These tools also do a far better job of making the entire attack less noticeable and more transparent to the victim, even going so far as to add a lock favicon to make users think the session is secure. Outlined below are the original and implemented “Plan of Attack”.

INITIAL PLAN

1. Find an open network, or crack the password of a secure network using Aircrack-ng.
2. Broadcast an imposter SSID with the same credentials so users connect to me unknowingly.
3. Utilize the original router as an internet connection.
4. Redirect desired URLs to my local web server running a fake copy of a login page, capture username & password.
5. Redirect user to actual desired login page.

IMPLEMENTED PLAN

1. Broadcast an enticing ESSID (e.g. “Free WiFi”, or one being requested by a nearby device) using airbase-ng.
2. Utilize Ettercap and SSLStrip to force a client into HTTP from HTTPS and grab plaintext usernames and passwords from form submits.
3. Connect the clients out to the internet so they do not suspect anything is wrong.

THE TOOLS

These are the key technologies involved in the execution of this ‘Evil Twin’ attack. The basic purpose of each tool is defined here; details like parameters will be outlined below in the implementation section.

ALFA AWUS036NHA USB WiFi ADAPTER

This piece of hardware is renowned throughout the security and penetration testing industry for its affordable price, robust feature set, and Linux driver compatibility. This is also one of the few wireless cards on the market capable of both Monitor mode and Master mode. Monitor mode allows inspection of wireless traffic without being associated with the access point; this is useful for packet sniffing. Master mode is the key feature needed for our Evil Twin attack. It allows the adapter to act as a wireless access point and provide network services to clients that connect.

AIRBASE-NG

“Airbase-ng is multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself.” [1] This is used to broadcast the ESSID the clients will connect to. It will create a tap interface (at0) that is used to receive decrypted packets and send encrypted ones. This is a “loud” application which can interfere with other networks on the same channel. As such, it has features to filter and limit its activity to better suit individual environments and requirements.

ETTERCAP

“A powerful and flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.” [5] This is the tool that will be responsible for capturing credentials as they come through, as well as passing the HTTPS traffic to SSLStrip for decryption.

SSLSTRIP

This is one of the most pivotal elements of the attack: “sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks.” [6] This tool forces HTTPS sessions to HTTP, which in turn causes otherwise encrypted private form submissions to be exposed. It also adds the lock favicon associated with an HTTPS session to the URL bar to make users think the session is secure.

IMPLEMENTATION

This section will provide commentary along with screenshots detailing each step of the attack from initial configuration to obtaining usable results. The first step is to identify the environment: both what is being broadcast in the air as well as what hardware is available for use.

In this case the guest OS, Kali Linux, has access to the internet via gateway 192.168.1.1 on the virtual bridged interface, eth0.

Running airmon-ng will display the available wireless adapters. The Alfa USB Antenna is available as interface wlan0.

Here the DHCP server is configured. This configuration will be used by the victims connecting to the ‘Evil Twin’ WAP.

The next step is to place the wireless interface into monitor mode. This allows the interface to see all traffic sent from a wireless network, even without being associated with a WAP.

Above, errors are encountered. After some time troubleshooting, the value of reading warnings is learned: the above message about processes that could cause trouble proves accurate. Below, once NetworkManager is killed, airbase launches successfully.

Airbase is used to broadcast a wireless network. In this example, a single ESSID of “freewifi” is set to broadcast on channel 11 via mon0.

My ifconfig & iptables configuration, passing the connection to the appropriate interface to allow SSLStrip to receive it.

In order to launch the DHCP server, first a configuration needs to be bound to an interface. Use -cf to point it to the configuration file created earlier. Then use -pf to bind it to the at0 interface process. It will report back that it is listening and sending data.

Then, start the actual DHCP server.

Configuring SSLStrip, enable the replacement favicon with a lock picture (this tricks users) with -f. The -p parameter enables logging of only SSL POSTs, and -k 10000 defines which port for SSLStrip to listen on.

Ettercap is then launched with the following options:

-p disables promiscuous mode; this narrows ettercap's filtering so it only looks at packets traveling over the defined interface.
-u prevents Ettercap from disabling kernel IP forwarding.
-T text format; dumps everything formatted with printf.
-q quiet mode; don’t display everything, write it to a log file.
-i specifies an interface, in this case the tap interface at0.

Airbase reports that a device has connected to the ESSID set earlier, “freewifi”.

The DHCP server then reports that a device has requested an address, and it is given a valid IP from the pool.

When the victim submits a form on a website, SSLStrip sees the submission and displays the username and password. They have been blurred out for anonymity; however, these results are in cleartext and valid. The victim has now submitted their credentials for what they believed was a secure website login. Their credentials are now passed to the website and they are successfully logged in, unaware of any man-in-the-middle interference.

PREVENTATIVE MEASURES

The most valuable preventative measure is user education and awareness. Once users know ‘Evil Twins’ exist and understand how they work, they will be better able to defend themselves against the attacks. WiFi devices utilize passive and active listening to conveniently and automatically connect to known networks; in order to do this, these devices send request beacons by name. An attacker can see these beacon requests and customize the ‘Evil Twin’ to answer with the correct SSID. As such, users should disable devices from automatically connecting to known networks. Users should also be vigilant and not intentionally connect to a known network when outside that network's range, like a home network when on vacation. Never assume a public WiFi hotspot is safe; it could just as easily be an ‘Evil Twin’ as well. When using these networks, be cautious about sending sensitive information. In addition to these awareness factors, there are tools that can aid in protection. Here are two solutions that should be easy enough to implement. They may result in a less seamless user experience when under attack, but that is an acceptable price to pay for a chance at protecting sensitive credentials.
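As an added example (not part of the paper), the check below turns the advice above into something a device can do for itself: it compares a wireless scan against a list of trusted access points and flags a known ESSID answered by an unknown BSSID, or offered without the security it should have. The scan lines and the trust list are constructed, and the column order follows the BSSID, channel, privacy, ESSID layout that airodump-ng prints.

```python
"""Evil Twin indicator check over wireless scan records (added example).

Compares the networks a device can see against the access points it is
supposed to trust and reports the two signs the paper describes: a known
ESSID answered by a BSSID that is not one of ours, and a known ESSID offered
without the security it should have (an open copy of a WPA2 network).
"""

# Constructed scan lines in airodump-ng column order: BSSID, channel, privacy, ESSID.
SCAN_LINES = """
00:11:22:33:44:01, 6, WPA2, CorpWiFi
00:11:22:33:44:02, 11, WPA2, CorpWiFi
DE:AD:BE:EF:00:01, 11, OPN, CorpWiFi
DE:AD:BE:EF:00:02, 11, OPN, freewifi
AA:BB:CC:DD:EE:01, 1, WPA2, HomeNet
"""

# Constructed trust list: ESSID -> (expected privacy, set of our own BSSIDs).
TRUSTED = {
    "CorpWiFi": ("WPA2", {"00:11:22:33:44:01", "00:11:22:33:44:02"}),
    "HomeNet": ("WPA2", {"AA:BB:CC:DD:EE:99"}),
}


def parse_scan(text):
    """Turn the comma-separated scan text into (bssid, channel, privacy, essid) tuples."""
    records = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue  # skip malformed rows rather than guessing at them
        bssid, channel, privacy, essid = parts
        records.append((bssid.upper(), int(channel), privacy.upper(), essid))
    return records


def find_evil_twins(records, trusted):
    """Return one (essid, bssid, channel, reason) finding per suspicious BSSID."""
    findings = []
    for bssid, channel, privacy, essid in records:
        if essid not in trusted:
            continue  # unknown names such as "freewifi" are reported separately
        want_privacy, known_bssids = trusted[essid]
        reasons = []
        if bssid not in known_bssids:
            reasons.append("unknown BSSID for trusted ESSID")
        if privacy != want_privacy:
            reasons.append(f"privacy {privacy} instead of {want_privacy}")
        if reasons:
            findings.append((essid, bssid, channel, "; ".join(reasons)))
    return sorted(findings)


def open_networks(records):
    """ESSIDs seen without encryption, the kind an enticing 'Free WiFi' twin advertises."""
    return sorted({essid for _, _, privacy, essid in records if privacy == "OPN"})
```

Legitimate networks with several access points share one ESSID, which is why the check relies on a BSSID allow-list and on a privacy mismatch rather than on duplicate names alone.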

MULTI-FACTOR AUTHENTICATION

The RSA SecurID is a formidable tool designed to combat these attacks. Of course, credentials will still be compromised, but access to their respective pages will not necessarily be breached. This will defend against an ‘Evil Twin’ passively logging credentials for use at a later point; however, if a hacker is actively watching and waiting, or produces a script that does so, they will capture the RSA fixed interval authentication code, and could access the account immediately and possibly remove the multi-factor authentication.
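As an added example (not part of the paper, and not RSA SecurID's own algorithm), the verifier below shows the server-side property that limits the immediate-replay case described above: an RFC 6238 time-based code is accepted at most once per user, so a code that was logged after the victim already used it is refused for the rest of its interval. The shared secret, user name and timestamps are constructed values (the secret is the RFC 6238 test key).

```python
"""One-time acceptance of time-based login codes (added example).

An RFC 6238 TOTP verifier that remembers the highest code counter each user
has already used, so a code captured after the victim consumed it is refused
for the rest of its interval instead of being accepted a second time.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, the common TOTP interval
DIGITS = 6
SKEW = 1       # also accept the neighbouring counters to allow for clock drift


def totp(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) over the time counter, as RFC 6238 specifies."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


class Verifier:
    """Server side: shared secrets per user plus the last counter accepted."""

    def __init__(self, secrets):
        self.secrets = secrets       # user -> shared secret bytes (constructed)
        self.last_counter = {}       # user -> highest counter already accepted

    def verify(self, user, code, now):
        """Return True once per counter; a repeat of an accepted code is a replay."""
        secret = self.secrets[user]
        counter = now // STEP
        for c in range(counter - SKEW, counter + SKEW + 1):
            if hmac.compare_digest(totp(secret, c), code):
                if c <= self.last_counter.get(user, -1):
                    return False     # already consumed (by the user or by a relay)
                self.last_counter[user] = c
                return True
        return False
```

If a relayed code reaches the server before the victim's own request, the relay wins and the victim's login fails, so the one-time rule narrows but does not remove the live-watching risk the paper describes; that unexpected failed login is itself worth alerting on.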

HTTPS EVERYWHERE

This browser plugin is another great tool to try to enable a secure browsing session. It forces HTTPS whenever a website offers it as a service, and can be configured to not transmit data if the secure link is compromised or never established. This will ultimately prevent Evil Twin MiTM attacks that are using SSLStrip. Due to the non-standard nature of the internet, some pages may not load as desired, and whitelist rules may need to be added for others.


FUTURE RESEARCH

My personal research has already exceeded the initial scope of my project and I have now modified my focus. My initial goal of serving a fake login page via an Apache server quickly developed into using ettercap and SSLStrip, a much more elegant approach. I will now continue my research utilizing a WiFi Pineapple by Hak5. It is a very powerful device that ties together some of the most renowned hardware in the hacking and penetration testing community. Frankly, the Pineapple takes the tasks outlined in my research, expands upon their functionality, and trivializes the implementation of the attack. They are also compact, can function off a portable battery pack, are inconspicuous and can easily be used with a high gain YAGI omni-directional antenna for implementing these and other attacks from a distance. Future research will involve experimenting with the other possible man-in-the-middle attacks utilizing the WiFi Pineapple.

CONCLUSION

An ‘Evil Twin’ attack does not require expensive nor highly specialized hardware, and the software is open-source and freely available. The large community of security specialists and penetration testers has been developing and fine-tuning these tools for several years. There are also hundreds of pages of support documentation available. That is to say, this attack is a very real threat in malicious hands, as well as very easy to implement. Therefore, it does not require years of specialized training. Users should think before they connect to free or open networks. Users should also be cautious about connecting to known and secure WAPs. Again, WEP and WPA2 are easy to crack. Those same credentials can be used on an ‘Evil Twin’ to further convince a user the network is safe. 802.11 WiFi is an effective technology for easy and wireless access to IP based networks. However, this convenience comes at the cost of security, and often leads to user complacency. This ‘Evil Twin’ exploits complacent and uneducated users by tricking them into connecting to the wrong network. This attack sidesteps the requirement of cracking a secure network. Once a user is connected, the use of SSLStrip breaks the HTTPS encryption process and allows for the capture of sensitive user information like passwords and even credit card numbers. Efforts have been made in protecting wireless communications by securing the information traveling between a user’s device and the WAP and between the user’s browser and a web server. The ‘Evil Twin’ WAP attack easily circumvents both of these aspects of security. The rapid growth and implementation of WiFi across networked devices, including everything under the title ‘The Internet of Things’, further exacerbates the situation. Users transmit sensitive and personal information from their devices constantly. They need to become educated about the dangers associated with wireless technologies and remain vigilant when using them.


REFERENCES

[1] "Airbase-ng." Aircrack-ng. N.p., n.d. Web. 10 May 2015. http://www.aircrack-ng.org/doku.php?id=airbase-ng

[2] "Evil Twin Tutorial." Information Treasure. N.p., 25 July 2014. Web. 10 May 2015. https://informationtreasure.wordpress.com/2014/07/25/evil-twin-tutorial/

[3] J. Broad, A. Binder. (2003). "Hacking with Kali: Practical Penetration Testing Techniques."

[4] "Man-in-the-middle Attack." Wikipedia. Wikimedia Foundation. Web. 10 May 2015. http://en.wikipedia.org/wiki/Man-in-the-middle_attack

[5] "Manual Reference Pages - ETTERCAP." Web. 10 May 2015. http://www.irongeek.com/i.php?page=backtrack-3-man/ettercap

[6] "moxie0/sslstrip." GitHub. N.p., n.d. Web. 10 May 2015. https://github.com/moxie0/sslstrip