Evil Twin Wireless Access Point Attack (or, Thanks for Your Passwords!) Dan Ginsberg 5/4/2015


What is it?

An Evil Twin Attack involves an attacker broadcasting a wireless network with the same SSID and credentials as another access point nearby, in an attempt to have users connect to their device instead of the original, non-malicious network.

Why make one?

Steal information for exploitation, profit, or fun; once a client connects, all data passes through our machine for inspection, alteration, and capture. You're just a really nice person who wants to encrypt everyone's connection at the local coffee shop through your VPN to prevent some other malicious user from taking advantage of the situation. Ethical rulings be damned! Oh, and of course since I am such a nice guy, I will keep a copy of all their passwords and credit cards in case they ever forget or lose them while I am at it!

The Setup

Operating Systems:
Host OS: Windows 7 64-bit, 32GB RAM
Guest OS: Kali Linux 64-bit, 8GB RAM

Hardware:
Alfa AWUS036NHA USB WiFi Antenna (guest, to broadcast the SSID)
Realtek RTL8192CU USB WiFi Antenna (host, to access the internet)

The Software

The Aircrack-ng suite of wireless tools, specifically:
Airmon-ng - a bash script designed to put wireless cards into monitor mode
Airbase-ng - a multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself
Ettercap - a powerful and flexible tool for MiTM attacks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis
SSLStrip - a MiTM tool that implements Moxie Marlinspike's SSL stripping attacks.

The Plan

(Diagram created by Chris Haralson.)

The Implementation

First we check our routing table to find the correct gateway to the internet. Then we configure our dhcpd file, setting up our IP pool, routes, DNS server, lease info, etc. [11]

Next, we have to check which network interfaces are available for use. In our case we will use wlan0, which is the Alfa USB WiFi adapter. We start the interface, wlan0, which is put into monitor mode as mon0. We are warned about potential process conflicts. [13]

Here we ignore the previous warnings and run airbase-ng; it gives an error. We kill one of the suspect processes and try again; success! We are now broadcasting an SSID of freewifi on channel 11 on mon0 (our Alfa). [17]

Now we configure IP routes and our iptables. Through this series of commands we forward traffic from the Alfa's freewifi SSID (its DHCP gateway) to the Guest OS network and direct all web traffic to port 10000, where we'll configure SSLStrip to listen for it. Bind DHCP to interface at0. [28]

Start the DHCP server. Start SSLStrip listening on the port the web traffic was redirected to. Start ettercap on interface at0 to log the traffic. [31]

Everything is now set up; time to wait for an unsuspecting client to connect.

We have ourselves a user! They are connected to our SSID, freewifi, and have been given a valid IP from our DHCP pool.

Now, success! Here is the form submitted to ESPN's Fantasy Baseball Login. I have blurred out the username and password for the purpose of this demonstration, but I assure you they are in cleartext and are accurate. [32]

Future Research

Mass Evil Twins. It's already here: the WiFi Pineapple takes these tasks, expands upon their functionality and further trivializes the implementation of the attack. A combination of its Karma, Dogma and PineAP infusions allows this device to respond to query beacons from any device and impersonate the network being asked for. Be wary of connecting to your home wireless SSID when at Defcon in Vegas, or anywhere other than your home for that matter! [32]

Precautions

The Evil Twin Attack opens multiple attack vectors. A malicious user could simply steal your Fantasy Baseball account, or log everything you submit and every page you view. They could also redirect you to a malicious landing page, exploit a vulnerability, and deploy a payload to your machine. The best way to avoid this attack: use a hard-wired connection. However, this obviously is unrealistic. [32]

Familiarize yourself with the OUIs of known vendor-specific hacking hardware; be cautious when connecting to networks whose MAC addresses carry them. Ex.: Alfa Network Inc. 00:C0:CA. WiFi devices use passive and active listening to conveniently and automatically connect to known networks; to do this, a device asks by name whether any of them are present. If you see your home network broadcasting when you are nowhere near your home, there may be an Evil Twin in action! Disable your device's ability to auto-connect to networks! [32]

Using a browser plugin like HTTPS Everywhere can help ensure you are actually using an encrypted connection when such a service exists. If you encounter SSLStrip, for example, the session won't work. Multi-factor authentication: when a malicious user does steal your credentials, even if they steal the multi-factor input, it will be useless later. Never send private information over a public network like a coffee shop's. In fact, always assume someone will see what you're doing. [32]

Conclusions

I hope you've guessed, or at least have been wondering, what the number in the corner of the screen over the past few slides represents: it is the number of lines of code it took me to successfully configure and deploy an Evil Twin attack. That is less than 2000 characters. The tools at work here are very complex; however, the use of them is incredibly simple. WiFi is a convenience technology, and this comes at the cost of security. Taking these steps to improve your security may very well result in a less convenient, less seamless experience. Stop blatantly trusting what is in the air around you. More so, dig deeper, learn more, and ask questions about the technology you rely on every day. [32]

The End
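One defender-side way to act on the OUI and "home network seen away from home" precautions above, as an added example that is not part of the original slides: it parses a constructed scan listing and flags BSSIDs whose OUI is on a hardware watchlist, known SSIDs that appear with an unrecorded BSSID, and a home SSID seen while away from home. The KNOWN_NETWORKS table, HOME_SSIDS and the "ssid,bssid" scan format are assumptions; only the Alfa OUI 00:C0:CA comes from the page.

```python
import re

# OUI watchlist: 00:C0:CA (Alfa Network Inc.) is the slides' example; extend per environment.
OUI_WATCHLIST = {"00:C0:CA": "Alfa Network Inc."}
# Known networks -> BSSIDs recorded at their legitimate location (constructed sample values).
KNOWN_NETWORKS = {"HomeNet": {"AA:BB:CC:11:22:33"},
                  "CoffeeShopWiFi": {"DE:AD:BE:EF:00:01", "DE:AD:BE:EF:00:02"}}
HOME_SSIDS = {"HomeNet"}
REASON_OUI = "BSSID OUI is on the hardware watchlist"
REASON_BSSID = "known SSID seen with an unrecorded BSSID"
REASON_AWAY = "home SSID seen while away from home"

# Constructed scan output in a simple 'ssid,bssid' format, not a real capture.
SAMPLE_SCAN = """\
# ssid,bssid
CoffeeShopWiFi,DE:AD:BE:EF:00:01
freewifi,00:c0:ca:12:34:56
HomeNet,00:C0:CA:AB:CD:EF
CoffeeShopWiFi,02:11:22:33:44:55
"""

def oui(bssid):
    """First three octets of a MAC address, upper-cased (the vendor OUI)."""
    return ":".join(bssid.upper().split(":")[:3])

def parse_scan(text):
    """Yield (ssid, bssid) pairs; skip blank lines, comments and malformed rows."""
    mac = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "," not in line:
            continue
        ssid, bssid = line.rsplit(",", 1)  # SSIDs may themselves contain commas
        bssid = bssid.strip().upper()
        if mac.match(bssid):
            yield ssid.strip(), bssid

def audit_scan(text, at_home):
    """Run the three checks over every network in the scan; return (ssid, bssid, reason) triples."""
    findings = []
    for ssid, bssid in parse_scan(text):
        if oui(bssid) in OUI_WATCHLIST:
            findings.append((ssid, bssid, REASON_OUI))
        if ssid in KNOWN_NETWORKS and bssid not in KNOWN_NETWORKS[ssid]:
            findings.append((ssid, bssid, REASON_BSSID))
        if ssid in HOME_SSIDS and not at_home:
            findings.append((ssid, bssid, REASON_AWAY))
    return findings
```

Any finding is a reason to stop and verify the network out of band before joining, not proof of an evil twin; a legitimate venue can also run Alfa hardware or replace an access point.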