Wi-Fi Hacking for Web Pentesters

Greg Foss, Sr. Security Research Engineer, @heinzarelli

Wi-Fi Hotspot Attacks

DESCRIPTION

Wireless technology is inherently insecure in general, however this presentation details some unconventional attacks that have been around for years but are still incredibly effective. Discussing the basics of AP cloning, abusing captive portals, and more.


Page 2: Wi-Fi Hotspot Attacks

# whoami

Greg Foss

Sr. Security Research Engineer

OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT

Page 4: Wi-Fi Hotspot Attacks

*I am not liable for what you do with any of this information*

Section 638:17 House Bill 495 - US rules against wireless hacking

http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States

Page 5: Wi-Fi Hotspot Attacks

DISCLAIMER

Not a ‘Wi-Fi Security Expert’ nor a Lawyer

Just about everything I’m going to demonstrate is probably illegal, don’t do any of this against unauthorized targets…

Page 6: Wi-Fi Hotspot Attacks

Not Discussing Wi-Fi Security Basics

• 802.11

• WEP Cracking - ridiculously easy, google it

• WPA / WPA2 Attacks - Reaver

• WPS Attacks - Reaver

• PEAP, LEAP, etc. - Out of Scope

Page 7: Wi-Fi Hotspot Attacks

Agenda…


it’s everywhere…

enough free WiFi that it’s almost not worth the time it takes to infiltrate

unless free internet’s not the goal…

Page 10: Wi-Fi Hotspot Attacks

Bypassing is easy…

• Sometimes Tor or a VPN will simply be allowed through the captive portal, no joke

• Try appending ?.jpg or ?.png to the URL

• Look for Open Redirect flaws, iFrames, etc.

• Tunnel out over DNS!

• Same tricks work if your ISP suspends your internet access, depending on the ISP of course…

Page 11: Wi-Fi Hotspot Attacks

Bypassing is easy…

• On time-limited access points, just change your MAC when the time runs out. Or sniff MACs and ride on another’s paid access.

• De-auth existing clients and/or DoS access points:

• Aireplay-ng or Airdrop

• http://www.aircrack-ng.org/

• MDK3

• https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode

Page 12: Wi-Fi Hotspot Attacks

Bypassing is easy…

• Sniff MAC Addresses and wait for a user to go idle, then modify your MAC and IP to match

• Works on just about any open access point, especially captive portals

• CPSCAM by Josh Wright will do this for you:

• http://www.willhackforsushi.com/code/cpscam.pl

Page 13: Wi-Fi Hotspot Attacks

Hijacking is also easy…

Page 16: Wi-Fi Hotspot Attacks

The Evil Twin…

source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html

Page 25: Wi-Fi Hotspot Attacks

How to clone and weaponize captive portals

1. Connect to the access point and wait for the splash page to pop-up.

2. Close the splash page, and open your browser. Visit any random web page (http normally works better than https).

3. When the splash page comes up, save the entire landing page. Use the splash page and save additional pages as necessary.

4. Change the UA string and grab the mobile version as well if it exists.

5. Replace the form processor to write a log file and pass the client through to a legitimate landing page.

6. Modify the page HTML to point to your form processor and modify parameters as necessary.

7. Deploy the captive portal (will discuss this shortly)

8. Use IPTables to allow the victim’s MAC through to the internet using the form processor.

Page 28: Wi-Fi Hotspot Attacks

Mobile Cloning

Page 29: Wi-Fi Hotspot Attacks

Mobile Cloning

• HTTrack: http://www.httrack.com/

Page 30: Wi-Fi Hotspot Attacks

Mobile Cloning

• VT View Source: https://play.google.com/store/apps/details?id=com.tozalakyan.viewsource&hl=en

Page 32: Wi-Fi Hotspot Attacks

How to Deauthenticate Clients and DoS Access Points

• Aireplay-ng using the --deauth flag

• file2air - deauth packet injection flood tool by Josh Wright

• http://www.willhackforsushi.com/code/file2air/1.1/file2air-1.1.tgz

• Spoof AP MAC, send deauth requests to clients

• Target a single user, all users, or AP itself

• MDK3 Deauth Amok Mode to take out all WPA AP’s
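The tools above all produce the same thing on the air: a burst of deauthentication or disassociation frames that carry the AP's own address, either aimed at one client or sent to the broadcast address so that every client drops at once. From the defender's side that is exactly what a wireless IDS sensor in monitor mode looks for. The example below is added here and is not from the slides or from any of the tools named; it assumes captured frames have already been reduced to `Frame` records (timestamp, subtype, transmitter, receiver, reason code), and the one-second window, the threshold of 10 and the sample capture are constructed for the example.

```python
"""Flag deauthentication abuse in a monitor-mode capture summary.

Added example (not from the slides). Frames are assumed to have been
reduced to Frame records already, e.g. by a capture tool; the sample
capture at the bottom is constructed.
"""
from collections import defaultdict, deque
from typing import Iterable, NamedTuple, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Frame(NamedTuple):
    ts: float              # capture time in seconds
    subtype: str           # "deauth", "disassoc", "beacon", "data", ...
    src: str               # transmitter address (an injected deauth spoofs the BSSID here)
    dst: str               # receiver address, or the broadcast address
    reason: Optional[int]  # 802.11 reason code, deauth/disassoc only


def detect_deauth_abuse(frames: Iterable[Frame], window_s: float = 1.0,
                        threshold: int = 10) -> list:
    """Return (kind, source, timestamp) alerts, oldest first.

    "deauth-flood": one transmitter sent >= threshold deauth/disassoc
    frames within window_s seconds (a targeted flood against a client).
    "broadcast-deauth": a deauth addressed to every station at once.
    Each (kind, source) pair is reported at most once per window so a
    flood yields one alert, not one per injected frame.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent deauth/disassoc
    last_alert = {}               # (kind, src) -> time of last alert
    alerts = []

    def report(kind, src, ts):
        key = (kind, src)
        if key in last_alert and ts - last_alert[key] <= window_s:
            return
        last_alert[key] = ts
        alerts.append((kind, src, ts))

    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        src = f.src.lower()
        q = recent[src]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:   # slide the window forward
            q.popleft()
        if f.dst.lower() == BROADCAST:
            report("broadcast-deauth", src, f.ts)
        if len(q) >= threshold:
            report("deauth-flood", src, f.ts)
    return alerts


# Constructed sample: a legitimate station leaving (reason code 3, "STA is
# leaving"), then 12 deauths in 0.24 s aimed at one client and carrying
# the AP's address, then one deauth to the broadcast address.
AP = "00:11:22:33:44:55"
STA = "aa:bb:cc:dd:ee:01"
SAMPLE_FRAMES = [
    Frame(0.00, "beacon", AP, BROADCAST, None),
    Frame(0.10, "data", STA, AP, None),
    Frame(0.50, "deauth", STA, AP, 3),
    *[Frame(round(5.0 + i * 0.02, 2), "deauth", AP, STA, 7) for i in range(12)],
    Frame(9.00, "deauth", AP, BROADCAST, 7),
]

if __name__ == "__main__":
    for kind, src, ts in detect_deauth_abuse(SAMPLE_FRAMES):
        print(f"{ts:7.2f}s  {kind:<17} from {src}")
```

Because an injected deauth carries the AP's BSSID as its transmitter address, matching on source alone cannot tell it from the AP's own occasional deauths; rate and a broadcast destination can, which is why the sample's single reason-3 frame is left alone while the burst and the broadcast frame are reported. The mitigation on the network side is 802.11w management frame protection, which authenticates deauth and disassoc frames so spoofed ones are discarded by the client.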

Page 33: Wi-Fi Hotspot Attacks

How to Deauthenticate Clients and DoS Access Points

source: https://github.com/sophron/wifiphisher

Page 35: Wi-Fi Hotspot Attacks

source: https://www.isecpartners.com/blog/2013/july/man-in-the-middling-non-proxy-aware-wi-fi-devices-with-a-pineapple.aspx

Page 36: Wi-Fi Hotspot Attacks

Wi-Fi Pineapple

https://wifipineapple.com/

Page 37: Wi-Fi Hotspot Attacks

Generic Splash Page

Pineapple Configuration

/etc/nodogsplash/htdocs/splash.html

Page 38: Wi-Fi Hotspot Attacks

Landing Page

Pineapple Configuration - JavaScript Necessities

/www/[directory]/index.html

Page 39: Wi-Fi Hotspot Attacks

PHP Form Processor

Pineapple Configuration

Easier than using IPTables

/www/[directory]/auth/login.php

Page 44: Wi-Fi Hotspot Attacks

A word of caution w/ the Pineapple…

Page 46: Wi-Fi Hotspot Attacks

Existing Router

Ideally one supporting guest mode…

Page 47: Wi-Fi Hotspot Attacks

DDWRT

• Flash with DDWRT, then you can use NocatSplash to configure a captive portal.

• Many other ways to go about this… DDWRT is just one of the easier options.

• http://www.dd-wrt.com/site/index

• http://sourceforge.net/projects/nocatsplash/

Page 50: Wi-Fi Hotspot Attacks

Laptop Hotspot and/or Proxy

Page 51: Wi-Fi Hotspot Attacks

Laptop Hotspot and/or Proxy

• Kali Linux

• http://www.kali.org/

• Can do just about anything to connecting clients

• Unlimited attack potential and plenty of drive space to build elaborate landing pages and believable scenarios

Page 52: Wi-Fi Hotspot Attacks

PwnStar - By SilverFoxx

• Makes hacking Wi-Fi even easier!

• https://github.com/SilverFoxx/PwnSTAR

Page 55: Wi-Fi Hotspot Attacks

Demo

Page 56: Wi-Fi Hotspot Attacks

Deploy Malware

Page 57: Wi-Fi Hotspot Attacks

Combine Pineapple portability with the versatility of Kali Linux

• http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/

Page 58: Wi-Fi Hotspot Attacks

BeagleBone Black + Alfa Wi-Fi Card

http://beagleboard.org/black

http://www.alfa.com.tw/

Page 59: Wi-Fi Hotspot Attacks

BeagleBone AP Deployment Options

get creative…

Page 61: Wi-Fi Hotspot Attacks

Going Mobile!

• Nexus Device with Kali NetHunter

• https://www.kali.org/kali-linux-nethunter/

• Pwnie Express Pwn Phone/Pad

• https://www.pwnieexpress.com/product/pwn-phone2014/

Page 66: Wi-Fi Hotspot Attacks

MITM Basic Tools

• AirSSL

• AirJack

• Airsnarf

• Dsniff

• Cain

• void11

• Ferret

• SSLStrip

• Wireshark

• AirPwn

• Ettercap

• Etc…

Page 67: Wi-Fi Hotspot Attacks

You don’t even need to authenticate to attack clients

Page 68: Wi-Fi Hotspot Attacks

Fun with MITM

• Snapception - https://github.com/thebradbain/snapception

• Love Thy Neighbors - http://neighbor.willhackforsushi.com/

• AirPWN - http://airpwn.sourceforge.net/Airpwn.html

• Intercepter-NG - http://intercepter.nerf.ru/

• Many, many more…

Page 69: Wi-Fi Hotspot Attacks

Demo

Page 70: Wi-Fi Hotspot Attacks

Client Defense…

• Always use a VPN/VPS/SSH Port Forwarding/etc. when connected to an open access point.

• Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’.

• Watch for a hotspot login page that is not served over HTTPS, and other generally suspicious behavior.

• Beware duplicate networks with different encryption.
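The last bullet, duplicate networks with different encryption, is the client-side tell for the Evil Twin from earlier in the deck, and it is easy to script from a scan. The example below is added here and is not from the slides; it assumes scan results in the terse output of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`, where fields are colon-separated and a colon inside a value (every BSSID) is escaped as `\:`. The scan lines, the SSIDs and BSSIDs, and the `KNOWN_PROFILES` table are constructed for the example.

```python
"""Client-side Evil Twin check over a Wi-Fi scan.

Added example (not from the slides). Input is assumed to be the terse
output of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`: one
network per line, fields separated by ':', and ':' inside a value
(every BSSID) escaped as '\\:'. The scan lines and the profile table
below are constructed.
"""
from collections import defaultdict


def split_terse(line: str) -> list:
    """Split one nmcli terse line on unescaped ':' and drop the escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # '\:' or '\\' -> literal next char
            cur.append(line[i + 1])
            i += 2
            continue
        if c == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_scan(text: str) -> list:
    """Return one dict per access point; SECURITY is '' for an open network."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = split_terse(line)[:4]
        rows.append({"ssid": ssid, "bssid": bssid.upper(),
                     "security": security.strip(), "signal": int(signal)})
    return rows


def find_evil_twin_indicators(rows: list, known_profiles: dict) -> list:
    """Return (ssid, finding, bssids) for networks worth refusing.

    "profile-mismatch": an SSID we have a saved profile for is advertised
    with different security than the profile records (e.g. an open clone
    of a WPA2 network while the real AP is out of range).
    "mixed-security": the same SSID is advertised both open and encrypted
    in this scan; the open BSSIDs are listed.
    """
    by_ssid = defaultdict(list)
    for r in rows:
        by_ssid[r["ssid"]].append(r)
    findings = []
    for ssid, aps in sorted(by_ssid.items()):
        expected = known_profiles.get(ssid)
        if expected is not None:
            wrong = sorted(a["bssid"] for a in aps if a["security"] != expected)
            if wrong:
                findings.append((ssid, "profile-mismatch", wrong))
            continue
        securities = {a["security"] for a in aps}
        open_bssids = sorted(a["bssid"] for a in aps if a["security"] == "")
        if len(securities) > 1 and open_bssids:
            findings.append((ssid, "mixed-security", open_bssids))
    return findings


# Constructed scan: CoffeeShop has two WPA2 radios plus one open BSSID
# claiming the same name; HomeNet appears only as an open network although
# the saved profile says WPA2; AirportFree is an ordinary open hotspot.
SAMPLE_SCAN = r"""
CoffeeShop:AA\:BB\:CC\:DD\:EE\:01:WPA2:70
CoffeeShop:AA\:BB\:CC\:DD\:EE\:02:WPA2:65
CoffeeShop:DE\:AD\:BE\:EF\:00\:01::88
AirportFree:12\:34\:56\:78\:9A\:BC::60
HomeNet:DE\:AD\:BE\:EF\:00\:02::90
"""
KNOWN_PROFILES = {"HomeNet": "WPA2"}

if __name__ == "__main__":
    rows = parse_scan(SAMPLE_SCAN)
    for ssid, finding, bssids in find_evil_twin_indicators(rows, KNOWN_PROFILES):
        print(f"{ssid}: {finding} -> {', '.join(bssids)}")
```

The profile check matters more than the same-scan comparison: a clone that out-powers the real AP, or is set up where the real one is not in range, shows up alone, and only the remembered security setting gives it away. Neither check can see an open clone of an already-open hotspot, which is why the VPN bullet comes first on this slide.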

Page 71: Wi-Fi Hotspot Attacks

Client Defense…

• Use different login details and passwords for public wifi. Test false credentials first; if it lets you through, it’s not legit.

• Turn off Wi-Fi on devices when traveling.

• Exercise caution when connections suddenly drop, especially if it happens for everyone on the network.

• If it just ‘doesn’t feel right’ then trust your instincts…

Page 72: Wi-Fi Hotspot Attacks

Resources

• http://www.willhackforsushi.com/code/cpscam.pl

• http://neighbor.willhackforsushi.com/

• http://www.aircrack-ng.org/

• http://www.dd-wrt.com/

• https://github.com/SilverFoxx/PwnSTAR

• http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/

• http://beagleboard.org/black

• http://www.armhf.com/boards/beaglebone-black/bbb-sd-install/

• http://grinninggecko.com/2013/09/13/kali-linux-on-headless-beaglebone-black-via-os-x/

• https://github.com/thebradbain/snapception

• http://airpwn.sourceforge.net/Airpwn.html

• http://intercepter.nerf.ru/

Page 73: Wi-Fi Hotspot Attacks

Thank You!

Questions?

https://github.com/gfoss/misc/Wireless/Captive-Portals/

Greg Foss Senior Security Research Engineer

greg.foss[at]LogRhythm.com @heinzarelli