Wi-Fi Hotspot Attacks
9 likes10,459 views
The document is a presentation on Wi-Fi hacking techniques aimed at web pentesters, discussing various attacks such as WEP cracking, WPA/WPA2 attacks, and man-in-the-middle strategies. It provides methods for bypassing captive portals, deauthentication of clients, and hijacking techniques, while also warning that many techniques demonstrated are likely illegal and not advisable against unauthorized targets. The document includes resources and tools for testing and defending against potential Wi-Fi security threats.
![Landing Page
Pineapple Configuration - JavaScript Necessities
/www/[directory]/index.html](https://image.slidesharecdn.com/wifi-hotspot-attacks-141026103248-conversion-gate02/85/Wi-Fi-Hotspot-Attacks-38-320.jpg)
![PHP Form Processor
Pineapple Configuration
Easier than using IPTables
/www/[directory]/auth/login.php](https://image.slidesharecdn.com/wifi-hotspot-attacks-141026103248-conversion-gate02/85/Wi-Fi-Hotspot-Attacks-39-320.jpg)
![Thank You!
Questions?
https://github.com/gfoss/misc/Wireless/Captive-Portals/
Greg Foss
Senior Security Research Engineer
greg.foss[at]LogRhythm.com
@heinzarelli](https://image.slidesharecdn.com/wifi-hotspot-attacks-141026103248-conversion-gate02/85/Wi-Fi-Hotspot-Attacks-73-320.jpg)
Wi-Fi Hotspot Attacks
- 1. Wi-Fi Hacking for Web Pentesters Greg Foss Sr. Security Research Engineer @heinzarelli
- 2. Greg Foss Sr. Security Research Engineer OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT # whoami
- 4. *I am not liable for what you do with any of this information* Section 638:17 House Bill 495 - US rules against wireless hacking http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States
- 5. DISCLAIMER Not a ‘Wi-Fi Security Expert’ nor a Lawyer Just about everything I’m going to demonstrate is probably illegal, don’t do any of this against unauthorized targets…
- 6. Not Discussing Wi-Fi Security Basics • 802.11 • WEP Cracking - ridiculously easy, google it • WPA / WPA2 Attacks - Reaver • WPS Attacks - Reaver • PEAP, LEAP, etc. - Out of Scope
- 7. Agenda…
- 9. it’s everywhere… enough free WiFi that it’s almost not worth the time it takes to infiltrate unless free internet’s not the goal…
- 10. Bypassing is easy… • Sometimes Tor or a VPN will simply be allowed through the captive portal, no joke • Try appending ?.jpg or ?.png to the URL • Look for Open Redirect flaws, iFrames, etc. • Tunnel out over DNS! • Same tricks work if your ISP suspends your internet access, depending on the ISP of course…
- 11. Bypassing is easy… • On time-limited access points, just change your MAC when the time runs out. Or sniff MACs and ride on another’s paid access. • De-auth existing clients and/or DoS access points: • Aireplay-ng or Airdrop • http://www.aircrack-ng.org/ • MDK3 • https://forums.kali.org/showthread.php?19498- MDK3-Secret-Destruction-Mode
- 12. Bypassing is easy… • Sniff MAC Addresses and wait for a user to go idle, then modify your MAC and IP to match • Works on just about any open access point, especially captive portals • CPSCAM by Josh Wright will do this for you: • http://www.willhackforsushi.com/code/ cpscam.pl
- 13. Hijacking is also easy…
- 16. The Evil Twin… source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
- 25. How to clone and weaponize captive portals 1. Connect to the access point and wait for the splash page to pop- up. 2. Close the splash page, and open your browser. Visit any random web page (http normally works better than https). 3. When the splash page comes up, save the entire landing page. Use the splash page and save additional pages as necessary. 4. Change the UA string and grab the mobile version as well if it exists. 5. Replace the form processor to write a log file and pass the client through to a legitimate landing page. 6. Modify the page HTML to point to your form processor and modify parameters as necessary. 7. Deploy the captive portal (will discuss this shortly) 8. Use IPTables to allow the victim’s MAC through to the internet using the form processor.
- 28. Mobile Cloning
- 29. Mobile Cloning • HTTrack: http://www.httrack.com/
- 30. Mobile Cloning • VT View Source: https://play.google.com/ store/apps/details? id=com.tozalakyan.view source&hl=en
- 32. How to Deauthenticate Clients and DoS Access Points • Aireplay-ng using the —deauth flag • file2air - deauth packet injection flood tool by Josh Wright • http://www.willhackforsushi.com/code/file2air/1.1/ file2air-1.1.tgz • Spoof AP MAC, send deauth requests to clients • Target a single user, all users, or AP itself • MDK3 Deauth Amok Mode to take out all WPA AP’s
- 33. How to Deauthenticate Clients and DoS Access Points source: https://github.com/sophron/wifiphisher
- 34. How to Deauthenticate Clients and DoS Access Points https://github.com/sophron/wifiphisher
- 37. Generic Splash Page Pineapple Configuration /etc/nodogsplash/htdocs/splash.html
- 38. Landing Page Pineapple Configuration - JavaScript Necessities /www/[directory]/index.html
- 39. PHP Form Processor Pineapple Configuration Easier than using IPTables /www/[directory]/auth/login.php
- 44. A word of caution w/ the Pineapple…
- 45. A word of caution w/ the Pineapple…
- 46. Existing Router Ideally one supporting guest mode…
- 47. DDWRT • Flash with DDWRT, then you can use NocatSplash to configure a captive portal. • Many other ways to go about this… DDWRT is just one of the easier options. • http://www.dd-wrt.com/site/index • http://sourceforge.net/projects/ nocatsplash/
- 50. Laptop Hotspot and/or Proxy
- 51. • Kali Linux • http://www.kali.org/ • Can do just about anything to connecting clients • Unlimited attack potential and plenty of drive space to build elaborate landing pages and believable scenarios Laptop Hotspot and/or Proxy
- 52. • Makes hacking Wi-Fi even easier! • https://github.com/SilverFoxx/PwnSTAR PwnStar - By SilverFoxx
- 55. Demo
- 56. Deploy Malware
- 57. Combine Pineapple portability with the versatility of Kali Linux • http://www.offensive-security.com/kali- linux/kali-linux-evil-wireless-access-point/
- 58. BeagleBone Black + Alfa Wi-Fi Card http://beagleboard.org/black http://www.alfa.com.tw/
- 59. BeagleBone AP Deployment Options get creative…
- 61. Going Mobile! • Nexus Device with Kali NetHunter • https://www.kali.org/kali-linux-nethunter/ • Pwnie Express Pwn Phone/Pad • https://www.pwnieexpress.com/product/ pwn-phone2014/
- 62. Going Mobile!
- 63. Going Mobile!
- 66. MITM Basic Tools • AirSSL • AirJack • Airsnarf • Dsniff • Cain • void11 • Ferret • SSLStrip • Wireshark • AirPwn • Ettercap • Etc…
- 67. You don’t even need to authenticate to attack clients
- 68. Fun with MITM • Snapception - https://github.com/thebradbain/ snapception • Love Thy Neighbors - http:// neighbor.willhackforsushi.com/ • AirPWN - http://airpwn.sourceforge.net/ Airpwn.html • Intercepter-NG - http://intercepter.nerf.ru/ • Many, many more…
- 69. Demo
- 70. Client Defense… • Always use a VPN/VPS/SSH Port Forwarding/ etc. when connected to an open access point. • Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’. • Hotspot not served up over HTTPS and other generally suspicious behavior. • Beware duplicate networks with different encryption.
- 71. Client Defense… • Use different login details and passwords for public wifi. Test false-credentials first, if it lets you through it’s not legit. • Turn off Wi-Fi on devices when traveling. • Exercise caution when connections suddenly drop, especially if it happens for everyone on the network. • If it just ‘doesn’t feel right’ then trust your instincts…
- 72. Resources • http://www.willhackforsushi.com/code/cpscam.pl • http://neighbor.willhackforsushi.com/ • http://www.aircrack-ng.org/ • http://www.dd-wrt.com/ • https://github.com/SilverFoxx/PwnSTAR • http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/ • http://beagleboard.org/black • http://www.armhf.com/boards/beaglebone-black/bbb-sd-install/ • http://grinninggecko.com/2013/09/13/kali-linux-on-headless-beaglebone-black-via- os-x/ • https://github.com/thebradbain/snapception • http://airpwn.sourceforge.net/Airpwn.html • http://intercepter.nerf.ru/
- 73. Thank You! Questions? https://github.com/gfoss/misc/Wireless/Captive-Portals/ Greg Foss Senior Security Research Engineer greg.foss[at]LogRhythm.com @heinzarelli