Eric Goldman: http://www.ericgoldman.name presents
I.   Overview & Purpose of Attack
II. Equipment & Software Used
III. Attack Demonstration
IV. Comments & Thoughts
V. Questions


         More presentations & reports: http://www.ericgoldman.name   2
   What is an Evil Twin attack?
     The Evil Twin is a Rogue AP Attack
     Pretend to be Real AP, trick users into connecting
     Not required, but can DoS attack the Real AP
   What does this attack accomplish?
     All user connections to network through Evil Twin
     Can now redirect traffic, filter traffic, and do any
      of a number of Man in the Middle Attacks

   How does it work?
     We can create a fake AP using airbase-ng (part of
      aircrack-ng suite) and a compatible Wi-Fi interface
     Using another wireless or wired interface, all user
      traffic is routed back to regular network/Internet
     Windows XP will often automatically switch to a
      better connection without asking user
     Untrained user may even connect to Fake AP
      manually because the SSID looks correct

   Real AP: Linksys WRT54Gv5
     Standard Firmware, Version 1.02.5
   Fake AP: IBM t42 Laptop
     Running Backtrack 4 Beta Live CD
   Monitor/Capture: IBM t42 Laptop
     Running Backtrack 3 Live CD
   Victim: IBM t42 Laptop
     Running Windows XP SP3
     Windows managed Wi-Fi

   Wireless Capturing
     Aircrack-ng suite* (airmon-ng, airodump-ng)
     Wireshark used for post-capture analysis
   Fake AP
     Access Point Functionality
      ▪ Aircrack-ng suite (airmon-ng, airbase-ng)
     Client services provided by
      ▪ ISC dhcpd3, Netfilter’s iptables
                                                                  *http://www.aircrack-ng.org

Overview Information

   Client MAC Address: 00:0E:9B:6E:28:7D
   Real AP MAC Address: 00:14:BF:CF:C3:AE
   Fake AP MAC Address: 00:0E:9B:BF:AA:B2

   Real AP Subnet: 129.168.1.0/24
   Fake AP Subnet: 10.0.0.0/24


Real AP Configuration
 The Real AP is a Linksys WRT54G-v5
 No special settings
 SSID: “Group5Test”
 Channel: 2 (2.147 GHz)


Video is on the next slide


3rd Party Attack Capture
 Used airodump-ng to capture traffic
 Terminal on Left: Real AP Filtered
 Terminal on Right: Fake AP Filtered
 Notice how the client connects to the Fake
  AP soon after it is brought up

Video is on the next slide

Fake AP View of Attack
 Terminal on Right: Launching Fake AP with
  airbase-ng, mimicking Real AP settings
 Terminal on Left: Scripted DHCP and routing
  for client setup run after Fake AP started
 Watch for Client authentication (right
  terminal), then DHCP change (left terminal)

Video is on the next slide

Victim View of the Attack
 Victim is already connected to the Real AP
 The Fake AP is started, and the victim switches
  to the Fake AP without any user intervention
 Watch for the connection to go down, then for
  DHCP information to change:
  Originally 129.168.1.100, Fake AP gives 10.0.0.100

Video is on the next slide

   The Fake AP mimics settings of the real AP
   The Fake AP provides stronger signal with the
    same settings, client automatically switches
   The client still has outside connection, and
    the SSID is the same, hard to tell they have
    been switched to a rogue AP
   Now all traffic is going through the Fake AP,
    can use Fake DNS or do other Man in the
    Middle attacks on the Victim

   Preventing Evil Twin Attacks
     Deploy Wireless Intrusion Prevention System
     Use low-level authentication (LEAP, etc)
     Perform regular site-surveys to find rogue APs
     Do not allow client workstations to automatically
     select and connect to Wi-Fi networks
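
The site-survey item above can be automated from the same airodump-ng capture the monitoring laptop produced. The following is an added example, not part of the original slides: it reads a survey in the CSV layout airodump-ng writes, compares it against an inventory of authorised APs, and reports any AP advertising a protected SSID from an unknown BSSID or on an unexpected channel, together with the clients associated to it. The inventory structure, function names and sample rows (timestamps, signal levels, the "CoffeeShop" network and the second station) are constructed; the SSID, channel and MAC addresses come from the slides.

```python
import csv
import io

# Inventory of authorised APs: SSID -> {BSSID: expected channel}.
# Values taken from the demo's Real AP; the structure itself is an assumption.
AUTHORISED = {"Group5Test": {"00:14:BF:CF:C3:AE": 2}}

# Constructed sample in the two-section layout of an airodump-ng .csv file.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:BF:CF:C3:AE, 2000-01-01 10:00:00, 2000-01-01 10:09:40,  2,  54, OPN, , ,  -61,  512,  0,   0.  0.  0.  0,  10, Group5Test,
00:0E:9B:BF:AA:B2, 2000-01-01 10:04:10, 2000-01-01 10:09:41,  2,  54, OPN, , ,  -38,  301,  0,   0.  0.  0.  0,  10, Group5Test,
00:11:22:33:44:55, 2000-01-01 10:00:05, 2000-01-01 10:09:39,  6,  54, WPA2, CCMP, PSK,  -70,  480,  0,   0.  0.  0.  0,  10, CoffeeShop,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0E:9B:6E:28:7D, 2000-01-01 10:00:20, 2000-01-01 10:09:41,  -40,  211, 00:0E:9B:BF:AA:B2, Group5Test
66:77:88:99:AA:BB, 2000-01-01 10:02:00, 2000-01-01 10:03:00,  -75,  4, (not associated), CoffeeShop
"""


def parse_airodump_csv(text):
    """Return (aps, stations) as lists of dicts keyed by the CSV column names."""
    aps, stations = [], []
    header, target = None, None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not any(row):
            header = None  # a blank line separates the AP and station sections
            continue
        if header is None:
            header = row
            target = aps if row[0] == "BSSID" else stations
            continue
        target.append(dict(zip(header, row)))
    return aps, stations


def find_suspect_aps(aps, stations, authorised):
    """Flag APs that advertise a protected SSID but do not match the inventory."""
    findings = []
    for ap in aps:
        ssid = ap["ESSID"]
        if ssid not in authorised:
            continue  # not one of our networks
        bssid = ap["BSSID"].upper()
        channel = int(ap["channel"])
        known = authorised[ssid]
        if bssid not in known:
            reason = "unknown_bssid"
        elif known[bssid] != channel:
            reason = "channel_mismatch"
        else:
            continue  # matches the inventory
        clients = sorted(
            s["Station MAC"].upper()
            for s in stations
            if s["BSSID"].upper() == bssid
        )
        findings.append({
            "ssid": ssid,
            "bssid": bssid,
            "channel": channel,
            "power_dbm": int(ap["Power"]),
            "reason": reason,
            "clients": clients,  # stations that need follow-up
        })
    return findings


def survey(text, authorised=AUTHORISED):
    """Parse one survey file's text and return the list of findings."""
    aps, stations = parse_airodump_csv(text)
    return find_suspect_aps(aps, stations, authorised)


if __name__ == "__main__":
    for f in survey(SAMPLE_CSV):
        print(f"{f['reason']}: {f['ssid']} from {f['bssid']} "
              f"(ch {f['channel']}, {f['power_dbm']} dBm), clients: {f['clients']}")
```

Run against each scheduled survey file, a non-empty result is the trigger for locating the listed BSSID and checking the listed clients.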





Evil Twin Demonstration

Editor's Notes

  1. Gotta love that graphic right?