Wireless technology is inherently insecure in general, however this presentation details some unconventional attacks that have been around for years but are still incredibly effective. Discussing the basics of AP cloning, abusing captive portals, and more.
4. *I am not liable for what you do with any of this information*
Section 638:17 House Bill 495 - US rules against wireless
hacking
http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States
5. DISCLAIMER
Not a ‘Wi-Fi Security Expert’ nor a Lawyer
Just about everything I’m going to demonstrate is probably
illegal, don’t do any of this against unauthorized targets…
6. Not Discussing
Wi-Fi Security Basics
• 802.11
• WEP Cracking - ridiculously easy, google it
• WPA / WPA2 Attacks - Reaver
• WPS Attacks - Reaver
• PEAP, LEAP, etc. - Out of Scope
9. it’s everywhere…
enough free WiFi that it’s almost not
worth the time it takes to infiltrate
unless free internet’s not the goal…
10. Bypassing is easy…
• Sometimes Tor or a VPN will simply be allowed
through the captive portal, no joke
• Try appending ?.jpg or ?.png to the URL
• Look for Open Redirect flaws, iFrames, etc.
• Tunnel out over DNS!
• Same tricks work if your ISP suspends your
internet access, depending on the ISP of
course…
11. Bypassing is easy…
• On time-limited access points, just change your
MAC when the time runs out. Or sniff MACs and
ride on another’s paid access.
• De-auth existing clients and/or DoS access points:
• Aireplay-ng or Airdrop
• http://www.aircrack-ng.org/
• MDK3
• https://forums.kali.org/showthread.php?19498-
MDK3-Secret-Destruction-Mode
12. Bypassing is easy…
• Sniff MAC Addresses and wait for a user to
go idle, then modify your MAC and IP to
match
• Works on just about any open access
point, especially captive portals
• CPSCAM by Josh Wright will do this for
you:
• http://www.willhackforsushi.com/code/
cpscam.pl
16. The Evil Twin…
source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
17.
18.
19.
20.
21.
22.
23.
24.
25. How to clone and weaponize captive portals
1. Connect to the access point and wait for the splash page to pop-
up.
2. Close the splash page, and open your browser. Visit any random
web page (http normally works better than https).
3. When the splash page comes up, save the entire landing page. Use
the splash page and save additional pages as necessary.
4. Change the UA string and grab the mobile version as well if it
exists.
5. Replace the form processor to write a log file and pass the client
through to a legitimate landing page.
6. Modify the page HTML to point to your form processor and modify
parameters as necessary.
7. Deploy the captive portal (will discuss this shortly)
8. Use IPTables to allow the victim’s MAC through to the internet using
the form processor.
32. How to Deauthenticate Clients
and DoS Access Points
• Aireplay-ng using the —deauth flag
• file2air - deauth packet injection flood tool by
Josh Wright
• http://www.willhackforsushi.com/code/file2air/1.1/
file2air-1.1.tgz
• Spoof AP MAC, send deauth requests to clients
• Target a single user, all users, or AP itself
• MDK3 Deauth Amok Mode to take out all WPA AP’s
33. How to Deauthenticate Clients
and DoS Access Points
source: https://github.com/sophron/wifiphisher
34. How to Deauthenticate Clients
and DoS Access Points
https://github.com/sophron/wifiphisher
47. DDWRT
• Flash with DDWRT, then you can use
NocatSplash to configure a captive portal.
• Many other ways to go about this…
DDWRT is just one of the easier options.
• http://www.dd-wrt.com/site/index
• http://sourceforge.net/projects/
nocatsplash/
51. • Kali Linux
• http://www.kali.org/
• Can do just about anything to connecting
clients
• Unlimited attack potential and plenty of
drive space to build elaborate landing
pages and believable scenarios
Laptop Hotspot and/or Proxy
52. • Makes hacking Wi-Fi even easier!
• https://github.com/SilverFoxx/PwnSTAR
PwnStar - By SilverFoxx
57. Combine Pineapple portability
with the versatility of Kali Linux
• http://www.offensive-security.com/kali-
linux/kali-linux-evil-wireless-access-point/
58. BeagleBone Black + Alfa Wi-Fi Card
http://beagleboard.org/black http://www.alfa.com.tw/
70. Client Defense…
• Always use a VPN/VPS/SSH Port Forwarding/
etc. when connected to an open access
point.
• Turn all Wireless devices off when traveling
or in crowded areas, many devices still
connect to wireless networks even when
‘sleeping’.
• Hotspot not served up over HTTPS and other
generally suspicious behavior.
• Beware duplicate networks with different
encryption.
71. Client Defense…
• Use different login details and passwords for
public wifi. Test false-credentials first, if it
lets you through it’s not legit.
• Turn off Wi-Fi on devices when traveling.
• Exercise caution when connections suddenly
drop, especially if it happens for everyone on
the network.
• If it just ‘doesn’t feel right’ then trust your
instincts…