Wi-Fi Hotspot Attacks
Wi-Fi Hacking for Web Pentesters
Greg Foss, Sr. Security Research Engineer, @heinzarelli
# whoami
Greg Foss
Sr. Security Research Engineer
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
*I am not liable for what you do with any of this information*
Section 638:17 House Bill 495 - US rules against wireless hacking
http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States
DISCLAIMER
Not a ‘Wi-Fi Security Expert’ nor a Lawyer
Just about everything I’m going to demonstrate is probably illegal, don’t do any of this against unauthorized targets…
Not Discussing Wi-Fi Security Basics
• 802.11
• WEP Cracking - ridiculously easy, google it
• WPA / WPA2 Attacks - Reaver
• WPS Attacks - Reaver
• PEAP, LEAP, etc. - Out of Scope
Agenda…
it’s everywhere…
enough free WiFi that it’s almost not worth the time it takes to infiltrate
unless free internet’s not the goal…
Bypassing is easy…
• Sometimes Tor or a VPN will simply be allowed through the captive portal, no joke
• Try appending ?.jpg or ?.png to the URL
• Look for Open Redirect flaws, iFrames, etc.
• Tunnel out over DNS!
• Same tricks work if your ISP suspends your internet access, depending on the ISP of course…
Bypassing is easy…
• On time-limited access points, just change your MAC when the time runs out. Or sniff MACs and ride on another’s paid access.
• De-auth existing clients and/or DoS access points:
• Aireplay-ng or Airdrop
• http://www.aircrack-ng.org/
• MDK3
• https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode
Bypassing is easy…
• Sniff MAC Addresses and wait for a user to go idle, then modify your MAC and IP to match
• Works on just about any open access point, especially captive portals
• CPSCAM by Josh Wright will do this for you:
• http://www.willhackforsushi.com/code/cpscam.pl
Hijacking is also easy…
The Evil Twin…
source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
How to clone and weaponize captive portals
1. Connect to the access point and wait for the splash page to pop-up.
2. Close the splash page, and open your browser. Visit any random web page (http normally works better than https).
3. When the splash page comes up, save the entire landing page. Use the splash page and save additional pages as necessary.
4. Change the UA string and grab the mobile version as well if it exists.
5. Replace the form processor to write a log file and pass the client through to a legitimate landing page.
6. Modify the page HTML to point to your form processor and modify parameters as necessary.
7. Deploy the captive portal (will discuss this shortly)
8. Use IPTables to allow the victim’s MAC through to the internet using the form processor.
Mobile Cloning
• VT View Source: https://play.google.com/store/apps/details?id=com.tozalakyan.viewsource&hl=en
How to Deauthenticate Clients and DoS Access Points
• Aireplay-ng using the --deauth flag
• file2air - deauth packet injection flood tool by Josh Wright
• http://www.willhackforsushi.com/code/file2air/1.1/file2air-1.1.tgz
• Spoof AP MAC, send deauth requests to clients
• Target a single user, all users, or AP itself
• MDK3 Deauth Amok Mode to take out all WPA APs
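The deauth floods listed here, and the "De-auth existing clients" bypass earlier in the deck, leave a signature a defender can watch for: a burst of deauthentication or disassociation frames, usually addressed to the broadcast address and carrying the real AP's BSSID as a spoofed source. The Python below is an added detection example, not code from this talk or from any of the tools it names. It runs over a constructed list of management-frame records (timestamp, subtype, source MAC, destination MAC) rather than a live monitor-mode capture, and the one-second window and ten-frame threshold are assumed values to tune for a given environment.

```python
"""Added example: flag deauthentication floods in a log of 802.11 management frames.

Input records are constructed tuples (timestamp_s, subtype, src_mac, dst_mac);
in practice they would come from a monitor-mode capture. Thresholds are assumptions.
"""
from collections import defaultdict, deque

DEAUTH_SUBTYPES = {"deauth", "disassoc"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def find_deauth_floods(frames, window=1.0, threshold=10):
    """Return {src_mac: (peak_count, broadcast_seen)} for every source that sent more
    than `threshold` deauth/disassoc frames inside any `window`-second span.

    A flood usually spoofs the real AP's BSSID, so the signal is the rate, not the
    source address: a single routine deauth never trips the threshold.
    """
    by_source = defaultdict(list)
    for ts, subtype, src, dst in frames:
        if subtype in DEAUTH_SUBTYPES:
            by_source[src].append((ts, dst))

    alerts = {}
    for src, events in by_source.items():
        events.sort()
        recent = deque()            # timestamps inside the current sliding window
        peak, broadcast = 0, False
        for ts, dst in events:
            recent.append(ts)
            while ts - recent[0] > window:   # drop timestamps that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
            broadcast = broadcast or dst == BROADCAST
        if peak > threshold:
            alerts[src] = (peak, broadcast)
    return alerts


def build_sample():
    """Constructed capture: 10 s of normal beacons, one routine deauth, then a flood."""
    ap = "aa:bb:cc:dd:ee:01"                 # constructed BSSID
    frames = [(i * 0.1, "beacon", ap, BROADCAST) for i in range(100)]
    frames.append((5.0, "deauth", ap, "11:22:33:44:55:66"))   # one client kicked: benign
    # 30 broadcast deauths in 0.6 s with the source spoofed to the AP's own address
    frames += [(10.0 + i * 0.02, "deauth", ap, BROADCAST) for i in range(30)]
    return frames


if __name__ == "__main__":
    for src, (peak, bcast) in find_deauth_floods(build_sample()).items():
        print(f"deauth flood from {src}: {peak} frames in one window, broadcast={bcast}")
```

On the constructed sample the lone deauth at five seconds is ignored and the burst at ten seconds is reported against the AP's address with the broadcast flag set, which is the "all users" case from the list above; a wireless IDS would raise the same alert from a real capture.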
How to Deauthenticate Clients and DoS Access Points
source: https://github.com/sophron/wifiphisher
source: https://www.isecpartners.com/blog/2013/july/man-in-the-middling-non-proxy-aware-wi-fi-devices-with-a-pineapple.aspx
Generic Splash Page
Pineapple Configuration
/etc/nodogsplash/htdocs/splash.html
Landing Page
Pineapple Configuration - JavaScript Necessities
/www/[directory]/index.html
PHP Form Processor
Pineapple Configuration
Easier than using IPTables
/www/[directory]/auth/login.php
A word of caution w/ the Pineapple…
Existing Router
Ideally one supporting guest mode…
DDWRT
• Flash with DDWRT, then you can use NocatSplash to configure a captive portal.
• Many other ways to go about this… DDWRT is just one of the easier options.
• http://www.dd-wrt.com/site/index
• http://sourceforge.net/projects/nocatsplash/
Laptop Hotspot and/or Proxy
• Kali Linux
• http://www.kali.org/
• Can do just about anything to connecting clients
• Unlimited attack potential and plenty of drive space to build elaborate landing pages and believable scenarios
PwnStar - By SilverFoxx
• Makes hacking Wi-Fi even easier!
• https://github.com/SilverFoxx/PwnSTAR
Demo
Deploy Malware
Combine Pineapple portability with the versatility of Kali Linux
• http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/
BeagleBone Black + Alfa Wi-Fi Card
http://beagleboard.org/black
http://www.alfa.com.tw/
BeagleBone AP Deployment Options
get creative…
Going Mobile!
• Nexus Device with Kali NetHunter
• https://www.kali.org/kali-linux-nethunter/
• Pwnie Express Pwn Phone/Pad
• https://www.pwnieexpress.com/product/pwn-phone2014/
MITM Basic Tools
• AirSSL
• AirJack
• Airsnarf
• Dsniff
• Cain
• void11
• Ferret
• SSLStrip
• Wireshark
• AirPwn
• Ettercap
• Etc…
You don’t even need to authenticate to attack clients
Fun with MITM
• Snapception - https://github.com/thebradbain/snapception
• Love Thy Neighbors - http://neighbor.willhackforsushi.com/
• AirPWN - http://airpwn.sourceforge.net/Airpwn.html
• Intercepter-NG - http://intercepter.nerf.ru/
• Many, many more…
Demo
Client Defense…
• Always use a VPN/VPS/SSH Port Forwarding/etc. when connected to an open access point.
• Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’.
• Be wary of a hotspot that is not served up over HTTPS, and of other generally suspicious behavior.
• Beware duplicate networks with different encryption.
• Use different login details and passwords for public Wi-Fi. Test false credentials first; if it lets you through, it’s not legit.
• Turn off Wi-Fi on devices when traveling.
• Exercise caution when connections suddenly drop, especially if it happens for everyone on the network.
• If it just ‘doesn’t feel right’ then trust your instincts…
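Two of the checks above, "beware duplicate networks with different encryption" and "hotspot not served up over HTTPS", can be automated on the client side. The Python below is an added example, not code from the talk: it takes a constructed scan result (SSID, BSSID, security type, channel, as a typical scanner reports them, with the security labels simplified to plain strings) plus the captive-portal URL the device was redirected to, and returns the reasons not to trust the chosen network. The SSIDs, BSSIDs and URLs are all constructed.

```python
"""Added example: triage a Wi-Fi scan and a captive-portal URL for evil-twin signs.

Scan records are constructed; security labels are simplified to the strings a
scanner would report (open / WEP / WPA2 / WPA3). Not code from the talk.
"""
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_SCAN = [  # constructed scan results
    {"ssid": "CoffeeShop", "bssid": "00:11:22:33:44:01", "security": "WPA2", "channel": 6},
    {"ssid": "CoffeeShop", "bssid": "00:11:22:33:44:02", "security": "WPA2", "channel": 11},
    {"ssid": "CoffeeShop", "bssid": "de:ad:be:ef:00:01", "security": "open", "channel": 6},
    {"ssid": "Airport_Free", "bssid": "00:aa:bb:cc:dd:01", "security": "open", "channel": 1},
    {"ssid": "HomeNet", "bssid": "00:aa:bb:cc:dd:02", "security": "WPA3", "channel": 36},
]


def find_mixed_security_ssids(scan):
    """Return {ssid: {security: [bssid, ...]}} for each SSID advertised with more than
    one security type, e.g. the real WPA2 network plus an open twin of the same name."""
    by_ssid = defaultdict(lambda: defaultdict(list))
    for net in scan:
        by_ssid[net["ssid"]][net["security"].lower()].append(net["bssid"])
    return {ssid: dict(secs) for ssid, secs in by_ssid.items() if len(secs) > 1}


def portal_warnings(url):
    """Warnings for a captive-portal login URL: credentials would be posted without TLS."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append(f"portal at {parts.netloc or url} is not served over HTTPS")
    return warnings


def assess(scan, chosen_ssid, portal_url):
    """Combine both checks into one list of reasons not to trust `chosen_ssid`."""
    reasons = []
    mixed = find_mixed_security_ssids(scan)
    if chosen_ssid in mixed:
        kinds = ", ".join(sorted(mixed[chosen_ssid]))
        reasons.append(f"'{chosen_ssid}' is advertised with different security types: {kinds}")
    reasons.extend(portal_warnings(portal_url))
    return reasons


if __name__ == "__main__":
    # Constructed scenario: the user picks the open "CoffeeShop" twin and lands on a plain-HTTP portal.
    for reason in assess(SAMPLE_SCAN, "CoffeeShop", "http://10.0.0.1/login"):
        print("WARNING:", reason)
```

In the constructed scan, "CoffeeShop" is broadcast by two WPA2 BSSIDs and by one open BSSID on the same channel as one of them, exactly the duplicate-network pattern the slide warns about; "HomeNet" reached over an HTTPS portal produces no warnings. A real implementation would feed in the output of the platform's scanner and the URL of the first redirect the device receives.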
Resources
• http://www.willhackforsushi.com/code/cpscam.pl
• http://neighbor.willhackforsushi.com/
• http://www.aircrack-ng.org/
• http://www.dd-wrt.com/
• https://github.com/SilverFoxx/PwnSTAR
• http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/
• http://beagleboard.org/black
• http://www.armhf.com/boards/beaglebone-black/bbb-sd-install/
• http://grinninggecko.com/2013/09/13/kali-linux-on-headless-beaglebone-black-via-os-x/
• https://github.com/thebradbain/snapception
• http://airpwn.sourceforge.net/Airpwn.html
• http://intercepter.nerf.ru/
Thank You!
Questions?
https://github.com/gfoss/misc/Wireless/Captive-Portals/
Greg Foss, Senior Security Research Engineer
greg.foss[at]LogRhythm.com | @heinzarelli