Post on 03-Jul-2015
description
Wi-Fi Hacking for Web Pentesters
Greg Foss Sr. Security Research Engineer @heinzarelli
Greg Foss
Sr. Security Research Engineer
OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT
# whoami
*I am not liable for what you do with any of this information*
Section 638:17 House Bill 495 - US rules against wireless hacking
http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States
DISCLAIMER
Not a ‘Wi-Fi Security Expert’ nor a Lawyer
Just about everything I’m going to demonstrate is probably illegal, don’t do any of this against unauthorized targets…
Not Discussing Wi-Fi Security Basics
• 802.11
• WEP Cracking - ridiculously easy, google it
• WPA / WPA2 Attacks - Reaver
• WPS Attacks - Reaver
• PEAP, LEAP, etc. - Out of Scope
Agenda…
it’s everywhere…
enough free WiFi that it’s almost not worth the time it takes to infiltrate
unless free internet’s not the goal…
Bypassing is easy…• Sometimes Tor or a VPN will simply be allowed
through the captive portal, no joke
• Try appending ?.jpg or ?.png to the URL
• Look for Open Redirect flaws, iFrames, etc.
• Tunnel out over DNS!
• Same tricks work if your ISP suspends your internet access, depending on the ISP of course…
Bypassing is easy…
• On time-limited access points, just change your MAC when the time runs out. Or sniff MACs and ride on another’s paid access.
• De-auth existing clients and/or DoS access points:
• Aireplay-ng or Airdrop
• http://www.aircrack-ng.org/
• MDK3
• https://forums.kali.org/showthread.php?19498-MDK3-Secret-Destruction-Mode
Bypassing is easy…
• Sniff MAC Addresses and wait for a user to go idle, then modify your MAC and IP to match
• Works on just about any open access point, especially captive portals
• CPSCAM by Josh Wright will do this for you:
• http://www.willhackforsushi.com/code/cpscam.pl
Hijacking is also easy…
The Evil Twin…
source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
How to clone and weaponize captive portals
1. Connect to the access point and wait for the splash page to pop-up.
2. Close the splash page, and open your browser. Visit any random web page (http normally works better than https).
3. When the splash page comes up, save the entire landing page. Use the splash page and save additional pages as necessary.
4. Change the UA string and grab the mobile version as well if it exists.
5. Replace the form processor to write a log file and pass the client through to a legitimate landing page.
6. Modify the page HTML to point to your form processor and modify parameters as necessary.
7. Deploy the captive portal (will discuss this shortly)
8. Use IPTables to allow the victim’s MAC through to the internet using the form processor.
Mobile Cloning
Mobile Cloning
• VT View Source:https://play.google.com/store/apps/details?id=com.tozalakyan.viewsource&hl=en
How to Deauthenticate Clients and DoS Access Points
• Aireplay-ng using the —deauth flag
• file2air - deauth packet injection flood tool by Josh Wright
• http://www.willhackforsushi.com/code/file2air/1.1/file2air-1.1.tgz
• Spoof AP MAC, send deauth requests to clients
• Target a single user, all users, or AP itself
• MDK3 Deauth Amok Mode to take out all WPA AP’s
How to Deauthenticate Clients and DoS Access Points
source: https://github.com/sophron/wifiphisher
How to Deauthenticate Clients and DoS Access Points
https://github.com/sophron/wifiphisher
source: https://www.isecpartners.com/blog/2013/july/man-in-the-middling-non-proxy-aware-wi-fi-devices-with-a-pineapple.aspx
Generic Splash Page
Pineapple Configuration
/etc/nodogsplash/htdocs/splash.html
Landing Page
Pineapple Configuration - JavaScript Necessities
/www/[directory]/index.html
PHP Form Processor
Pineapple Configuration
Easier than using IPTables
/www/[directory]/auth/login.php
A word of caution w/ the Pineapple…
A word of caution w/ the Pineapple…
Existing RouterIdeally one supporting guest mode…
DDWRT
• Flash with DDWRT, then you can use NocatSplash to configure a captive portal.
• Many other ways to go about this… DDWRT is just one of the easier options.
• http://www.dd-wrt.com/site/index
• http://sourceforge.net/projects/nocatsplash/
Laptop Hotspot and/or Proxy
• Kali Linux
• http://www.kali.org/
• Can do just about anything to connecting clients
• Unlimited attack potential and plenty of drive space to build elaborate landing pages and believable scenarios
Laptop Hotspot and/or Proxy
• Makes hacking Wi-Fi even easier!
• https://github.com/SilverFoxx/PwnSTAR
PwnStar - By SilverFoxx
Demo
Deploy Malware
Combine Pineapple portability with the versatility of Kali Linux
• http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/
BeagleBone Black + Alfa Wi-Fi Card
http://beagleboard.org/black http://www.alfa.com.tw/
BeagleBone AP Deployment Options
get creative…
Going Mobile!
• Nexus Device with Kali NetHunter
• https://www.kali.org/kali-linux-nethunter/
• Pwnie Express Pwn Phone/Pad
• https://www.pwnieexpress.com/product/pwn-phone2014/
Going Mobile!
Going Mobile!
MITM Basic Tools• AirSSL
• AirJack
• Airsnarf
• Dsniff
• Cain
• void11
• Ferret
• SSLStrip
• Wireshark
• AirPwn
• Ettercap
• Etc…
You don’t even need to authenticate to attack clients
Fun with MITM• Snapception - https://github.com/thebradbain/
snapception
• Love Thy Neighbors - http://neighbor.willhackforsushi.com/
• AirPWN - http://airpwn.sourceforge.net/Airpwn.html
• Intercepter-NG - http://intercepter.nerf.ru/
• Many, many more…
Demo
Client Defense…• Always use a VPN/VPS/SSH Port Forwarding/
etc. when connected to an open access point.
• Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’.
• Hotspot not served up over HTTPS and other generally suspicious behavior.
• Beware duplicate networks with different encryption.
Client Defense…
• Use different login details and passwords for public wifi. Test false-credentials first, if it lets you through it’s not legit.
• Turn off Wi-Fi on devices when traveling.
• Exercise caution when connections suddenly drop, especially if it happens for everyone on the network.
• If it just ‘doesn’t feel right’ then trust your instincts…
Resources• http://www.willhackforsushi.com/code/cpscam.pl
• http://neighbor.willhackforsushi.com/
• http://www.aircrack-ng.org/
• http://www.dd-wrt.com/
• https://github.com/SilverFoxx/PwnSTAR
• http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/
• http://beagleboard.org/black
• http://www.armhf.com/boards/beaglebone-black/bbb-sd-install/
• http://grinninggecko.com/2013/09/13/kali-linux-on-headless-beaglebone-black-via-os-x/
• https://github.com/thebradbain/snapception
• http://airpwn.sourceforge.net/Airpwn.html
• http://intercepter.nerf.ru/
Thank You!
Questions?
https://github.com/gfoss/misc/Wireless/Captive-Portals/
Greg Foss Senior Security Research Engineer
greg.foss[at]LogRhythm.com @heinzarelli