Using Evil WiFi To Educate Users, IT Admins

For my keynote at Operation WebLock, I was asked to include a demo or two that would leave attendees rethinking some of their current practices. It didn't take a long to come up with a few different possibilities, but I settled on one of my favorite attacks: wireless network- impersonation and connection hijacking.Last year, I picked up a couple of La Fonera 2100 wireless routers from Fon. The purpose was to configure them for an upcoming penetration test where I knew I would most likely have the opportunity to hide at least one of them at a client site for internal network access. The La Fonera's are very hackable, like the well-known Linux-based Linksys WRT54G wireless routers.

After the pen-test, I used them for various purposes, one of which was testing the custom Jasager firmware from Digininja that incorporated the Karma tool by Dino Dai Zovi and Shane Macauley. Karma passively detects preferred/trusted wireless networks that wireless clients are trying to connect to. Once it sees a probe for a particular network, it can immediately become that network so the client will connect. And so the evil begins.

Once you get a wireless client to connect to you and believe you are a trusted network, you can do just about anything. Last year, work was done by the Metasploit Project to integrate Karma with the Metasploit Framework. What resulted was a config file that could be fed to msfconsole that would automatically start up listeners for DNS, HTTP, IMAP, SMTP, FTP, and POP3.

As long as you configured the La Fonera to point DNS to a laptop to running with this config, you could essentially become the Internet and respond as any host the victim wireless client asked for. Can you say PWNAGE?

I'd had this setup for about a year, but thought it would still serve as a great demo for my keynote because it's such an effective attack. There was still something I felt I was missing that would make the demo floor people. That's when I remembered a write-up on a similar setup by Ax0n from this summer titled "Evil Wifi". Bingo!!

Ax0n put together a three-part blog series that shows how to build the exact setup I have but goes further in making it more realistic....and EVIL! The first change was putting together a more believable Web page for users to land on when they make a Web request. I had thought of making one more work-specific in the past, but never got around to it. Ax0n put together one that looks like a generic hotel Web portal that tells you to get an access code from the front desk (I actually had a participant come up to me before the presentation asking for the code...oops).

The killer portion of Ax0n's setup was incorporating Hamster and Ferret from Errata Security to perform sidejacking to hijack active Web sessions. This was exactly what I needed to show just how easy it is to take over someone's GMail or Facebook session. After testing that Hamster and Ferret would run properly on my Mac, I tested the setup and it worked perfectly -- just like Ax0n had done under Ubuntu Linux.

Even if you aren't a pen-tester, just being able to set this up and show just how easy it is to impersonate wireless networks and hijack users is huge for getting your IT and management to realize the problems with using wireless for remote access. It might just help you get that extra funding for a Verizon MiFi.

A big thanks to Ax0n for posting that series. The added attack capabilities of Hamster and Ferret to my demo definitely made the audience do a double-take and rethink using wireless anywhere they don't own the network.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.