Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/26/2009
12:58 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Using Evil WiFi To Educate Users, IT Admins

For my keynote at Operation WebLock, I was asked to include a demo or two that would leave attendees rethinking some of their current practices. It didn't take a long to come up with a few different possibilities, but I settled on one of my favorite attacks: wireless network- impersonation and connection hijacking.

For my keynote at Operation WebLock, I was asked to include a demo or two that would leave attendees rethinking some of their current practices. It didn't take a long to come up with a few different possibilities, but I settled on one of my favorite attacks: wireless network- impersonation and connection hijacking.Last year, I picked up a couple of La Fonera 2100 wireless routers from Fon. The purpose was to configure them for an upcoming penetration test where I knew I would most likely have the opportunity to hide at least one of them at a client site for internal network access. The La Fonera's are very hackable, like the well-known Linux-based Linksys WRT54G wireless routers.

After the pen-test, I used them for various purposes, one of which was testing the custom Jasager firmware from Digininja that incorporated the Karma tool by Dino Dai Zovi and Shane Macauley. Karma passively detects preferred/trusted wireless networks that wireless clients are trying to connect to. Once it sees a probe for a particular network, it can immediately become that network so the client will connect. And so the evil begins.

Once you get a wireless client to connect to you and believe you are a trusted network, you can do just about anything. Last year, work was done by the Metasploit Project to integrate Karma with the Metasploit Framework. What resulted was a config file that could be fed to msfconsole that would automatically start up listeners for DNS, HTTP, IMAP, SMTP, FTP, and POP3.

As long as you configured the La Fonera to point DNS to a laptop to running with this config, you could essentially become the Internet and respond as any host the victim wireless client asked for. Can you say PWNAGE?

I'd had this setup for about a year, but thought it would still serve as a great demo for my keynote because it's such an effective attack. There was still something I felt I was missing that would make the demo floor people. That's when I remembered a write-up on a similar setup by Ax0n from this summer titled "Evil Wifi". Bingo!!

Ax0n put together a three-part blog series that shows how to build the exact setup I have but goes further in making it more realistic....and EVIL! The first change was putting together a more believable Web page for users to land on when they make a Web request. I had thought of making one more work-specific in the past, but never got around to it. Ax0n put together one that looks like a generic hotel Web portal that tells you to get an access code from the front desk (I actually had a participant come up to me before the presentation asking for the code...oops).

The killer portion of Ax0n's setup was incorporating Hamster and Ferret from Errata Security to perform sidejacking to hijack active Web sessions. This was exactly what I needed to show just how easy it is to take over someone's GMail or Facebook session. After testing that Hamster and Ferret would run properly on my Mac, I tested the setup and it worked perfectly -- just like Ax0n had done under Ubuntu Linux.

Even if you aren't a pen-tester, just being able to set this up and show just how easy it is to impersonate wireless networks and hijack users is huge for getting your IT and management to realize the problems with using wireless for remote access. It might just help you get that extra funding for a Verizon MiFi.

A big thanks to Ax0n for posting that series. The added attack capabilities of Hamster and Ferret to my demo definitely made the audience do a double-take and rethink using wireless anywhere they don't own the network.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.