Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:58 PM
John H. Sawyer
John H. Sawyer

Using Evil WiFi To Educate Users, IT Admins

For my keynote at Operation WebLock, I was asked to include a demo or two that would leave attendees rethinking some of their current practices. It didn't take a long to come up with a few different possibilities, but I settled on one of my favorite attacks: wireless network- impersonation and connection hijacking.

For my keynote at Operation WebLock, I was asked to include a demo or two that would leave attendees rethinking some of their current practices. It didn't take a long to come up with a few different possibilities, but I settled on one of my favorite attacks: wireless network- impersonation and connection hijacking.Last year, I picked up a couple of La Fonera 2100 wireless routers from Fon. The purpose was to configure them for an upcoming penetration test where I knew I would most likely have the opportunity to hide at least one of them at a client site for internal network access. The La Fonera's are very hackable, like the well-known Linux-based Linksys WRT54G wireless routers.

After the pen-test, I used them for various purposes, one of which was testing the custom Jasager firmware from Digininja that incorporated the Karma tool by Dino Dai Zovi and Shane Macauley. Karma passively detects preferred/trusted wireless networks that wireless clients are trying to connect to. Once it sees a probe for a particular network, it can immediately become that network so the client will connect. And so the evil begins.

Once you get a wireless client to connect to you and believe you are a trusted network, you can do just about anything. Last year, work was done by the Metasploit Project to integrate Karma with the Metasploit Framework. What resulted was a config file that could be fed to msfconsole that would automatically start up listeners for DNS, HTTP, IMAP, SMTP, FTP, and POP3.

As long as you configured the La Fonera to point DNS to a laptop to running with this config, you could essentially become the Internet and respond as any host the victim wireless client asked for. Can you say PWNAGE?

I'd had this setup for about a year, but thought it would still serve as a great demo for my keynote because it's such an effective attack. There was still something I felt I was missing that would make the demo floor people. That's when I remembered a write-up on a similar setup by Ax0n from this summer titled "Evil Wifi". Bingo!!

Ax0n put together a three-part blog series that shows how to build the exact setup I have but goes further in making it more realistic....and EVIL! The first change was putting together a more believable Web page for users to land on when they make a Web request. I had thought of making one more work-specific in the past, but never got around to it. Ax0n put together one that looks like a generic hotel Web portal that tells you to get an access code from the front desk (I actually had a participant come up to me before the presentation asking for the code...oops).

The killer portion of Ax0n's setup was incorporating Hamster and Ferret from Errata Security to perform sidejacking to hijack active Web sessions. This was exactly what I needed to show just how easy it is to take over someone's GMail or Facebook session. After testing that Hamster and Ferret would run properly on my Mac, I tested the setup and it worked perfectly -- just like Ax0n had done under Ubuntu Linux.

Even if you aren't a pen-tester, just being able to set this up and show just how easy it is to impersonate wireless networks and hijack users is huge for getting your IT and management to realize the problems with using wireless for remote access. It might just help you get that extra funding for a Verizon MiFi.

A big thanks to Ax0n for posting that series. The added attack capabilities of Hamster and Ferret to my demo definitely made the audience do a double-take and rethink using wireless anywhere they don't own the network.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-27
Arbitrary code execution vlnerability in Operation bridge Manager, Application Performance Management and Operations Bridge (containerized) vulnerability in Micro Focus products products Operation Bridge Manager, Operation Bridge (containerized) and Application Performance Management. The vulneravil...
PUBLISHED: 2020-10-27
Code execution with escalated privileges vulnerability in Micro Focus products Operation Bridge Manager and Operation Bridge (containerized). The vulneravility affects: 1.) Operation Bridge Manager versions: 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.63,10.62, 10.61, 10.60, 10.12, 10.11, 10.10 ...
PUBLISHED: 2020-10-27
A SQL injection vulnerability exists in Victor CMS V1.0 in the cat_id parameter of the category.php file. This parameter can be used by sqlmap to obtain data information in the database.
PUBLISHED: 2020-10-27
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
PUBLISHED: 2020-10-27
Check Point ZoneAlarm before version allows a local actor to escalate privileges while restoring files in Anti-Ransomware.