Rogue AP - Fake Access Points



    Most modern devices remember the name of any Wi-Fi network they have successfully connected to at least once, and immediately connect to it again as soon as they "see" it on the air. Attackers increasingly exploit this feature of wireless technology by creating a so-called rogue AP (fake access point). Such attacks grow in scale every year, given the ever-growing BYOD market and the amount of critical information stored on those devices.

    Fake wifi


    A user who configures a wireless adapter to connect automatically to known wireless networks risks becoming the victim of a man-in-the-middle attack. An attacker can set up an access point that imitates a trusted Wi-Fi network. The client device will then automatically connect to that access point and work through it, and the attacker can intercept "all traffic" from the victim or attack the device directly, since it now sits in the same network segment.

    To discover access points, a device equipped with a Wi-Fi module scans the air for Beacon frames transmitted by access points; these frames carry the SSID, which the device compares against its list of known networks. The device also broadcasts Probe-Request frames on all channels and waits for a response from a known access point. A Probe-Request may or may not indicate the SSID of the network the mobile device is looking for. In response to a Probe-Request, the access point sends a Probe-Response frame containing the same information as a Beacon frame.

    Based on the received data, such as the network name, the signal-to-noise ratio and the supported 802.11 standards, the device decides on its own which of the available known networks (access points) to connect to.

    The attacker's task is to "raise" a clone of a network that the potential victim's device may be configured to join (whether that network is open or encrypted). If a legitimate access point is nearby, the attacker can also try to "extinguish" it in order to redirect its clients to the rogue access point.

    Examples of fake access points:

    • router name and/or model: DIR-300, ASUS;
    • default name: default, %provider_name%;
    • free Wi-Fi: MosMetro_Free, Beeline_Free_Wi-Fi;
    • access points with operator-branded firmware: attwifi;
    • access points of various establishments: %airport_name_free%, McDonalds_WiFi_Free;
    • access points without encryption: h0lyava, MaminHackir, blondinka.

    Once the victim has connected to the access point, the attacker carries out one or more attack vectors, including ones that rely on sociotechnical tactics:

    • "classic" Man-in-the-Middle attacks, data interception;
    • "complex" Man-in-the-Middle attacks: sslstrip, HSTS and SSL-pinning bypass, etc.;
    • traffic modification (spoofing of URLs, content);
    • a fake router login page / web panel that asks for the password, a captive portal;
    • a fake RADIUS server to intercept MS-CHAPv2 hashes (many users readily accept a fake or untrusted certificate);
    • direct attacks on devices in the same network segment.

    Attack examples


    On the eve of the international exhibition Mobile World Congress 2016, Avast employees conducted an experiment of sorts. The day before the opening, several Wi-Fi access points with the SSIDs Starbucks, Airport_Free_Wifi_AENA and MWC Free WiFi were deployed at Barcelona Airport. Avast's goal was to demonstrate how users put themselves at risk when using public Wi-Fi hotspots.

    In just four hours, Avast specialists intercepted more than 8 million data packets from more than two thousand users. To maintain user privacy, all data was immediately deleted. The company managed to collect the following statistics during the experiment:

    • 50.1% of users had an Apple device, 43.4% a gadget running Android, 6.5% a device with Windows Phone;
    • 61.7% of visitors used Google search and checked their Gmail mail;
    • 14.9% used Yahoo search;
    • Facebook was installed on 52.3% of devices, while Twitter was far less popular at only 2.4%.

    As the experts noted, many people know that an open Wi-Fi network is fraught with danger but continue to use such networks anyway. The success of the experiment is also explained by the fact that many airport visitors are roaming and cannot use mobile Internet, so they look for free networks.

    Users of the most popular networks are often attacked purely out of hooligan motives:
    Hackers hacked the free Wi-Fi network of the Moscow metro around 11:30. As a result of hooliganism, thousands of passengers saw porn on the screens of their phones and tablets instead of the usual start page and invitation to enter the network
    When connecting to the Wi-Fi network, as REN TV reporters learned, an obscene message appeared on the passengers' mobile phones: "Go to x... bits and pails! X... you, not the Internet."

    Ilya Grabovsky, a spokesman for MaximTelecom, said that a break-in to their network was ruled out. According to him, one of the passengers created a Wi-Fi network without Internet access and gave it a similar name. Grabovsky noted that one of the citizens connected to this network by mistake.

    What can be said about ordinary users, when even "advanced" attendees of information security conferences fall victim to such attacks:

    Bo0oM:
    Therefore, I handed out a fake Wi-Fi point, but not a simple one: with ARP, DNS, NB, ANOTHER SAME-ABBREVIATION-spoofing, certificate substitution, HSTS bypass and other fashionable things.

    This allowed all the traffic of connected users to pass through it, breaking wings along the way (moving from an encrypted connection to an unencrypted one). Thus, I managed to connect 108 devices. In most cases mobile phones, in a minority laptops. The standard mail client for iPhone perfectly allows MiTM (apparently for this reason it was possible to intercept 6 passwords from Gmail accounts), and iCloud sends the username and password in the header with each request (Basic Auth).

    Tools


    To date, there are quite a few utilities for conducting these types of attacks; the following is a brief description of the most popular ones.

    Important: the use of some of them may be prohibited by law and prosecuted.

    mdk3 is a utility that bundles several client deauthentication techniques and attacks against access points that cause them to "freeze" (DoS) or reboot.

    MANA toolkit is a modified hostapd (software access point) plus several scripts for creating and operating fake access points: the KARMA attack; various types of MitM attacks; HSTS bypass and cookie hijacking; interception of EAP.

    Wifiphisher is designed for phishing attacks on Wi-Fi networks in order to obtain the access point password and other personal information. The tool relies on social engineering.

    WiFi-Pumpkin creates a fake Wi-Fi access point while acting on the legitimate one (disconnecting its clients). It can be used to capture credentials through Man-in-the-Middle attacks and also supports attacks such as (including sociotechnical ones): DHCP starvation; Windows Update phishing; HSTS bypass; a transparent proxy, etc.

    Linset is a utility that combines a fake access point with a sociotechnical component. The tool is interesting but requires some modifications.

    BDFProxy is a tool that modifies binary files on the fly, for example to inject malicious functionality or backdoors. This is particularly effective against update services that deliver updates as executable files.

    WAIDPS is a tool for detecting attacks on Wi-Fi networks. It is a multi-purpose tool designed for network auditing, wireless intrusion detection (WEP/WPA/WPS attacks) and intrusion prevention (stopping a station from connecting to an access point). In addition, the program collects all information about the surrounding Wi-Fi networks and stores it in a database.

    Protection methods


    The most radical measure is simply to turn off the Wi-Fi adapter.

    Preventive measures: enable "connection confirmation" even for known networks; use a VPN; monitor the air to detect anomalies; do not use critical programs (such as an online banking client) on open networks.
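As an added example (not code from the original article), here is a defender-side check in the spirit of "monitoring the air": it parses the fields a Beacon or Probe-Response frame body carries (the capability privacy bit and the SSID, channel and RSN information elements described in the "Fake wifi" section) and flags two rogue-AP symptoms against an allowlist of managed access points: an unknown BSSID announcing a managed SSID, and an open clone of a network that should be encrypted. The beacon bodies, BSSIDs and SSID names are constructed for the demonstration; a real deployment would feed it frame bodies from a monitor-mode capture.

```python
import struct

# Beacon/Probe-Response body (after the 24-byte MAC header): 8-byte timestamp,
# 2-byte beacon interval, 2-byte capability field, then tagged information elements.
CAP_PRIVACY = 0x0010            # capability bit: the network uses encryption
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48

def build_beacon(ssid, channel, encrypted):
    """Construct a sample beacon body for the demonstration (not a real capture)."""
    caps = 0x0001 | (CAP_PRIVACY if encrypted else 0)   # ESS bit + optional privacy bit
    body = struct.pack('<QHH', 0, 100, caps)
    body += bytes([IE_SSID, len(ssid)]) + ssid.encode()
    body += bytes([IE_DS_PARAM, 1, channel])
    if encrypted:   # minimal RSN IE: v1, CCMP group/pairwise cipher, PSK AKM, no caps
        rsn = b'\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02\x00\x00'
        body += bytes([IE_RSN, len(rsn)]) + rsn
    return body

def parse_beacon(body):
    """Extract SSID, channel and whether the frame advertises encryption."""
    _, _, caps = struct.unpack_from('<QHH', body, 0)
    info = {'ssid': None, 'channel': None, 'encrypted': bool(caps & CAP_PRIVACY)}
    pos = 12
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + ie_len]
        if len(data) < ie_len:
            break   # truncated IE: stop rather than misparse the tail
        if ie_id == IE_SSID:
            info['ssid'] = data.decode('utf-8', 'replace')
        elif ie_id == IE_DS_PARAM and ie_len == 1:
            info['channel'] = data[0]
        elif ie_id == IE_RSN:
            info['encrypted'] = True
        pos += 2 + ie_len
    return info

def find_rogues(observations, known_aps):
    """observations: [(bssid, body)]; known_aps: {ssid: (set of allowed bssids, encrypted)}."""
    alerts = []
    for bssid, body in observations:
        b = parse_beacon(body)
        if b['ssid'] not in known_aps:
            continue   # SSID we do not manage: nothing to compare against
        bssids, encrypted = known_aps[b['ssid']]
        if bssid not in bssids:
            alerts.append((bssid, b['ssid'], 'unknown BSSID for known SSID'))
        if encrypted and not b['encrypted']:
            alerts.append((bssid, b['ssid'], 'open clone of encrypted network'))
    return alerts
```

The same parser applies to Probe-Response bodies, since they carry the same fixed fields and information elements as a Beacon.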
