
T2 04 Evil Twin with Wifiphisher - George Chatzisofroniou

BSides Athens 2016 · 34:30 · 1.4K views · Published 2016-07
Transcript (en)

Excited to be here. Today I'm going to talk to you about... the presentation is called "Getting the most [inaudible]". So, something about me: I work at CENSUS. CENSUS is a great company that provides specialized security services to customers. I'm mostly into cryptography and web security, I'm involved in some academic research, mostly privacy-preserving protocols, and I am the lead author of Wifiphisher, a tool that [inaudible] Wi-Fi hijacking with phishing. Wifiphisher was first introduced last year at BSides London, so this presentation is the continuation of the presentation that I did last year. So the four main topics that this presentation revolves around are, first of all,

the Evil Twin attack: what it is and how to perform it against different kinds of networks. Then we're going to talk about Wi-Fi denial of service; this is complementary to the Evil Twin. After that we're going to talk about some special phishing scenarios, phishing attacks that an attacker can mount that make very much sense to do, and finally we're going to see some new features in Wifiphisher and how exactly it works after a year. So, the Evil Twin attack is very easy to explain actually: the attacker will use a rogue access point that looks very legitimate in order to gather personal data. So for example, if right

now we have, I think, a Wi-Fi network called "BSides", what an attacker can do is set up, with his Wi-Fi router for example, a network called "BSides Athens", the same SSID, and that way he can get the victims connected to his network and he will have an easy man-in-the-middle. This is a very common attack vector in Wi-Fi environments; most setups are vulnerable by default and there is no easy, user-oriented method that mitigates this attack. This diagram here actually shows you the attacker at the bottom left, so the attacker actually tries to convince the victims that he is the actual legitimate access point, and at the same time

he's trying to deauthenticate them using denial of service attacks; he's trying to kick the victims out of the legitimate network so he can get them connected to the rogue one. So the first thing, when it comes to Evil Twin, is getting the right equipment. This is a very important step, because when it comes to Evil Twin attacks and rogue access points in general, what you want to do is to have victims connected to your network, and the most important factor for this is probably the signal that you have. So getting the right equipment is a very essential step. The golden rule here is that the more power gain you have, the better. That's

very simple. So ideally, in the best case scenario, the attacker will have two attack points. If the attacker targets an infrastructure, for example, he will use one attack point that will be inside the infrastructure; he will spawn the rogue access point from inside the infrastructure, and he will probably use an omnidirectional antenna so he can broadcast the access point all around. Of course it should be well hidden from prying eyes and have low weight, so it could be a Raspberry Pi or a WiFi Pineapple, for example. And the other attack point should be from outside the building, using a directional antenna. So you have two attack points,

one for spawning the rogue access point, one for the denial of service. But there are cases where you can use the same attack point and still the attacker can have very good results. So there's something called the auto-connect flag. This is what is happening whenever you connect to a Wi-Fi network, then you go away, and then you come back to that Wi-Fi and your device automatically connects to the same Wi-Fi. This is because of the auto-connect flag. I'm pretty sure you're familiar with this; it's enabled by default, it's a typical usability-versus-security feature. And what we're trying to do with Evil Twin most of the time is to exploit this

flag and make use of it. So right down here is a setting, this is I think from NetworkManager, and yes, it's enabled by default. So let's see: whenever you turn on your Wi-Fi feature, your device has an algorithm that actually chooses the network that your device will connect to, and the algorithm is pretty simple. First of all it will look for an ESSID, the ESSID is the network name, right; it will look for an ESSID that already exists in its Preferred Network List. The PNL is a database that is stored in the device; it has all the networks that it

has connected to. So it will look first for a network that it has already connected to in the past; that's the first thing. But if there is more than one, if there are like five networks that this device was connected to in the past, the device will choose the one that offers the best signal. So what the attacker of course wants is to make the automatic association happen with the victims, right? So these are the two things that you want to achieve. The second one, first of all, is to have a good signal; we already talked about this, how he can get good equipment for this. About the

first one, he wants to have something that already exists in the victim's PNL, the Preferred Network List. So in order to achieve number one, we need to understand what exactly the devices, the network managers, are adding to these PNLs. This is actually an association of the ESSID, the network name, and the encryption type. So for example, if I now connect to the "BSides" network that we have here, I think it is a WPA2-protected network, so my device will store in the PNL an association where "BSides" is the SSID and the encryption will be WPA2. That means that in order to connect to it again automatically, it will need to find a

network with these two parameters: the SSID should be the same and the encryption should be the same. So that's what the attacker needs to do. Let's see how Evil Twin works against open networks. First of all, many of you may wonder, why would I want to target an open network? The thing is that this is a way to get man-in-the-middle. For example, ARP spoofing is another way, but sometimes there are mitigations against this, there are limitations, network protections. So spawning a rogue access point is, in some penetration tests, easier for having the victims connected to you. So open networks are usually employed along with a captive portal mechanism, something like that down there; you

have probably seen that in hotels or airports or offices. This is by default vulnerable to our Evil Twin attack, because both the ESSID and the encryption type, and the encryption type is open, can be very easily replicated. So the only thing that the attacker needs to worry about is a stronger signal; as soon as it has a stronger signal, victims will connect to it automatically. So yeah, most setups are vulnerable by default. About WPA or WPA2 with a known or compromised pre-shared key: this is, for example, conferences. Right here we do have a network where the pre-shared key is disclosed, for example, and there are other infrastructures that do this as well. So they have a paper or

something with the pre-shared key. And of course, because we do have authentication among many parties and the authentication relies on a single pre-shared key, this is a secret that, if it's compromised by one endpoint, the other endpoints may never know; they don't have the knowledge that the pre-shared key has been compromised. So it is very common to have a network where the pre-shared key is compromised. So if you're in that case, where there is a WPA or WPA2-protected network and you do know the pre-shared key, then again these setups are vulnerable to Evil Twin, because again we can replicate both the

SSID and the encryption. For example here, what the attacker would do is set up a Wi-Fi network with the ESSID "BSides", and the encryption type will be WPA2 with a password that everybody knows right now. So again here, what the attacker needs is a stronger signal; with not that much money you can get a very good signal. So, corporations: you will see that many corporations will employ WPA Enterprise. This is whenever you don't use a pre-shared key; instead of that, you're using username and password or a certificate. This is again vulnerable to Evil Twin, because the attacker will set up the same ESSID and the same encryption type, and he will set up a RADIUS server

as well that will always say "yes, okay, authenticate him, I don't care about the credentials". So that's the way that he will trick the victims into connecting to the rogue access point. The only case where this is not going to work is whenever the corporation is leveraging PEAP or EAP-TLS; when that's the case, the attack will fail, because the victims actually authenticate the access point. So this is a pretty good mitigation against Evil Twin, and if the certificate is not known to the device, the attack will fail. So in the cases where the attack does not fail, the attacker can get a man-in-the-middle position of course, and he can also capture the

challenge-response that is happening in this kind of protocol, and he can brute-force that offline later in order to retrieve credentials and get access to the legitimate network. So that's probably what's happening whenever the attacker targets a network that is WPA or WPA2 and he doesn't have access to the pre-shared key, he doesn't know it. That's probably the most interesting case, and it's a very common scenario. So, what is not going to work: we do know the ESSID, but we can't replicate the same encryption. Yes, we can set up a network with WPA2, but we don't know the pre-shared key, so if we just put a random pre-shared key there, this is not

going to work. This will fail because the access point won't be able to decrypt the packets from the client; the client will use a different pre-shared key and the association will fail. So this is not an option; we cannot set up a rogue access point that has a different pre-shared key than the target. So what is common there is to do a downgrade attack. A downgrade attack means setting up a network that has no encryption, and these attacks usually need some victim interaction: you just want to push the victims to click on the open network in some way. So there's the KARMA attack that is very well known. So right now we're

actually, because there's not an easy way to replicate a network for which we don't know the pre-shared key, the attacks that we're going to see now are actually oriented at the users themselves. So KARMA is an attack that is targeting the user instead of the access point. This is featured by the WiFi Pineapple, and what it does is listen to probe requests. Probe requests are the messages that your device is sending every time you turn your Wi-Fi feature on, and it's waiting for your device to say "I'm looking for access point X, I'm looking for access point whatever, BSides London, BSides Athens, etc." So what KARMA is doing is actually listening to these probe requests. This is an

information leak, by the way; your device does this, in case you don't know. So what the WiFi Pineapple and KARMA are doing is listening to these probe request frames, and it can determine in a way if these probe requests are intended for an open network or a protected network. If they are for an open network, it will just spawn that network and the automatic association will happen. If it's for a closed network, it will not; it will keep waiting there until it encounters an open network. Of course, in order for this to work, the devices, the laptop or the

mobile phone, need to have already stored some open networks in the PNL, to have already connected to open networks. So for example, your laptop is going to ask for "BSides" from now on, since you have connected to the network and you have the default settings. And if the "BSides" network was open... it's not open, so very good; if it was open, then the KARMA attack would say "yes, I'm here" and get man-in-the-middle that way. The thing is that the KARMA attack is not working as it used to. That's not surprising, because KARMA was first announced, or first written, like the paper was disclosed, 10 years ago, and the reason that this is not

going to work is that devices will wait for the correct beacon frame first before sending the probe request. What's the beacon frame? The beacon frame is the message that the access point is sending, announcing its presence. So that's the correct way; down here you see the correct way: the device first waits for the access point to say "hey, I'm somewhere around", and then it will say "cool, okay, I have you in my Preferred Network List, now I can associate with you". That's the correct way. The other thing that devices are doing, and I've seen that mostly on Android devices, is that if they do send probe request frames on their own without getting a beacon frame

first, they will put the broadcast address in the destination address, so there's no ESSID leak there; the attacker can't know. The broadcast address means that this message is intended for everyone around, so there's no information leaked there, so KARMA is going to fail again. From my experience, KARMA works well against Apple devices but not, for example, against Windows 10 or Android; it doesn't work. So something that we can do, and some people don't actually realize this, is that an attacker can guess the network. So right now we don't target a network; again, we target a specific user. If the attacker has knowledge

that the victim has connected to an open network, for example if someone was at the BSides London conference and there was an open network there, I can assume that the victim connected to that network. It's very easy to go outside of the victim's house, set up a network "BSides London", and if I have a strong signal the victim will connect to me. So yeah, it's very important to know which networks we are connecting to. This is a very easy to do attack. There's another thing that makes this even easier: there's a flag, apart from the auto-connect flag, there's another flag that is also enabled by default on most network managers, and this actually

makes the network that you're connecting to available to all system users. So that means that, for example, on a corporate laptop that more than one person is using, someone may profile or target the other system user, and by getting the information that, for example, the other system user went to BSides London, you can target all the rest of the system users by getting this knowledge. All right, let's see some things about denial of service that we can do. The most common is deauthentication. So there's a frame called the deauth frame; this is transmitted unencrypted in the air and is sent when the access point wants to remove a station; it

will send that to all the stations claiming "you guys need to disconnect now", and it's also the one the device sends whenever you leave the network. But because there's no encryption there, anyone can craft these messages, send them in the air, and he can kick out clients that way by sending three of them: one from the access point to the client, one from the client to the access point, and one from the broadcast address, to make sure. So yeah, of course, this is a good attack that is working. Of course we can do physical jamming as well; we can play with the radio frequencies to do physical jamming. I like this better because you don't need

a special device or something; you can do that from your Linux laptop, for example. So I told you earlier that if you do a downgrade, if you set up an open network, there won't be an automatic association, because the encryption type will be different. So in that case you actually need some user interaction: you want the user to see his device, his network manager, and click on the network. So to do that, again you're targeting a victim, you're not targeting the access point. What you can do is, as soon as you deauthenticate the station... first of all, with the previous method, what is happening is that you will

deauthenticate the victim, but he will get connected again because of the auto-connect, unless you have a stronger signal. But this will keep happening, right; this will be annoying for the victim. But what would probably be better, if we want victim interaction, is to set up a network with the same exact encryption settings, so we set a random pre-shared key. As we said, we won't have automatic association, we won't have automatic connection there. What's going to happen is that the victim will try to connect to our network; we're actually going to respond to probe requests. This is the same thing as setting up the same network, just with a different pre-shared key,

and what is going to happen is that if you have a strong signal, the victim will try to connect as soon as he gets deauthenticated. With the first example, the victim will try to authenticate to our network, and because we don't know their pre-shared key, we will say "sorry, your PSK is incorrect". But that way we have the victims disconnected, and not disconnected and then connected to the correct network, disconnected, connected; we'll keep them disconnected that way, and this is probably better if we want them to manually interact with the network manager. All right, we can see some phishing scenarios and then we can proceed to some more interesting stuff in Wifiphisher that we have

implemented. So of course, as soon as the attacker gets man-in-the-middle with the rogue access point, he can perform many attacks: he can sniff for sensitive data, he can infect the victims with malware. Something very cool is the phishing, for many reasons; he can do a lot of different kinds of phishing. For example he can replace captive portals, he can remove the captive portal and put his own; he can set up a "free Wi-Fi" rogue access point that will force the victims to use their OAuth credentials, their Facebook credentials, to log in, and he can get Facebook credentials that way. These are all cool scenarios,

but there are some scenarios that are very interesting, and they have to do with bridging information from the air, from the beacon frames, to the template. These are very interesting because these are actually something that you can do manually; Wifiphisher, the tool that I develop, does this in an automatic way, and it's very hard to do manually. So what we're doing is getting information from the beacon frames. The beacon frames, again, are the messages that the access point is sending, and we're using this information to make an automatic template generation. So let's see these scenarios in more detail. The first thing that we can do is to identify the vendor with

the MAC address of the access point, and then display fake messages coming from the router, for example asking for the WPA or WPA2 pre-shared key. By getting the MAC address, we can determine the vendor of the access point, for example, and we can make this much more realistic; we'll see that, it's very simple. The other thing that we can do, and it's pretty cool, is that we can imitate the network manager. The first thing that we will do is show a connection-failed page. So first of all, we can keep giving internet connection, right;

we have a rogue access point that can give a valid internet connection to the victim, and at some point we can drop a connection-failed page like the one that browsers are showing whenever you don't have internet. And we can know what browser the user is using, because we can get that from the User-Agent there. So the first thing that we're doing is, after a while, after some browsing on the internet, we will throw this page. The second thing that we will do is to display a network manager asking for the WPA password, but we will display this network manager in the browser; we will display that with our own HTML and JavaScript

code, but we can make that very realistic, so the victim won't really realize that this is the website instead of the operating system. And of course network managers are different, the graphical user interface is different; we can determine which operating system we should imitate by the User-Agent header again. And we can also fill this network manager with information, for example the beacon frames that are around; this is the bridging that I was talking about earlier. We do know what networks are around, so for example on Windows, if you click on the network icon you will see the networks that are around, right? So we can

do that; we can get the networks that are around and we can make a network manager on the web page. So let's see Wifiphisher. Wifiphisher does all the rogue access point and the Wi-Fi [inaudible]; it is very well supported by the Wi-Fi community, and we are having a 1.2 release. I'm going a little fast right now because we don't have much time. This is how it looks. So a feature that we have is the template customization: right now a designer can provide a file that can be filled in by the user, and for example if the user of Wifiphisher does know information, for example the version, somehow from another

channel, he can use that information. So we have a templating engine: "a new version of {target access point vendor}", and this will be rendered like that. So here we have "a new version of the [inaudible] firmware", and we got that from the air, we got that information from the air; this happens automatically, right. [Music] And user information. So another feature that we have is... a lot of tools are relying on [inaudible] commands; we're actually using a library that communicates with the kernel to get this information. This is a very cool project that is supported by [inaudible]; it's a very new project, and it's something that makes

the tool very much stable. So the third feature that we have is that we have some templates, as I told you earlier, that are pretending that they are from the user's operating system. I can show you some of these; let's see the

set. So here you see, you get the page that says there's no internet connection. This recognized that I have Firefox, so it threw something, and this is not Mac, right; this is the one for Mac, for targeting a Mac, and you see this is very... let's say this is very realistic. You can't see any difference here, it looks very valid, right? And I can show you another one too that is currently being worked on; this is for Windows 10. So you see it's very, very realistic; if you see here, the valid one is this one. We're closing up, right, we're getting there. So these were actually made by [inaudible], the guy who presented earlier, who is

sitting right here.

All right, so yeah, that's the last slide. We do have a mature open source community behind that; there are a lot of contributors, some of them are around. We did our first [inaudible] a week or two ago, it went pretty good, we had a lot of fun. We're always looking for new members, so if you're interested in working on that, you can contact me. [Applause] Yeah. [Applause] Questions? [Question: do you need to be a member of this open network?] No, no, that's the cool thing: because there's no encryption there, you can just craft this frame and start kicking out clients. [Question: the network managers, one for each?] That's the plan right

now: we have these two network managers, but the plan is to have everything. [Question: does it need some advanced skills, [inaudible] skills?] Yes. [Question: you said that devices send out probe requests for known access points; do you know if there is any effort, I think Apple has done it somehow, to randomize the MAC address so you don't know who sent the probe request? Windows Phone can disable it, I think; is there any effort from Android?] First of all, if you connect to a network and you uncheck "remember this network", it won't ask for this network again; that's one thing. The other thing is that I told you that KARMA is

not working, and one of the reasons that it's not working is that, yes, devices are not going to send probe request frames on their own; they will first listen for the beacon frame and then they will send the probe request frame. So yeah, it's a lie to say that all devices, all network managers, are currently sending probe requests for previously associated networks; that was true like 5 years ago, but now they have countermeasures for KARMA, so they're not really doing that that much anymore. [Question: so Wifiphisher helps you with the template customization, it captures the packets?] So Wifiphisher does all this; I mean, it spawns the rogue access point, it

kicks out clients from the network, and it helps you with writing and [inaudible] scenarios. We have a lot of scenarios: we have scenarios for grabbing the key, we have scenarios for feeding the victims with malware through plugin updates, for example; we now have the scenario that imitates the browser; we have many scenarios and many more to come. So it does all of these that we discussed. [Question: thank you; you told us about the power of the network a lot, so this is crucial [inaudible], but especially

[inaudible], so it's like a device [inaudible] connect [inaudible]?] Indeed, there are some attacks, like the one you say; for example, you can do an association flood, you can pretend that you have many clients that want to connect to this network. This is a common attack that you can do, and of course the first thing that the attacker is going to try is to deny service to the access point completely; for this he is going to pretend that there are many clients that want to associate. It works, from my knowledge, on many access points, but not for every one. So yes, this is a common attack; they will try to deny service that way. If they do have

access to the network that this access point is providing, they probably can try other exploits, depending on the vendor, in order to bring it completely down. That's the first thing. If all these fail, I think the attacker is going to try physical jamming, probably, if he has the hardware; and if it's an enterprise network, that means a large corporation, physical jamming makes sense for a determined attacker. Otherwise he can do the [inaudible] with the simple [inaudible].
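The auto-connect rule and the Evil Twin variants the speaker walks through, as an added example that is not part of the talk or of Wifiphisher: a Python model of the device-side selection (an (ESSID, security type) pair must already be in the PNL, then the strongest signal wins) next to a defender-side check over a beacon survey. The beacons, BSSIDs and the known-BSSID allow-list are constructed.

```python
# Added example (not from the talk or Wifiphisher): a small model of the
# auto-connect rule the speaker describes, plus a defender-side check over
# beacon data. All beacons, BSSIDs and PNL entries below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    essid: str      # network name announced in the beacon frame
    bssid: str      # MAC address of the access point
    security: str   # "open", "wpa2-psk" or "wpa2-enterprise"
    rssi: int       # signal strength in dBm; closer to 0 is stronger


def choose_network(pnl, beacons):
    """Model of the device-side rule from the talk: a beacon is a candidate only
    if its (ESSID, security type) pair is already in the Preferred Network List;
    among candidates the strongest signal wins. Returns None if nothing matches."""
    candidates = [b for b in beacons if (b.essid, b.security) in pnl]
    return max(candidates, key=lambda b: b.rssi) if candidates else None


def evil_twin_findings(beacons, known_bssids):
    """Defender check over a beacon survey. known_bssids maps a managed ESSID to
    the set of BSSIDs that legitimately serve it (assumed to come from a site
    survey). Flags (1) an ESSID seen with more than one security type, which is
    what a downgrade-style twin looks like from the air, and (2) an unknown
    BSSID advertising a managed ESSID. Returns sorted (essid, reason, detail)."""
    by_essid = {}
    for b in beacons:
        by_essid.setdefault(b.essid, []).append(b)
    findings = []
    for essid, group in by_essid.items():
        securities = sorted({b.security for b in group})
        if len(securities) > 1:
            findings.append((essid, "security-mismatch", ",".join(securities)))
        if essid in known_bssids:
            for b in group:
                if b.bssid not in known_bssids[essid]:
                    findings.append((essid, "unknown-bssid", b.bssid))
    return sorted(findings)


# Constructed survey: the legitimate conference AP plus rogue variants.
LEGIT = Beacon("BSides", "00:11:22:33:44:55", "wpa2-psk", -65)
OPEN_TWIN = Beacon("BSides", "66:77:88:99:aa:bb", "open", -35)        # downgrade
PSK_TWIN = Beacon("BSides", "66:77:88:99:aa:bb", "wpa2-psk", -35)     # known PSK
GUESSED = Beacon("BSides London", "66:77:88:99:aa:bb", "open", -40)  # guessed PNL
KNOWN = {"BSides": {"00:11:22:33:44:55"}}   # allow-list from an assumed survey


def scenario_downgrade():
    """Device knows BSides as WPA2-PSK: the open twin does not auto-associate,
    even though it is much stronger, because the security type differs."""
    return choose_network({("BSides", "wpa2-psk")}, [LEGIT, OPEN_TWIN])


def scenario_known_psk():
    """Twin with the same ESSID and security type: the strongest signal wins."""
    return choose_network({("BSides", "wpa2-psk")}, [LEGIT, PSK_TWIN])


def scenario_guessed_pnl():
    """Victim once joined an open 'BSides London'; a twin of it auto-associates
    anywhere, and the allow-list check cannot see it (no managed ESSID)."""
    pnl = {("BSides", "wpa2-psk"), ("BSides London", "open")}
    return choose_network(pnl, [GUESSED])


if __name__ == "__main__":
    print("downgrade ->", scenario_downgrade().bssid)
    print("known psk ->", scenario_known_psk().bssid)
    print("guessed   ->", scenario_guessed_pnl().essid)
    for finding in evil_twin_findings([LEGIT, OPEN_TWIN, GUESSED], KNOWN):
        print("finding   ->", finding)
```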