
All right. Can everybody hear me in the back? Cool. So, my name is George. I'm here to talk to you about Wi-Fi phishing attacks, and then I'll introduce you to a tool of mine I wrote some months ago called Wifiphisher. So, something about me. I work as a security engineer at Census. Census is a very cool Greek company that provides IT security services to its customers. You can check my interests. I have also done some academic research, mostly designing privacy-enabling and anonymity-providing protocols. And I'm the lead author of the tool I'm planning to present to you today.

Okay, here's the agenda. We'll start with some boring stuff that we need to cover: the IEEE 802.11 specification, and we'll then see the issues of the specification. We'll later discuss issues that exist in operating systems, specifically in network managers. Then I'll be able to explain to you Evil Twin and Karma attacks, two very popular attacks on Wi-Fi networks. After that, we can talk about Wifiphisher and how it works. And finally, we'll talk about countermeasures against Wifiphisher and of course Evil Twin and Karma attacks in general. And then we'll have our Q&A.

So, wireless communication. I guess most of you may be connected to a Wi-Fi network right now. There's been a rapid growth in recent years. People can access the internet anywhere. I mean, even in planes or trains, almost anywhere and anytime. And here's a funny fact: 75% of Americans said that a week without Wi-Fi would leave them grumpier than a week without coffee. So you can see there's an addiction to the internet, hence there's an addiction to Wi-Fi. So, yes, it's a big deal.

Okay, the boring stuff. IEEE 802.11. This is the specification for wireless LAN communication. That means that all the rules that apply between your mobile device and an access point whenever you connect, all these rules are defined by the specification. There are two basic entities. The first one is the station. That could be your mobile device, for example, or whatever has a wireless card and acts as a client.
Your laptop, for example. And the other entity is the access point. The access point is, for example, your wireless router back in your home. And the access point is identified by a service set identifier, also known as ESSID. I guess that most of you have already set up a wireless network for your home, so you know what an ESSID is. It's the actual name of the wireless network. So, that's easy.

Let's talk about the management frames. The management frames are the messages that enable stations to establish and maintain communications with an access point. So, management frames are all the communication that happens whenever our device wants to connect to an access point. Our device will be like, "Hey, access point, I want to connect to you." And the access point will be like, "Okay, feel free to join my Wi-Fi services." So, there are two very common management frames: beacon frames and probe request frames. The beacon frames are transmitted by the access point to announce its presence. That means that if I set up an access point, the access point will shout to everyone around it and will say, "Hello, everyone. I am the access point with ESSID mumble, or whatever. Feel free to join me." Okay? The probe request frames, on the other hand, are transmitted by the station, for example your mobile device, and they ask for information from a specific access point. So, it's like your mobile device shouting in the air, because, like love, Wi-Fi is also in the air. So, your mobile device will shout in the air, "Hey, maybe the Wi-Fi with ESSID mumble is around. If so, please give me some information, for example transmission rates or encryption and stuff like that." So, we have these two ways to establish communication, beacon frames and probe request frames. And the network card will send a probe request to determine which access points are within range. It will ask, "Hey, maybe access point mumble is there," for example.

Okay, let's go to the more interesting part, the issues that we have here. You see, we only had a couple of slides about the IEEE 802.11 specification, but we can already see some issues. There is no real qualification of the case where multiple available access points are around with the same ESSID. Okay. That means right now there is a Wi-Fi network called Security BSides, something like that, in the air. What will happen if I set up a wireless network with the exact same ESSID? What will happen? The specification doesn't tell us how the stations need to deal with it. So, it's up to the software developers to decide and make a solution for this. What most clients do, what most software does, is choose the access point with the best signal. That's not the best solution though, because let's say that I want to mess with my neighbor back in Greece, okay? So, what I can do is create a fake access point, okay? With the same ESSID and same encryption type as my neighbor's. And let's say I have a stronger antenna. I have a very strong signal. So, whenever my neighbor wants to connect to his Wi-Fi network, he will try to connect to mine instead. If he has protection on his Wi-Fi network, he will fail. Of course he will fail, but still he will be annoyed, because his device will be trying to connect to my Wi-Fi network instead. So, yes, that's the first issue.

Another issue. We talked about management frames, which are the messages for establishing a communication. The thing is that these frames are not protected by cryptography. And this is a big deal. I guess that most of you know WEP, WPA and WPA2 networks; those are the most familiar encryption types. So, these kinds of networks protect data only after the association has been established. Management frames are clear text. If I set my network card in promiscuous mode right now, I can read these messages in the air in clear text. And this is vulnerable to eavesdropping. As I said right now, I can easily read all these messages. Modification: I can change these messages, modify them and send them again. Or replay attacks: I can keep sending the same message that I'm reading in the air to mess with the communication.

Okay. Here is a very interesting attack we are able to do. Please note that we can do this attack without being in the network at all. We don't have to be connected to the network, and we can do Wi-Fi jamming. What is Wi-Fi jamming? Wi-Fi jamming means de-authing, de-authenticating the users in a network. So, there is a so-called de-auth frame. The de-auth frame is another management frame. We talked about probe request frames and beacon frames before. The de-auth frame is another management frame. So, we just said that management frames are transmitted unencrypted, so this is transmitted unencrypted in the air.
And this is sent when all communication is terminated. So, that's the way for a mobile device to say to an access point, for example, "Okay, I'm done. I don't want to be on this access point anymore. I don't want your Wi-Fi services." And this is also the way for an access point to say to all the clients, "Hey, clients, I want to reboot now. Bye-bye." But all these messages are not protected by cryptography. So, the access point, for example, cannot verify the sender of the message because of the lack of encryption. So, I can just send a message, broadcast a message in the air, and pretend I am whoever I want to be. What can I do then? I can kick out a client by crafting my own de-auth frames. I will send one de-auth frame from the access point to the client, pretending I am the access point, and I will say to the client, "Hey, de-authenticate yourself." I will send one de-authenticate frame from the client to the access point, pretending I am the client, and I will send it to the access point. And if I want to kick out everyone, only if I want to kick out everyone, I can send one from the access point to the broadcast address. I think most access points will ignore this though.
Most implementations will ignore the last one. But still, with only the first two messages, we can deauthenticate a client. And that's a big deal. You can easily deauthenticate everyone, kick out everyone from a Wi-Fi network. You don't need to be part of this network. So this is a big deal. Okay, those were the issues with the IEEE 802.11 specification. Let's see how the network manager deals with that.

So, ESSID probing. Modern operating systems, and specifically modern network managers, will probe for every ESSID they have associated with in the past. That's scary. I mean, let's say one of you here was on Santorini island in Greece and he went to a restaurant. Okay? And he wanted to check his email. So, he connected to the Wi-Fi network there called Santorini restaurant Wi-Fi. If he's here right now, and if he turns on the Wi-Fi feature, then his mobile device will send a probe request frame in the air asking if this Santorini restaurant Wi-Fi is available. Even if he visited Santorini two years ago. So, another example. Let's say I really like a girl in Greece. So, I can go outside her house, wait for her to turn on her Wi-Fi feature, set my card to promiscuous mode, listen to her probe request frames, and I can know all of the Wi-Fi networks that she has been connected to. For example, I can know all the restaurants that she has been to. I can bring topics to the table next time I see her, and stuff like that. So, yes, this is an information leak. This is a serious information leak. If you care about privacy, you don't want your device broadcasting this stuff. And of course, because this is a probe request frame, a management frame, this is unencrypted.

Another thing. It's not only that your device will just keep sending probe request frames, but if it encounters a network with the specific name that it is looking for, it will connect to it without any warning. For example, back to the previous example with Santorini: if I set up a wireless network with ESSID Santorini restaurant Wi-Fi, the guy who went to Santorini will auto-connect to my network without even knowing. Okay? He will just see the usual message box, connected to that Wi-Fi network. But he may not see it, because he has his Wi-Fi feature on but left his device in his pocket. So, he may not realize it at all. And this flag, the auto-connect flag, is enabled by default on Ubuntu 06 and Windows Vista, Windows 7. So, this is a typical usability versus security case. We all know that usability and security can't go well together. So, you see that network managers prefer usability over security.

Now, I can explain to you the evil twin attack. In the evil twin attack, we spawn two processes. The one process will keep crafting deauthenticate packets to disrupt existing connections. That's the jamming thing that we explained earlier. So, we will just kick out people from the Wi-Fi network that we are targeting. Okay? When we are doing an evil twin attack, we are targeting a specific network. So, we start by crafting deauthenticate packets and kicking people out of the network. The second process will create a fake access point with the same ESSID as the one we target. What will happen? People will get deauthenticated, will get kicked out from the network, and they will connect to the fake access point. It depends. We'll see. It depends on many things though. But that's the main idea: for the attacker to have the victims connected to his network. Here is an image of the attack. The attacker is bottom left here. So, you see he's deauthenticating the victim. He's telling the access point to deauthenticate the victim. Okay, for this to be entirely correct, as we explained earlier, we are also sending a deauthenticate message to the victim from the access point, but we are not showing that here, although we are doing it. And we are creating a fake access point with the same ESSID as the target access point. So, the victim will connect to us after it gets kicked out from the legit network.

Okay. How does this attack work against open networks? If I perform this attack against an open network, all clients will just connect to the fake access point. Simple as that. If I perform this attack, everyone will get disconnected from the legit network and will connect to my fake one. So, someone might say, "Yeah, what's the big deal? Why would I want to target an open network?" It is a big deal because there are open networks that work using captive portals. Do you know what a captive portal is? A captive portal is, whenever you are in the airport, for example, or in a hotel, when you connect to a free Wi-Fi network, to an open network, sorry, and then you get displayed an HTML page, a web page, where you need to type credentials, for example. So, this is a very typical case against captive portals.

What will happen if we use evil twin against an encrypted network? You see, the attacker cannot create an encrypted network as well. It cannot be encrypted as well, because the attacker doesn't know the pre-shared key. Doesn't know the password. So, what the attacker can do is create an open network instead. Okay? If he creates an encrypted network, what will happen is that the victim will get deauthenticated. It will try to connect to the fake one, but it will fail because the pre-shared key, the password, will be different. So, the attacker will create an open network instead. Most devices though will not know the difference in encryption and will not connect automatically to it. What will happen? On Ubuntu, for example, you will have to manually select it. You will get deauthenticated. This is the original access point, called BSides. You will get deauthenticated from this one. And you will see that another one called BSides exists, and it is open. And the victim will have to manually connect to the open network. The victim will do that as well, because he's getting deauthenticated and he will do everything to have his internet connection back. So, victims without IT knowledge will do this as well. So, this is the Android behavior. It's exactly the same. It requires a manual connection to the unencrypted network. You see, this is the original access point and this is the evil twin here. So, the victim again will keep getting deauthenticated. Okay, imagine he's playing Counter-Strike or a StarCraft game and he's getting deauthenticated all the time. He's getting annoyed. He really wants to connect to Facebook, for example. So, yes, he will connect to the open Wi-Fi and do everything there to get the internet back. So, what will Windows do? Windows will connect after providing a warning that the network has changed. So yes, Windows' behavior is the worst. And okay, that was the evil twin attack.

Now, we can talk about the Karma attack. In the Karma attack, the first step is exactly the same as the evil twin. We keep crafting deauthenticate packets and kicking out everyone from the target access point. This time, we also create a fake access point. But this time, this fake access point won't be modeled on the target; it will be based on the probe request frames. Reminder: probe request frames are the messages that the device is sending, asking about previous networks that it has been connected to. So, when an attacker performs a Karma attack, he will keep listening for probe request frames. When the attacker finds a probe request frame that is intended for an open network, he will create that open network and then deauthenticate the victim. So, what will happen? The victim will auto-reconnect to the open network. For example, what will the victim see on his device? He will see "deauthenticated from BSides network," for example, and then "connected to Santorini Wi-Fi network." But he may not see anything, because he may have left his device somewhere else and he's not touching it at the moment. So, victims will auto-reconnect without warning on every device. This happens on every device. But this attack is effective only if the victim has stored open networks. If the victim has not connected to an open network at all, this attack will fail. Okay?

Now, we talked about these two. Let's see which one is better. It really depends on the target. If we have to deal with open networks with no encryption, then the attacker should use the evil twin attack, because the victim will auto-reconnect to the evil twin.
But if we are talking about individuals that are connected to a protected network, Karma is probably better, only if they have stored open networks, because they might not have stored open networks. Okay? We can use both at the same time, but this may raise suspicion. For example, it's different to see your device getting deauthenticated and then connected to the same network. The victim will probably say, "Okay, probably the access point restarted or something like that." But it is different if he sees "deauthenticated from the current network" but "authenticated to a previous network" that he has connected to in the past. This will raise suspicion. So, against open networks, it's better for the attacker to use the evil twin attack. And another thing is that someone might use Karma for an individual, and then if Karma fails because the victim has not connected to an open network in the past, he can use evil twin. Okay.

Both of these attacks aim for the attacker to achieve a man-in-the-middle position. Man-in-the-middle position means that the attacker is in the middle of the communications. And there are a lot of things that the attacker can do from there. For example, he can do data sniffing. He can sniff for sensitive information like passwords or credit card numbers and stuff like that. He can also modify this data. The victim is connected to his network, so he can infect the victims with malware. And the last one is the phishing part. He can present fake pages and ask the user to provide credentials and stuff. I really like the last one, so that's why I created Wifiphisher.

Wifiphisher automates the process of evil twin. For now, only evil twin. And it also performs a phishing attack afterwards. So, I released the tool in January and it got a lot of attention. I mean, I checked it yesterday, and it has a daily number of 60 clones on GitHub, if I remember correctly. What I really like about this attack is that it requires no internet connection. You don't have to be connected to the victim's network, and you can still get man-in-the-middle and get credentials. Of course, it works on Kali Linux. There are people who have made it work on Ubuntu and Debian-based systems. It requires two wireless network adapters. The one network adapter will be responsible for the jamming part, for deauthenticating the users, and the other one will be for creating the evil twin. There are a lot of network adapters that work better for injection. I think Alfa cards are better for deauthenticating victims. But of course, the stronger the signal, the better the attack.

This is how the tool looks. You see, there are three sections. The first one is about the jamming, the first process. You can see that we are targeting a network with ESSID Airson that is on channel 9. And you see pairs of MAC addresses. That means this is the communication between the access point, this is the MAC address of the access point, and a client. That can be a mobile device, whatever. So, we are deauthenticating the access point and these two devices. And that means that we are also trying to deauthenticate by sending the deauthenticate frames to the broadcast address as well. So, this is the first section, about the jamming. The second section is about DHCP leases. Wifiphisher will employ a DHCP server. This is necessary, because when we have our fake evil twin network up, we need to provide IP addresses, so we need a DHCP server. So, that entry here means that someone connected to our fake network. He got that address. That's the host name, so it's probably an Android device. And the final section is about the HTTP requests that are happening. So, Wifiphisher will also employ an HTTP server so it can present to the victim the fake pages, the phishing pages. So, that means that the victim got offered a phishing page, a GET request. And the second one means that the victim got tricked and provided credentials, and sent the credentials in a POST request to us, to the attacker. Okay? In this specific example, Wifiphisher was able to obtain a WPA password. It used a template for the router configuration that we'll see shortly and got the WPA password.

So, Wifiphisher comes with a set of community-built templates for various scenarios. What made me happy when I released the tool was the fact that a lot of people came in and were like, "Hey, why don't you use this template of mine I just wrote?" And so, we have a list of templates and more to come. And the templates differ for the scenario we want to provide. So, there are the router configuration pages that actually fake a firmware upgrade, and this is for obtaining WPA or WPA2 passwords. There are the third-party login pages, for example similar to Facebook or Twitter or LinkedIn or whatever. And there are the captive portals, of course, that are being used by hotels or airports. So, whenever you run Wifiphisher, you can select what scenario you are running and which template you may use. So, this is an example of a router phishing page. This is the minimal template that is asking the user to provide his WPA password in order to perform a firmware upgrade.
Okay, we can't really use the actual phishing pages. For example, I could provide a Cisco page, but we can't do that due to copyright reasons, so we try to provide our own custom router phishing pages that look as similar as possible. So, another nice feature. Beacon frames are a management frame from the access point. As I said earlier, it's the way for an access point to say, "Hey, I'm the access point with the ESSID mumble and I'm here." So, beacon frames include the ESSID of the network, but also include the MAC address of the network. So, it is possible, since this is a management frame and it's not cryptographically protected, that we can grab this message and we can then determine the router manufacturer, the vendor, by the MAC address. And if I know the vendor of the access point that I'm targeting, I can then customize the fake pages accordingly. So, I can make the phishing part more effective. For example, in this example, if I know that the vendor of the access point I'm targeting is Cisco, I can put a Cisco logo there or just write Cisco. And that will make the phishing part more effective.

So, what are the success factors for Wi-Fi phishing? First of all, the victim's network manager. Is it Windows? If it's Windows, as we saw earlier, it will just prompt a warning and it will connect to my network. The other thing is the effectiveness of jamming, and that has to do with the power of the wireless card that I'm using for the jamming. And of course, the distance to the target. The closer I am to the victims, the better the chances for the victim to get deauthenticated. And last but not least, the awareness of the victim. If the victim is an IT guy, he will know that he doesn't have to provide a WPA password to perform a firmware upgrade. Okay? But most people will do anything to get their Wi-Fi online again.

Some technical details. Wifiphisher requires Python 2.7. It makes use of hostapd and dnsmasq for creating the fake evil twin. It also uses some other Linux utilities like iptables for port forwarding and stuff. It uses its own custom web server using SimpleHTTPServer, and it also has its own custom jamming method using Scapy. This was written by Dan McInerney. He's a very cool guy. You should check him out. He has written a lot of cool Python scripts. It's a very big deal that we have our own custom jamming method, because the other option would be to use Aircrack-ng, but Aircrack is a big dependency. And that would make a mess for us to make it work on operating systems other than Kali.

Future work. Right now, Wifiphisher has the evil twin attack, but we want to implement the Karma attack as well. Another cool feature would be to check if the captured credentials are valid. For example, if I'm trying to obtain a WPA password, I can check if this WPA password is correct. And only if it is correct will I stop the attack. Right now, the attack stops whenever the user provides credentials, and these credentials may be wrong. And of course, provide more phishing pages for different scenarios. So, Wifiphisher is open source. I can see your excitement, so you want to work on this. Of course, you are welcome to. If you want to contribute to an open source project, that's a very easy way to do it. You don't need to have a lot of knowledge in programming. So, if you know HTML or CSS, you can help us design phishing pages. If you do know Python, you can help us implement features or tackle bugs. So, yes, there's a page on GitHub, or feel free to contact me about helping us.

Similar tools. There is this tool called Linset that, to be honest, I didn't know the existence of when I started writing Wifiphisher. The reason is that this tool is written in Spanish, and all the release notes, all the comments are in Spanish, and actually it's not promoted enough, so it's not well known. This is a bash script by Seguridad Wireless. And it's performing an evil twin attack in order to obtain the WPA or WPA2 passphrase. So, it only has one template and one scenario: getting the WPA or WPA2 password. And a similar hardware tool is the Pineapple. This is a well-known tool. This comes with its own hardware, supported by Hak5.
And there are plugins called infusions with which you can customize your attack and make it more like evil twin, for example.

Now, what can we do to protect ourselves? Wireless intrusion detection and prevention systems. What an organization has to do is to put sensors everywhere in the area, and these sensors will scan all the spectrum and send the data to a server for analysis. And the server will then be able to determine if an attack is going on or not. It will do that by comparing the MAC addresses. You see, yes, an attacker can spoof the MAC address, but this is not a choice for the attacker, because if the attacker spoofs his MAC address to the same one as the victim's, then whenever the attacker tries to deauthenticate users, he will deauthenticate himself as well. So yes, most common detection and prevention systems in wireless are doing a MAC address comparison. And of course, then the system will provide specific information to the responsible staff.

Another thing is 802.1X port access control. So, this provides mutual authentication for the station and the access point. That means that the station will authenticate the access point, but the access point will also authenticate all its clients. So, what happens there is that the client provides credentials, which could be a username and password, and then the server will compare the credentials. For example, it will check if the credentials are valid against an LDAP server or something like that. Or the client can provide a certificate. More secure. On the other hand, it is recommended to use EAP-TLS or PEAP to validate the server signature. The client may have stored a CA certificate somewhere, so it can verify the server signature. So, the client will actually authenticate the server, and the server authenticates the access point. It's like a web of trust. Last but not least, employees need to have a solid understanding of phishing attacks. Okay? And that needs training. Employees need to be trained on this kind of attack.

Conclusions. We saw how the 802.11 specification leaves a lot of room for different standard behavior, and network managers will prefer usability over security all the time. And we can be sure that Karma and evil twin will be with us for a lot of time. That's all from me. Any questions?
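As an added defender-side illustration of the MAC-address comparison that the wireless IDS countermeasure in the talk relies on (example code written for this page, not Wifiphisher's code nor any WIDS product's), this Python script flags the two signals the talk describes from constructed management-frame metadata: a beacon advertising a managed ESSID from an unknown BSSID, including the downgrade to an open network that an evil twin of a WPA network has to show, and a stream of deauthentication frames claiming one source address. The inventory, frame records, addresses and thresholds are all assumptions; capturing frames is out of scope.

```python
# Added example (not Wifiphisher's or any WIDS product's code): flag evil-twin
# beacons and deauth floods from captured 802.11 management-frame metadata.
# Frame records are plain dicts as a sniffer might emit; capture itself is out
# of scope. All addresses, ESSIDs and thresholds below are constructed.
from collections import defaultdict

# Assumed inventory of the network we defend: ESSID -> legitimate BSSIDs and
# whether the network is supposed to be encrypted (WPA/WPA2).
AUTHORIZED = {
    "BSides": {"bssids": {"00:11:22:33:44:55"}, "encrypted": True},
}


def find_evil_twins(frames, authorized=AUTHORIZED):
    """Report beacons that advertise a managed ESSID from a BSSID not in the
    inventory. An attacker without the pre-shared key has to run the twin as
    an open network, so a beacon without the privacy bit for an encrypted
    ESSID is also recorded as a downgrade."""
    findings, seen = [], set()
    for f in frames:
        if f["type"] != "beacon":
            continue
        policy = authorized.get(f["essid"])
        if policy is None or f["bssid"] in policy["bssids"]:
            continue  # unmanaged ESSID, or one of our own access points
        key = (f["essid"], f["bssid"])
        if key in seen:
            continue  # report each rogue BSSID once
        seen.add(key)
        findings.append({
            "essid": f["essid"],
            "rogue_bssid": f["bssid"],
            "downgrade_to_open": policy["encrypted"] and not f["privacy"],
        })
    return findings


def find_deauth_floods(frames, window_s=1.0, threshold=5):
    """Return {claimed source address: peak count} for every address that
    emits at least `threshold` deauth frames inside any `window_s` window.
    A rebooting access point sends a handful; a jammer sends a stream."""
    by_src = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth":
            by_src[f["src"]].append(f["ts"])
    floods = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over timestamps
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[src] = peak
    return floods


# Constructed capture: our own AP's beacons, a rogue open AP using the same
# ESSID, a deauth stream spoofing our AP's address, one unmanaged cafe AP,
# and one ordinary client-initiated deauth that must not trip the flood rule.
SAMPLE = (
    [{"type": "beacon", "ts": 0.1 * i, "essid": "BSides",
      "bssid": "00:11:22:33:44:55", "privacy": True} for i in range(3)]
    + [{"type": "beacon", "ts": 0.5 + 0.1 * i, "essid": "BSides",
        "bssid": "AA:BB:CC:DD:EE:FF", "privacy": False} for i in range(2)]
    + [{"type": "beacon", "ts": 0.7, "essid": "Cafe",
        "bssid": "DE:AD:BE:EF:00:01", "privacy": False}]
    + [{"type": "deauth", "ts": 1.0 + 0.1 * i, "src": "00:11:22:33:44:55",
        "dst": "FF:FF:FF:FF:FF:FF"} for i in range(10)]
    + [{"type": "deauth", "ts": 3.0, "src": "66:77:88:99:AA:BB",
        "dst": "00:11:22:33:44:55"}]
)

if __name__ == "__main__":
    for finding in find_evil_twins(SAMPLE):
        print("evil twin:", finding)
    for src, count in find_deauth_floods(SAMPLE).items():
        print("deauth flood claiming %s: %d frames in one second" % (src, count))
```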