Ft. Smith 2600

Ft. Smith 2600. Evil Twin Access Points: For fun but no profit


Page 1: Ft. Smith 2600. Evil Twin Access Points: For fun but no profit

Ft. Smith 2600

Page 2

Evil Twin Access Points:

For fun but no profit

Page 3

What is it?

An “Evil Twin” access point is a rogue access point* set up intentionally to trick users into connecting to it rather than to the legitimate access point.

Page 4

* Rogue Access Point Definition

Rogue access point (RAP) - an unauthorized access point. Not every RAP is set up by someone with ill intent.

ex: A RAP may be an employee who has set up a Linksys router in his/her cubicle without permission and without enabling proper encryption. By doing this he/she may have bypassed all of the company’s security policies and may be broadcasting the company’s confidential data in clear text for anyone to see.

Page 5

Why does it work?

Primarily because many end users (CEOs, employees, home users, etc.) don’t think that they may be a target.

Page 6

Who is vulnerable?

Too many home users
Many small businesses
Quite a few bigger institutions (schools and corporate entities)

Page 7

Vulnerable hardware

Gray area: remember, you’re primarily tricking users, not the access points, but you may have to take the AP out in order to do so.

Page 8

How does it work?

Macs and PCs both automatically scan for preferred networks on startup. Some user-friendly Linux distros do this too! When a client probes for its preferred networks, it sends the AP MAC address as part of the probe packet. In comes Hotspotter or Karma!

Page 9

How can I make it work?

There are several ways to go about it:

Walled Garden type (fake hotspot pages like T-Mobile, Starbucks, McDonald’s, etc.)
Flooding with fake SSIDs to confuse the user and have them connect to one of the many SSIDs that route back to you
Completely knocking their access point out by an association flood (or other method), and sliding in yours

Page 10

Tools

Auditor – bootable Linux distro for pen testing
Void11 – Mainly used for de-auth attacks and to generate traffic (Prism II chipset only)
Airsnarf – My fav tool for Walled Garden type attacks (they say you can use an Atheros chipset but I can’t)
Hotspotter or Karma – common tools for forging SSIDs

Page 11

Scenario 1

You are in a coffee shop in a major metropolitan area (New York City, for example) with paid, monitored, or even encrypted WiFi. Many users have laptops, PDAs, etc.
Perform a de-authentication attack to force everyone off of their network, or an association flood to crash the router.
Slip your evil twin in the mix with an SSID like “$.99Wifi”, “Un-monitored Wifi”, or even the same SSID as the encrypted WiFi, just not encrypted.
Make sure you’re running dhcpd to assign IP addresses automatically.
Hopefully, people will try to reconnect, see that your access point is cheaper, un-monitored, or not encrypted, and connect to it instead.
Have a convincing “Walled Garden” type login page.

Page 12

Scenario 1 (cont.)

In this scenario the attacker can collect a variety of data:
Legitimate credentials (used to log in to the AP later)
Credit card numbers for “$.99wifi”
Since the users are on your network, browse any shares they may have. You may get private corporate data from the business man in the corner.
People’s names and addresses

Page 13

Scenario 2

You’re on a flight to L.A. Again, business men are working on their notebooks. Since XP and Macs (and Linux too!) are so friendly, they will announce their presence and look for preferred networks.
Run Karma or Hotspotter to fake them out.

Page 14

Scenario 2 (cont.)

Use nmap to scan the host (with p0f OS detection) and use -sV for services and versions.
Fire up Metasploit and drop a reverse shell (provided they were running vulnerable services, of course).
The system is backdoored. Now you can drop a rootkit and have it scan its entire netmask when it gets back and have it email it to you … or something.

(/)\/\/N3[) !!!1!s

Page 15

Oops. My bad.

I meant to have a live demo of one of these attacks but I got too busy and didn’t get it together in time. Maybe next time.

Page 16

Conclusion

The world is a dangerous place.
An informed user may or may not be a safe user.
Only try this at home. Be good, pass it on.

Page 17

Credits/Props

Simple Nomad – Hacking the Friendly Skies (great read)
The Shmoo Group @ shmoo.com (airsnarf)
Remote-exploit.org (auditor and backtrack)
KoreK (chop-chop attack on WEP and cool ass name)
Fresh BeanZ (venue for this talk and meetings)
2600.com (the original hacker panel)

Page 18

Counter Measures

Kismet set to filter out known SSIDs; for Windows, Netstumbler can do that too
Airsnare for Windows
Snort for Linux
Document all of your wireless access points
The normal stuff (use WPA, change the key at regular intervals, etc.)
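The two countermeasures that matter most here, documenting your access points and filtering known SSIDs, combine into a simple check: compare what a scanner sees against the documented inventory and flag anything wearing an authorized SSID from an unknown BSSID, an authorized AP that suddenly looks open, or a lookalike name. The script below is an added illustration, not part of the talk or any of the tools it names; the inventory, the scan rows and the BSSIDs are constructed sample data, and the row format (ssid, bssid, security) is an assumption standing in for a Kismet or Netstumbler export.

```python
"""Flag evil-twin candidates by comparing a wireless scan with an AP inventory.

Hypothetical defender-side helper (added example, not from the original talk).
Each observed network is a constructed tuple: (ssid, bssid, security).
"""

# Constructed inventory: the output of "document all of your access points".
AUTHORIZED = {
    "CoffeeShop-Secure": {"bssid": {"00:11:22:33:44:55"}, "security": "WPA2"},
    "Corp-Office": {"bssid": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"},
                    "security": "WPA2"},
}


def normalize(ssid):
    """Collapse case, spacing and punctuation so lookalike names compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def find_rogues(observed, authorized=AUTHORIZED):
    """Return (reason, ssid, bssid) for every observed network that is not
    an exact match for an authorized AP. Unrelated SSIDs are ignored."""
    by_norm = {normalize(s): s for s in authorized}
    findings = []
    for ssid, bssid, security in observed:
        bssid = bssid.lower()
        if ssid in authorized:
            entry = authorized[ssid]
            if bssid not in entry["bssid"]:
                # Same SSID as the real network, but from hardware we never documented.
                findings.append(("unknown BSSID uses authorized SSID", ssid, bssid))
            elif security != entry["security"]:
                # Documented BSSID, but advertised as open instead of WPA: spoofed or misconfigured.
                findings.append(("authorized AP with wrong security", ssid, bssid))
            continue
        real = by_norm.get(normalize(ssid))
        if real is not None:
            findings.append((f"lookalike of {real}", ssid, bssid))
    return findings


SCAN = [  # constructed sample scan
    ("CoffeeShop-Secure", "00:11:22:33:44:55", "WPA2"),  # the real AP
    ("CoffeeShop-Secure", "de:ad:be:ef:00:01", "OPEN"),  # same SSID, open, unknown BSSID
    ("coffeeshop secure", "de:ad:be:ef:00:02", "OPEN"),  # lookalike name
    ("Corp-Office", "aa:bb:cc:dd:ee:02", "OPEN"),         # documented BSSID, wrong security
    ("RandomNeighbor", "12:34:56:78:9a:bc", "WPA2"),      # unrelated, ignored
]

if __name__ == "__main__":
    for reason, ssid, bssid in find_rogues(SCAN):
        print(f"{reason}: {ssid!r} from {bssid}")
```

The inventory check catches the "same SSID, just not encrypted" twin from Scenario 1 regardless of how convincing its login page is, because the decision is made on BSSID and security type rather than on the name the user sees.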