SlideShare ist ein Scribd-Unternehmen logo

Wi-Fi Hotspot Attacks

Greg Foss
Greg Foss

Wireless technology is inherently insecure in general, however this presentation details some unconventional attacks that have been around for years but are still incredibly effective. Discussing the basics of AP cloning, abusing captive portals, and more.

Technologie
1 von 73
Downloaden Sie, um offline zu lesen
Wi-Fi Hacking for Web Pentesters Greg Foss Sr. Security Research Engineer @heinzarelli
Greg Foss Sr. Security Research Engineer OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT # whoami
*I am not liable for what you do with any of this information* Section 638:17 House Bill 495 - US rules against wireless hacking http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States
DISCLAIMER Not a ‘Wi-Fi Security Expert’ nor a Lawyer Just about everything I’m going to demonstrate is probably illegal, don’t do any of this against unauthorized targets…
Not Discussing Wi-Fi Security Basics • 802.11 • WEP Cracking - ridiculously easy, google it • WPA / WPA2 Attacks - Reaver • WPS Attacks - Reaver • PEAP, LEAP, etc. - Out of Scope
Agenda…
it’s everywhere… enough free WiFi that it’s almost not worth the time it takes to infiltrate unless free internet’s not the goal…
Bypassing is easy… • Sometimes Tor or a VPN will simply be allowed through the captive portal, no joke • Try appending ?.jpg or ?.png to the URL • Look for Open Redirect flaws, iFrames, etc. • Tunnel out over DNS! • Same tricks work if your ISP suspends your internet access, depending on the ISP of course…
Bypassing is easy… • On time-limited access points, just change your MAC when the time runs out. Or sniff MACs and ride on another’s paid access. • De-auth existing clients and/or DoS access points: • Aireplay-ng or Airdrop • http://www.aircrack-ng.org/ • MDK3 • https://forums.kali.org/showthread.php?19498- MDK3-Secret-Destruction-Mode
Bypassing is easy… • Sniff MAC Addresses and wait for a user to go idle, then modify your MAC and IP to match • Works on just about any open access point, especially captive portals • CPSCAM by Josh Wright will do this for you: • http://www.willhackforsushi.com/code/ cpscam.pl
Hijacking is also easy…
The Evil Twin… source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
How to clone and weaponize captive portals 1. Connect to the access point and wait for the splash page to pop- up. 2. Close the splash page, and open your browser. Visit any random web page (http normally works better than https). 3. When the splash page comes up, save the entire landing page. Use the splash page and save additional pages as necessary. 4. Change the UA string and grab the mobile version as well if it exists. 5. Replace the form processor to write a log file and pass the client through to a legitimate landing page. 6. Modify the page HTML to point to your form processor and modify parameters as necessary. 7. Deploy the captive portal (will discuss this shortly) 8. Use IPTables to allow the victim’s MAC through to the internet using the form processor.
Mobile Cloning
Mobile Cloning • HTTrack: http://www.httrack.com/
Mobile Cloning • VT View Source:
 
 https://play.google.com/ store/apps/details? id=com.tozalakyan.view source&hl=en
How to Deauthenticate Clients and DoS Access Points • Aireplay-ng using the —deauth flag • file2air - deauth packet injection flood tool by Josh Wright • http://www.willhackforsushi.com/code/file2air/1.1/ file2air-1.1.tgz • Spoof AP MAC, send deauth requests to clients • Target a single user, all users, or AP itself • MDK3 Deauth Amok Mode to take out all WPA AP’s
How to Deauthenticate Clients and DoS Access Points source: https://github.com/sophron/wifiphisher
How to Deauthenticate Clients and DoS Access Points https://github.com/sophron/wifiphisher
source: https://www.isecpartners.com/blog/2013/july/man-in-the-middling-non-proxy-aware-wi-fi-devices-with-a-pineapple.aspx
Wi-Fi Pineapple https://wifipineapple.com/
Generic Splash Page Pineapple Configuration /etc/nodogsplash/htdocs/splash.html
Landing Page Pineapple Configuration - JavaScript Necessities /www/[directory]/index.html
PHP Form Processor Pineapple Configuration Easier than using IPTables /www/[directory]/auth/login.php
A word of caution w/ the Pineapple…
A word of caution w/ the Pineapple…
Existing Router Ideally one supporting guest mode…
DDWRT • Flash with DDWRT, then you can use NocatSplash to configure a captive portal. • Many other ways to go about this… DDWRT is just one of the easier options. • http://www.dd-wrt.com/site/index • http://sourceforge.net/projects/ nocatsplash/
Laptop Hotspot and/or Proxy
• Kali Linux • http://www.kali.org/ • Can do just about anything to connecting clients • Unlimited attack potential and plenty of drive space to build elaborate landing pages and believable scenarios Laptop Hotspot and/or Proxy
• Makes hacking Wi-Fi even easier! • https://github.com/SilverFoxx/PwnSTAR PwnStar - By SilverFoxx
Demo
Deploy Malware
Combine Pineapple portability with the versatility of Kali Linux • http://www.offensive-security.com/kali- linux/kali-linux-evil-wireless-access-point/
BeagleBone Black + Alfa Wi-Fi Card http://beagleboard.org/black http://www.alfa.com.tw/
BeagleBone AP Deployment Options get creative…
Going Mobile! • Nexus Device with Kali NetHunter • https://www.kali.org/kali-linux-nethunter/ • Pwnie Express Pwn Phone/Pad • https://www.pwnieexpress.com/product/ pwn-phone2014/
Going Mobile!
Going Mobile!
MITM Basic Tools • AirSSL • AirJack • Airsnarf • Dsniff • Cain • void11 • Ferret • SSLStrip • Wireshark • AirPwn • Ettercap • Etc…
You don’t even need to authenticate to attack clients
Fun with MITM • Snapception - https://github.com/thebradbain/ snapception • Love Thy Neighbors - http:// neighbor.willhackforsushi.com/ • AirPWN - http://airpwn.sourceforge.net/ Airpwn.html • Intercepter-NG - http://intercepter.nerf.ru/ • Many, many more…
Demo
Client Defense… • Always use a VPN/VPS/SSH Port Forwarding/ etc. when connected to an open access point. • Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’. • Hotspot not served up over HTTPS and other generally suspicious behavior. • Beware duplicate networks with different encryption.
Client Defense… • Use different login details and passwords for public wifi. Test false-credentials first, if it lets you through it’s not legit. • Turn off Wi-Fi on devices when traveling. • Exercise caution when connections suddenly drop, especially if it happens for everyone on the network. • If it just ‘doesn’t feel right’ then trust your instincts…
Resources • http://www.willhackforsushi.com/code/cpscam.pl • http://neighbor.willhackforsushi.com/ • http://www.aircrack-ng.org/ • http://www.dd-wrt.com/ • https://github.com/SilverFoxx/PwnSTAR • http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/ • http://beagleboard.org/black • http://www.armhf.com/boards/beaglebone-black/bbb-sd-install/ • http://grinninggecko.com/2013/09/13/kali-linux-on-headless-beaglebone-black-via- os-x/ • https://github.com/thebradbain/snapception • http://airpwn.sourceforge.net/Airpwn.html • http://intercepter.nerf.ru/
Thank You! Questions? https://github.com/gfoss/misc/Wireless/Captive-Portals/ Greg Foss
 Senior Security Research Engineer
 greg.foss[at]LogRhythm.com
 @heinzarelli

Empfohlen

Spoofing Techniques
Spoofing TechniquesSpoofing Techniques
Spoofing TechniquesRaza_Abidi
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Hacking
HackingHacking
HackingPaidi Dinesh
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Melissa Virus
Melissa VirusMelissa Virus
Melissa VirusCpavtsJoshA
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Database forensics
Database forensicsDatabase forensics
Database forensicsDenys A. Flores, PhD
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 

Empfohlen

Spoofing Techniques
Spoofing TechniquesSpoofing Techniques
Spoofing TechniquesRaza_Abidi
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Hacking
HackingHacking
HackingPaidi Dinesh
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Melissa Virus
Melissa VirusMelissa Virus
Melissa VirusCpavtsJoshA
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Database forensics
Database forensicsDatabase forensics
Database forensicsDenys A. Flores, PhD
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
mobile application security
mobile application securitymobile application security
mobile application security-jyothish kumar sirigidi
 
Malware forensics
Malware forensicsMalware forensics
Malware forensicsSameera Amjad
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application SecurityMarketingArrowECS_CZ
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2Manu Mathew Cherian
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics OverviewYansi Keim
 
Email Forensics
Email ForensicsEmail Forensics
Email ForensicsGol D Roger
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxBhupeshkumar Nanhe
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
Incident response process
Incident response processIncident response process
Incident response processBhupeshkumar Nanhe
 
Network forensic
Network forensicNetwork forensic
Network forensicManjushree Mashal
 
Foundation of Digital Forensics
Foundation of Digital ForensicsFoundation of Digital Forensics
Foundation of Digital ForensicsVictor C. Sovichea
 
Mobile device privacy and security
Mobile device privacy and securityMobile device privacy and security
Mobile device privacy and securityImran Khan
 
E mail forensics
E mail forensicsE mail forensics
E mail forensicssaddamhusain hadimani
 
A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital ForensicsManik Bhola
 
iOS Forensics
iOS Forensics iOS Forensics
iOS Forensics Tjylen Veselyj
 
WiFi Pineapple - Alex R
WiFi Pineapple - Alex RWiFi Pineapple - Alex R
WiFi Pineapple - Alex RAlexander Rippee
 
Easy Tutorial Step-by-Step How to use Airolib-ng
Easy Tutorial Step-by-Step How to use Airolib-ngEasy Tutorial Step-by-Step How to use Airolib-ng
Easy Tutorial Step-by-Step How to use Airolib-ngTisya Ka
 

Weitere ähnliche Inhalte

Was ist angesagt?

Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics OverviewYansi Keim
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxBhupeshkumar Nanhe
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
Foundation of Digital Forensics
Foundation of Digital ForensicsFoundation of Digital Forensics
Foundation of Digital ForensicsVictor C. Sovichea
 
Mobile device privacy and security
Mobile device privacy and securityMobile device privacy and security
Mobile device privacy and securityImran Khan
 
A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital ForensicsManik Bhola
 

Was ist angesagt? (20)

mobile application security
mobile application securitymobile application security
mobile application security
 
Malware forensics
Malware forensicsMalware forensics
Malware forensics
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
F5 Web Application Security
F5 Web Application SecurityF5 Web Application Security
F5 Web Application Security
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
L6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptxL6 Digital Forensic Investigation Tools.pptx
L6 Digital Forensic Investigation Tools.pptx
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic tools
 
Incident response process
Incident response processIncident response process
Incident response process
 
Network forensic
Network forensicNetwork forensic
Network forensic
 
Foundation of Digital Forensics
Foundation of Digital ForensicsFoundation of Digital Forensics
Foundation of Digital Forensics
 
Mobile device privacy and security
Mobile device privacy and securityMobile device privacy and security
Mobile device privacy and security
 
E mail forensics
E mail forensicsE mail forensics
E mail forensics
 
A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital Forensics
 
iOS Forensics
iOS Forensics iOS Forensics
iOS Forensics
 

Andere mochten auch

Easy Tutorial Step-by-Step How to use Airolib-ng
Easy Tutorial Step-by-Step How to use Airolib-ngEasy Tutorial Step-by-Step How to use Airolib-ng
Easy Tutorial Step-by-Step How to use Airolib-ngTisya Ka
 
Activated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataActivated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataGreg Foss
 
Caffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In ToorconCaffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In ToorconMd Sohail Ahmad
 
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...The Hacker News
 
Wireless router
Wireless routerWireless router
Wireless routerroza921
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of DreamsGreg Foss
 
SecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingSecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingGreg Foss
 
Setting hotspot-web-proxy-mikrotik
Setting hotspot-web-proxy-mikrotikSetting hotspot-web-proxy-mikrotik
Setting hotspot-web-proxy-mikrotikwayan abyong
 
Configuring linksys wireless router
Configuring linksys wireless routerConfiguring linksys wireless router
Configuring linksys wireless routeranku3
 
DerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseDerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseGreg Foss
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Greg Foss
 
Metasploit-TOI-Ebryx-PVT-Ltd
Metasploit-TOI-Ebryx-PVT-LtdMetasploit-TOI-Ebryx-PVT-Ltd
Metasploit-TOI-Ebryx-PVT-LtdAli Hussain
 
Informationssicherheit im Übersetzungsprozess
Informationssicherheit im ÜbersetzungsprozessInformationssicherheit im Übersetzungsprozess
Informationssicherheit im ÜbersetzungsprozessHans Pich
 
Static PIE, How and Why - Metasploit's new POSIX payload: Mettle
Static PIE, How and Why - Metasploit's new POSIX payload: MettleStatic PIE, How and Why - Metasploit's new POSIX payload: Mettle
Static PIE, How and Why - Metasploit's new POSIX payload: MettleBrent Cook
 

Andere mochten auch (20)

WiFi Pineapple - Alex R
WiFi Pineapple - Alex RWiFi Pineapple - Alex R
WiFi Pineapple - Alex R
 
Easy Tutorial Step-by-Step How to use Airolib-ng
Easy Tutorial Step-by-Step How to use Airolib-ngEasy Tutorial Step-by-Step How to use Airolib-ng
Easy Tutorial Step-by-Step How to use Airolib-ng
 
Activated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataActivated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint Data
 
Caffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In ToorconCaffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In Toorcon
 
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
 
Wireless router
Wireless routerWireless router
Wireless router
 
Threat Intelligence Field of Dreams
Threat Intelligence Field of DreamsThreat Intelligence Field of Dreams
Threat Intelligence Field of Dreams
 
SecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture TrainingSecureSet WarGames - Logging and Packet Capture Training
SecureSet WarGames - Logging and Packet Capture Training
 
Setting hotspot-web-proxy-mikrotik
Setting hotspot-web-proxy-mikrotikSetting hotspot-web-proxy-mikrotik
Setting hotspot-web-proxy-mikrotik
 
Configuring linksys wireless router
Configuring linksys wireless routerConfiguring linksys wireless router
Configuring linksys wireless router
 
DerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven DefenseDerbyCon 5 - Tactical Diversion-Driven Defense
DerbyCon 5 - Tactical Diversion-Driven Defense
 
Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016Deception Driven Defense - Infragard 2016
Deception Driven Defense - Infragard 2016
 
Wireless Cracking using Kali
Wireless Cracking using KaliWireless Cracking using Kali
Wireless Cracking using Kali
 
Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte Attack
 
Metasploit-TOI-Ebryx-PVT-Ltd
Metasploit-TOI-Ebryx-PVT-LtdMetasploit-TOI-Ebryx-PVT-Ltd
Metasploit-TOI-Ebryx-PVT-Ltd
 
Penetration test
Penetration testPenetration test
Penetration test
 
Informationssicherheit im Übersetzungsprozess
Informationssicherheit im ÜbersetzungsprozessInformationssicherheit im Übersetzungsprozess
Informationssicherheit im Übersetzungsprozess
 
Tranning-2
Tranning-2Tranning-2
Tranning-2
 
Static PIE, How and Why - Metasploit's new POSIX payload: Mettle
Static PIE, How and Why - Metasploit's new POSIX payload: MettleStatic PIE, How and Why - Metasploit's new POSIX payload: Mettle
Static PIE, How and Why - Metasploit's new POSIX payload: Mettle
 
Webinar Metasploit Framework - Academia Clavis
Webinar Metasploit Framework - Academia ClavisWebinar Metasploit Framework - Academia Clavis
Webinar Metasploit Framework - Academia Clavis
 

Ähnlich wie Wi-Fi Hotspot Attacks

Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and VarlinkJeremy Brown
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Mohammed Adam
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
Using Blockchain to Increase Supply Chain Transparency
Using Blockchain to Increase Supply Chain TransparencyUsing Blockchain to Increase Supply Chain Transparency
Using Blockchain to Increase Supply Chain TransparencyHorea Porutiu
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active DefenseGreg Foss
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team ApocalypseBeau Bullock
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror StoriesEC-Council
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...EC-Council
 
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project MNCERT
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedfangjiafu
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security PracticeBrian Pichman
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014Brian Knopf
 
Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)Stephen Abram
 
Hyperleger Fabric Workshop - Denver Blockchain Week
Hyperleger Fabric Workshop - Denver Blockchain WeekHyperleger Fabric Workshop - Denver Blockchain Week
Hyperleger Fabric Workshop - Denver Blockchain WeekHorea Porutiu
 

Ähnlich wie Wi-Fi Hotspot Attacks (20)

Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and Varlink
 
What is being exposed from IoT Devices
What is being exposed from IoT DevicesWhat is being exposed from IoT Devices
What is being exposed from IoT Devices
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
Using Blockchain to Increase Supply Chain Transparency
Using Blockchain to Increase Supply Chain TransparencyUsing Blockchain to Increase Supply Chain Transparency
Using Blockchain to Increase Supply Chain Transparency
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active Defense
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Encode polkadot club
Encode polkadot club Encode polkadot club
Encode polkadot club
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team Apocalypse
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror Stories
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project MNSEC 2018 - Observations from the APNIC Community Honeynet Project
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
Personal Internet Security Practice
Personal Internet Security PracticePersonal Internet Security Practice
Personal Internet Security Practice
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
 
Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)Pichman privacy, the dark web, & hacker devices i school (1)
Pichman privacy, the dark web, & hacker devices i school (1)
 
Hyperleger Fabric Workshop - Denver Blockchain Week
Hyperleger Fabric Workshop - Denver Blockchain WeekHyperleger Fabric Workshop - Denver Blockchain Week
Hyperleger Fabric Workshop - Denver Blockchain Week
 

Mehr von Greg Foss

Cloud Crime Ops
Cloud Crime OpsCloud Crime Ops
Cloud Crime OpsGreg Foss
 
Future of Destructive Malware
Future of Destructive MalwareFuture of Destructive Malware
Future of Destructive MalwareGreg Foss
 
Crypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto FarmerCrypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto FarmerGreg Foss
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018Greg Foss
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Greg Foss
 
Security Automation and Orchestration
Security Automation and OrchestrationSecurity Automation and Orchestration
Security Automation and OrchestrationGreg Foss
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 

Mehr von Greg Foss (9)

Cloud Crime Ops
Cloud Crime OpsCloud Crime Ops
Cloud Crime Ops
 
Future of Destructive Malware
Future of Destructive MalwareFuture of Destructive Malware
Future of Destructive Malware
 
Crypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto FarmerCrypto Hacks - Quit your Job and Become a Crypto Farmer
Crypto Hacks - Quit your Job and Become a Crypto Farmer
 
PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018PIE - BSides Vancouver 2018
PIE - BSides Vancouver 2018
 
Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17Phishing Intelligence Engine - BlueHat v17
Phishing Intelligence Engine - BlueHat v17
 
Security Automation and Orchestration
Security Automation and OrchestrationSecurity Automation and Orchestration
Security Automation and Orchestration
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking Drupal
 

Kürzlich hochgeladen

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 

Kürzlich hochgeladen (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

Wi-Fi Hotspot Attacks

  • 1. Wi-Fi Hacking for Web Pentesters Greg Foss Sr. Security Research Engineer @heinzarelli
  • 2. Greg Foss Sr. Security Research Engineer OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT # whoami
  • 3.
  • 4. *I am not liable for what you do with any of this information* Section 638:17 House Bill 495 - US rules against wireless hacking http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States
  • 5. DISCLAIMER Not a ‘Wi-Fi Security Expert’ nor a Lawyer Just about everything I’m going to demonstrate is probably illegal, don’t do any of this against unauthorized targets…
  • 6. Not Discussing Wi-Fi Security Basics • 802.11 • WEP Cracking - ridiculously easy, google it • WPA / WPA2 Attacks - Reaver • WPS Attacks - Reaver • PEAP, LEAP, etc. - Out of Scope
  • 8.
  • 9. it’s everywhere… enough free WiFi that it’s almost not worth the time it takes to infiltrate unless free internet’s not the goal…
  • 10. Bypassing is easy… • Sometimes Tor or a VPN will simply be allowed through the captive portal, no joke • Try appending ?.jpg or ?.png to the URL • Look for Open Redirect flaws, iFrames, etc. • Tunnel out over DNS! • Same tricks work if your ISP suspends your internet access, depending on the ISP of course…
  • 11. Bypassing is easy… • On time-limited access points, just change your MAC when the time runs out. Or sniff MACs and ride on another’s paid access. • De-auth existing clients and/or DoS access points: • Aireplay-ng or Airdrop • http://www.aircrack-ng.org/ • MDK3 • https://forums.kali.org/showthread.php?19498- MDK3-Secret-Destruction-Mode
  • 12. Bypassing is easy… • Sniff MAC Addresses and wait for a user to go idle, then modify your MAC and IP to match • Works on just about any open access point, especially captive portals • CPSCAM by Josh Wright will do this for you: • http://www.willhackforsushi.com/code/ cpscam.pl
  • 13. Hijacking is also easy…
  • 14.
  • 15.
  • 16. The Evil Twin… source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25. How to clone and weaponize captive portals 1. Connect to the access point and wait for the splash page to pop- up. 2. Close the splash page, and open your browser. Visit any random web page (http normally works better than https). 3. When the splash page comes up, save the entire landing page. Use the splash page and save additional pages as necessary. 4. Change the UA string and grab the mobile version as well if it exists. 5. Replace the form processor to write a log file and pass the client through to a legitimate landing page. 6. Modify the page HTML to point to your form processor and modify parameters as necessary. 7. Deploy the captive portal (will discuss this shortly) 8. Use IPTables to allow the victim’s MAC through to the internet using the form processor.
  • 26.
  • 27.
  • 29. Mobile Cloning • HTTrack: http://www.httrack.com/
  • 30. Mobile Cloning • VT View Source:
 
 https://play.google.com/ store/apps/details? id=com.tozalakyan.view source&hl=en
  • 31.
  • 32. How to Deauthenticate Clients and DoS Access Points • Aireplay-ng using the —deauth flag • file2air - deauth packet injection flood tool by Josh Wright • http://www.willhackforsushi.com/code/file2air/1.1/ file2air-1.1.tgz • Spoof AP MAC, send deauth requests to clients • Target a single user, all users, or AP itself • MDK3 Deauth Amok Mode to take out all WPA AP’s
  • 33. How to Deauthenticate Clients and DoS Access Points source: https://github.com/sophron/wifiphisher
  • 34. How to Deauthenticate Clients and DoS Access Points https://github.com/sophron/wifiphisher
  • 37. Generic Splash Page Pineapple Configuration /etc/nodogsplash/htdocs/splash.html
  • 38. Landing Page Pineapple Configuration - JavaScript Necessities /www/[directory]/index.html
  • 39. PHP Form Processor Pineapple Configuration Easier than using IPTables /www/[directory]/auth/login.php
  • 40.
  • 41.
  • 42.
  • 43.
  • 44. A word of caution w/ the Pineapple…
  • 45. A word of caution w/ the Pineapple…
  • 46. Existing Router Ideally one supporting guest mode…
  • 47. DDWRT • Flash with DDWRT, then you can use NocatSplash to configure a captive portal. • Many other ways to go about this… DDWRT is just one of the easier options. • http://www.dd-wrt.com/site/index • http://sourceforge.net/projects/ nocatsplash/
  • 48.
  • 49.
  • 51. • Kali Linux • http://www.kali.org/ • Can do just about anything to connecting clients • Unlimited attack potential and plenty of drive space to build elaborate landing pages and believable scenarios Laptop Hotspot and/or Proxy
  • 52. • Makes hacking Wi-Fi even easier! • https://github.com/SilverFoxx/PwnSTAR PwnStar - By SilverFoxx
  • 53.
  • 54.
  • 55. Demo
  • 57. Combine Pineapple portability with the versatility of Kali Linux • http://www.offensive-security.com/kali- linux/kali-linux-evil-wireless-access-point/
  • 58. BeagleBone Black + Alfa Wi-Fi Card http://beagleboard.org/black http://www.alfa.com.tw/
  • 59. BeagleBone AP Deployment Options get creative…
  • 60.
  • 61. Going Mobile! • Nexus Device with Kali NetHunter • https://www.kali.org/kali-linux-nethunter/ • Pwnie Express Pwn Phone/Pad • https://www.pwnieexpress.com/product/ pwn-phone2014/
  • 64.
  • 65.
  • 66. MITM Basic Tools • AirSSL • AirJack • Airsnarf • Dsniff • Cain • void11 • Ferret • SSLStrip • Wireshark • AirPwn • Ettercap • Etc…
  • 67. You don’t even need to authenticate to attack clients
  • 68. Fun with MITM • Snapception - https://github.com/thebradbain/ snapception • Love Thy Neighbors - http:// neighbor.willhackforsushi.com/ • AirPWN - http://airpwn.sourceforge.net/ Airpwn.html • Intercepter-NG - http://intercepter.nerf.ru/ • Many, many more…
  • 69. Demo
  • 70. Client Defense… • Always use a VPN/VPS/SSH Port Forwarding/ etc. when connected to an open access point. • Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’. • Hotspot not served up over HTTPS and other generally suspicious behavior. • Beware duplicate networks with different encryption.
  • 71. Client Defense… • Use different login details and passwords for public wifi. Test false-credentials first, if it lets you through it’s not legit. • Turn off Wi-Fi on devices when traveling. • Exercise caution when connections suddenly drop, especially if it happens for everyone on the network. • If it just ‘doesn’t feel right’ then trust your instincts…
  • 72. Resources • http://www.willhackforsushi.com/code/cpscam.pl • http://neighbor.willhackforsushi.com/ • http://www.aircrack-ng.org/ • http://www.dd-wrt.com/ • https://github.com/SilverFoxx/PwnSTAR • http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/ • http://beagleboard.org/black • http://www.armhf.com/boards/beaglebone-black/bbb-sd-install/ • http://grinninggecko.com/2013/09/13/kali-linux-on-headless-beaglebone-black-via- os-x/ • https://github.com/thebradbain/snapception • http://airpwn.sourceforge.net/Airpwn.html • http://intercepter.nerf.ru/
  • 73. Thank You! Questions? https://github.com/gfoss/misc/Wireless/Captive-Portals/ Greg Foss
 Senior Security Research Engineer
 greg.foss[at]LogRhythm.com
 @heinzarelli