
[Music] Higher performance communication resources and faster and more reliable technology.

First, can you all hear me? Yes? Okay. So I've got a confession to make: I'm a real noob when it comes to doing PowerPoint stuff, so I haven't actually gotten this to display without the little tabs on the top. But the information's up there, we have a pretty big screen, so I'm just gonna go with it. You're going to see me doing this a lot, though, because I don't have a copy. Oh, I have an update? What's up, man? I got it. In fact, if I just go down here I'll just take peeks when necessary.

So this is a talk kind of about pineapples. Not pineapples, I can't really say that, but the kinds of wireless attacks that involve spinning up a rogue access point that's either a spoof of a legitimate access point or, one way or the other, tricking some kind of 802.11-enabled device into connecting to a malicious AP and then pwning the hell out of it. There are two kinds of rogue access point attacks that you really see a lot. The first one is an evil twin
attack. An evil twin attack basically involves making a copy of a legitimate access point, and a karma attack is one where, well, we'll go over that later. Let's go over evil twin attacks.

So, free Wi-Fi. Imagine we're in this situation where we're kind of broke; we really want to use the internet, but we're really cheap and we don't actually want to invest the $5 it is at Starbucks to get Wi-Fi access. So we're sitting there, we're surrounded by people, and they all seem to be connected and doing their thing, and we're like, gee, wouldn't it be nice if we had some creds for the login portal they had so that we could go about doing our thing? Well... whoa, I'm doing the thing again. Okay, I'm actually going to go down here.

Okay, imagine a scenario where we're at Starbucks and we notice that the network at Starbucks has an SSID of Starbucks Wi-Fi, it's running on channel 6, and there are all these people connected to this open access point on channel 6. What would happen if we were to spin up our own access point with the same SSID and the same channel as the legitimate one? Well, provided that our signal strength was as strong or stronger than the legitimate one, all those connections would drop and connect to ours, and what that allows us to do is create a man-in-the-middle situation. All these guys have dropped off their legitimate connection, they're now connected to us, we can start routing their packets, using iptables or something like that, to the internet, and meanwhile start sniffing creds. We can get basically Gmail credentials, anything we wanted. I'm not supposed to stand in front of the
speaker, but yeah, so we do that. Dude, that would be awesome, thank you so much. I was thinking, is there a way I can clone myself and put myself here and there at the same time? Well, I guess I can stand here. No feedback? What's up? I think that's either the CTF or the fencing competition. Stand here? So it looks like there's a really specific spot where I have to stand where I'm not in front of the speaker and I'm not in front of the projector, so I'm just going to plant myself here. Can we go back one slide? Thanks. Yep, perfect.

Okay, we're going to start this over because that was crap. So let's imagine a scenario: a Sunday morning, we really want to access the internet, and we're chilling in Dunkin' Donuts. We're not actually doing anything in Dunkin' Donuts, we're just loitering there, and we really want to use their Wi-Fi. We can't use their Wi-Fi because there's a captive portal where you have to enter a username and password kind of thing that you only get if you spend $5 for a cup of coffee. So what could you do? I mean, you could do something where you ARP poison
the router or something like that: you could connect to it and then set up a man-in-the-middle with an ARP poisoning attack or something like that, and by doing that start intercepting traffic and steal the creds to the captive portal that way. Unfortunately, that is a tried-and-tested method, but it really messes up your throughput, it's really noticeable. If someone's doing something like that it's kind of loud; you're sending ARPs all over the place. But the point is there are better ways to do it.

If you notice here, I know this says Starbucks; pretend it's Dunkin' Donuts. So let's say that Dunkin' Donuts is running Starbucks Wi-Fi on channel 6. What would happen if you were to spin up your own access point, using an external wireless card or something like that with your laptop, also with the SSID set to Starbucks Wi-Fi on channel 6? How would those connected clients be able to tell the difference between your access point and theirs? Well, they can't. So provided that your signal strength is strong enough that it's more efficient for those clients to connect to you as opposed to the legitimate access point, they will, and that's actually not that hard to do. Next slide please.

So as you see, what will happen is that if you were to spin up that spoofed access point, that clone, all these clients would drop their connections and suddenly connect to your thing. You can then assign them IP addresses, start routing their traffic through sslstrip or whatever, and at that point you'd have your nice little creds without having to purchase a $5 beverage. So let's go to the next one. What are the advantages to this kind of attack? Well, it's actually
relatively easy to perform. You just need something that's capable of making a hotspot, more or less; you can just download hostapd and with relative ease you can write a script or something like that that does this kind of thing. It's also really targeted, so this is kind of ideal in a red team situation where you don't want to attack clients that are connected to some other dude's network. In this situation you can actually pinpoint: I want to specifically attack this open network, and you won't have issues with people from, I don't know, the fencing competition next door coming and connecting to your thing. I guess next slide. Cool.

What are some disadvantages? Well, out of the box it does not work against protected WPA networks, because without having that pre-shared key you can't really spin up an exact copy of this thing. These clients will be associated to this WPA network, or even WEP network, and you won't really be able to impersonate it and get them to connect to you. What you can do, though, is you can sniff for... well, basically every single 802.11 device has a list of preferred
networks, right? So let's say that you've connected once to AT&T Wi-Fi at Barnes & Noble; your phone now has that saved in its list of preferred networks. And then let's say you go home and you connect to your Wi-Fi network, Jimmy's Wi-Fi or whatever; that's also going to be in your preferred networks. So your device is constantly going to be sending out probe requests for these preferred networks, which you can listen for and use to compile a list of commonly preferred networks for basically every device around you. Because let's say you're surrounded by wireless devices and they're all sending out these probe requests; you can find one that they all have in common, and that's what you do here. So if all these devices are connected to this WPA network and you are sniffing for their preferred networks and you find one that they have in common, you can deauth the WPA network that you're targeting, and then when they all drop, you spin up an evil twin of this common preferred network, all the devices would connect to you, and then you pwn them, basically. So I guess next
slide. So how do we detect this stuff? Well, in most cases there are really two cases. I think we should go to the next one... two, I think. Yeah. So there are two ways to detect; I mean, there are two scenarios, right? The first scenario involves someone spinning up an evil twin where they've set their SSID to match a legitimate access point on your network and they've set their channel to match a legitimate access point on your network. So they spoof the SSID and channel. If this happens, they're going to be sending out probe responses to devices that are currently associated, or that have your network in their preferred networks. Just as devices send out probe requests for networks, the access points send out probe responses, and you can listen to those probe responses. They'll have the channel that the AP is running on, they'll have the SSID, as well as the BSSID, which is kind of like the hardware address, sort of. So, assuming that the attacker does not spoof his or her MAC address, and also BSSID, basically if an evil twin shows up and you start seeing packets that are probe responses for one of your access points, and it has an SSID and channel that is matching yours, but the BSSID is not matching one in a whitelist of access points that you know are within your network, then you know something fishy is up.

If we go to the next slide, there's a diagram here of how that would work. So you'd have a packet sniffer, and you're sniffing for probe responses from different access points, and at some point you start seeing one where you basically say, is this BSSID allowed? If it's not allowed, then at that point you start sending alerts to the sysadmin, and maybe also you can start deauthing that access point by its BSSID, which would cause anything that did connect to it to drop and potentially save your clients from abuse in that way. Next slide please.

So why doesn't this always work? Well, there really isn't anything stopping an attacker from spoofing their BSSID too. So if the attacker actually spends the time to cover their BSSID and match, they
they actually listen for, they scope out your network and figure out how to spin up an evil twin that matches one of your access points by SSID, BSSID and channel. At that point whitelisting will not work, because there's really no way to differentiate, using whitelisting, between a legitimate access point and one that is an evil twin. There is a way around this, though. So how do we get around this? Paying attention to signal strength. Suppose that I have an access point right here at the front of the room, it's just chilling here, and it's serving up some arbitrary network name, Free Wi-Fi we'll call it, and it's running on channel 2. Let's say some sketchy dude in a DEF CON t-shirt or something like that rolls into the parking lot outside the convention center, gets out this really huge high-gain antenna, and starts making this evil twin of my access point, and he actually takes the care to spoof it by BSSID, SSID and channel. Well, if I was listening for packets, if we had a packet sniffer in the corner of the room there, and we established that the signal strength coming from my access point should be radically different from the signal strength coming from the attacker's access point. In other words, access points don't move around very much. Sometimes, hypothetically, someone could grab one and try to walk off with it, but access points don't move much. So if we have a fixed access point and a fixed packet sniffer that's being used as an IDS, we can establish a baseline signal strength from the sniffer to that access point over time, and then when someone basically spins up an evil twin of it, you'll start seeing packets that deviate from that threshold by a certain amount, and that's how you know that something fishy is up. At that point I guess you can't really start launching the deauth packets and stuff like that, but what you could do is, at this point, know that something strange is going on and take action accordingly. So I guess... I guess I kind of blew past those, didn't I? I guess next slide too. Yeah, a little more demo time. Okay, so let's try this out.
Yeah, he's going to go... oh, okay, so this is going to be interesting. Okay, yeah, you do that. So for this, what we're going to be doing is using a gutted version of this: it's a pretty enormous suite of tools for running rogue access point attacks, it's called the MANA framework, and we've removed the stuff that would make this actually pwn stuff. It'll spin up an access point and it will behave almost like a rogue access point, but it's not actually going to do that. So we're going to... and we're also going to run a tool that actually follows this algorithm that we just described. And I'm going to do something where I move this over here. There, bear with me. Okay, yeah, I lost my mouse too. Oh, there's my mouse, cool. Bump font size. Can you see that? Can anybody not see that easily? A little small? Okay. Realistically, I just need a longer neck. I'm actually pretty wired in heavily here. You know what I'm going to do? I'm actually going to spin up two new terminals and I'm going to just start this over really fast. I'm so sorry. Yeah, I just can't see it. Let me do that thing. So if we run this
thing... so, two hackers walk into a bar, and one of them has a rogue access point. Yes.
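The evil twin check the speaker has just walked through (a BSSID whitelist first, then a signal-strength baseline for APs whose BSSID has also been cloned) is shown below as an added example written for this page. It is not the speaker's tool and not code from the talk; the `ProbeResponse` records are constructed stand-ins for frames a sniffer would parse (capture and parsing with Scapy are left out), and the names `EvilTwinDetector`, `run_demo` and the BSSIDs are assumptions. It only raises alerts; it does not send anything on the air.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ProbeResponse:
    """One parsed 802.11 probe response as a sniffer would hand it to the detector (constructed)."""
    ssid: str
    bssid: str
    channel: int
    rssi: int  # received signal strength in dBm, as reported by the capture radio


class EvilTwinDetector:
    """Whitelist check first; once a baseline exists, a signal-strength deviation check."""

    def __init__(self, whitelist, baseline_samples=20, threshold_db=10):
        # whitelist: SSID -> set of BSSIDs known to serve that SSID (the talk's text file of BSSIDs)
        self.whitelist = {ssid: {b.lower() for b in bssids} for ssid, bssids in whitelist.items()}
        self.baseline_samples = baseline_samples
        self.threshold_db = threshold_db
        self._samples = defaultdict(list)  # bssid -> rssi readings gathered while learning
        self.baseline = {}                 # bssid -> mean rssi once enough readings are in

    def observe(self, frame):
        """Return an alert string for a suspicious probe response, else None."""
        if frame.ssid not in self.whitelist:
            return None  # not one of our networks, nothing to compare against
        bssid = frame.bssid.lower()
        if bssid not in self.whitelist[frame.ssid]:
            # Case 1: attacker copied SSID and channel but not the BSSID
            return f"evil twin (unknown BSSID): ssid={frame.ssid!r} bssid={bssid} ch={frame.channel}"
        if bssid not in self.baseline:
            # Still learning what 'normal' looks like for this fixed AP
            readings = self._samples[bssid]
            readings.append(frame.rssi)
            if len(readings) >= self.baseline_samples:
                self.baseline[bssid] = mean(readings)
            return None
        # Case 2: BSSID, SSID and channel all match, so fall back to signal strength
        delta = abs(frame.rssi - self.baseline[bssid])
        if delta > self.threshold_db:
            return (f"evil twin (signal {delta:.1f} dB off baseline): "
                    f"ssid={frame.ssid!r} bssid={bssid} ch={frame.channel} rssi={frame.rssi}")
        return None


def run_demo():
    """Replay a constructed capture through the detector; returns the alerts raised."""
    legit = "00:11:22:33:44:55"  # constructed BSSID of our own AP
    det = EvilTwinDetector({"Starbucks WiFi": {legit}})
    frames = []
    # 20 ordinary probe responses from the real AP while the baseline is learnt (-55..-58 dBm)
    for i in range(20):
        frames.append(ProbeResponse("Starbucks WiFi", legit, 6, -55 - (i % 4)))
    # a normal-looking frame after learning: small fluctuation, no alert
    frames.append(ProbeResponse("Starbucks WiFi", legit, 6, -60))
    # a clone with the right SSID and channel but a different BSSID
    frames.append(ProbeResponse("Starbucks WiFi", "66:77:88:99:aa:bb", 6, -40))
    # a clone that also copied the BSSID, but is far louder than the fixed AP ever was
    frames.append(ProbeResponse("Starbucks WiFi", legit, 6, -30))
    # a foreign network that happens to be nearby: ignored
    frames.append(ProbeResponse("Other Cafe", "cc:dd:ee:ff:00:11", 1, -70))
    return [a for a in (det.observe(f) for f in frames) if a]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The threshold is deliberately a parameter: as the Q&A at the end of the talk points out, reported signal strength fluctuates from frame to frame, so the right value depends on the room and the radio, and the baseline should be learnt over a quiet period rather than hard-coded.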
Cool. So what we're now doing is we're running this sniffer here and it's searching for... I lost my mouse. Okay, so hypothetically, this is technical demo worst case scenario. What would be happening is, suppose that there was an evil twin up here: you'd start seeing some output on there that would say, blah blah blah, evil twin detected, and... oh my god. So it would say evil twin detected and it would start the deauth thing, basically. So, having AP issues at the moment, so it's probably... this is not going to really... Go back to it? We'll just go back to the PowerPoint slides.

So let's talk about karma attacks. Want to try it again? All right, so let's talk about karma attacks. Karma attacks are a slightly more sophisticated kind of rogue access point attack. The way a karma attack works is, we talked about how a wireless device is constantly sending out requests for its preferred networks, probe requests, basically saying, are you there? Can I connect to you? So what a rogue AP will do if it's launching a karma attack
is it will respond to all these requests promiscuously. Let's say that I'm a rogue AP and I'm doing a karma attack: if I receive a probe request for Starbucks Wi-Fi, I'm going to say yes, I'm Starbucks Wi-Fi; if I receive a probe request for AT&T Wi-Fi, I'm going to be like yes, I am AT&T Wi-Fi; and I'm going to respond to these no matter what SSID and channel I get. So the result of this is that any device nearby... it's kind of like a frag grenade, I guess, in terms of wireless things. You just turn this thing on, and any device nearby that's sending out these probe requests, in theory what happens is that these things connect to you, because you're responding to the probe requests this way.

Right, so here we have the diagram. Basically you have this client 1; it sends out this request, I'm looking for Linksys; the rogue AP is like, yes, I'm Linksys, go ahead and connect to me. And then client 2 is like, I'm looking for AT&T Wi-Fi, so the rogue AP at that point is like, yeah, that's me, I'm AT&T Wi-Fi, connect to me, bro. So then client 2 connects. Client 1 at the bottom actually should say client 3; I don't know why that says client 1, but let's pretend it's client 3. So client 3 says, I'm looking for NSA Surveillance Van, so the rogue AP says, yeah, that's me, where's White Castle, let's go. So the connection happens, and in this scenario all three of these clients would get pwned because they'd connect to it. So let's go to the next slide.

The advantages of these kinds of attacks over evil twin attacks are that, for one thing, they're really easy to run. You just start up the script; all you need is
a script that does this kind of thing. It brings it up and you have this thing running, and at that point you can just fire and forget. You just run this thing and you can be driving down the road or something like that with your device, cough cough, Pineapple, and things nearby will start being forced into connecting to your device, and magic happens. The disadvantage is that it's messy; it's really difficult to target a specific network with this kind of thing. If we go to the next slide, you can't really do that that way, unfortunately. That is a downside, because if you have a WPA-protected network, and this is one argument for using WPA or something like that, it's not really as susceptible to that; you aren't really able to do this kind of thing. What you can do, though, is force connected clients to disassociate from the WPA network, and at that point, if you know what their preferred networks are, you can spin up a spoof of that. Or even in this case, when you're doing a karma attack, if they're disassociated from whatever it is that they were connecting to (think of all the times you've been dropped from the Wi-Fi at some security conference), basically what will happen at that point is that it will just connect to whatever is available, in this case your Pineapple or rogue AP script or whatever. But the disadvantage to this is that it's easy to detect. For one thing, an access point should not respond to probe requests for multiple SSIDs; that just shouldn't happen. So if you look for that, it's really easy to see. If we go to the next slide, that actually brings us to how to detect these things.

So basically, let's say
that you want to look for devices that are doing karma attacks. A really good scenario to think about is: imagine you walk into a bar, because we like bars. So you walk into a bar and you're looking for this guy named Jason, and you walk in and just shout out, hey, is anybody here named Jason? And this sketchy dude in the DEF CON t-shirt in the back is like, yeah, I'm Jason. You might be inclined to believe him, because why would he lie about that? But let's say that you're not actually going in there looking for a guy named Jason; you're a professional detector, this is what you do. So let's say you back out, you walk back into the bar again, and you're like, hey, is anybody here named Jason? Guy says, yes, I'm Jason. So you write it down: this guy says he's Jason. Then you do it again: is anybody here named Bob? Yeah, I'm Bob, says the same guy. Well, now you know something's up, because this guy has responded to the same question, what is your name, or is there anybody here named this person, with the same answer, and it's contradictory. The same is true with rogue access point attacks, or rogue access points. If you have a rogue access point that's running a karma attack, it will respond to arbitrary probe requests for various SSIDs. What this means, if we go to the next slide, is let's say we can have an IDS, a little device or something like that, that sends out a probe request for some random ESSID, just a string or something like that. The rogue access point at that point would respond, yes, that's me, even though it's this nonsensical SSID which you would probably never see. At that point your device can send out another arbitrarily crafted probe request for another one, meanwhile keeping note that this thing has responded to the previous one. The rogue AP at this point would respond in exactly the same way. At this point you have overlap where there shouldn't be: you have a device that has responded to requests for two different SSIDs. At this point you just take down the BSSID and channel and you can just deauth it until it no longer works.

So, time for another demo. We saw how well the last one went, so we could do a live demo. Does anybody want to be a
karma... no, we're not going to do that. So I guess go to the next slide, see what's up with that.

So, existing solutions. Aruba Networks makes this thing called AirWave. The list price for it is, well, it's a software license for 20... you can put it on 25 devices, and it will do this kind of thing really cheaply. Did I say cheaply? I'm sorry, I didn't mean to say cheaply. It will do this thing really well, but as you can see it's probably out of the price range of someone who just... I mean, think about it: how many enterprise networks do you know... I mean, when was the last time I went to a security conference and they actually had actual rogue AP protection? They don't, because it's priced at a point where it's almost a luxury item; there's so much stuff that has to come first. If we look at Cisco, they have the Aironet 600 series; they're actually wireless access points that will also be able to detect this kind of thing. Once again, it's doable if you're a large enterprise and you can afford this kind of thing, but it's out of the hands of your average small sysadmin or net admin or whatever. And Fluke Networks, they make the thing called AirMagnet Wi-Fi Analyzer Pro. If you've ever seen somebody nervously walking around with a spectrum analyzer on their tablet or something trying to find access points, that's probably what they're using. That's like $4,000 for a software license, so it's honestly pretty inaccessible to a lot of people.

But what are the bare minimum resources needed for effective rogue access point mitigation? Well, basically you can use the scripts that we were totally able to run today; they're available online, you can try them out. You can use the scripts that we were totally able to run today and run them on a Raspberry Pi or something like that, and at that point you've basically taken your cost of rogue AP protection down to like $60 a unit, the cost of actually putting one of these things together. That's a really good thing, because it means that if you take this do-it-yourself approach you can open up rogue AP protection to, well, nonprofit conferences, stuff like that. So there are totally awesome proofs of... the next slide, yeah, so that's the next one, right? So if you want to try out this stuff, because we all saw how awesome it works and stuff, it's on GitHub. It's currently having some issues compiling on certain distros and stuff like that, but I'm working on that. But yeah, you can do this kind of stuff with 400 lines of Python; that's all it takes, really. And that's basically it. Yeah, any questions? What's
up? I actually couldn't hear you, sorry. The antenna strength for... for what? It seems to be sufficient, actually, especially when you consider that you can basically use the same hardware to launch a rogue AP attack. There's just a common misconception that... so you might want a more high-powered antenna in some situations, so for example to strap a Yagi antenna on or something that's actually less directional and go from there. But yeah, it should be. Anything else? It is?
Yeah, so it depends on what you're looking for. If you're looking for karma attacks, it will actually use that algorithm that we described: it will craft nonsensical probe requests and send them out, and if it starts seeing responses to that it'll take action, it'll notify you, do the deauths, stuff like that. For evil twins, it will actually do the thing with the signal strength. It will also... you can make a whitelist, so you literally just load up a bunch of BSSIDs into a text file and it reads that, and then you just run it and that's it. So, what's up?

So for that, what it does is it establishes... so you run it for about a couple of minutes and it establishes a baseline signal strength coming from the device on which you're running it to the particular AP that you're running, or that you've listed in there. And then if suddenly it starts receiving packets that are supposedly coming from your access point but the signal strength is deviating by a certain threshold, and you can set the threshold, but it shouldn't move around too much from that baseline, then you know something fishy is up, and that's how it detects that. What's
up? Yes, big shout out to Scapy. Scapy is an amazing Python library for networking, wireless, all of it. It basically allows you to craft arbitrary packets, and that's amazing. I mean, you can literally encapsulate an ARP packet inside of a TCP... or encapsulate, do things backwards, basically; it doesn't have to make sense, you can do it. Also using multiprocessing; it's actually a library called multiprocessing. But that's it, basically; not too much external stuff, but two major external libraries. Anything else? Nothing?
Yes? Bad weather. Bad weather, so, it's kind of in the proof of concept stage right now, but I think that one thing that would be really good to add, and it's open source, if anyone wants to contribute to this and actually knows anything about calculating for this kind of thing, there should be some way to compensate for environmental factors that you could add. But yeah, it definitely works pretty well inside, though, which is cool.

Sure.
Huh, that's super cool. I wonder if it's copyrighted, but yeah. So, what's up?

Because, well, for one thing, that's a good question. What you'll notice is that if you actually open up a packet analyzer, or even just run a dump or something like that, the TX values, basically your signal strength, are going to fluctuate between each request. So the question at that point becomes how much leeway do you want to give these packets in terms of variation in signal strength? How do you know what the signal strength should be, and then how much leeway do you want to give it? Because if you're running an access point and the signal strength is fluctuating by maybe 10 dBi or something like that, how do you know it's going to be that? It could be something different depending on the scenario. So the problem is there's always variation, and it's really hard to know up front how much variation is going to occur. What's up? That's super exciting.
Awesome.

Yeah, you, sir, sound like an engineer, and this excites me because you want to contribute to this. [Laughter] So I'm just gonna say yes to that. What's up? Someone...

I would have to... huh, that's a really good point. I would actually have to talk to somebody who knows more about VPNs and stuff, because I really... but I'm gonna guess you do. So, case in point, or the moral here: use a VPN if you're connected to open networks, always. Anything else? That's it. No problem.
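The karma-attack check the talk describes (ask for a made-up network name twice, and flag any BSSID that answers "that's me" both times, the "is anybody here named Bob?" test) is shown below as an added example written for this page, covering both the detection walkthrough and the Q&A description of the tool crafting nonsensical probe requests. It is not the speaker's tool and not code from the talk. Putting the probe request on the air and parsing the responses (the part the speaker does with Scapy) is left out; `ProbeResponse` records and the "radio environment" in `run_demo` are constructed, and the names `KarmaDetector`, `next_question` and the BSSIDs are assumptions. The detector only records and reports; it does not deauth anything.

```python
import secrets
import string
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeResponse:
    """A parsed probe response: which BSSID claimed which SSID, on which channel (constructed)."""
    ssid: str
    bssid: str
    channel: int


def random_ssid(length=12):
    """A nonsense network name nobody should be serving: the 'is anybody here named Bob?' question."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class KarmaDetector:
    """Flags any BSSID that answers probe requests for two or more of our made-up SSIDs."""

    def __init__(self, min_overlap=2):
        self.min_overlap = min_overlap
        self.asked = set()               # SSIDs we have probed for so far
        self.claims = defaultdict(set)   # bssid -> {(ssid, channel)} it claimed to be

    def next_question(self):
        """Pick a fresh random SSID to probe for; the caller puts the probe request on the air."""
        ssid = random_ssid()
        self.asked.add(ssid)
        return ssid

    def observe(self, resp):
        """Record a probe response only if it answers one of our made-up names."""
        if resp.ssid in self.asked:
            self.claims[resp.bssid.lower()].add((resp.ssid, resp.channel))

    def suspects(self):
        """BSSIDs with contradictory answers, mapped to the channels they were heard on."""
        out = {}
        for bssid, pairs in self.claims.items():
            ssids = {s for s, _ in pairs}
            if len(ssids) >= self.min_overlap:
                out[bssid] = sorted({ch for _, ch in pairs})
        return out


def run_demo(rounds=3):
    """Ask the constructed 'bar' a few times; returns the suspects dict."""
    legit_bssid = "00:11:22:33:44:55"   # constructed: an honest AP serving one real SSID
    rogue_bssid = "de:ad:be:ef:00:01"   # constructed: an AP answering every probe request
    det = KarmaDetector()

    def air_response(asked_ssid):
        # Constructed radio environment. The honest AP is heard advertising only its own
        # SSID, which never matches one of our questions; the karma AP answers 'yes, that's me'
        # to whatever name it was asked for.
        return [ProbeResponse("Coffee-Guest", legit_bssid, 6),
                ProbeResponse(asked_ssid, rogue_bssid, 11)]

    for _ in range(rounds):
        ssid = det.next_question()
        for resp in air_response(ssid):
            det.observe(resp)
    return det.suspects()


if __name__ == "__main__":
    for bssid, channels in run_demo().items():
        print(f"karma attack suspected: bssid={bssid} channels={channels}")
```

Two questions are the minimum, as in the bar story, because a single answer to a random name could in principle be a coincidence; raising `min_overlap` trades a slower verdict for fewer false alarms, and the random names come from `secrets` so that a rogue AP cannot learn to ignore a fixed list of "canary" SSIDs.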