
There are maybe some seats over here, up in the very front, the splash zone, so you can make your way up; there are maybe six or seven seats up here. Welcome. We're going to get started in a few minutes. Would you like an intro or anything else? Good. Our first speaker today is Mr. Greg Foss from the LogRhythm Labs threat intelligence team. That sounds weighty. Very pleased to have him. Does the sound work? Excellent. So again, we're going to try to leave some time for questions. If you need anything, let me know, and I think we're going to take it away as long as AV is happy. Excellent, thank you.
All right, you guys hear me okay? All right, well, thanks for coming. Let's get started. My name is Greg Foss. I'm a senior security research engineer at LogRhythm Labs. I do a lot of research on various things; one of the things I did recently was some wireless testing. I'm traditionally a web application pen tester, so my approach here is going to be kind of different than traditional wireless hacking, and that's what this whole talk is based on. About a year ago I wrote a blog post called "Xfinity Pineapple", and this got some people interested, because the reason I put this out there was that I thought it affected the general population more than this vendor specifically. These are access points stood up in everyone's home that people could join and essentially use to do whatever. Granted, you do have to have a Comcast account when you're using it, but the way these things are set up makes it super easy to clone them, and the same goes for tons of other access points and tons of other captive portals out there. That's essentially what we're going to dive into today.

First things first: pretty much everything I'm going to talk about is illegal, so I'm not liable for what you do after this talk. Right here are the rules against wireless piggybacking and stuff like that. I'm also not a professional wireless security person; I do a lot of pen testing and security research, but not all of it focused on wireless, so take what I say with a grain of salt, especially when it comes to legal terms, because I'm definitely not a lawyer either. With that, we aren't really going to have time to go into wireless basics, so 802.11, WEP cracking, WPA, all that stuff, we're not going to have time to touch on.

So the agenda for today. We're going to be talking first about how to get free Wi-Fi, getting free internet access through basic captive portals, and then access point cloning: what are ways to easily clone and weaponize captive portals for easy and rapid deployment, so that you can attack users and companies and things like that. Then client attacks: we're going to go to the next stage, what do we do after we've actually popped an access point or gained access to one, attacking clients, and then we're going to have some fun with man-in-the-middle attacks.

All right, so first, free Wi-Fi. The thing with free Wi-Fi is it's essentially everywhere, so there's not really much point talking about it unless your goal isn't just to get to the internet; maybe you want to attack a user on a certain network or something like that. But there are lots of ways to bypass basic captive portals out there. The cool thing is, sometimes if you just use Tor or a VPN, some of these captive portals will just allow those ports; the only things they block are 80 or 443 until you authenticate, which is funny, but it actually works. You can also try appending .jpg or .png to the end of your strings and it'll try and render it as an image; a lot of captive portals still allow this through because they go and pull images from other sites to serve on their captive portal. Or look for open redirect flaws (this is where we're getting into the web application side) and iframes, because you can use these to browse other pages from within their captive portal. You can just browse the captive portal and look for an open redirect to actually redirect to a page you want to go to, and you just keep using that to view pages, or find an iframe and just change the site in the client-side code. Sometimes this stuff just works. And then tunnel over DNS. This is my favorite because it always works, because they never block DNS; they want you to be able to look up servers. So if you just set up a server at home and have it set up over DNS, then you can usually get to it. It works really well. These same tricks work if your ISP actually suspends your internet access, which is really cool.

Say some of them have a time limit or something like that; you can use these tricks to get around that. On time-limited access points there are a lot of ways that you can get around these. One of the easiest is to just change your MAC once the time runs out. Super simple, because that's mainly the only identifier that they use. Or you can go and attack users that have paid for access already: you can actually deauth existing clients, or deny service to that access point to knock everyone else off, and then just sniff their MACs and use those to gain access and keep them off. It'll piss them off, but then you get free internet access. A couple of tools to do that: aireplay-ng and airdrop-ng work really well for deauthentication. mdk3 (stands for murder death kill) is a really cool tool. Both of these are great. Some hosts offline: essentially, just sit there and sniff the MAC address and wait for the user to go idle, and then modify your MAC and IP to match. You can do this to not really tick people off; wait for them to go idle, when they aren't actually using the internet actively, so they won't immediately know that you're actually riding on their session. The really cool thing: anyone who's ever done anything with wireless has definitely heard of Josh Wright. He has tons of amazing tools out there for wireless attacks and things like that. One of the really cool ones is called cpscam, and essentially this does this for you: it'll automatically go and hijack sessions of users who've just gone idle. It does all this in the background for you, which is really cool; it automates this manual process.

Now, hijacking access points can be very easy as well. Anyway, I like to fly drones. Yes, drones are awesome, but they also come with no security whatsoever; wireless security is non-existent on these things. All you have to do is get the app and then you can hijack any drone camera that's around you. It's cool because you can take pictures, you can do all sorts of stuff; you can't control the drone, essentially, but you can control the camera, which can be useful. You just have to look for the Phantom drones; they all come with "Phantom_" and then usually a long number. This one's mine, so I call it Best Korea Drone just because it's funny. That's how you find these things. Now you can just hijack them, super easy, and then you can see what they're seeing. Take over. Pretty fun. Now, the cool thing about free internet is a lot of times people are just willing to give this out. Here's a good example: this guy just asked someone for their ISP credentials and they gave them to him. So sometimes we don't even need to go through all this work, right?

Let's get into cloning. Let's talk about how we're going to actually attack some access points and attack some clients. The evil twin attack: this is an attack that's been around for ages; it's a very popular attack, very easy to implement. I mean, the Wi-Fi Pineapple was essentially created to do these attacks. It works really easily. Let's dive into this a bit. The first thing you have to do is find a wireless access point. There are tons of apps, tons of ways you can do this on your computer. This is just one on your Android phone, the Wi-Fi Analyzer app, really good for finding those access points. Simple, right? Just drive by your target. You don't even have to get out, especially if you get a very long antenna; you can reach these from very far away, so you can actually target businesses from very far away and clone their access points for when you're at that business later that week.

Basic captive portals. The cool thing about these in terms of web application security is they are all prone to basic web app vulnerabilities; a lot of them are. Right here you can see this page is served up over HTTP, so we could sniff the communication, and right here they're passing the MAC address in plain text within the query string. All of this is super easy to sniff, so if you're trying to hijack someone's session or something like that, it's easy because it's in plain text right there. You don't even have to join to find this; you just have to start sniffing them, essentially. There are tons of these access points. They all ask you to provide various information; some of them are very complex, some are very basic. This one fortunately at least has HTTPS; that's better than the last one. Now, some of these which are very complex, the way you have to clone these is to go through and not only clone this first page but actually use the application and then clone every subsequent page as well. If you're going after credit cards or something like that, which I wouldn't recommend, but it's something someone could do, this would be a great way to do it: just clone all of these pages, make a whole site, and I'll show you how to stand this up essentially and attack people. Lots of these; they're everywhere.

All of these are fun, but the ones I really want to focus on are the ISPs, because these give us the most bang for the buck, and these are everywhere, especially one of them. This one happens to be Xfinity; this is their map of Denver, and it's essentially just everywhere. These are the Xfinity Wi-Fi home networks that are available. These are the ones that are bridged off of access points that people own or rent from Comcast; they bridge these access points off of their existing network. This is essentially a map of that, and this is why I went this route, because it's such a wide attack surface.

So how do we do this? What are the steps to clone and weaponize access points? Pretty simple. Connect, wait for the splash page to come up, close that splash page, open it in your browser. It's some random page, usually HTTP, which is better than HTTPS, just depending on the captive portal. Then when the splash page comes up, clone everything: download the whole page, and then you use subsequent pages and clone those as well, just download them. Once you get all the content, you also want to change your user agent string and do the same thing; you want to change it to an iPhone or Android or something like that so you can get the mobile versions as well. We want to do some dynamic redirects based on what the user clicks and everything like that. And then replace the form processor. This is the key part, and I'll show you guys the source we use, but essentially once you switch out the form processor, then instead of passing them through whatever it originally did, you just log their credentials and then pass them through to whatever you decide to send them to next. Then modify the HTML of the page to point to your new form processor. Simple, right? Then deploy the captive portal, and we'll talk about all the ways you can deploy this shortly. Once you deploy this, you want to set up iptables in a way that once people authenticate they'll be passed through transparently, and I'll show you how to do that as well.

Here's a basic cloned access point. This is the mobile version, here's the standard desktop version, and this is just one of the basic Xfinity Wi-Fi captive portals. Right here are the logs, and you'll notice I have two log messages. The reason is I actually have them authenticate twice: the first time I always have it fail, and the second time I allow them through. This is in case they fat-fingered it or something; I don't want to get the wrong credentials. And it looks believable to them, because how many times have you entered your password on a captive portal and had to type it again, right? So I did this so we can make sure to catch the right credentials.

Now, mobile cloning. A lot of times you don't have your computer with you, but there's a really sweet access point that you see that you want to clone. There are a lot of tools to actually clone with your phone. The first one is HTTrack, which is a very cool tool; you can just browse these sites and clone the entire thing. You can actually set it to go through and index the site too and clone everything. The cool part is, once you clone it, it keeps a nice little index of all the pages that you've cloned, essentially right here, so it's super simple to go back and pull those off your phone at a later time. There's another tool called VT View Source. This allows you to view the source code, and then you can pull the page content that way. This one's not as easy to pull down; it takes a little more work, but you can pull exactly what you want when you're using this app.

Now that we've actually talked about how to do this, let's talk about how to attack clients, how we're going to actually go after some clients with this. How do we deauthenticate clients and deny service to access points? aireplay-ng, we talked about this earlier; just basically pass the deauth flag at the access point you're trying to deauth users from. file2air, another tool by Josh Wright, really cool tool to drop connections, essentially, and then spoof the access point MAC; a good way to essentially do that. Once you knock off the real access point, you want users to connect back to you, so take out the real one, set up your fake one, and then have everything pass through your computer. That's essentially what we're doing here. And then mdk3 as well. So essentially this is what we're doing. Now there's a really cool tool that I found a while ago, I don't know how; it's by sophron, I believe: wifiphisher. It's really cool because it does all the things we just talked about in an automated fashion, so you can go through, kick clients off, stand up a fake access point, all that good stuff, very automated, which is really cool. And essentially this is what we're looking to get.

So here's our little Pineapple's typical method to deploy this. Essentially the first method: the Wi-Fi Pineapple. This is a great tool, and you can actually go buy one; I think they have the Hak5 shop upstairs, so you should totally go get one of these. They're awesome, they're really fun, and it makes these types of attacks really easy to deploy and see through to the end, essentially. But there are some caveats to it. There are some tricks that I found that you have to implement within captive portal spoofing specifically to get them to work on the Wi-Fi Pineapple, and I'll go over those right now. The first thing you need is a generic splash page. What we do for that is we just have this basic splash page, and all it is is a redirect: it just redirects to the destination on the Pineapple where we posted the real code. I do this because we're deploying different captive portals all the time, so I want to make a bunch of different folders. Right here we just make a directory, and we put each different company or whatever we're cloning in this directory, so whatever pentest you're on, you can redirect them dynamically depending on the use case. That's just why I like that configuration.

Now the landing page. This is essentially whatever page you just cloned, but there are two pieces of code that you'll need to get this to work on the Pineapple. The first of which is this JavaScript up here. All this really does is grab the authtarget variable, and we need the authtarget variable to be passed through because the Wi-Fi Pineapple uses NoDogSplash on the back end, and it needs the authtarget to know where to direct users to, and to know that once it's passed this variable through, they're actually allowed through and they can browse the internet. The other piece you need is to actually gather the authtarget variable within the form itself so we can pass it through. Right down here we just include this little script tag, and essentially we just include that authtarget variable within the script tag and then we pass it through. This is just within our basic index page for the Pineapple.

And then the form processor. For the Pineapple, this is essentially the back end for what we're going to be passing the users to after they authenticate. We're going to take their credentials and add them to this auth.log file, or whatever you decide to name it, so all we do is write all the POST variables to that. The nice thing about just taking all the POST variables here is that we don't have to modify this form processor depending on what captive portal we use; we can take any captive portal and this form processor will work with it. So it's kind of basic, just set up that way for that reason.

Once you have all this ready, you want to push it up to the Pineapple. SSH in, make a new directory, make sure you have enough space to store this there, and then push up all your code. Pretty simple; SCP it over. Then we're going to go in and configure Karma. There are a few different ways to do this. You set up your SSID to mimic the one that you want to clone, and then down here we're going to use the Evil Portal Pineapple Bar infusion. Once we get this all up and running, there are a few other little tricks to get this running, so if you do want to do this, let me know and I can help you with the other tricks, like the NoDogSplash config and stuff like that. But essentially at this stage you're ready to launch it, and once you click run, you're ready to go. Here's a basic splash page, so we'll hit that login.

But be careful with the Pineapple. Was anyone here at DEF CON last year? Oh yeah, oh nice, good to know. Yeah, so be careful. I mean, these tools are fun and stuff, but I wouldn't try these attacks against people here at BSides or DEF CON or things like that, because there are people in this room that know way more about this stuff than I do. You just got to be careful, right? Make sure you know completely what you're doing before attacking people, especially people that are in the same space, the security space; there are a lot of sharp people here, so you've got to be kind of careful if you're going to start messing with these here.

So the Pineapple's pretty easy to set up. You can also do this on an existing router. The cool thing about this, what I like about using a normal router, is cloning one of the ISP pages or something like that looks very believable because it's there and it's just sitting there all the time. But that's also a downside, because if it's found out that it's fake, you could be in some trouble, so just be careful. The way to do this on an existing router, the method I've used, is just to deploy DD-WRT and then essentially deploy NoCatSplash in there; essentially the same thing as NoDogSplash, just different, I think it's like the vendor version of it or something like that. Once you have this deployed, there's a basic configuration page which allows you to configure hotspots. There are a bunch of different ones; this is the Buffalo DD-WRT build right here, so you have Sputnik, Hotspot System, WiFiDog, ChilliSpot. I haven't used these other ones; I've used this one, but I haven't tried the others, but there are a lot of options here. The way this works is you just do the same sort of thing, you just set where you want them to redirect to. This one doesn't actually pass them through, because they could actually browse the internet right from hitting here, but since they're hit with an authentication page they might actually enter their credentials. It doesn't lock them down the way you can with the Pineapple.

One of my favorite methods, though, is using your laptop and just setting up a hotspot right from there. All you need is an external Alfa wireless card or something like that, and then you can deploy these things very easily. Say you set your computer up in your backpack or something like that when you're walking around, or hide it somewhere, get a really big antenna, and then it works pretty well; you catch a lot of flies that way. The way to do this is actually to use Kali Linux, and with Kali, once you get someone going through your box and you're running Kali, you can do anything to them. The Pineapple has a lot of really cool tools, but Kali has all the tools, so you can do so many cool attacks once people are connected to you, if they connect into your actual system. Pretty fun. One of the tools I use to do this on the Kali box is called PwnSTAR, a really cool tool; it's by SilverFoxx. Awesome, awesome, cool. Essentially it streamlines this whole process. By default, this is the landing page it comes with; it's this standard Google authentication page, which might trick some people, might trick grandma or something like that. What we want to do is replace this and make it something more realistic.

This is why I actually work for LogRhythm, and so what we did is we actually stood up one of these attack-finding exercises for our employees at one of our big events. We hid about four Wi-Fi Pineapples throughout the event center, set up these fake captive portals, and got our salespeople to log into them. This is fun. The key, though, when you do something like this, is it's not to call anyone out or make fun of them or anything like that; even though they are salespeople, we don't make fun of them. It's to train them, to show them these kinds of attacks are very real, very easy to deploy, and they could be deployed anywhere. I mean, I'm guessing right here at BSides some people are probably running some fake APs, I'm willing to bet. But it's fun doing this stuff. So how does this work? Let's see the back end of essentially this attack using PwnSTAR.
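A defender's counterpart to the cloning steps above, added here as an example and not part of the talk or of any tool it mentions: a small Python audit of a captive-portal login page that flags the weaknesses the talk points at (the portal served over plain HTTP, a client MAC exposed in the URL, and a credential form that posts over HTTP or to a host other than the portal itself, which is exactly what a swapped-out form processor looks like from the client side). The portal hostnames, URLs and HTML below are constructed, and the finding codes are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlparse

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and bare 12-hex MAC forms.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^[0-9a-f]{12}$", re.I)


class FormCollector(HTMLParser):
    """Records each <form>'s action and method and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_portal(page_url, html):
    """Return a sorted list of finding codes for one captive-portal page."""
    findings = set()
    page = urlparse(page_url)

    # First observation from the talk: the splash page itself is plain HTTP.
    if page.scheme != "https":
        findings.add("PAGE_OVER_HTTP")

    # Second observation: the client MAC travels in the query string.
    for _, value in parse_qsl(page.query):
        if MAC_RE.match(value):
            findings.add("MAC_IN_URL")

    collector = FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if not form["has_password"]:
            continue  # only forms that carry credentials matter here
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.add("CREDENTIALS_OVER_HTTP")
        if target.hostname != page.hostname:
            # Credentials leaving for another host is what a cloned portal
            # with a replaced form processor looks like from the client.
            findings.add("CREDENTIALS_POSTED_OFF_HOST")
        if form["method"] != "post":
            findings.add("CREDENTIALS_IN_QUERY_STRING")
    return sorted(findings)


# Constructed samples; neither the hosts nor the pages are real.
WEAK_URL = "http://portal.example-isp.test/login?client_mac=00:11:22:33:44:55&ap=4"
WEAK_HTML = """<html><body>
<form method="post" action="http://collector.example.test/process.php">
  <input name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

GOOD_URL = "https://portal.example-isp.test/login?session=4f9c"
GOOD_HTML = """<html><body>
<form method="post" action="/login">
  <input name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

if __name__ == "__main__":
    for url, page in ((WEAK_URL, WEAK_HTML), (GOOD_URL, GOOD_HTML)):
        print(url, "->", audit_portal(url, page) or ["no findings"])
```

Run against the weak sample this reports all four conditions; the HTTPS portal whose form posts back to its own host reports nothing. On a real engagement the same function can be fed the page a client actually received, which makes the off-host form action a cheap tell for a cloned portal even when the visible HTML is a pixel-perfect copy.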
Right here we're just running iwconfig. Now we're going to plug in our external wireless card; we see it popped up right there. We're going to connect it to our Kali box, and we run iwconfig once more just to make sure it's connected. There we go, looking good. Now it's as simple as this: we just run PwnSTAR. This is why I love this tool; it streamlines this whole process, makes it super easy, super fast. There are a ton of different attacks you can do here, but we're going to go down to the advanced menu, and from here we're going to use the captive portal attack. Notice there are all these; you can deploy exploits and stuff like that directly from this tool, which makes it really easy to attack clients. So yes, we'll be giving internet access, and we're going to define eth0 as our access point and wlan1 as our wireless card. Super simple; it's like paint by numbers to hack people. It's awesome. Right here we're just going to randomize our MAC. This is one of the most important things you can do if you ever do wireless pen testing: change your MAC. We catch people all the time because they don't change their MAC, so it's a very, very common thing that people just overlook. Right here we're just setting all the variables; here we're getting our IP, we just set the access point channel, and now we're going to do the bullseye attack. The bullseye attack is where we're going to spoof one access point; these other ones, like black hole, we can spoof all of them and have our one access point that we stood up, but we're just going to go for the one access point. So we plug in the network, the Xfinity Wi-Fi we're going to be spoofing, and now it's launching all the tools we need in the back end; airbase-ng is now showing us all of our configuration settings.

Right here we're going to choose simple. By default the simple hotspot looks like that one I showed a screenshot of earlier, but we actually replaced that with our new captive portal, so we just have it point there instead. There are a few configuration items in the back end with PwnSTAR as well, so if you want to set this up, just let me know and I can show you some of those tricks. So essentially we have everything running; now we just have to set up our tools so we can actually sniff traffic once they're connected, because credentials are good, but we also want to see what else is going on; we want to capture other data. So start ferret, start sslstrip, start all the good tools. I'm not going to tail any of these right now because they're just going to write out; we'll look at those later. The one file we are going to tail is our log file, the one that gets generated for the captive portal we're standing up. Looks like we're good to go; now we'll just tail our logs and wait for some people to come and join our access point.

Let's switch over to the client. I decided to do a mobile client for this one just because it's fun, and I wanted to figure out how to record on my phone. We've just joined this xfinitywifi access point, so now we're connected. Now let's try and browse somewhere. I'm going to go to the DC303 page; I could type it right there. There we go, there's our splash page, and we got the mobile version, so this is working. You can see it's going to our directory, X, and then our index page, our fake page. Say sign in, but it doesn't work: invalid username. Yeah, that's totally believable. So they enter it again, and sure enough, they're allowed through now, and then we redirect them back to the real access point's drop-out page. There we go; now they're passing through our access point. As simple as that, and now they can go back to their original page. Simple, right?

So how does this look on the back end? As we can see right here, we'll see some queries starting to run, and essentially this is all the apps on my phone in the background just calling out from the second I connected this thing, so you can see how much data your phone leaks just from this little demo. Right here you see there's Amazon calling out, right there they're trying to hit DC303, and they're getting redirected to this X directory, which is all of our cloned files. Now you can see they've logged in one time, so there's their first attempt, and then they log in one more time and now they're passed through, essentially all the way through the access point. So simple, but very effective. Now you can take this a step further; you can actually launch browser attacks and things like that once they actually connect through. We don't have too much time to go into how to do all that, but essentially once you own their connection, you can do anything you want to them. Look at the DarkHotel attack: this is how they deployed malware to targets that visited specific hotels; they owned the access points. You get a lot of potential once you own the access point.

Now, the problem with bringing your computer around everywhere to do this is it's big, it's bold, it's a dead giveaway that you're up to no good. If I had my antenna hooked up right now it probably wouldn't be taken too kindly, so you have to be aware of that. The best way to get around that is to actually use a BeagleBone or Raspberry Pi or something like that to combine the versatility of Kali Linux with the portability of something like a Wi-Fi Pineapple, so you have that whole wealth of tools right there that you can deploy and hide very easily. The one I use, I just use the BeagleBone Black and a basic Alfa Wi-Fi card, and there are smaller ones that you can get now, so they can be even more stealthy. Once you set one of these up, this is kind of what it looks like, and you want to get creative with these things: you can tape it together, you want to make it look like something that's supposed to be there if you're going to deploy this within some organization somewhere, and hide them somewhere where it's not too easy to find.

Next thing, though: you want to take it to the next step and actually do this from your phone directly. Has anyone here messed with NetHunter? Very cool. There is so much potential within NetHunter; you can essentially do all these same attacks right from your phone. You can actually install PwnSTAR on NetHunter as well, so it works really well. The other option is also Pwnie Express; they have some really cool tools like the Pwn Phone and stuff like that. They're actually even more extensible; you can do Bluetooth attacks and stuff that are very cool from the phone. Essentially, it looks like this; this is actually a few versions older, the splash page here, but you can essentially have PwnSTAR up and running on your phone. Now, when people connect through here, it's going to be pretty slow, so you're going for credentials, essentially, if you're going this route, but at least you've got the credentials. There are tons of other ways to do this, lots of tools out there; definitely check out the Pwnie Express guys, they have some really cool tools for deployment in this kind of scenario. Check it out. TP-Link access cards are very good as well, so definitely look into those.

Now, what about man in the middle? Now that we've covered how to build these attacks, how to clone some web pages, how to actually do some stuff against clients, what about actually getting into man in the middle; how do we actually get usable data out of this? There are tons of tools out there for man in the middle; these are just a few of my favorites that I've listed here, but we could do a whole talk on just man-in-the-middling traffic, especially once you own the access point. The cool thing about captive portal based access points: if you're after a client, you don't even need the captive portal to attack the clients. The captive portal just blocks you from accessing the internet; it doesn't block you from accessing other people's computers. That's a big gap I'm seeing with companies as we talk to them about this kind of thing: they don't realize that, oh, you can actually access my system when I'm on this access point even though you didn't authenticate to it. That's a big target right there, so if you know someone's on an open access point, you don't even have to have credentials; go after that person.

Now, some fun with man in the middle. Has anyone ever messed with Snapception? This is a fun tool; essentially what it does is take Snapchat pictures, decode them and show them on the screen. As people are uploading Snapchat images and stuff like that, it just pops them out of the network and shows them to you. It's funny because people think, oh, no one's going to see this, but you can, right there. Love Thy Neighbors: this is a really fun project, also by Josh Wright, a really cool tool; essentially you can do some evil to people, like progressively blurred images on pages, you can send them cat facts and stuff like that. There's all sorts of fun stuff. airpwn actually came out at DEF CON a long time ago; you can actually still use this to do some fun attacks. Intercepter-NG is actually one of my favorite little tools, just for using on the phone. Essentially it has an Android application; there's also a Linux client application for it as well. It's really cool because it makes it super easy to hijack people just by sniffing their traffic, ARP poisoning, all that good stuff, and there are tons of other things you can do.

Let's take a look at Intercepter-NG, because I really like this one; it's a fun one. First we're going to spin it up. I've got my little Android phone here; this is my wife's iPhone right here. Right now we're just getting the network; we're going to find the IPs. Now we're going to pick her phone out, and we'll just select that one. Now we're going to go over and spin up; we're going to select resurrection, sslstrip, lock screen off, so we can set this up and lock our phone and it'll keep running in the background. We have all this stuff running; we're going to save a pcap, do all that good stuff. So right now we are ARP poisoning my wife's phone, and she's going to visit Amazon. I have to refresh it again; you'd think a recording would be better. Now we can see her phone's traffic is going through our phone and she's browsing Amazon, and just like that we steal her cookies, because Amazon does some requests over HTTP that do send the cookies sometimes. You can see we're logged into her account; we just select it, and now we can log in. This is why I like Intercepter-NG so much: so easy to use, a super simple tool, very effective to essentially hijack session tokens. But I mean, Amazon's aware of this, because that's why they have you authenticate to do anything that actually has value; you have to re-authenticate if you're going to change your card or update your info, stuff like that. So they are aware of this.

So how do we defend against this? This is kind of the whole point of why we're talking about all this stuff in the first place. If you do have to use an open access point, you want to try to VPN your traffic: use a VPN, a VPS, SSH port forwarding, something like that, so you're tunneling your traffic and it's not as easy for someone to intercept. But as you guys saw, the second you connect to an access point, you're already leaking info, so this isn't an end-all be-all. When you're somewhere like an airport, things like that, very crowded areas, make sure you turn off all your wireless cards, turn off Bluetooth, turn off all that stuff, because even when your computer's asleep sometimes it will still be trying to beacon. When a hotspot's not served up over HTTPS, when they aren't encrypting your traffic, that's something to definitely be aware of. And then duplicate networks with different encryption: say there's one network that has WPA2 encryption and then one network that has no encryption but the same name; that's something you definitely want to be aware of, and you want to avoid the one that is open. Use different login details and passwords for public Wi-Fi. You
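The last defensive point, duplicate networks with the same name but different encryption, and the evil twin attack earlier in the talk both show up in an ordinary scan. As an added example (not from the talk or any tool it names), this Python snippet parses a constructed scan listing and flags three things a defender would want to see: SSIDs advertised both open and encrypted, BSSIDs broadcasting one of your own SSIDs that are not in your AP inventory, and BSSIDs with the locally administered bit set, meaning a randomized or spoofed address rather than a vendor-assigned one (a weak signal on its own, since some gear legitimately does this). The scan lines, BSSIDs and inventory are all constructed.

```python
import re
from collections import defaultdict

# Constructed scan listing in a generic "BSSID channel encryption SSID"
# layout; none of these addresses or networks are real.
SAMPLE_SCAN = """\
BSSID              CH  ENC   SSID
00:11:22:aa:bb:01   6  WPA2  CoffeeShop
00:11:22:aa:bb:02  11  WPA2  CoffeeShop
02:de:ad:be:ef:01   6  OPN   CoffeeShop
00:11:22:aa:bb:10   1  OPN   xfinitywifi
00:11:22:aa:bb:11  11  OPN   xfinitywifi
00:11:22:aa:bb:20   6  WPA2  OfficeNet
06:13:37:00:00:01   6  WPA2  OfficeNet
"""

# Constructed inventory of the access points the defender actually owns.
KNOWN_APS = {
    "CoffeeShop": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "OfficeNet": {"00:11:22:aa:bb:20"},
}

LINE_RE = re.compile(r"^([0-9a-f:]{17})\s+(\d+)\s+(\S+)\s+(.+?)\s*$", re.I)


def parse_scan(text):
    """Turn the scan listing into a list of dicts; the header line is skipped."""
    aps = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line.strip())
        if m:
            aps.append({
                "bssid": m.group(1).lower(),
                "channel": int(m.group(2)),
                "enc": m.group(3).upper(),
                "ssid": m.group(4),
            })
    return aps


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set (randomized/spoofed address)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def mixed_security(aps):
    """SSIDs seen both open and encrypted: the evil-twin pattern the talk warns about."""
    enc_by_ssid = defaultdict(set)
    for ap in aps:
        enc_by_ssid[ap["ssid"]].add(ap["enc"])
    return sorted(s for s, encs in enc_by_ssid.items() if "OPN" in encs and len(encs) > 1)


def unknown_bssids(aps, known):
    """(ssid, bssid) pairs advertising one of our SSIDs from a BSSID we do not own."""
    return sorted(
        (ap["ssid"], ap["bssid"])
        for ap in aps
        if ap["ssid"] in known and ap["bssid"] not in known[ap["ssid"]]
    )


def locally_administered_aps(aps):
    """(ssid, bssid) pairs whose BSSID is not a vendor-assigned address."""
    return sorted((ap["ssid"], ap["bssid"]) for ap in aps if is_locally_administered(ap["bssid"]))


if __name__ == "__main__":
    aps = parse_scan(SAMPLE_SCAN)
    print("SSIDs with mixed security:", mixed_security(aps))
    print("Unknown BSSIDs on our SSIDs:", unknown_bssids(aps, KNOWN_APS))
    print("Locally administered BSSIDs:", locally_administered_aps(aps))
```

On the sample, CoffeeShop is the only SSID offered both open and WPA2, and the two rogue BSSIDs are caught twice over: they are absent from the inventory and both carry a locally administered address. The xfinitywifi entries are open everywhere, so the mixed-security check stays quiet on them, which is why the inventory comparison matters for SSIDs you actually operate.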