Imagine we’re sitting at a Starbucks on a Friday afternoon. The coffee shop is pretty busy and full of aspiring hipsters sipping soy lattes and typing away at their MacBooks while loudly listening to Miles Davis.Suppose we really dislike Miles Davis for some reason, and we really want to turn that music off. We could connect to the open WiFi network and perform an ARP poisoning attack, which would create a MITM situation and allow us to sniff their Spotify creds. Such attacks are easily detectable, however, and they tend to place a pretty high load on the target network.
Now suppose that the coffee shop’s WiFi network is named “Starbucks WiFi” and operates on channel 6. What would happen if we decided to spin up a soft access point using our laptop and an external WiFi card with channel set to 6 and SSID set to “Starbucks WiFi”?Providing the signal strength from our WiFi card is strong enough that every connected device would drop from the legitimate access point and connect to ours instead. At this point, we could route the traffic from our access point to another network interface, one that is connected to a valid Internet gateway.Now we have a man in the middle situation with surprisingly amazing throughput, and the creds are as good as ours. This is called an Evil Twin attack.
Let’s take our Evil Twin example a step further. Suppose we’re sitting across the room from a loud, obnoxious dude with his cell phone sitting on the table in front of him. We really want to steal this guy’s Gmail creds. Although he has his WiFi turned on, he unfortunately is not connected to a wireless network.This means that we can’t just force a connection by creating an Evil Twin of whatever WiFi network his phone is currently associated with. Are we done here? Far from it.Most 802.11 enabled devices keep a list of preferred networks, which is populated with the SSID and channel of every WiFi network it has previously connected to. These devices constantly send out probe requests, which are used to check if a preferred network is nearby.This means that if the guy’s phone has previously connected to “attwifi” on channel 1, it will constantly send out probe requests for this SSID and channel.By sniffing for probe requests coming from his phone, we can easily determine that “attwifi” is one of his preferred networks and that he connects to it on channel 1. If we were to spin up a soft access point on channel 1 with SSID set to “attwifi”, his phone would connect within seconds. We once again have our amazingly reliable MITM situation, allowing us to happily steal his creds.From a security standpoint, 802.11 is a really shoddy protocol. Although it was designed to be reliable and scalable, security was clearly not a primary consideration. For this reason, Evil Twin detection is critical to the security of any wireless network.Unfortunately, enterprise solutions to this problem can range from $400 a unit to over $4,000 for a software license. That’s a pretty steep price, which is probably why a lot of network admins on a budget don’t take these kinds of protections into consideration.Fortunately, creating a DIY alternative to Enterprise Rogue AP protection is surprisingly easy. All you need is a Raspberry Pi, a couple of cheap USB WiFI cards, and a bit of Python scripting knowledge.In my presentation at BSidesSLC on March 10th and 11th, I will discuss simple and highly effective methods of detecting and mitigating Evil Twin and Karma attacks. These techniques can all be implemented using short Python scripts and commodity hardware. The talk will include live demos of such a tool and will be accompanied by a source code release.
About the Author: Gabriel Ryan is a pentester, CTF player, and Offsec R&D. He is currently double majoring in Math and Computer Science at Rutgers University, and has worked for OGSystems and Top Hat Security. He is president of the Rutgers CTF team (RuSec) and has served as a board member of the Rutgers Undergraduate Alliance of Computer Scientists. Things that make him excited include wireless security, XSS worms, and playing with fire. In his spare time he enjoys live music and riding motorcycles.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.Title image courtesy of ShutterStock