Sunday, October 16, 2016

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.5 - Attack "Evil Twin" spoofing the SSID and MAC of the AP

2.5 - Attack "Evil Twin" spoofing the SSID and MAC of the AP

- The "Evil Twin" attack consists of the attacker introducing a new AP that shares the same name (SSID) and/or the same MAC address as the legitimate AP of the authorized network. In that way, some unaware users could connect to the malicious AP believing that it is a trustworthy one. Once such a connection is made, the attacker can act as a Man-In-The-Middle (MITM), getting access to all the client's packets.

a) spoofing only the SSID (name of the network)

- First of all, we show information about the legitimate AP (00:25:F2:9B:91:23) and its network called "spaniard":

- The laptop "roch" (28:C6:8E:63:15:6B) is connected to the legitimate AP (00:25:F2:9B:91:23):

Next, a new, fake AP will be created using the airbase-ng command. The fake MAC address will be AA:AA:AA:AA:AA:AA, the SSID "spaniard" (imitating the legitimate one), and the working channel 6:

- Wireshark captures broadcast Beacon frames from the new AP, whose BSSID = AA:AA:AA:AA:AA:AA, announcing its SSID = "spaniard":

Also, some seconds after the creation of the fake AP, the client "roch" detects the existence of this new AP, also called "spaniard" like the legitimate one:

- Now, let's connect the client "roch" to the fake AP. Remember that the attacker could achieve this just by deauthenticating the client (or all clients) and waiting for the client to reconnect by itself, as shown in the previous example 9.2. But in this case it will be done manually, for ease of demonstration:

- Checking what is happening at the fake AP (AA:AA:AA:AA:AA:AA) with airodump-ng, we can verify that the client "roch" is connected to the attacker's newly created AP. As seen in the image, the fake AP does not use any authentication (OPN = open):

- So, as a result of the creation of the fake AP "spaniard", the client or victim "roch" cannot distinguish between the good "spaniard" AP and the evil "spaniard" AP.

- The final deciding factor for connecting would be the signal strength, because the client connects to the AP with the higher signal strength, which usually depends on proximity. In this way, the attacker achieves the goal of having the victim connected to the fake AP, in the false belief that it is connected to the legitimate one.

b) spoofing the ESSID (name of the network) and the BSSID (MAC address)

- In the previous example we used a very easy to discover MAC (AA:AA:AA:AA:AA:AA), but now not only the ESSID but also the BSSID (MAC address) will be spoofed.

- Using the airbase-ng command again, a new AP is created with both the ESSID and the BSSID imitating the legitimate AP:

The fake network is detected by airodump-ng, showing that it does not use encryption (OPN=open):

- But airodump-ng also detects the legitimate network, with WPA-PSK CCMP encryption:

- So, although working in different bands and channels, there are two networks and APs sharing the same SSID ("spaniard") and the same BSSID (00:25:F2:9B:91:23).

- Any client could connect to the attacker's AP, unaware of the deception.

- Also, using the Vistumbler network detector, both "spaniard" networks are available, with the same MAC address:

As can be seen in the previous screenshot, the only difference between both "spaniard" networks is the authentication type: the legitimate one uses WPA2-CCMP and the evil one uses Open authentication. Which one of the two would an unaware user pick? If his knowledge about Wi-Fi security is low, he would probably choose the open one, falling into the attacker's trap.
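Both scenarios above leave the same fingerprints in scan data: in a) an unknown BSSID advertises the authorized ESSID, and in b) the authorized BSSID is seen twice with conflicting parameters (different channel, WPA2 on one and Open on the other). The following is an added example, not code from the original post or from the aircrack-ng project, of how a defender can turn those fingerprints into a wireless-IDS check. It works on a list of AP observations in the shape airodump-ng reports them (BSSID, ESSID, channel, privacy); the observation list and the `AUTHORIZED` whitelist are constructed here to mirror the page's two scenarios, and the function names are this example's own.

```python
"""Flag evil-twin indicators in a list of observed access points.

The input records mimic what airodump-ng shows per AP. The sample data and
the whitelist of authorized APs are constructed for this example.
"""
from collections import defaultdict

# Constructed observations (not captured data):
#   row 0: the legitimate "spaniard" AP (WPA2-CCMP)
#   row 1: scenario a) a foreign BSSID advertising the same ESSID, open auth
#   row 2: scenario b) the legitimate BSSID cloned on channel 6, open auth
#   row 3: an unrelated network, used to show that it raises nothing
OBSERVED_APS = [
    {"bssid": "00:25:F2:9B:91:23", "essid": "spaniard", "channel": 1, "privacy": "WPA2"},
    {"bssid": "AA:AA:AA:AA:AA:AA", "essid": "spaniard", "channel": 6, "privacy": "OPN"},
    {"bssid": "00:25:F2:9B:91:23", "essid": "spaniard", "channel": 6, "privacy": "OPN"},
    {"bssid": "11:22:33:44:55:66", "essid": "guest", "channel": 11, "privacy": "WPA2"},
]

# What the network owner knows to be legitimate (assumed whitelist).
AUTHORIZED = {"spaniard": {"bssid": "00:25:F2:9B:91:23", "privacy": "WPA2"}}


def find_evil_twins(aps, authorized):
    """Return a list of (bssid, channel, reason) findings; empty means clean."""
    findings = []

    # Check 1: any AP advertising an authorized ESSID must match the
    # whitelist on both BSSID and security type.
    for ap in aps:
        known = authorized.get(ap["essid"])
        if known is None:
            continue  # not one of our networks, nothing to compare against
        if ap["bssid"] != known["bssid"]:
            findings.append((ap["bssid"], ap["channel"],
                             f"foreign BSSID advertising ESSID {ap['essid']!r}"))
        if ap["privacy"] != known["privacy"]:
            findings.append((ap["bssid"], ap["channel"],
                             f"security mismatch for {ap['essid']!r}: "
                             f"expected {known['privacy']}, saw {ap['privacy']}"))

    # Check 2: one BSSID seen with more than one (channel, privacy) pair means
    # two radios are claiming the same MAC, which is scenario b) exactly.
    seen = defaultdict(set)
    for ap in aps:
        seen[ap["bssid"]].add((ap["channel"], ap["privacy"]))
    for bssid, combos in seen.items():
        if len(combos) > 1:
            detail = ", ".join(f"ch{ch}/{priv}" for ch, priv in sorted(combos))
            findings.append((bssid, None,
                             f"BSSID observed with conflicting parameters: {detail}"))
    return findings


def client_should_join(saved_profile, ap):
    """Client-side rule: a saved profile is bound to its security type, so a
    beacon for the same ESSID with a different security type is refused even
    if its signal is stronger. This is the check that keeps a user from
    'picking the open one'."""
    return (ap["essid"] == saved_profile["essid"]
            and ap["privacy"] == saved_profile["privacy"])


if __name__ == "__main__":
    for bssid, channel, reason in find_evil_twins(OBSERVED_APS, AUTHORIZED):
        where = f"ch{channel}" if channel is not None else "multi-channel"
        print(f"[ALERT] {bssid} ({where}): {reason}")
    profile = {"essid": "spaniard", "privacy": "WPA2"}
    for ap in OBSERVED_APS:
        print(ap["bssid"], ap["privacy"], "join" if client_should_join(profile, ap) else "refuse")
```

Run over the constructed data, the checker raises four alerts: the foreign BSSID AA:AA:AA:AA:AA:AA on two counts (unknown MAC, open auth), the cloned 00:25:F2:9B:91:23 on channel 6 for the WPA2-to-Open downgrade, and that same BSSID once more for appearing with two different channel/security pairs. The second function shows the mitigation from the client's side: a profile saved as WPA2 never matches an open beacon, so the signal-strength tie-break the page describes never gets to run.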