Sunday, October 16, 2016

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.9 - Automating the creation of a honeypot

2.9 - Automating the creation of a honeypot

- Gerix Wifi Cracker is a software tool designed to automate attacks against Wi-Fi networks. Due to the fact that a Graphical User Guide (GUI) is available, the easiness of use is improved in comparison with command shell:

- For starting Gerix from the "kali" command shell:

- Gerix is launched:

- On the Configuration tab, and selecting wlan0 interface, clicking Enable/Disable Monitor Mode puts wlan0 in promiscuous/monitoring mode:

- The virtual interface mon0 is created. To change the MAC address, so that it cannot be recognized, Set random MAC address tab is clicked:

- Now, both mon0 and wlan0 have changed their MAC address numbers. It is important to write down the MAC address 58:6D:BC:54:58:C9, because it will be the MAC associated to the fake AP "honeypot":

Clicking the tab Fake AP, the honeypot is created without any authentication. Of course, in a real environmente, an attacker would use a less suspicious network name like "honeypot":

- Gerix announces the creation of the honeypot. Actually, it can be checked that the real command shell is airbase-ng, working behind the Gerix GUI:

- Now, "kali" detects its owned created fake AP, wich ESSID is "honeypot", and MAC address 58:6D:BC:54:58:C9. So far, no client is associated to "honeypot":

- From "roch", Vistumbler detects "honeypot" with all its features:

- Now, it is time to connect the victim "roch" to the network:

- The association is succesful:

- Gerix announces that a client with MAC 28:C6:86:63:15:6B ("roch"s MAC address) has associated to the network whose ESSID is "honeypot":

- Also, airodump-ng detects "roch" connected to "honeypot":

- So, the deception to the victim has been a success. The same attack could have been done using another AP's legitimate name.

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.8 - Working at disallowed channels and exceeding power output limits

2.8 - Working at disallowed channels and exceeding power output limits

- Because every country in the world has got its own legislation regarding to the radio spectrum, it is important to know which are the channels and output power allowed in every place. Moreover, each wireless network interface has got its own default regulatory settings.  
- First of all, assuming we are in the United States (US), let's take for instance the US regulatory domain:

- This new setting is immediately detected by the log file of the system:

- In the US regulatory domain is perfectly possible to use channel 11:

- But it is not allowed channel 12:

- About the power output, maximum allowed is 27 dBm (500 mW):

- For that reason, 30 dBm ( 1 Watt) is rejected:

- Now, although being physically in the US, the regulatory domain can be changed, for instance to Bolivia (BO):

- Again, the log file records the news:

- Now, the system allows to use both channel 12 (2.467 GHz) and power 30 dBm (1 Watt), because Bolivian regulatory domains are different from the US:

- What to do for using the all over the world forbidden channel 14? the answer is to change to Japanese regulatory domain, because Japan is the only country in the world allowing channel 14:

- The log informs about the changes:

- Verifying that the wireless interface card is now working at the forbidden channel 14 (2.484 GHz):

- From this practice, we conclude that although in each country there are unlicensed wireless bands and strict power limits specified, all those regulations can be overwritten changing the regulatory domain to other country. In this way, the wireless interface card is forced to work at:
  • disallowed channels
  • more than allowed power transmission

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.7 - Discovering unauthorized clients

2.7 - Discovering unauthorized clients

- The method of discovering if there is any unauthorized client connected to an specific AP consists just on comparing the list of authorized clients with the list of the actually connected clients. There are two ways to detect what clients are connected to an specific AP:

a) checking the AP itself:

- The Access Control option allows to obtain the list of connected clients at a given instant:

- For example, in this case there are 5 clients connected to the lab's AP:

- Obviously, client "kali" shouldn't be on the authorized client list, so it could be easily considered an intruder.

b) using the airodump-ng command to explore the AP:

- It can be checked that boths ways of discovering clients yield identical output.

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.6 - Bridge to a network through a rogue Access Point

2.6 - Bridge to a network through a rogue Access Point

- The purpose of this practice is to create a rogue (fake, false) Access Point at the "kali" attacker machine, whose ESSID will be "falso", and then to connect any wireless client of the AP through a bridge to the authorized network.

- So, the bridge could be used as a backdoor to the network for any attacker connected to that rogue AP. If achieved that goal, all the efforts by firewalls and Intrusion Prevention System to protect the network would render totally useless, because the access would be free.

- First of all, using airbase-ng command, it is possible to create a Rogue AP called "falso", following the same method used at 9.3:

- Now, brctl addbr command creates a bridge, for instance called "puente", between the Ethernet interface, which is a part of the authorized network, and the rogue AP:

- Adding the Ethernet eth0 and the virtual at0 interfaces to the bridge "puente":

- Bringing up the bridge on both interfaces:

Also, ensuring that the system is routing forward all received packets:

- Finally, the client "roch" is connected to the network newly created "falso":

For the purpose of demonstrating that the practise is correctly done, it is important to note that the MAC addresss of the connected client "roch"is 28:C6:8E:63:15:6B:

- Now, at the "kali" attacker machine, it can be verified that the quoted client whose MAC is 28:C6:8E:63:15:6B (actually "roch") has associated to network "falso" at 13:37:42, two minutes later than the rogue AP was created, at 13:35:38:

- What is the conclusion of the practise? with the creation of: a) the rogue AP, and b) the bridge between the authorized Ethernet network and the rogue AP, any wireless client connecting to the AP would be able to have access to the whole LAN. For instance, from "roch", connected wirelessly to the AP "false", it is possible to ping the gateway of the wired network.

- Of course, once any client has got access to the authorized network, subsequent attacks could be launched for accessing valuable data and files. So, this would be just the first step on a full penetration attack, actually the "wireless" step of the whole potential attack.

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.5 - Attack ""Evil Twin" spoofing the SSID and MAC of the AP

2.5 - Attack "Evil Twin" spoofing the SSID and MAC of the AP

- The "Evil Twin" attack consists of introducing a new AP by the attacker, sharing the same name or SSID and/or the same MAC address with the legitimate AP from the authorized network. In that way, some unaware users could connect to the malicious AP believing that it is a reliable AP. After this evil connection is done, the attacker could act as a Man-In-The-Middle (MITM), getting access to all the packets.

a) spoofing only the SSID (name of the network)

- First of all, we show information about the legitimate AP (00:25:F2:9B:91:23) and its network called "spaniard":

- The laptop "roch" (28:C6:8E:63:15:6B) is connected to the legitimate AP (00:25:F2:9B:91:23):

Next, a new and fake AP will be created, using airbase-ng command. The fake MAC address will be AA:AA:AA:AA:AA:AA, the SSID "spaniard" (imitating the legitimate one), and the working channel the 6:

- Wireshark captures broadcast Beacon frames from new AP, whose BSSID = AA:AA:AA:AA:AA:AA announcing its SSID = "spaniard":

Also,some seconds after the creation of the fake AP, the client "roch" detects the existence of this new AP, called "spaniard" as the legitimate one:

- Now, let's connect the client "roch" to the fake AP. Remember that it could be done by the attacker just deauthenticating the client (or all clients) and waiting for the client to reconnect itself, like shown at previous example 9.2. But in this case it will be done manually, for the ease of this demonstration:

- Checking what's happening at fake AP (AA:AA:AA:AA:AA:AA) with airodump-ng, we can verify that the client "roch" is connected to the attacker's new created AP. As seen at the image, the fake AP does not have any authentication (OPN = open):

- So, as a result of the creation of the fake AP "spaniard", the client or victim "roch" would not be able to difference between the good "spaniard" and the evil "spaniard" AP.

- The final deciding factor fo connecting would be the signal strength, because the client would connect to the one with higher signal strength, what depends usually on proximity. In this way, the attacker achieves the goal of having the victim connected to the fake AP, in the false believe that it is connected to the legitimate one.

b) spoofing the ESSID (name of the network) and the BSSID (MAC address)

- In previous example we used a very easy to discover MAC (AA:AA:AA:AA:AA:AA), but now it will be spoofed not
only the ESSID but also the BSSID or MAC address.

- Using again airbase-ng command, a new AP is created with both ESSID and BSSID imitating the legitimate AP:

The fake network is detected by airodump-ng, showing that it does not use encryption (OPN=open):

- But airodump-ng also detects the legitimate network, with WPA-PSK CCMP encryption:

- So, although working in different bands and channels, there are 2 networks and APs sharing same SSID ("spaniard") and same BSSID (00:25:F2:9B:91:23).

- Any client could connect to the attacker's one, being unaware of the deception.

- Also, using Vistumbler network detector, both "spaniard" networks are available, whith the same MAC address:

As it can be seen at previous screenshot, the only difference between both "spaniard" networks is the authentication type: the legitimate one uses WPA2-CCMP and the evil one uses Open authentication. Which one of both would an unware user pick up? in case his knowledge about Wi-Fi security is low, he probably would choose the open one, falling into the attacker's trap.

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.4 - Denial of Service by deauthenticating clients

2.4 - Denial of Service attack by deauthenticating clients

- First of all, let's see the process to deauthenticate one client; airodump-ng informs about clients connected to the AP, whose MAC address is 00:25:F2:9B:91:23:

- The station 28:C6:8E:63:15:6B ("roch") is connected:

- Using aireplay-ng with option --deauth it is possible to deuthenticate the 28:C6:8E:63:15:6B station ("roch"): computer). Option 1 means just "1 client":

- Now, "roch" is disconnected from the AP:

- The concept or Denial of Service implies to render unavailable a system. One instance would be to deauthenticate all the clients connected to an AP. The difference with the previous aireplay-ng command is the option "0", which acts as a "broadcast deauthentication" for all clients:

- Wireshark constantly captures deauthentication packets from the victim to the AP, and from the AP to the client:

- After this attack, no client would be able to reconnect to the AP, while the attack is happening. Anyway, as soon as a client is disconnected, it will try to connect back immediately. For this reason, to have a successful DoS attack like this, it needs to be done in a steady way for some time, no letting clients to reconnect. The effect of this easy attack is devastating, because the whole network renders unavailable during the time the attack is being performed.

WI-FI PT / 2 - ATTACKS AGAINST INFRASTRUCTURE / 2.3 - Default accounts and credentials on APs

2.3 - Attack against default accounts and credentials on APs

- When a customer acquires an Access Point, the device usually has got default credentials provided by the manufacturer. For instance, for the Motorola AP used in this lab, the default username = admin, and password = motorola, as anybody can learn at the device's User Guide.

- It is a very important measure of security to change the default credentials of the AP, because the AP is the key element of a wireless network to be protected. Malicious access to the AP could result on the loss of the whole network.

- The process of introducing new credentials should be always done via Ethernet or wired connection, because otherwise a potential attacker could sniff and capture those credentials from the air. Actually, the User Guide provides guidelines for protecting the AP changing the default credentials:

- Moreover, in case of physical access to the AP, a malicious attacker could just reboot manually the device, resetting all the possible configuration introduced by the administrator. Then, default credentials would be working again, and access to the AP open for anybody knowing that information.