Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ft. Smith 2600. Evil Twin Access Points: For fun but no profit.

Published byCathleen Bradley Modified over 9 years ago

Similar presentations

Presentation on theme: "Ft. Smith 2600. Evil Twin Access Points: For fun but no profit."— Presentation transcript:

1 Ft. Smith 2600

2 Evil Twin Access Points: For fun but no profit

3 What is it? An “Evil Twin” access point is a rogue access point* set up intentionally to trick users into connecting to it rather than the legitimate access point

4 Rouge Access Point Definition Rouge access point (rap) - an unauthorized access point. They are not always someone with ill intent. ex: A rap may be a employee who has set up a linksys router without permission or enabled proper encryption, in his/her cubicle, by doing this he/she may have bypassed all of the company’s security policies and maybe broadcasting said company’s confidential data in clear text for anyone to see.

5 Why does it work? Primarily because many end users (CEO’s, employees, home users, etc.) don’t think that they may be a target

6 Who is vulnerable? Too many home users Many small businesses Quite a few bigger institutions (Schools and corporate entities)

7 Vulnerable hardware Gray area : remember, your primarily tricking users, not the access points, but you may have to take the AP out in order to do so.

8 How does it work? Mac’s and PC’s because both automatically scan for preferred networks on startup. Some user-friendly Linux distros do this too! it probes for preferred networks when it does so, it sends the AP mac address as part of the probe packet. In comes Hotspotter or Karma!

9 How can I make it work? There are several ways to go about it:  Walled Garden type (fake hotspot pages like T-mobile, Starbucks, McDonald’s, etc.)  Flooding with fake SSID’s to confuse the user and have them connect to one of the many SSID’s that route back to you  Completely knocking their access point out by an association flood (or other method), and sliding in yours

10 Tools Auditor – bootable Linux distro for pen testing Void11 – Mainly used for de-auth attacks and to generate traffic (Prism II chipset only) Airsnarf – My fav tool for Walled Garden type attacks (they say you can use Atheros chipset but I cant) Hotspotter or Karma – common tools for forging SSID’s

11 Scenario 1 You are in a coffee shop in a major-metropolitan area (New York City, for example) with paid, monitored, or even encrypted WiFi Many users have laptops, PDA’s, etc. Perform a de-authentication attack to force everyone off of their network or an association flood to crash the router. Slip your evil twin in the mix with an SSID like “$.99Wifi”, “ Un-monitored Wifi”, or even the same SSID as the encrypted WiFi just not encrypted  Make sure your running dhcpd to assign ip addresses automatically Hopefully, people will try to reconnect see that your access point is cheaper, un-monitored, or not encrypted and connect to it instead Have a convincing “Walled Garden” type login page

12 Scenario 1 (cont.) In this scenario the attacker can collect a variety of data  Legitimate credentials (used to login to the AP later)  Credit card numbers for “$.99wifi”  Since the users are on your network browse any shares they may have. You may get private corporate data from the business man in the corner.  People’s names and addresses

13 Scenario 2 You’re on a flight to L.A. Again, business men are working on their notebooks. Since XP and Macs (and Linux too!) are so friendly, they will announce their presence and look for preferred networks. Run Karma or Hotspotter to fake them out

14 Scenario 2 (cont) Use nmap to scan the host using (p0f OS detection) and use the –sV for services and version Fire up Metasploit and drop a reverse shell (provided they were running vulnerable services, of course) The system is backdoored. Now you can drop a rootkit and have it scan its entire netmask when it gets back and have it email it to you … or something (/)\/\/N3[) !!!1!s

15 Oopps. My bad. I meant to have a live demo of one of these attacks but I got too busy and didn’t get it together in time. maybe next time.

16 Conclusion The world is a dangerous place. An informed user may or may not be a safe user. Only try this at home. Be good, pass it on.

17 Credits/Props Simple Nomad – Hacking the Friendly Skies (great read) The Shmoo Group @ shmoo.com (airsnarf) Remote-exploit.org (auditor and backtrack) KoreK (chop-chop attack on WEP and cool ass name) Fresh BeanZ ( venue for this talk and meetings ) 2600.com ( the original hacker panel )

18 Counter Measures Kismet set to filter out known ssid’s For windows Netstumbler can do that too Airsnare for windows Snort for Linux Document all of your wireless access points The normal stuff (use wpa, change key at reg. intervals, etc.)

Download ppt "Ft. Smith 2600. Evil Twin Access Points: For fun but no profit."

Similar presentations

Overview How to crack WEP and WPA

Overview How to crack WEP and WPA
Wireless LAN Security Understanding and Preventing Network Attacks.

Wireless LAN Security Understanding and Preventing Network Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University Kai, 2004 INSA1 Using Kismet to enhance the security level in enterprise.

Information Networking Security and Assurance Lab National Chung Cheng University Kai, 2004 INSA1 Using Kismet to enhance the security level in enterprise.
“All your layer are belong to us” Rogue 802.11 APs, DHCP/DNS Servers, and Fake Service Traps.

“All your layer are belong to us” Rogue APs, DHCP/DNS Servers, and Fake Service Traps.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Configuring your Home Network Configuring your Home Network Jay Ferron ADMT, CISM, CISSP, MCDBA, MCSE, MCT, NSA-IAM.

Configuring your Home Network Configuring your Home Network Jay Ferron ADMT, CISM, CISSP, MCDBA, MCSE, MCT, NSA-IAM.
Wi-Fi Security January 21, 2008 by Larry Finger. Wi-Fi Security Most laptops now come with built-in wireless capability, which can be very handy; however,

Wi-Fi Security January 21, 2008 by Larry Finger. Wi-Fi Security Most laptops now come with built-in wireless capability, which can be very handy; however,
Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.

Simple ways to secure Wireless Computers Jay Ferron, ADMT, CISM, CISSP, MCSE, MCSBA, MCT, NSA-IAM, TCI.
Wireless Weaponry The Shmoo Group. Intro a.k.a. WTF is Shmoo? Howdy! Who’s who up here? What the hell are we gabbing about? “Who’s Shmoo?” takes too long.

Wireless Weaponry The Shmoo Group. Intro a.k.a. WTF is Shmoo? Howdy! Who’s who up here? What the hell are we gabbing about? “Who’s Shmoo?” takes too long.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
Analysis of 802.11 Privacy Jim McCann & Daniel Kuo EECS 598.

Analysis of Privacy Jim McCann & Daniel Kuo EECS 598.
Chapter 7 Securing your Wireless Network (WIFI). Synopsis What is a wireless home network? What damage can a wireless network snoop do? Who are the snoopers?

Chapter 7 Securing your Wireless Network (WIFI). Synopsis What is a wireless home network? What damage can a wireless network snoop do? Who are the snoopers?
Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Network Security Peter Behrens Seth Elschlager. Computer Security Preventing unauthorized use of your network and information within that network. Preventing.

Similar presentations

Ads by Google