Greg Foss, profile picture
Uploaded byGreg Foss
PDF, PPTX10,465 views

Wi-Fi Hotspot Attacks

The document is a presentation on Wi-Fi hacking techniques aimed at web pentesters, discussing various attacks such as WEP cracking, WPA/WPA2 attacks, and man-in-the-middle strategies. It provides methods for bypassing captive portals, deauthentication of clients, and hijacking techniques, while also warning that many techniques demonstrated are likely illegal and not advisable against unauthorized targets. The document includes resources and tools for testing and defending against potential Wi-Fi security threats.

Embed presentation

Download as PDF, PPTX
Wi-Fi Hacking for Web Pentesters Greg Foss Sr. Security Research Engineer @heinzarelli
Greg Foss Sr. Security Research Engineer OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT # whoami
*I am not liable for what you do with any of this information* Section 638:17 House Bill 495 - US rules against wireless hacking http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States
DISCLAIMER Not a ‘Wi-Fi Security Expert’ nor a Lawyer Just about everything I’m going to demonstrate is probably illegal, don’t do any of this against unauthorized targets…
Not Discussing Wi-Fi Security Basics • 802.11 • WEP Cracking - ridiculously easy, google it • WPA / WPA2 Attacks - Reaver • WPS Attacks - Reaver • PEAP, LEAP, etc. - Out of Scope
Agenda…
it’s everywhere… enough free WiFi that it’s almost not worth the time it takes to infiltrate unless free internet’s not the goal…
Bypassing is easy… • Sometimes Tor or a VPN will simply be allowed through the captive portal, no joke • Try appending ?.jpg or ?.png to the URL • Look for Open Redirect flaws, iFrames, etc. • Tunnel out over DNS! • Same tricks work if your ISP suspends your internet access, depending on the ISP of course…
Bypassing is easy… • On time-limited access points, just change your MAC when the time runs out. Or sniff MACs and ride on another’s paid access. • De-auth existing clients and/or DoS access points: • Aireplay-ng or Airdrop • http://www.aircrack-ng.org/ • MDK3 • https://forums.kali.org/showthread.php?19498- MDK3-Secret-Destruction-Mode
Bypassing is easy… • Sniff MAC Addresses and wait for a user to go idle, then modify your MAC and IP to match • Works on just about any open access point, especially captive portals • CPSCAM by Josh Wright will do this for you: • http://www.willhackforsushi.com/code/ cpscam.pl
Hijacking is also easy…
The Evil Twin… source: http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
How to clone and weaponize captive portals 1. Connect to the access point and wait for the splash page to pop- up. 2. Close the splash page, and open your browser. Visit any random web page (http normally works better than https). 3. When the splash page comes up, save the entire landing page. Use the splash page and save additional pages as necessary. 4. Change the UA string and grab the mobile version as well if it exists. 5. Replace the form processor to write a log file and pass the client through to a legitimate landing page. 6. Modify the page HTML to point to your form processor and modify parameters as necessary. 7. Deploy the captive portal (will discuss this shortly) 8. Use IPTables to allow the victim’s MAC through to the internet using the form processor.
Mobile Cloning
Mobile Cloning • HTTrack: http://www.httrack.com/
Mobile Cloning • VT View Source:
 
 https://play.google.com/ store/apps/details? id=com.tozalakyan.view source&hl=en
How to Deauthenticate Clients and DoS Access Points • Aireplay-ng using the —deauth flag • file2air - deauth packet injection flood tool by Josh Wright • http://www.willhackforsushi.com/code/file2air/1.1/ file2air-1.1.tgz • Spoof AP MAC, send deauth requests to clients • Target a single user, all users, or AP itself • MDK3 Deauth Amok Mode to take out all WPA AP’s
How to Deauthenticate Clients and DoS Access Points source: https://github.com/sophron/wifiphisher
How to Deauthenticate Clients and DoS Access Points https://github.com/sophron/wifiphisher
source: https://www.isecpartners.com/blog/2013/july/man-in-the-middling-non-proxy-aware-wi-fi-devices-with-a-pineapple.aspx
Wi-Fi Pineapple https://wifipineapple.com/
Generic Splash Page Pineapple Configuration /etc/nodogsplash/htdocs/splash.html
Landing Page Pineapple Configuration - JavaScript Necessities /www/[directory]/index.html
PHP Form Processor Pineapple Configuration Easier than using IPTables /www/[directory]/auth/login.php
A word of caution w/ the Pineapple…
A word of caution w/ the Pineapple…
Existing Router Ideally one supporting guest mode…
DDWRT • Flash with DDWRT, then you can use NocatSplash to configure a captive portal. • Many other ways to go about this… DDWRT is just one of the easier options. • http://www.dd-wrt.com/site/index • http://sourceforge.net/projects/ nocatsplash/
Laptop Hotspot and/or Proxy
• Kali Linux • http://www.kali.org/ • Can do just about anything to connecting clients • Unlimited attack potential and plenty of drive space to build elaborate landing pages and believable scenarios Laptop Hotspot and/or Proxy
• Makes hacking Wi-Fi even easier! • https://github.com/SilverFoxx/PwnSTAR PwnStar - By SilverFoxx
Demo
Deploy Malware
Combine Pineapple portability with the versatility of Kali Linux • http://www.offensive-security.com/kali- linux/kali-linux-evil-wireless-access-point/
BeagleBone Black + Alfa Wi-Fi Card http://beagleboard.org/black http://www.alfa.com.tw/
BeagleBone AP Deployment Options get creative…
Going Mobile! • Nexus Device with Kali NetHunter • https://www.kali.org/kali-linux-nethunter/ • Pwnie Express Pwn Phone/Pad • https://www.pwnieexpress.com/product/ pwn-phone2014/
Going Mobile!
Going Mobile!
MITM Basic Tools • AirSSL • AirJack • Airsnarf • Dsniff • Cain • void11 • Ferret • SSLStrip • Wireshark • AirPwn • Ettercap • Etc…
You don’t even need to authenticate to attack clients
Fun with MITM • Snapception - https://github.com/thebradbain/ snapception • Love Thy Neighbors - http:// neighbor.willhackforsushi.com/ • AirPWN - http://airpwn.sourceforge.net/ Airpwn.html • Intercepter-NG - http://intercepter.nerf.ru/ • Many, many more…
Demo
Client Defense… • Always use a VPN/VPS/SSH Port Forwarding/ etc. when connected to an open access point. • Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’. • Hotspot not served up over HTTPS and other generally suspicious behavior. • Beware duplicate networks with different encryption.
Client Defense… • Use different login details and passwords for public wifi. Test false-credentials first, if it lets you through it’s not legit. • Turn off Wi-Fi on devices when traveling. • Exercise caution when connections suddenly drop, especially if it happens for everyone on the network. • If it just ‘doesn’t feel right’ then trust your instincts…
Resources • http://www.willhackforsushi.com/code/cpscam.pl • http://neighbor.willhackforsushi.com/ • http://www.aircrack-ng.org/ • http://www.dd-wrt.com/ • https://github.com/SilverFoxx/PwnSTAR • http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/ • http://beagleboard.org/black • http://www.armhf.com/boards/beaglebone-black/bbb-sd-install/ • http://grinninggecko.com/2013/09/13/kali-linux-on-headless-beaglebone-black-via- os-x/ • https://github.com/thebradbain/snapception • http://airpwn.sourceforge.net/Airpwn.html • http://intercepter.nerf.ru/
Thank You! Questions? https://github.com/gfoss/misc/Wireless/Captive-Portals/ Greg Foss
 Senior Security Research Engineer
 greg.foss[at]LogRhythm.com
 @heinzarelli

More Related Content

PPTX
Network traffic analysis with cyber security
byKAMALI PRIYA P
 
PPTX
Mobile security
byTapan Khilar
 
PDF
6 Security Tips for Using Public WiFi
byQuick Heal Technologies Ltd.
 
PDF
Ensuring Mobile Device Security
byQuick Heal Technologies Ltd.
 
PPT
Wireshark
byVijay kumar
 
PPTX
Phreaks
byFanap
 
PPT
Internet Traffic Monitoring and Analysis
byInformation Technology
 
PPTX
Mobile device privacy and security
byImran Khan
 
Network traffic analysis with cyber security
byKAMALI PRIYA P
 
Mobile security
byTapan Khilar
 
6 Security Tips for Using Public WiFi
byQuick Heal Technologies Ltd.
 
Ensuring Mobile Device Security
byQuick Heal Technologies Ltd.
 
Wireshark
byVijay kumar
 
Phreaks
byFanap
 
Internet Traffic Monitoring and Analysis
byInformation Technology
 
Mobile device privacy and security
byImran Khan
 

What's hot

PPTX
Cyber attack
byManjushree Mashal
 
PDF
Network Monitoring System ppt.pdf
bykristinatemen
 
PPTX
Software piracy
byAshraf Uddin
 
PPT
Ethical hacking
byMonika Deswal
 
PPTX
Ethical hacking
byVipinYadav257
 
PPTX
Wi Fi Security
byyousef emami
 
PPTX
TOR NETWORK
byRishikese MR
 
PPTX
Mobile security
byCyberoamAcademy
 
PDF
The Anatomy of a Data Breach
byDavid Hunt
 
PPTX
Mobile security in Cyber Security
byGeo Marian
 
PPSX
What is firewall
byHarshana Jayarathna
 
PPTX
Mobile Phone Seizure Guide by Raghu Khimani
byDr Raghu Khimani
 
PDF
Network traffic analysis course
byTECHNOLOGY CONTROL CO.
 
PPTX
Mobile security
bypriyanka pandey
 
PDF
Social engineering
byankushmohanty
 
PPTX
Presentation on ethical hacking
bySunny Sundeep
 
PPTX
PHISHING DETECTION
byumme ayesha
 
PDF
Mobile Security 101
byLookout
 
PPTX
Mobile Forensics
byabdullah roomi
 
PPT
Darknet
byHiro Oshikawa
 
Cyber attack
byManjushree Mashal
 
Network Monitoring System ppt.pdf
bykristinatemen
 
Software piracy
byAshraf Uddin
 
Ethical hacking
byMonika Deswal
 
Ethical hacking
byVipinYadav257
 
Wi Fi Security
byyousef emami
 
TOR NETWORK
byRishikese MR
 
Mobile security
byCyberoamAcademy
 
The Anatomy of a Data Breach
byDavid Hunt
 
Mobile security in Cyber Security
byGeo Marian
 
What is firewall
byHarshana Jayarathna
 
Mobile Phone Seizure Guide by Raghu Khimani
byDr Raghu Khimani
 
Network traffic analysis course
byTECHNOLOGY CONTROL CO.
 
Mobile security
bypriyanka pandey
 
Social engineering
byankushmohanty
 
Presentation on ethical hacking
bySunny Sundeep
 
PHISHING DETECTION
byumme ayesha
 
Mobile Security 101
byLookout
 
Mobile Forensics
byabdullah roomi
 
Darknet
byHiro Oshikawa
 

Viewers also liked

PPT
Wireless router
byroza921
 
PDF
Wireless Cracking using Kali
byn|u - The Open Security Community
 
PDF
Informationssicherheit im Übersetzungsprozess
byHans Pich
 
ODP
Easy Tutorial Step-by-Step How to use Airolib-ng
byTisya Ka
 
PPTX
Static PIE, How and Why - Metasploit's new POSIX payload: Mettle
byBrent Cook
 
PDF
Deception Driven Defense - Infragard 2016
byGreg Foss
 
PDF
Threat Intelligence Field of Dreams
byGreg Foss
 
PDF
Activated Charcoal - Making Sense of Endpoint Data
byGreg Foss
 
PPT
Caffe Latte Attack
byAirTight Networks
 
PPTX
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
byThe Hacker News
 
PPT
Configuring linksys wireless router
byanku3
 
PPTX
WiFi Pineapple - Alex R
byAlexander Rippee
 
PDF
Setting hotspot-web-proxy-mikrotik
bywayan abyong
 
PPT
Caffe Latte Attack Presented In Toorcon
byMd Sohail Ahmad
 
PDF
SecureSet WarGames - Logging and Packet Capture Training
byGreg Foss
 
PDF
DerbyCon 5 - Tactical Diversion-Driven Defense
byGreg Foss
 
PPT
Metasploit-TOI-Ebryx-PVT-Ltd
byAli Hussain
 
PPTX
Tranning-2
byAli Hussain
 
PDF
Penetration test
byDigicomp Academy AG
 
PDF
Webinar Metasploit Framework - Academia Clavis
byClavis Segurança da Informação
 
Wireless router
byroza921
 
Wireless Cracking using Kali
byn|u - The Open Security Community
 
Informationssicherheit im Übersetzungsprozess
byHans Pich
 
Easy Tutorial Step-by-Step How to use Airolib-ng
byTisya Ka
 
Static PIE, How and Why - Metasploit's new POSIX payload: Mettle
byBrent Cook
 
Deception Driven Defense - Infragard 2016
byGreg Foss
 
Threat Intelligence Field of Dreams
byGreg Foss
 
Activated Charcoal - Making Sense of Endpoint Data
byGreg Foss
 
Caffe Latte Attack
byAirTight Networks
 
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
byThe Hacker News
 
Configuring linksys wireless router
byanku3
 
WiFi Pineapple - Alex R
byAlexander Rippee
 
Setting hotspot-web-proxy-mikrotik
bywayan abyong
 
Caffe Latte Attack Presented In Toorcon
byMd Sohail Ahmad
 
SecureSet WarGames - Logging and Packet Capture Training
byGreg Foss
 
DerbyCon 5 - Tactical Diversion-Driven Defense
byGreg Foss
 
Metasploit-TOI-Ebryx-PVT-Ltd
byAli Hussain
 
Tranning-2
byAli Hussain
 
Penetration test
byDigicomp Academy AG
 
Webinar Metasploit Framework - Academia Clavis
byClavis Segurança da Informação
 

Similar to Wi-Fi Hotspot Attacks

PPTX
Wireless hacking
byarushi bhatnagar
 
PDF
Advanced Wi-Fi pentesting
byYunfei Yang
 
PPTX
WiFi security
byIhor Uzhvenko
 
PPTX
DevLink - WiFu: You think your wireless is secure?
byRob Gillen
 
ODP
Wireless security beyond password cracking by Mohit Ranjan
byOWASP Delhi
 
PDF
Fundamentals of network hacking
byPranshu Pareek
 
PPTX
So you want to be a wireless hacker
byCasey Dunham
 
PDF
Howto Crack Or Hack A Wireless Network With Wired Equivalent Privacy Wep
byPraveen Kumar Sinha
 
PDF
Wi-Foo Ninjitsu Exploitation
byPrathan Phongthiproek
 
PPTX
Wifi cracking
byAbhashKumarJha
 
PPTX
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
bybarcamp.my
 
PDF
Cracking Wep And Wpa Wireless Networks
byguestf2e41
 
PDF
Wi-Fi Denver OWASP Presentation Feb. 15, 2017
bykeyalea
 
PDF
Wireless Hotspot: The Hackers Playground
byJim Geovedi
 
ODP
Wifi Security, or Descending into Depression and Drink
bySecurityTube.Net
 
PPTX
Wireless v2
byJoshua Johnston
 
PDF
Don't Get Hacked on Hostile WiFi
byMackenzie Morgan
 
PDF
Pentesting
byHenrik Jacobsen
 
PDF
Raspberry pi 3
bySanket Kakde
 
PPTX
Wi fi hacking
byHarshitParkar6677
 
Wireless hacking
byarushi bhatnagar
 
Advanced Wi-Fi pentesting
byYunfei Yang
 
WiFi security
byIhor Uzhvenko
 
DevLink - WiFu: You think your wireless is secure?
byRob Gillen
 
Wireless security beyond password cracking by Mohit Ranjan
byOWASP Delhi
 
Fundamentals of network hacking
byPranshu Pareek
 
So you want to be a wireless hacker
byCasey Dunham
 
Howto Crack Or Hack A Wireless Network With Wired Equivalent Privacy Wep
byPraveen Kumar Sinha
 
Wi-Foo Ninjitsu Exploitation
byPrathan Phongthiproek
 
Wifi cracking
byAbhashKumarJha
 
Ahmad Siddiq Wi-Fi Ninjutsu Exploitation
bybarcamp.my
 
Cracking Wep And Wpa Wireless Networks
byguestf2e41
 
Wi-Fi Denver OWASP Presentation Feb. 15, 2017
bykeyalea
 
Wireless Hotspot: The Hackers Playground
byJim Geovedi
 
Wifi Security, or Descending into Depression and Drink
bySecurityTube.Net
 
Wireless v2
byJoshua Johnston
 
Don't Get Hacked on Hostile WiFi
byMackenzie Morgan
 
Pentesting
byHenrik Jacobsen
 
Raspberry pi 3
bySanket Kakde
 
Wi fi hacking
byHarshitParkar6677
 

More from Greg Foss

PDF
Honeypots for Active Defense
byGreg Foss
 
PDF
Attacking Drupal
byGreg Foss
 
PDF
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
PDF
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
PDF
Security Automation and Orchestration
byGreg Foss
 
PDF
Phishing Intelligence Engine - BlueHat v17
byGreg Foss
 
PDF
Crypto Hacks - Quit your Job and Become a Crypto Farmer
byGreg Foss
 
PDF
PIE - BSides Vancouver 2018
byGreg Foss
 
PPTX
Future of Destructive Malware
byGreg Foss
 
PPTX
Cloud Crime Ops
byGreg Foss
 
Honeypots for Active Defense
byGreg Foss
 
Attacking Drupal
byGreg Foss
 
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
Security Automation and Orchestration
byGreg Foss
 
Phishing Intelligence Engine - BlueHat v17
byGreg Foss
 
Crypto Hacks - Quit your Job and Become a Crypto Farmer
byGreg Foss
 
PIE - BSides Vancouver 2018
byGreg Foss
 
Future of Destructive Malware
byGreg Foss
 
Cloud Crime Ops
byGreg Foss
 

Recently uploaded

PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
PDF
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
PDF
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
PDF
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
PPTX
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
PDF
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
PPTX
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
PPTX
Explaining ourselves – people, computers and AI
byAlan Dix
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
PDF
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
PDF
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
Build an AI/ML-driven image archive processing workflow: Image archive, analy...
bywesley chun
 
AI: Beyond Generative AI and LLM | Harrie de Groot (harrie.dev)
byHarrie de Groot
 
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
Explaining ourselves – people, computers and AI
byAlan Dix
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
In this document
Powered by AI

Presentation by Greg Foss introduces Wi-Fi hacking for web pentesters with his credentials.

Legal disclaimer regarding usage of hacking skills and the illegal nature of demonstrated methods.

The talk will not cover Wi-Fi security basics like WEP cracking, WPA/WPA2 attacks, or WPS.

Discussion on the abundance of free Wi-Fi and simple bypassing techniques for accessing it.

Techniques such as MAC address modification and packet sniffing used to bypass access restrictions.

Step-by-step method to clone captive portals and mobile cloning tools like HTTrack.

Methods for deauthenticating clients and disrupting access points, particularly with Aireplay-ng. Introduction to Wi-Fi Pineapple for hacking with cautions, uses, and router configurations.

Mobile devices and tools for hacking, including Kali NetHunter, and defense strategies against MITM.

Overview of useful resources and links for Wi-Fi security testing and hacking methodologies.

Wrap-up of the presentation, inviting questions and offering contact information.

Wi-Fi Hotspot Attacks

  • 1.
    Wi-Fi Hacking for WebPentesters Greg Foss Sr. Security Research Engineer @heinzarelli
  • 2.
    Greg Foss Sr. SecurityResearch Engineer OSCP, GAWN, GPEN, GWAPT, GCIH, CEH, CYBER APT # whoami
  • 4.
    *I am notliable for what you do with any of this information* Section 638:17 House Bill 495 - US rules against wireless hacking http://en.wikipedia.org/wiki/Legality_of_piggybacking#United_States
  • 5.
    DISCLAIMER Not a ‘Wi-FiSecurity Expert’ nor a Lawyer Just about everything I’m going to demonstrate is probably illegal, don’t do any of this against unauthorized targets…
  • 6.
    Not Discussing Wi-Fi SecurityBasics • 802.11 • WEP Cracking - ridiculously easy, google it • WPA / WPA2 Attacks - Reaver • WPS Attacks - Reaver • PEAP, LEAP, etc. - Out of Scope
  • 7.
  • 9.
    it’s everywhere… enough freeWiFi that it’s almost not worth the time it takes to infiltrate unless free internet’s not the goal…
  • 10.
    Bypassing is easy… •Sometimes Tor or a VPN will simply be allowed through the captive portal, no joke • Try appending ?.jpg or ?.png to the URL • Look for Open Redirect flaws, iFrames, etc. • Tunnel out over DNS! • Same tricks work if your ISP suspends your internet access, depending on the ISP of course…
  • 11.
    Bypassing is easy… •On time-limited access points, just change your MAC when the time runs out. Or sniff MACs and ride on another’s paid access. • De-auth existing clients and/or DoS access points: • Aireplay-ng or Airdrop • http://www.aircrack-ng.org/ • MDK3 • https://forums.kali.org/showthread.php?19498- MDK3-Secret-Destruction-Mode
  • 12.
    Bypassing is easy… •Sniff MAC Addresses and wait for a user to go idle, then modify your MAC and IP to match • Works on just about any open access point, especially captive portals • CPSCAM by Josh Wright will do this for you: • http://www.willhackforsushi.com/code/ cpscam.pl
  • 13.
  • 16.
    The Evil Twin… source:http://www.breakthesecurity.com/2014/04/evil-twin-attack-fake-wifi-hack.html
  • 25.
    How to cloneand weaponize captive portals 1. Connect to the access point and wait for the splash page to pop- up. 2. Close the splash page, and open your browser. Visit any random web page (http normally works better than https). 3. When the splash page comes up, save the entire landing page. Use the splash page and save additional pages as necessary. 4. Change the UA string and grab the mobile version as well if it exists. 5. Replace the form processor to write a log file and pass the client through to a legitimate landing page. 6. Modify the page HTML to point to your form processor and modify parameters as necessary. 7. Deploy the captive portal (will discuss this shortly) 8. Use IPTables to allow the victim’s MAC through to the internet using the form processor.
  • 28.
  • 29.
    Mobile Cloning • HTTrack:http://www.httrack.com/
  • 30.
    Mobile Cloning • VT ViewSource:
 
 https://play.google.com/ store/apps/details? id=com.tozalakyan.view source&hl=en
  • 32.
    How to DeauthenticateClients and DoS Access Points • Aireplay-ng using the —deauth flag • file2air - deauth packet injection flood tool by Josh Wright • http://www.willhackforsushi.com/code/file2air/1.1/ file2air-1.1.tgz • Spoof AP MAC, send deauth requests to clients • Target a single user, all users, or AP itself • MDK3 Deauth Amok Mode to take out all WPA AP’s
  • 33.
    How to DeauthenticateClients and DoS Access Points source: https://github.com/sophron/wifiphisher
  • 34.
    How to DeauthenticateClients and DoS Access Points https://github.com/sophron/wifiphisher
  • 35.
  • 36.
  • 37.
    Generic Splash Page PineappleConfiguration /etc/nodogsplash/htdocs/splash.html
  • 38.
    Landing Page Pineapple Configuration- JavaScript Necessities /www/[directory]/index.html
  • 39.
    PHP Form Processor PineappleConfiguration Easier than using IPTables /www/[directory]/auth/login.php
  • 44.
    A word ofcaution w/ the Pineapple…
  • 45.
    A word ofcaution w/ the Pineapple…
  • 46.
    Existing Router Ideally onesupporting guest mode…
  • 47.
    DDWRT • Flash withDDWRT, then you can use NocatSplash to configure a captive portal. • Many other ways to go about this… DDWRT is just one of the easier options. • http://www.dd-wrt.com/site/index • http://sourceforge.net/projects/ nocatsplash/
  • 50.
  • 51.
    • Kali Linux •http://www.kali.org/ • Can do just about anything to connecting clients • Unlimited attack potential and plenty of drive space to build elaborate landing pages and believable scenarios Laptop Hotspot and/or Proxy
  • 52.
    • Makes hackingWi-Fi even easier! • https://github.com/SilverFoxx/PwnSTAR PwnStar - By SilverFoxx
  • 55.
  • 56.
  • 57.
    Combine Pineapple portability withthe versatility of Kali Linux • http://www.offensive-security.com/kali- linux/kali-linux-evil-wireless-access-point/
  • 58.
    BeagleBone Black +Alfa Wi-Fi Card http://beagleboard.org/black http://www.alfa.com.tw/
  • 59.
    BeagleBone AP DeploymentOptions get creative…
  • 61.
    Going Mobile! • NexusDevice with Kali NetHunter • https://www.kali.org/kali-linux-nethunter/ • Pwnie Express Pwn Phone/Pad • https://www.pwnieexpress.com/product/ pwn-phone2014/
  • 62.
  • 63.
  • 66.
    MITM Basic Tools •AirSSL • AirJack • Airsnarf • Dsniff • Cain • void11 • Ferret • SSLStrip • Wireshark • AirPwn • Ettercap • Etc…
  • 67.
    You don’t evenneed to authenticate to attack clients
  • 68.
    Fun with MITM •Snapception - https://github.com/thebradbain/ snapception • Love Thy Neighbors - http:// neighbor.willhackforsushi.com/ • AirPWN - http://airpwn.sourceforge.net/ Airpwn.html • Intercepter-NG - http://intercepter.nerf.ru/ • Many, many more…
  • 69.
  • 70.
    Client Defense… • Alwaysuse a VPN/VPS/SSH Port Forwarding/ etc. when connected to an open access point. • Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’. • Hotspot not served up over HTTPS and other generally suspicious behavior. • Beware duplicate networks with different encryption.
  • 71.
    Client Defense… • Usedifferent login details and passwords for public wifi. Test false-credentials first, if it lets you through it’s not legit. • Turn off Wi-Fi on devices when traveling. • Exercise caution when connections suddenly drop, especially if it happens for everyone on the network. • If it just ‘doesn’t feel right’ then trust your instincts…
  • 72.
    Resources • http://www.willhackforsushi.com/code/cpscam.pl • http://neighbor.willhackforsushi.com/ •http://www.aircrack-ng.org/ • http://www.dd-wrt.com/ • https://github.com/SilverFoxx/PwnSTAR • http://www.offensive-security.com/kali-linux/kali-linux-evil-wireless-access-point/ • http://beagleboard.org/black • http://www.armhf.com/boards/beaglebone-black/bbb-sd-install/ • http://grinninggecko.com/2013/09/13/kali-linux-on-headless-beaglebone-black-via- os-x/ • https://github.com/thebradbain/snapception • http://airpwn.sourceforge.net/Airpwn.html • http://intercepter.nerf.ru/
  • 73.
    Thank You! Questions? https://github.com/gfoss/misc/Wireless/Captive-Portals/ Greg Foss
 SeniorSecurity Research Engineer
 greg.foss[at]LogRhythm.com
 @heinzarelli