
Wifiphisher: Fast automated phishing attacks against WPA networks

189 points | sophron | 11 years ago | github.com

55 comments

[+] gipsies|11 years ago|reply
This is misleading. When using WPA the client and access point perform mutual authentication. This means that if you don't know the password, you cannot set up a rogue access point that "copies the target access point's settings". Because you don't know the password! And if you'd use a random password, the client will refuse to connect to the rogue AP.

The tool is actually creating a second, unencrypted network. On Windows it will give you a warning that the configuration of the network has changed. On Android you'd have to manually reconnect to the unencrypted network. So their method doesn't automatically perform a man-in-the-middle attack. A decent setup will warn you about this. Sure, if a user ignores all OS warnings, connects to an unencrypted network anyway, and feels the need to type his password in random fields s/he never saw before, then this will work [3].

What would be more interesting is to jam the target network, using an actual jammer [1], and then perform a KARMA man-in-the-middle attack [2]. The idea is to listen for probe requests to unencrypted networks, and then clone that unencrypted network. In this case the user would automatically connect, making the attack more likely to succeed...

[1] http://people.cs.kuleuven.be/~mathy.vanhoef/papers/acsac2014...

[2] http://www.theta44.org/karma/

[3] Perhaps I'm a bit cynical, but I suppose it might actually work some of the time... :(

[+] vletmixutechre|11 years ago|reply
I suspect many average end-users will click 'whatever' in order to try to make things work again.
[+] bjornsing|11 years ago|reply
Or set up an exact replica of the targeted device's (WPA-protected) home AP, and then tunnel the raw encrypted 802.11 frames back to that AP over the Internet. Ta-da - your target now has absolutely seamless remote access to their own home Wi-Fi, with mutual authentication and end-to-end hardware accelerated AES encryption. :P

Only "drawback" (if you're of a malicious nature) is that you can't do any evil. The only thing you'll see is the raw encrypted Wi-Fi traffic, flowing straight through your "rogue AP" and into the Wi-Fi over IP tunnel. :)

Disclaimer: That's what http://anyfi.net does and I'm on the team that built it.

[+] HackinOut|11 years ago|reply
Yes, that is why this password is called a Pre-Shared Key.
[+] jagermo|11 years ago|reply
Agree. However, it is a crafty mix between a classic attack (the deauth part) and social engineering (the password part).

The KARMA way is more elegant, however you still might have to crack the actual pre-shared key. I'd put it in as another helpful tool that might ease your pentest approach, besides Reaver, maybe.

[+] ytjohn|11 years ago|reply
The reason I don't think this would work is because no one knows their wifi password.
[+] drinkyouroj|11 years ago|reply
This was my thought, too - and those that do would recognize the fake control panel.

I think it's becoming more and more common for the PSK to come on a sticker from the all-in-one router/modem your ISP sends you. So, the user never sets a passphrase, never sees the control panel, and has the key ready to hand out by just looking at their "internet box." This attack is perfect for that.

[+] HackinOut|11 years ago|reply
I think "Phase 3" is indeed too much. I would think this tool would be more useful for "simple" MITM than for PSK phishing.
[+] leke|11 years ago|reply
My network connection security setting is 'WPA & WPA2 Personal'. This works on WPA but apparently not on WPA2. Will this attack work on my wifi?
[+] jagermo|11 years ago|reply
Yes, because it generates an unencrypted wifi with the same SSID as your access point. If you connect to that, it will serve you the site and you enter your "password", which is actually your WPA/WPA2 Pre-Shared Key.

If you want to be safe against this special kind of attack, you could use RADIUS-based authentication, where every user gets a certificate and username/password instead of one general shared key.

It is a little tricky, but if you are running a NAS from a vendor like synology or qnap you could use their RADIUS packages to set it up.

[+] ikeboy|11 years ago|reply
This looks really cool. However, when I first read the words "social engineering", I expected it to create another access point encrypted the same way, and get the code direct from the victim. This way seems less fool-proof.

Is my suggestion at all possible, or is the code transmitted while connecting useless unless you already have it? (Well it's not useless, as it can be brute-forced by aircrack-ng locally. I'm wondering if what's transmitted is like a hash of the passphrase, which isn't useful, or encrypted with a one time key sent by the access point, in which case my idea is much better.)

[+] ytjohn|11 years ago|reply
The code is never transmitted. The data is encrypted with the code and only the code on the other side can be used to decrypt it.

Most brute-force systems work by capturing packets to hard drive and then attempting to decrypt them offline. Or you can upload your captures to the cloud: https://www.cloudcracker.com/

[+] chrisfarms|11 years ago|reply
Neither the key nor a hash of the key is sent over the air. It's a challenge. Since both sides should know the key they can challenge each other by saying things like "encrypt the word 'horse' using our secret key" ... then they can compare the result.
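The mutual proof-of-possession that gipsies and chrisfarms describe, as an added illustration that is not part of this thread or of Wifiphisher. The PMK derivation is the real WPA/WPA2-Personal one (PBKDF2-HMAC-SHA1 over the passphrase and SSID); the key-confirmation-key derivation and MIC are simplified HMAC-SHA256 stand-ins for the 802.11 PRF and EAPOL MIC, and the SSID "HomeNet" and passphrases are constructed.

```python
import hashlib
import hmac
import os

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Real WPA/WPA2-Personal step: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Simplified stand-in (assumption) for PRF-512: mix the PMK with both fresh nonces."""
    return hmac.new(pmk, b"kck" + anonce + snonce, hashlib.sha256).digest()

def mic(kck: bytes, message: bytes) -> bytes:
    """Simplified stand-in for the EAPOL-Key MIC."""
    return hmac.new(kck, message, hashlib.sha256).digest()

def handshake(ap_passphrase: str, client_passphrase: str, ssid: str = "HomeNet"):
    """Run a 4-way-handshake-style exchange; returns (ap_accepts_client, client_accepts_ap).

    Only nonces and MICs cross the air. A rogue AP that lacks the PSK cannot produce a valid
    message-3 MIC, so the client rejects it; a client without the PSK is rejected by the AP.
    """
    ap_pmk = derive_pmk(ap_passphrase, ssid)
    client_pmk = derive_pmk(client_passphrase, ssid)

    anonce = os.urandom(32)                       # message 1: AP -> client (plaintext nonce)
    snonce = os.urandom(32)                       # message 2: client -> AP (nonce + MIC)
    client_kck = derive_kck(client_pmk, anonce, snonce)
    msg2 = b"M2" + snonce
    msg2_mic = mic(client_kck, msg2)

    ap_kck = derive_kck(ap_pmk, anonce, snonce)
    ap_accepts = hmac.compare_digest(mic(ap_kck, msg2), msg2_mic)

    msg3 = b"M3" + anonce                         # message 3: AP -> client, proves AP has the PSK
    msg3_mic = mic(ap_kck, msg3)
    client_accepts = hmac.compare_digest(mic(client_kck, msg3), msg3_mic)
    return ap_accepts, client_accepts
```

The PMK check below uses the IEEE 802.11i test vector (passphrase "password", SSID "IEEE").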
[+] drinkyouroj|11 years ago|reply
Your method sounds to me like a pretty standard PSK crack: deauth client, collect auth handshake, repeat until you have enough packets to crack the passphrase. But collecting enough packets to crack the PSK becomes more difficult as the number of clients disconnecting/reconnecting goes down and the complexity of the PSK goes up. If you're trying to connect to a home AP with a halfway-decent passphrase, it can take days (or weeks) to collect enough auth packets.

Man-in-the-middle, on the other hand, takes almost no time at all - just a gullible user with the passphrase. This method seems like it would be especially effective against most home APs, which is the same case that is less-than-ideal for the other method.

[+] spacefight|11 years ago|reply
I wondered why the deauth in step 1 works; it sure looks like that's one of the shortcomings in WPA and there is just no workaround - except going with WPA2.

http://security.stackexchange.com/questions/20219/preventing...

[+] willidiots|11 years ago|reply
It'll work against WPA2 as well, the link you provided is confusingly worded. There's currently no technical way of preventing deauth attacks as 802.11 management frames are always unencrypted / unsigned.

802.11w aims to address this by authenticating management frames but is slow in coming to market and plagued with interop issues: http://en.wikipedia.org/wiki/IEEE_802.11w-2009
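Since, as willidiots notes, unprotected management frames cannot be rejected by the client until 802.11w is deployed, the practical defence is to notice the burst. Below is an added monitoring example (not code from this thread or from Wifiphisher) that flags any BSSID emitting a flood of deauthentication/disassociation frames within a short window; the capture-summary format and all addresses are constructed.

```python
from collections import defaultdict, deque

# Constructed capture summary (not real traffic): time_s type subtype bssid=.. sta=.. [reason=..]
SAMPLE_FRAMES = """\
0.00 mgmt beacon bssid=02:00:00:00:aa:01 sta=ff:ff:ff:ff:ff:ff
0.10 mgmt deauth bssid=02:00:00:00:aa:01 sta=02:00:00:00:cc:10 reason=7
0.12 mgmt deauth bssid=02:00:00:00:aa:01 sta=02:00:00:00:cc:10 reason=7
0.14 mgmt deauth bssid=02:00:00:00:aa:01 sta=02:00:00:00:cc:10 reason=7
0.16 mgmt deauth bssid=02:00:00:00:aa:01 sta=02:00:00:00:cc:10 reason=7
0.18 mgmt deauth bssid=02:00:00:00:aa:01 sta=02:00:00:00:cc:10 reason=7
0.20 mgmt deauth bssid=02:00:00:00:aa:01 sta=02:00:00:00:cc:10 reason=7
5.00 mgmt deauth bssid=02:00:00:00:aa:02 sta=02:00:00:00:cc:20 reason=3
5.50 mgmt deauth bssid=02:00:00:00:aa:02 sta=02:00:00:00:cc:20 reason=3
"""

def parse_frames(text: str) -> list:
    """Turn the constructed summary lines into dicts with a float timestamp and key=value fields."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        fields = dict(p.split("=", 1) for p in parts[3:])
        frames.append({"t": float(parts[0]), "type": parts[1], "subtype": parts[2], **fields})
    return frames

def detect_deauth_bursts(frames: list, window_s: float = 1.0, threshold: int = 5) -> list:
    """Return BSSIDs that sent more than `threshold` deauth/disassoc frames inside any `window_s` span.

    A single deauth is normal (a client leaving); a tight burst aimed at one client is the
    signature of a spoofed deauth flood, which 802.11w PMF would let the client reject outright.
    """
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauth/disassoc frames
    alerts = set()
    for f in frames:
        if f["subtype"] not in ("deauth", "disassoc"):
            continue
        q = recent[f["bssid"]]
        q.append(f["t"])
        while q and f["t"] - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) > threshold:
            alerts.add(f["bssid"])
    return sorted(alerts)

if __name__ == "__main__":
    print(detect_deauth_bursts(parse_frames(SAMPLE_FRAMES)))
```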

[+] Scarbutt|11 years ago|reply
A bit off-topic - I have noticed that python is used way more on the hacker/security community than other scripting langs (Perl,Ruby), anyone know why?
[+] urbannomad|11 years ago|reply
From what I know, python is usually the first language that newbies get pointed to when they ask where to start. It's easy to read, understand, and has a ton of libraries.

Plus python is older, and I think gained more popularity than ruby (before rails came along).

[+] hartator|11 years ago|reply
Actually Ruby is more popular in hacker/security community. It's the official language of Metasploit.
[+] eliben|11 years ago|reply
Isn't Python, in general, significantly more widely used than Perl and Ruby outside their narrow popularity domains (sysadmin for Perl, RoR web apps for Ruby)? Just a guess.
[+] eliben|11 years ago|reply
Neat idea, but why can't it spoof the Wifi authentication page/popup? Can't it dress up as a new device and try to connect to the wifi network, and then see what kind of authentication page is returned by the router? Then just copy that.
[+] pyre|11 years ago|reply
Without the password, it can't quite MitM yet. It presumably makes sure that the user connects to it because it doesn't have WEP/WPA enabled, so the client OS automatically connects to the AP with the same name, but doesn't warn the user that WPA is no longer enabled. It can't spoof the WPA connection because it doesn't have the password yet.
[+] leke|11 years ago|reply
I don't see how this tests the security of a setup if it is relying on a user submitting the password themselves. There is no way to protect against your own stupidity or the stupidity of others.
[+] maxerickson|11 years ago|reply
A reasonable use case would be demonstrating the weakness of a naive setup to a business that wanted to charge for access.
[+] dionyziz|11 years ago|reply
Where does it say that this is testing the security of a setup?
[+] scottydelta|11 years ago|reply
I tried running it, but it keeps looping on '[+] Choose the [num] of the AP you wish to copy:' :-/
[+] xanderjanz|11 years ago|reply
Why does this require a specific linux dist?
[+] jagermo|11 years ago|reply
It does not, but Kali is designed for pentesters, so it already contains a lot of dependencies. It's based on Debian, so with a little fiddling you should get it running on most other distributions.

You need, however, a wifi card capable of packet injection. Some of them need special drivers or patches, so it makes sense that the author uses a distribution for security/pentesting.