Ft' Smith - PowerPoint PPT Presentation

Slides: 19
Provided by: shy22
Transcript and Presenter's Notes

1
  • Ft. Smith
  • 2600

2
Evil Twin Access Points
  • For fun but no profit

3
What is it?
  • An Evil Twin access point is a rogue access
    point set up intentionally to trick users into
    connecting to it rather than the legitimate
    access point

4
Rogue Access Point Definition
  • Rogue access point (RAP) - an unauthorized
    access point.
  • They are not always someone with ill intent.
  • ex: A RAP may be an employee who has set up a
    Linksys router in his/her cubicle without
    permission or without enabling proper encryption.
    By doing this he/she may have bypassed all of
    the company's security policies and may be
    broadcasting said company's confidential data
    in clear text for anyone to see.

5
Why does it work?
  • Primarily because many end users (CEOs,
    employees, home users, etc.) don't think that
    they may be a target

6
Who is vulnerable?
  • Too many home users
  • Many small businesses
  • Quite a few bigger institutions (Schools and
    corporate entities)

7
Vulnerable hardware
  • Gray area: remember, you're primarily tricking
    users, not the access points, but you may have to
    take the AP out in order to do so.

8
How does it work?
  • Macs and PCs, because both automatically scan
    for preferred networks on startup. Some
    user-friendly Linux distros do this too! When
    the client probes for its preferred networks,
    it sends the AP MAC address as part of the probe
    packet. In come Hotspotter or Karma!

9
How can I make it work?
  • There are several ways to go about it
  • Walled Garden type (fake hotspot pages like
    T-mobile, Starbucks, McDonalds, etc.)
  • Flooding with fake SSIDs to confuse the user and
    have them connect to one of the many SSIDs that
    route back to you
  • Completely knocking their access point out by an
    association flood (or other method), and sliding
    in yours

10
Tools
  • Auditor: bootable Linux distro for pen testing
  • Void11: mainly used for de-auth attacks and to
    generate traffic (Prism II chipset only)
  • Airsnarf: my fav tool for Walled Garden type
    attacks (they say you can use an Atheros chipset
    but I can't)
  • Hotspotter or Karma: common tools for forging
    SSIDs

11
Scenario 1
  • You are in a coffee shop in a major-metropolitan
    area (New York City, for example) with paid,
    monitored, or even encrypted WiFi
  • Many users have laptops, PDAs, etc.
  • Perform a de-authentication attack to force
    everyone off of their network or an association
    flood to crash the router.
  • Slip your evil twin in the mix with an SSID like
    .99Wifi, Un-monitored Wifi, or even the
    same SSID as the encrypted WiFi, just not
    encrypted
  • Make sure you're running dhcpd to assign IP
    addresses automatically
  • Hopefully, people will try to reconnect, see that
    your access point is cheaper, un-monitored, or
    not encrypted, and connect to it instead
  • Have a convincing Walled Garden type login page

12
Scenario 1 (cont.)
  • In this scenario the attacker can collect a
    variety of data
  • Legitimate credentials (used to login to the AP
    later)
  • Credit card numbers for .99wifi
  • Since the users are on your network, browse any
    shares they may have. You may get private
    corporate data from the business man in the
    corner.
  • People's names and addresses

13
Scenario 2
  • You're on a flight to L.A.
  • Again, business men are working on their
    notebooks.
  • Since XP and Macs (and Linux too!) are so
    friendly, they will announce their presence and
    look for preferred networks.
  • Run Karma or Hotspotter to fake them out

14
Scenario 2 (cont)
  • Use nmap to scan the host (using p0f for OS
    detection) and use -sV for service and version
    detection
  • Fire up Metasploit and drop a reverse shell
    (provided they were running vulnerable services,
    of course)
  • The system is backdoored. Now you can drop a
    rootkit and have it scan its entire netmask when
    it gets back and have it email it to you or
    something
  • (/)\/\/N3) !!!1!s

15
Oopps. My bad.
  • I meant to have a live demo of one of these
    attacks but I got too busy and didn't get it
    together in time.
  • Maybe next time.

16
Conclusion
  • The world is a dangerous place.
  • An informed user may or may not be a safe user.
  • Only try this at home.
  • Be good, pass it on.

17
Credits/Props
  • Simple Nomad Hacking the Friendly Skies (great
    read)
  • The Shmoo Group _at_ shmoo.com (airsnarf)
  • Remote-exploit.org (auditor and backtrack)
  • KoreK (chop-chop attack on WEP and cool ass name)
  • Fresh BeanZ ( venue for this talk and meetings )
  • 2600.com ( the original hacker panel )

18
Counter Measures
  • Kismet set to filter out known SSIDs
  • For Windows, NetStumbler can do that too
  • AirSnare for Windows
  • Snort for Linux
  • Document all of your wireless access points
  • The normal stuff (use WPA, change the key at
    regular intervals, etc.)
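As an added example (not from the talk), the "document all of your wireless access points" and "filter out known SSIDs" counter measures turned into a check: observed beacons, constructed here rather than taken from a real Kismet scan, are compared against a documented inventory, and a known SSID coming from an undocumented BSSID or with weaker encryption than documented (the "same SSID, just not encrypted" twin from Scenario 1) is flagged. The inventory, BSSIDs and SSIDs are all made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str        # MAC address of the radio sending the beacon
    ssid: str
    encryption: str   # "WPA2", "WPA", "WEP" or "OPEN"
    channel: int

# Constructed inventory: what the site's AP documentation says is authorized.
AUTHORIZED = {
    "CoffeeShop-Secure": {"bssids": {"00:11:22:33:44:55"}, "encryption": "WPA2"},
    "CorpNet": {"bssids": {"00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"},
                "encryption": "WPA2"},
}

def classify(beacon, authorized=AUTHORIZED):
    """Return the findings for one beacon; an empty list means it matches the inventory."""
    entry = authorized.get(beacon.ssid)
    if entry is None:
        return ["unknown-ssid"]       # not a known SSID: what is left after filtering
    findings = []
    known = {b.lower() for b in entry["bssids"]}
    if beacon.bssid.lower() not in known:
        findings.append("evil-twin-bssid")       # known SSID from an undocumented radio
    if beacon.encryption != entry["encryption"]:
        findings.append("encryption-downgrade")  # same SSID, "just not encrypted"
    return findings

def audit(beacons, authorized=AUTHORIZED):
    """Map each suspicious BSSID to its set of findings; clean beacons are dropped."""
    report = {}
    for b in beacons:
        findings = classify(b, authorized)
        if findings:
            report.setdefault(b.bssid.lower(), set()).update(findings)
    return report

# Constructed scan results (not a real capture).
OBSERVED = [
    Beacon("00:11:22:33:44:55", "CoffeeShop-Secure", "WPA2", 6),  # legitimate
    Beacon("de:ad:be:ef:00:01", "CoffeeShop-Secure", "OPEN", 6),  # open evil twin
    Beacon("de:ad:be:ef:00:02", ".99Wifi", "OPEN", 11),           # unknown SSID
    Beacon("00:AA:BB:CC:DD:02", "CorpNet", "WPA2", 1),            # legitimate, upper-case MAC
]

if __name__ == "__main__":
    for bssid, findings in sorted(audit(OBSERVED).items()):
        print(bssid, ", ".join(sorted(findings)))
```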