Description: Welcome to Part 25 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will explore the interesting world of WPA/WPA2 Honeypots. In previous videos, we have seen that if the Client profile contains an Open and No Encryption network, it is trivial to create a Honeypot and have it connect to us.
In the case of WEP, we found that it was possible to do the same thing. Also, by using the Caffe Latte Attack or the Hirte attack, one could crack the WEP key with just the client.
The WPA/WPA2-PSK case is more interesting. We could create an AP with the same SSID and settings. Once the client connects to us, we get the first 2 packets of the WPA 4-way handshake. Once we have these, we could try to crack the WPA passphrase using a dictionary attack.
Of course, the most important question is: how do we know what security settings the client's probed SSID uses? We solve this as well in this video :)
Enjoy!
Tags: wpa-psk, wireless, wifi, security, megaprimer, pbkdf, ptk, pmk, anonce, snonce
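A defender-side check that follows from the technique the description outlines, as an added example that is not from the video or from any tool shown in it: given a scan in a simplified airodump-ng-like shape (constructed records, placeholder 02:.. BSSIDs) and a hypothetical inventory of trusted BSSIDs, it flags extra APs reusing a managed ESSID and, separately, any ESSID being advertised with several security profiles at once.

```python
from collections import defaultdict

# Constructed scan in a simplified airodump-ng-like shape:
# (BSSID, channel, privacy, cipher, auth, ESSID). The locally
# administered 02:.. addresses are placeholders, not real hardware.
SCAN = [
    ("02:00:00:00:00:01", 11, "WPA2", "CCMP", "PSK", "Wireless Lab"),  # genuine
    ("02:aa:00:00:00:01", 11, "OPN",  "",     "",    "Wireless Lab"),  # fake, open
    ("02:aa:00:00:00:02", 11, "WEP",  "WEP",  "",    "Wireless Lab"),  # fake, WEP
    ("02:aa:00:00:00:03", 11, "WPA",  "TKIP", "PSK", "Wireless Lab"),  # fake, WPA
    ("02:aa:00:00:00:04", 11, "WPA2", "CCMP", "PSK", "Wireless Lab"),  # fake, WPA2
    ("02:00:00:00:00:02", 6,  "WPA2", "CCMP", "PSK", "Guest"),         # genuine
]

# Hypothetical site inventory: which BSSIDs may advertise each managed
# ESSID, and the one security profile that ESSID is supposed to use.
TRUSTED = {
    "Wireless Lab": {"bssids": {"02:00:00:00:00:01"},
                     "profile": ("WPA2", "CCMP", "PSK")},
    "Guest": {"bssids": {"02:00:00:00:00:02"},
              "profile": ("WPA2", "CCMP", "PSK")},
}

def find_rogue_aps(scan, trusted):
    """Return (bssid, essid, reason) for every AP advertising a managed ESSID
    from a BSSID not in the inventory; a profile that differs from the
    expected one (OPN/WEP where WPA2 is expected) is called out in the reason."""
    findings = []
    for bssid, _chan, privacy, cipher, auth, essid in scan:
        known = trusted.get(essid)
        if known is None:
            continue  # an ESSID we do not manage is out of scope here
        if bssid.lower() in {b.lower() for b in known["bssids"]}:
            continue  # inventoried AP
        profile = (privacy, cipher, auth)
        if profile == known["profile"]:
            reason = "unknown BSSID cloning the expected profile"
        else:
            reason = f"unknown BSSID with profile {profile}, expected {known['profile']}"
        findings.append((bssid, essid, reason))
    return findings

def mixed_security_essids(scan):
    """ESSIDs seen with more than one security profile at once; needs no
    inventory, and is the signature of the multi-AP honeypot in the video."""
    profiles = defaultdict(set)
    for _bssid, _chan, privacy, cipher, auth, essid in scan:
        profiles[essid].add((privacy, cipher, auth))
    return {essid: p for essid, p in profiles.items() if len(p) > 1}
```

Run both functions over periodic scans from a monitoring interface; the second one catches the honeypot even on networks you have no inventory for.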
OMG!
@Vivek, I am not tired of watching your videos and apparently you seem not to be tired either.
I really appreciate that you share your knowledge with us. This keeps me motivated and I am trying harder to learn all of this stuff!
Thanks again
I am wondering why the AP named "Wireless Lab" does not have an associated BSSID?
@Vivek, Again a great video... thanks for your hard work and sharing your knowledge!
I will try to get a ticket for Brucon in September.
Looking forward to meeting you in person!
Good point on the association working with crypto on airbase but the complete handshake and data transfer not actually occurring. In Q&A that's where I was going with "airbase doesn't do crypto".
Wow awesome!!! Can't wait to watch it!! Thanks Vivek, from the bottom of my heart!!
Fantastic! I love the way the utter simplicity of it smacks me in the face! If you want to know what encryption the client is using for the given AP, create multiple APs with the same name offering different schemes and see which one gets the lion's share of the association. Heck, it is almost so obvious it is painful - doh! Thanks Vivek - I did not know if I should laugh or cry :-)
Just an FYI - and an idea for a subject. Here in the UK our national telephone provider offers 'free wifi' to customers of their broadband package. Basically they do it by offering traditional hotspots and piggy-backing bandwidth off the back of all their customers' gateway router-modem devices (the BT Home Hub). These are open, but captive portal. I'm sure there are other providers in the world that do similar things.
I'm just wondering how easy it would be to create an 'evil twin' captive portal, that grabs the login and then lets the victim go on to browse. Net result, not only do you get IP level access to the victim, but also credentials.
Going back to your metasploit primer, I seem to recall the SET could spoof login pages - but perhaps it would be worth taking up the subject of spoofing captive portals in a later video? I'm guessing that doing something with Apache in combination with a simple PHP script to grab the user/password - and making use of its proxying abilities may be a starting point if a tool does not exist?
@Blackmarketeer- just a response to "I'm just wondering how easy it would..." - I have seen something EXTREMELY similar to that for coffeeshop hotspots.
@Blackmarketeer - nice idea about the BT Home Hub. I have seen some nearby at home. A friend has one so I might just twist his arm to let me play around with his wireless and it'll only cost me a few bottles of beer! I wouldn't want to play around like that without the permission of the network owner :-)
@Blackmarketeer and Andrew: Vivek knows about the guys at Hak5 (http://forums.hak5.org/) and I guess that many others here do also. They have a weekly video and they've done some segments about creation of a fake AP to lure unsuspecting folks to connect, surf the 'net and enter their credentials. It might be worth checking out some of their videos. I'll see if I can find the ones that deal with this.
@Vivek: Fascinating, as usual. At around 23 minutes, I realise that the passphrase could be derived from packets 1 and 2 of the handshake if it's in the dictionary, but I was interested to hear you say something like "crack this in a reverse way". I'm sure that you will expand upon this tantalising phrase in a future video!
@Blackmarketeer no need to create an evil twin captive portal and go through all that hassle. You may just get the MAC address of any client connected to that AP sending heavy traffic and then simply use macchanger, because these hotspots generally use MAC filters, as suggested by Vivek!
I'm sorry Vivek, I can't comment a lot and I can't watch your videos all the time because I don't have an Internet connection
in my place, nor any WEP AP near me, so... I'm sorry
but I want to thank you for your work...
and want to ask you: are the other primers you make over, or...?
Thanks a lot...
Your faithful: Feras
great work. thanks for the awesome vid ;)
Hey, I posted a few questions in the man in the middle attack video post. Hope you guys can throw some info at me :) I'm sure it would help me and a lot of others. Thanks Vivek
OK, I got one n00b question.... Will this same attack still work if we "hide" as in don't broadcast the SSID?? 'Cause one thing I have noticed when playing with my Pineapple is that this is very noticeable when you see 5 dlinks in the area..
hello vivek, first of all i would like to thank you for the wonderful, in-depth and beautiful lectures and practicals!
I have a question regarding SecureW2, which uses the EAP-TTLS and EAP-PEAP protocols, which seem to use very complicated cryptography and also seem to prevent man-in-the-middle attacks.
Is there a vulnerability or a work around this security feature ?
Thanks!
@Bonk3rZz:
Do you want to know if we are able to "deactivate" that the client will see our different APs?
I think it isn't possible... because the autoconnect only works if the parameters of the faked AP are exactly the same as the original AP (except the MAC address).
If we change the SSID to another value it will not work... if we stop broadcasting the SSID it doesn't really make sense I think, because the client we want to attack probes for the specific SSID, so he will then see all of our APs... because all have the same SSID.
Correct me if I'm wrong.
@3|L060
Well, I think my point is... The SSID is "dlink", just not broadcasting it, so it's a "HIDDEN NETWORK".... Now if you sit there monitoring and someone connects we find out that the SSID was in fact "dlink".. SO.. Doesn't the probe in fact send out the SSID of "dlink" and find the hidden network "dlink" and try to connect???? Or something like that..
The reason I'm trying to find out is, if you do this type of attack on your Karpy Windows box it will see all 5 "dlink" APs and they would know something is up
@Vivek, we love you!
Hope you don't mind, I thought I'd ask a few questions. I was just finishing burning your vids to DVD and have been watching all day mostly. But I had some questions.. forgive me if it's really noobish stuff
------------------------------------------------------------
#1 question: will the roaming client (iPhone in your case from the video) still send probe requests for its default auto-set wireless APs even after it connects to a hotspot or host AP?
#2 question: also, do iPhones search for hotspots when they get online? And connect to whoever is there? Some people I know have an AP they use almost all the time. Would that be like Verizon? Also, would I be able to see the traffic he's sending to his AP if he's in my immediate location? And spoof the Verizon AP and route his traffic to me instead?
#3 question: another thing. I'm not any real type of security pentester, just to let you know :). I'm not a noob with computers though.. anyway, I have a local server here that I'm pentesting on. I can sniff it all day and grab my passwords for all the SSH and FTP services on it. However, it's just a basic Ubuntu 10 2.6 kernel with all services on default. Metasploit doesn't seem to do the job of exploiting any service on it. So I guess if you can't get in the front door you try the back, huh? If I can't sploit any services, I might as well sniff the traffic and just wait and get any passwords or any data from the network. However, a lot of different sploits in Metasploit don't seem to do the job; I end up finding other ways of accessing the system. Am I out of date or something? Maybe I'm just not knowledgeable enough to perform any real tasks. So I thought I'd ask you what you thought about it. Metasploit and my little bit of knowledge lol.
@allisonmagicelite -- my understanding is:
1: depends on implementation - I don't know on iPhone, but I have seen some implementations that do. Think the Windows preferred list.
2: iPhone question -- idk
3: Ubuntu users are usually patched to latest. Metasploit won't have much for the latest patch... they also tend to focus on MS products. There's some Linux/Unix stuff on there, but even then... just saying. You're not horribly out of date. Wireless hijacking of whatever client and using whatever uname/password combinations for corporate stuff too is usually the cheap shot that gets you in when nothing else will. That or client sides. There are current unpatched multimedia vulns if you can get them to watch a video. Of this I am SURE. They aren't in Metasploit or even public exploit repos.
@albay Thanks! It's not an AP initially, it's the client probing for the SSID. The bottom part of the airodump-ng output shows clients.
@MamboYoyo Sounds awesome! :) Look forward to meeting you my friend
@Andrew Yes, it's a very essential part of the picture. The transfer can never occur without knowing the passphrase.
@m0ei , chao-mu Thanks!
@Blackmarketeer, @Ignatius, sarafnikit Thanks Guys! Regarding the "free wifi", yes, it is very easy to orchestrate these attacks. I dunno if they use a captive portal over SSL or something, but if they do, the Wireless SSL MITM I had shown a while back is your best friend. Of course, similar looking "phish" scams can also happen. But as I will advise, please don't do this even for fun to do something wrong. I know both of you are mature but sometimes the adrenaline rush takes over :)
@Ksa.Hacker sorry to hear you don't have access buddy. I hope the videos are easy to follow even without the hardware with you to try.
@allisonmagicelite Thanks buddy! I will be posting a new video to request questions from everyone, please re-post it there as well. I want to dedicate a full video to just answering questions about stuff covered till now.
@BoNk3rZz, 3lL060 You could disable SSID broadcasting but some clients might have a problem and never be able to connect. If I remember well, Windows 7 had some issues at some point. The easy way out of this is to create one fake AP at a time and see if the client connects to you. This will reduce the exposure area. Also, note that the client automatically connects and the user might be totally unaware that this is happening.
The next video has been posted: http://www.securitytube.net/video/1921
Enjoy!
Andrew, wicked. Thanks a lot bro :D
Vivek, thanks a lot bro. That's awesome :D You guys are a great help!
I understand what you're saying Andrew, a good way is to get into the air and get on their network, do some IP level attacks to gain access by getting info from the air (whatever is passed through)
@Vivek
Thx for your response. I did try it and my iPhone did nothing with the hidden SSID but my XP box did try to auto connect, but it seemed to be very hit or miss, so I'll just stick to not trying to hide the fact I'm messing with people... Also you should play with a WiFi Pineapple as seen on HAK5, it's a fun little toy
@Vivek: indeed, that's why I said that I would play around with a friend's BT Home Hub with his permission. *If* I had wanted to try something "dodgy" and without permission, I could do so at home as I have seen some nearby.
This has been a great video series. I wish you all the luck in the world for Securitytube and yourself. You are a great person and a magnificent teacher. Again, thank you!
I've been trying to replicate the method in the video. However I'm having some problems.
I can launch the 4 fake APs and the airodump-ng to monitor the process. When I try to deauth the victim PC it immediately reconnects to the real AP. However the laptop hosting BT gets deauthed as well and connects to the fake AP.
I can't seem to figure out what the problem is. I've tried moving the Alfa card right next to the victim PC so the signal should be stronger than the AP.
Does anyone have an idea what could be wrong?
Regards, Blom
Hello !
To start => Thanks a lot Vivek! Your video is so amazing!
I am a student and I learn so much with this!!
I have tried a rogue AP with WEP. It works, my Android connects to it without any problem.
But my Android is also looking for WiFi with 802.1x EAP. I have tried lots of WPA2 options but I don't get any good response :(
What kind of security is 802.1x EAP? Can I imitate this security with airbase?
Thanks a lot again !
Hi Vivek and hi all!
I gave this a try and did not succeed very well.
I used an AP with WPA2 with a short password and an NC10 (XP SP3, not very up to date) with built-in WiFi for testing. The connection between both works fine. For testing I powered off the AP.
In airodump-ng I can see the NC10 roaming for the AP. Then I set up airbase-ng like in the video and I have two things that make me wonder:
1) The client connects to the fake AP with WPA instead of the fake WPA2 AP, unless I give the real AP's MAC to the fake WPA2 AP. I have tried it with just the fake WPA2 up... no chance unless the real MAC is used. I guess this is some security from Windows... right? In both cases I can capture a handshake - this leads us to:
2) The handshake I capture is not crackable with aircrack-ng. Neither the "wrong" one from the client connecting to the fake WPA AP nor the one connecting to the fake WPA2 AP. Aircrack-ng only tells me "Passphrase not in dictionary" if I try. To avoid stupid errors I captured a handshake from the client connecting to the real AP - everything fine.
I tried it with my iPhone 4 far away from its known AP and after that with another pair of AP / client with exactly the same results every time.
Can anyone give me a hint what is going wrong, so that a handshake is captured but cannot be cracked?
Thanks a lot!!!