An easy and inexpensive method to steal wireless subscription credentials is by AP Phishing. As it stands today, the only real methods a typical end-user has to determine if a wireless access point is valid is by recognizing the SSID and ascertaining if the site has the look and feel of the real public Wi-Fi hotspot login page. Unfortunately for the end-user, both of these can be easily spoofed. Here's how it's done and no, you won't have to carry a wireless access point around to do this.
Performing this technique requires two steps:
* Setting up your computer to look like an actual Access Point broadcasting the appropriate SSID (T-Mobile, Wayport, etc.)
*Having the walled-garden, or login page that your computer will display look like the real login page of the provider whose signal you are broadcasting
It's not hard to make your computer broadcast the SSID of your choice, in an attempt to get a person to connect to you instead of a valid Wi-Fi hotspot SSID. The problem with the ‘easy way' is that the potential victim sees that this is an Ad-Hoc network and most people these days know not to connect to these. So, we employ the use of Airsnarf by the Schmoo Group to make this signal look like it's coming from an Access Point. Essentially, we will be turning the laptop into an Access Point.
The most difficult part of using Airsnarf and other HostAP-reliant programs is finding a card that supports the HostAP drivers. Personally, I use the Senao NL-2511CD PLUS EXT2 200mw PCMCIA Wi-Fi with a Rover Portable Laptop Mount 2.4GHz 5.5dBi Antenna. Both of these can be purchased from http://www.wlanparts.com/ (Thanks to Tom's Networking for detailing this hardware info a while back).
Airsnarf consists of a number of configurable files that control how it operates.
With Airnsnarf configured with default settings, it will display a default login page that looks like the following:
This default page will take the username and password that is entered and dumped into a file where it can be read.
To make this attack really work, this login page needs to be modified to look just like a real Wi-Fi hotspot provider's login. Depending upon your HTML skills, you can either get real fancy or just stick to basics. For this proof of concept, I'm going to keep it very simple. Of course, it wouldn't be difficult to go to a T-Mobile, Wayport, STSN, Concourse or any other hotspot provider's site and essentially copy-and-paste their graphics to make the login page look just like theirs.
Once Airsnarf is configured and the customer Login page is created, the attack can be launched. Any airport, coffee shop, or other public area where people utilize their laptops will work. To launch the attack, activate Airsnarf by typing the ./airsnarf command. Below is an example of what you'll see when the attack is launched.
Airsnarf being launched and waiting for a connection
An end-user attempting to connect to the hotspot will see the SSID that was entered into the airsnarf.cfg file and use their computer to connect to that network. Upon launching their browser, they will be prompted to enter their username and password.
Windows Zero Config showing the T-Mobile HotSpot being broadcast by Airsnarf
Fake Walled Garden/Login Page presented by Airsnarf
Once the user enters their credentials and hits the Login button, their credentials have been compromised and can be used by the person with ill-intent. This could be only the beginning, though. Commonly, users will utilize the same username and password for many different accounts/websites. Consequently, the username and password that were just grabbed may enable a hacker to access the user's e-mail, online banking, etc.
Example of credentials entered into Airsnarf AP Phishing Site and dumped to a file
Another variation of this above trick is to change the SSID to something like "Free Public Wi-Fi," at which point, you can change the login page to something creative, such as the following:
Without question, there will be users that will fall for this trick and you now have access to their e-mail.
Malicious Websites and Browser Exploits
Given the knowledge of the aforementioned exploits, a creative combination could be had. What if the walled garden/login page in the previous exploit actually contained code that would exploit a user's machine? That way an attacker could gain access to an end-user system just by that user attempting to connect to what they believe is a valid Wi-Fi hotspot. An exploit that could take advantage of this is Microsoft's relatively recent Create Text Range vulnerability. All a hacker would need to do is copy the malicious code into the login page and every person who connected to that hotspot could potentially be exploited.
Part of the actual code that could be inserted into a webpage to automatically download and run a malicious executable on the victim's machine just by that user viewing the webpage.
That would be "cool," but we're going to take it a step further. What if people who were currently connected to the hotspot were "forced" to view a malicious page, regardless of the URL they entered into their browser? That would be "cooler!"
This hack contains the following steps:
Creating a malicious webpage and serving-it-up on a laptop
Redirecting traffic at a Public Wi-Fi Hotspot to that malicious webpage running on the laptop
As the victim is redirected and the malicious page is viewed, a browser-based exploit is run which gives the hacker a live command shell (c:\) on the victim's machine
So, the hacker goes to a Public Wi-Fi hotspot and connects to the network. He then launches Metasploit to create the malicious webpage and serve-it-up.
Commands to use Microsoft's Create Text Range vulnerability and to select the option of creating a reverse shell back to the hacker once the exploit is executed
The setting of various options for the exploit
With all options set properly, the web page is served-up and ready to exploit the machine by running the "exploit" command
Now that there's a machine on the hotspot network running a malicious webpage, it's necessary to redirect traffic destined for the Internet to that website.
Run the arpspoof command to redirect traffic destined for the Internet to the malicious webpage.
Running dnsspoof, you can see that a user attempted to go to foxnews.com but was redirected to the malicious webpage.
This is the page that contains the malicious content that will enable a hacker to connect to the victim machine via Netcat. This page appears regardless of the URL entered by the end-user. This page could look like and say anything.
The hacker then launches Netcat. The C:\ is on the victim's machine which is real bad news for the victim. FYI - Windows XP Firewall and Symantec AV were running the entire time.
If you didn't want to go to a public Wi-Fi hotspot and serve-up the webpage, you could just host the website somewhere and send out e-mails trying to convince people to go to the site. With Metasploit, for example, the payload doesn't have to be a reverse shell, you can have the malicious webpage download and execute a malicious file. Perhaps that malicious file would install a Trojan, Keylogger, or other Malware.
Examples of possible Metasploit Payloads for ie_createtextrange exploit.
Now that we've seen the "cool" and illegal hacks, let's talk about the real purpose of this article - Prevention!
Preventing the Hacks
There are basically two things to combating the previous hacks:
Taking measures to ensure a hotspot is valid
Protecting the machine against browser-based exploits
Ensuring a Hotspot is Valid
Validating a hotspot is extremely difficult for an end-user to do. In fact, the only realistic method to do so is to use a wireless client designed to work with various hotspots that can use some sort of WISPr check to help ensure the Hotspot is what it says it is. I used T-Mobile in the above example in large part because they are one of the few providers that can utilize this type of functionality. In fact, the best solution I know for enterprises to protect against public hotspot AP Phishing for their mobile users is to use a client such as Fiberlink's e360. Using a client such as this provides two areas of protection:
The hotspot signal itself can be validated
The end-user doesn't enter their credentials into a webpage which can be faked. They select a signal with the client and enter the credentials in that client.
Note that in the below graphic, a valid T-Mobile HotSpot is displayed as "Fiberlink Wireless Premium Powered by T-Mobile" as opposed to just "tmobile." That is because the client has determined that the particular hotspot in question is, in fact, a valid T-Mobile HotSpot. If it were not valid a valid hotspot, the SSID would simply be displayed as it is being broadcast.
Client-based solution that helps mitigate risk by helping to validate a hotspot.
As mentioned in the second point, the user enters their credentials into the client not into a web-based form. For many obvious reasons, this is significantly more secure. With this particular client, both the username and password are immediately encrypted with 256-bit AES.
The entering of credentials into a client as opposed to an easily spoofed webpage.
Protecting the Machine Against Browser-based Exploits
As with many exploits, the key is to have the mobile device be protected at all times. To protect against these exploits, the mobile device needs to:
Have the latest security patches installed. This is increasingly difficult to do for corporations as laptops are spending less and less of their time connected to the corporate LAN. This is bad, since many corporations can only push patches to machines when they are on the LAN. Consequently, corporations need to employ solutions that can push patches down to mobile devices anytime they are connected to the Internet and without end-user interaction.
Be restricted from surfing the Internet or connecting wirelessly if they do not have the latest patches. This makes sense. If you are not secure enough to surf the Internet or connect to wireless hotspots, because you do not have a necessary patch, you shouldn't be able to do so. In essence, you need to protect yourself from yourself. For corporations, they are beginning to look at functionality such as Cisco NAC to help with this. Unfortunately, Cisco NAC only quarantines on the LAN or Post-VPN. It won't analyze the security posture of the mobile device or quarantine it if it doesn't have the necessary patches until it is essentially too late. That's why corporations need to implement solutions that will quarantine and remediate devices while the device is mobile, not just when they are VPNing into the corporate network. The logic for assessing the security posture and for quarantining needs to be on the endpoint itself!
Employ a program to protect against Zero Day type of attacks such as a Personal Firewall with IPS capabilities. As an example, even if the above machine weren't patched, ISS' Proventia would protect a machine against the aforementioned browser exploit.
Conclusion
I hope you've seen how easy it is to trick and exploit users when they are in a wireless environment. I also hope that in seeing how these exploits actually take place and seeing how to help prevent them, you and your corporation are better protected.
Special thanks to the Metasploit Project and Schmoo Group. The use of your tools in explaining how the exploits are performed and the work you have put into the development of these tools is invaluable and appreciated.
Be sure to create and account on EthicalHacker.net to automatically be informed via e-mail of new articles by this author.
