Imagine this scenario. . .
You’re sat at your favourite Coffee Shop and you connect to the local Wi-Fi. You login to Facebook and see what your friends are doing, jump on amazon to buy a gift you pay with PayPal and finally open your Gmail account to see all the confirmation emails.
What would you say if i told you there is a chance that someone else just intercepted all the usernames, passwords, emails and data you were sending and receiving?
What would you say if i told you it was worse than that and now you SmartPhone or laptop are infected and belong to an attacker who starts to send Premium rate texts and sells access to your laptop so it can be used as part of a bot net that steals banking and financial information.
Both of these scenarios are real and simple for an attacker to do. In both these cases the entire attack can be automated. For those of you thinking that’s fine, i wont connect to the public Wi-Fi. This is of no concern to the attacker, He can make your phone connect to him without any interaction on your part.
And the price of this for the attacker. Well Free if he doesn’t mind sitting there with his laptop. If he wants something more discreet and something that works straight out of the box. Then for a one off payment of $99 he can be in possession of a Weaponized Pineapple.
The WiFi Pineapple Mark V is the latest generation wireless network auditing tool from Hak5. With its custom, purpose built hardware and software, the WiFi Pineapple enable users to quickly and easily deploy advanced attacks using our intuitive web interface.
Hak5 focuses on making easily accessible, affordable and infinitely expandable wireless hacking tools. Since 2008 the WiFi Pineapple has been serving penetration testers, law enforcement, military and government with a versatile wireless auditing platform for almost any deployment scenario.
From a man-in-the-middle hot-spot honeypot to an out-of-band pentest pivot box, the WiFi Pineapple is unmatched in performance, value and versatility.
As they say in their own description the designers and the community behind this device have made it incredibly simple and user friendly so that anyone with a little bit of knowledge or a couple of good search terms can have this up and running in no time at all. It is aimed at Penetration testers and those in the professional community but there is nothing stopping any Joe Bloggs picking one up and deploying it in anger.
The interface is designed to be simple one line configurations and one click starts. There are also switches that allow you to pre-configure the device. This makes it easy for our attacker to go somewhere with people, think coffee shops, large train stations airports etc and with the device turned on in his pocket or backpack he just waits for it to do its thing.
Now you are suitably concerned about your online privacy and data security whilst out in the wide world lets show you how these attacks took place, then i will show you how you can protect yourself against these attacks in the future. I am not going to explain how to set up or configure these devices im only going to show you how an attacker can use this toolkit against you.
Each of the attack methods requires one important factor before it can be of any use and that is to acquire the target i.e. your device must connect to the pineapple either by choice or by trick.
The simplest of these methods is with a little bit of social engineering. I create my own access point and name it something you would want to connect to. The image below shows some of theses access points i created.
You can use your imagination here but who wouldn’t connect to one of these?
All of these are Fake Access points and none of them really exist, they are all being generated by the Pineapple.
These steps require that you as the user choose to connect to one of these rogue access points. There is another alternative, what if i could trick your device into automatically connecting to my rogue access points? Thus removing the user from the equation.
Welcome Karma to the stage. Karma is designed to do exactly this. I’m not going to go in to the technical details of how this works but the basic idea is this.
Under normal circumstances, if you’re not connected to a Wi-Fi access point, your device will broadcast the names of any Access Points you have previously connected to and if it finds one it automatically connects to it.
This is where Karma steps in, Karma listens for your device asking and then answers as if it were the AP you asked for. Your device then automaticlly connects.
Its worth noting that recent changes to the 802.11 protocol prevent this attack. It does this in one simple way, instead of broadcasting the device name it just says im here. Its then up to the Access Point to identify itself. Not all devices have adopted this change so the old techniques still work.
This video from the creators of the pineapple over at Hak5 explain all this in a lot more details than i can in a paragraph. So if you have a spare hour its well worth a watch.
Now we have some victims connected lets look at what data we can get from them.
We are now operating in Man In The Middle mode. As this diagram shows all traffic going from and to your device to the internet goes through me first.
With all traffic flowing through our device you would be amazed at the wealth of data we can extract. Websites you visit, files you download, files you upload and more. Some of you will think so what theres not much you can do with that.
What about websites you log in to? i get to see you at all those sites as well. And if your not using HTTPS secure browsing then i have your usernames and passwords as well.
So how simple is it for the attacker to do this?
With a few clicks of the mouse all data is being recorded.
Then we simply open the pcap and search for anything that looks like we can use it. As you can see here i have captured a WordPress login, with username and password in clear. If like too many people you use the same password on multiple sites then i can potentially access more than just your wordpress blog.
This attack works for any site that runs in clear using HTTP. Most sites that hold your confidential information like Banks, Web Mail and Social media sites have switched to HTTPS only. This encrpts all your information so that anyone sat in the middle of your traffic cant see or understand any of the data.
This is not good for the attacker, but luck is on his side. The Pinapple comes with something called sslstrip. This small software package is designed to do one thing. Look for HTTPS Sessions and if it finds one it sets up a special type of Proxy that allows the site to establish a secure connection but allowing us to intercept all the data and unless the user pays very close attention he is unaware his data is being intercepted.
Since this kind of attack was first announced and the software to automate it all was released the internet of things took steps to secure itself. This was done by implementing something called HTTP Strict Transport Security (HSTS). Supported by Modern browsers and implemented by an increasing number of Websites (But not all of them) HSTS stops this attack method by forcing your browser to only interact via HTTPS.
Now that HSTS prevents us from intercepting credentials the simple way the attacker has to come up with some new methods. This next option is equally simple to set up and uses a bit of social engineering to trick the user in to handing over their credentials.
Most people have at some point used Public Wi-Fi at some point and are familiar with the concept of a ‘Captive Portal’. This is that first landing page that tells you which Access Point you’re connected to and then asks you to login, pay or just accept the TOS before continuing online.
As with all the other options all that’s required is for the attacker to turn his device on and click a couple of buttons.
In this next example I created a Captive Portal of my own. This is a basic example just to illustrate the method and with very little effort a realistic portal can be created and served to the user.
Any credentials entered in to this browser are saved to the device and the user is allowed to continue accessing the internet as normal. Setting up a captive portal like this gives the attacker a couple of options. He could set up something like i have that harvests user names and passwords. Or he could add create a portal that charges people to use the service. This could be something as simple as a paypal button that asks you to pay £2.50 for “Unlimited Lifetime Access For Any Device Anywhere Any Time”. Sounds reasonable, and as you enter your PayPal username and password to pay for it the attacker also steals those.
The Evil Portal tries to trick the victim in to entering their real credentials in to our fake site. Some users would do this, some however would not and would enter fake details or just refuse outright. For these events there are other things we can try.
If you dont want to enter your username and password in to my login page, what about putting them in to a page that looks like the real thing. Using a normal browser and under a minute in a text editor i had cloned the popular Facebook.com website. A minute later and i have it running on my device. Now all i need to do is get you to enter your details.
I cant just replace every page with my new fake facebook, if you type in amazon and suddenly find yourself at facebook you will know something is wrong. For the attacker the pineapple has something to help in exatcly this type of situtation. DNS Spoofing.
As you’re connected to my device and im in the middle of all your traffic we have seen how easy it is for me to modify your traffic, I do the same thing with your DNS traffic.
For those of you who have no idea what DNS is. At its simplest level its like a phonebook for the internet. You want to go to a website you need its IP Address. Numbers are hard to remember and so instead you have a name like google.com or in our case facebook.com. When you type the name in to a browser your device looks up the IP for the name and away you go.
All we do is intercept that IP lookup, and instead of giving you Facebooks IP address I give you my own IP address.
Now anytime you try going to facebook you will end up at my version of the site. Would you be able to tell which one is fake?
Once you enter your details and press the login button these details are recorded on my device before sending you on to the real site, as far as your concerned you didn’t enter your password correctly and if you try again you log in to the real site.
In less than an hour i had set up and configured the pineapple to DNS Spoof and intercept credentials for the following sites.
With the following results recorded on the Pinapple.
September 7, 2014, 11:28 am -- http://www.facebook.com/facebook.html -- email@example.com -- mysupersekritpasswird September 7, 2014, 3:17 pm -- http://paypal.com/PayPal.html -- firstname.lastname@example.org -- paypalpass September 7, 2014, 3:18 pm -- http://amazon.com/Amazon.htm -- email@example.com -- amazonpassword September 7, 2014, 3:22 pm -- http://twitter.com/Twitter.htm -- firstname.lastname@example.org -- twitterpassword September 7, 2014, 3:26 pm -- http://email.google.com/Gmail.htm -- email@example.com -- gmailpassword
We have seen that we can redirect users to any web page we like. We can also use a technique known as code injection as a method to gain more information or to silently install malware on devices.
One of the ways an attacker can use code injection is to use similar techniques to banking Trojans like Zeus and SpyEye. This malware type adds new forms to your online banking that steal more information. The Pineapple can achieve the same results without installing anything on your device, which means there is no malware for Antivirus to detect. This PayPal example shows the kind of tricks attackers can achieve.
These examples like the Evil Portal and page spoofing require a certain level of user interaction, If you as the victim choose not to enter any details then there isnt a lot i can do about it. This leaves me with one final option. I can install malware directly on to your device. This way when you get home and connect to your trusted home network i can perform all the same techniques above and more. I can steal all your passwords, all your documents, turn on your webcam, install ransom ware try to blackmail you, I’m limited only by my evil imagination here. And to achive this level of access all i need you to do is open a browser window when you are connected to my WiFi device. No fake logon pages, no attempts to spoof pages or break ssl. I simply allow you free access to the internet via my hotspot. . .
. . . And inject one simple line of code in to every page.