Sla.ckers.org
For 802.11 and bluetooth security people alike. Latest trends, attack surface issues, and prevention. How wireless security is becoming the new vector to hacking corporate websites and applications. 
Evil Twin
Posted by: jacknson
Date: March 30, 2007 01:10PM

Dear All,

I am actually doing research on Evil Twin and other wireless threats facing our corporate world and home users as well. I was wondering if anyone has any information, research, and surveys on wireless security, especially the Evil Twin. Others would help as well, such as mis-configured APs, rogue APs, rogue clients, man-in-the-middle attacks, ad-hoc connections, packet sniffing and DDoS.

The whole aim of this project is to make people aware of the wireless threats, especially the evil twin.

Any help would be really appreciated. Any link or any surveys or any other data that you think would be of relevance, please do let me know.

Many thanks
jack

Re: Evil Twin
Posted by: jacknson
Date: March 30, 2007 02:14PM

Dear Group,
I am setting up an Evil Twin as part of my project. However, being new to Linux, I am actually having a very, very hard time.
I want to use the full standard of IEEE 802.11i (WPA2) with an IEEE 802.1X authentication server (FreeRADIUS, to be built on Linux SUSE 10.2). FreeRADIUS should also hook into MySQL.
I have installed FreeRADIUS and done a radtest, which is fine. Then I am stuck, as MySQL does not start! I tried the www, but most sites do not give the basic steps, which I desperately need. I started learning Linux 1 week ago, as Windows cannot put most of the wifi adapters into monitor mode!
Anyone who has done a similar experiment or who knows the subject, I would appreciate any help you can give me. Please reply to the group or you can PM me for more information.
Thanks a lot

Re: Evil Twin
Posted by: id
Date: March 30, 2007 02:22PM

Take a look at the shmoo group's projects

http://www.shmoo.com/projects.html

or more specifically airsnarf http://airsnarf.shmoo.com/

-id

Re: Evil Twin
Posted by: jacknson
Date: March 30, 2007 02:40PM

Hi id,

Cheers mate, very useful.

Is there anywhere I can find information on how many companies or persons have been affected by this threat, Evil Twin, or the other threats as well?

Thanks a lot

Re: Evil Twin
Posted by: id
Date: March 31, 2007 01:11AM

I think most of the Evil Twin stuff is hype made to sell more security software. It's far easier to put up a base station that has "FREE_WIRELESS" for the SSID, then just record all the logins. I see it fairly often in San Francisco, and use it quite a bit too, but I tunnel everything over ssh, so I don't care :)

-id

Re: Evil Twin
Posted by: jacknson
Date: March 31, 2007 08:53AM

Hi id,

I don't think it is hype here in London; I think people are just ignorant, most of the people I ask.

I just found out that there are wireless adapters which can act as both an AP and a wireless card. To be more clear, you can connect to an access point and at the same time broadcast on the same wireless adapter. Has anyone heard of, or know, which adapter can do this?

More, the enterprise mode, using a RADIUS server, is not secure at all. I have a connection at my old work; it allows you to connect to the network first (which is unsecure) and then checks your username and password on the database.
Once connected, you can just do a net view, or run a sharefinder program, and you would be surprised how many you would find.
If you're lucky enough, people even share their whole C: drive.
jack

Re: Evil Twin
Posted by: id
Date: March 31, 2007 04:55PM

The reason I say it is hype, is because I don't think people are actively exploiting it. As I pointed out above there are easier ways, and if I'm exploiting something it's far easier to go for the low hanging fruit. I'm sure that's the same for people exploiting wireless maliciously.

-id

Re: Evil Twin
Posted by: hackathology
Date: April 01, 2007 01:44AM

Well, here in the UAE, there is also no one really exploiting wireless networks. Hey id, thanks for that airsnarf software. I didn't know about it until I read this post. But hey, is wireless N available in the States now?

http://hackathology.blogspot.com

Re: Evil Twin
Posted by: id
Date: April 01, 2007 03:00AM

Several vendors offer it, but I don't think any base implementation has been ratified. I'd wait for it here until it has been standardized; how often does one need that much bandwidth unless you are streaming movies...

-id

Re: Evil Twin
Posted by: hackathology
Date: April 01, 2007 03:28AM

Hahaha, me personally, I need it for range and speed purposes. The thing is I don't even see a wireless N enabled laptop yet. I am still waiting.

http://hackathology.blogspot.com

Re: Evil Twin
Posted by: jacknson
Date: April 01, 2007 11:42AM

id Wrote:
-------------------------------------------------------
> I think most of the Evil Twin stuff is hype made to sell more security software. It's far easier to put up a base station that has "FREE_WIRELESS" for
> the SSID, then just record all the logins. I see it fairly often in San Francisco, and use it quite a bit too, but I tunnel everything over ssh, so I
> don't care :)

Hi id,
I am a bit confused here. A base station that has "FREE_WIRELESS": for you to capture the logins, you would present the user with a captive portal, a database hooked to your base station. BUT is this not some sort of an evil twin? NO, although it would be best to set the SSID to some SSID that is already in use around the area. Then it is an Evil Twin!

What are the other easy ways to capture their logins: rogue APs, MIMAs or even DoS (jamming)? I am trying here to make evil twin the most dangerous threat to the wireless users, any views?

Although an ET could be hard to set up, if you have a virtual-interface wireless adapter (can connect to an AP and broadcast), it is well easy to set up an ET.

Any views are most welcome

Re: Evil Twin
Posted by: id
Date: April 01, 2007 02:33PM

In order for an Evil Twin attack to work you have to:

a. overpower a known AP
b. DoS a known AP
c. unplug a known AP
d. take your chances and hope that some users connect to your AP and not the one they intend to.

Or you could just set up the FREE_WIRELESS SSID, and not bother doing the extra work above since a ton of people will connect to it anyway. Also with the Evil Twin attack you risk detection; it's far less likely if you just sniff traffic through your own box, after all, you're giving the service you're advertising...just with some extras.

I would not offer a portal, I would simply use an inline password sniffer, such as dsniff (though there are probably newer ones, I don't think it's been updated in years). If you wanted to be tricky, you could offer a proxy service and do MIM attacks on encrypted sessions, but then again you run a higher risk of being detected.

Unless it is a targeted attack I don't see the point in Evil Twin, and even then if the company's wireless is set up properly it's of no value. E.g.: the correct way to set up wireless IMO is to put it on a DMZ that only has access to a VPN, then use the VPN to connect into the office, or if you want vendors to be able to connect as well, just leave it open and allow net access, but internal access still needs to use the VPN.

So yes, they are basically the same attack, but one requires putting in more effort and a higher risk of detection, neither of which most hackers/crackers are going to want, though there may be exceptions for targeted sites if the risk/reward is good enough. Though I have never heard a report of them being used, so I think it is mostly hype ;)

Also, if an AP is running WPA and is shut down, would Windows/OSX attach to another network with the same SSID that wasn't using WPA? It shouldn't IMO, which would pretty much just stop ET attacks, but I honestly don't know if it would.

-id



Edited 1 time(s). Last edit at 04/01/2007 02:34PM by id.

Re: Evil Twin
Posted by: thrill
Date: April 01, 2007 05:54PM

The overpowering of an existing AP is a very simple thing to do.. All you need is a directional antenna. In most cases, unless the user is actually right next to the AP, your signal will be recognized as stronger and the client will connect to your AP.

I got a directional antenna and a few neighbors with their own WiFi setups.. we can give it a shot next time you're around.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Evil Twin
Posted by: jacknson
Date: April 06, 2007 10:14AM

Hi all,

How can you differentiate between access points?
My laptop detects two wireless APs with the same SSID, but both are genuine; one is from the top floor.
But how can I be sure?

Cheers

Re: Evil Twin
Posted by: hackathology
Date: April 07, 2007 01:16AM

Hey jacknson, it's difficult if you are saying that both are genuine. That's a good question: how to be sure of the correct AP?

http://hackathology.blogspot.com

Re: Evil Twin
Posted by: id
Date: April 07, 2007 02:00AM

There are two ways:

1. Know the MAC address
2. Figure out which one you are closer to and check the power of each.

-id

Re: Evil Twin
Posted by: hackathology
Date: April 07, 2007 02:43AM

By knowing the MAC address, does it help? Since both are genuine, how can you differentiate which is the correct one? Also, how does checking the power help in figuring out the correct AP?

http://hackathology.blogspot.com

Re: Evil Twin
Posted by: jacknson
Date: April 07, 2007 08:07AM

When cloning an access point, the evil one will have all the settings of the genuine one, including the MAC address. This is also called

jack

Re: Evil Twin
Posted by: hackathology
Date: April 07, 2007 08:50AM

That is why I don't think the MAC will be one of the elements to determine a real AP.

http://hackathology.blogspot.com

Re: Evil Twin
Posted by: id
Date: April 07, 2007 10:45AM

You would have to know the MAC beforehand, either by physically looking at the WAP (some have it printed on the bottom), or having seen one before the other and know which it was.

For the power thing, you can use Netstumbler and just check which you are physically closer to by the power output.

-id

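The thread circles around one defensive question: given several beacons carrying the same SSID, which one is genuine, and what tells a cloned AP apart from a second legitimate one? id's answers (know the MAC beforehand, check the power) and his earlier question (should a client ever roam from a WPA profile onto an open network of the same name) can be turned into a small triage routine. The block below is an added example written for this thread; it is not code from the sla.ckers posts, from airsnarf or from Netstumbler. It assumes scan records with the fields shown and a hypothetical allow-list of BSSIDs that the site operator copied from the labels on the real APs; the scan itself is constructed.

```python
"""Evil Twin triage over a constructed Wi-Fi scan.

Added example for the thread above; it is not code from the sla.ckers posts
or from any tool named in them. It assumes scan records with the fields
below and a hypothetical allow-list of BSSIDs that the site operator wrote
down from the labels on the genuine APs (id's "know the MAC beforehand").
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str        # AP MAC address (a full Evil Twin clones this too)
    channel: int
    signal_dbm: int   # closer to 0 means stronger / physically closer
    security: str     # "open", "wpa" or "wpa2"


# Constructed sample scan: two genuine "Corp" APs (reception and upstairs),
# one impostor reusing the SSID but running open, one beacon cloning a
# genuine BSSID on a different channel, and an unrelated open hotspot.
SCAN = [
    Beacon("Corp", "00:11:22:aa:bb:01", 1, -48, "wpa2"),
    Beacon("Corp", "00:11:22:aa:bb:02", 11, -71, "wpa2"),
    Beacon("Corp", "de:ad:be:ef:00:01", 6, -40, "open"),
    Beacon("Corp", "00:11:22:aa:bb:01", 6, -39, "wpa2"),
    Beacon("FREE_WIRELESS", "de:ad:be:ef:00:02", 6, -45, "open"),
]

# Hypothetical allow-list recorded from the genuine APs' labels.
KNOWN_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}


def find_anomalies(scan, known_bssids, ssid):
    """Return (kind, bssid) findings for beacons advertising `ssid`."""
    findings = []
    same_ssid = [b for b in scan if b.ssid == ssid]

    # 1. A BSSID advertising our SSID that is not on the allow-list.
    for b in same_ssid:
        if b.bssid not in known_bssids:
            findings.append(("unknown_bssid", b.bssid))

    # 2. Security downgrade: the SSID is seen both protected and open.
    seen = {b.security for b in same_ssid}
    if "open" in seen and len(seen) > 1:
        for b in same_ssid:
            if b.security == "open":
                findings.append(("security_downgrade", b.bssid))

    # 3. One BSSID on several channels at once: a cloned MAC address.
    channels = defaultdict(set)
    for b in same_ssid:
        channels[b.bssid].add(b.channel)
    for bssid, chans in channels.items():
        if len(chans) > 1:
            findings.append(("bssid_on_multiple_channels", bssid))
    return findings


def strongest_trusted(scan, known_bssids, ssid):
    """Pick the nearest AP by signal, but only among allow-listed BSSIDs
    that were not flagged (id's 'check the power' step, made safe)."""
    flagged = {bssid for _, bssid in find_anomalies(scan, known_bssids, ssid)}
    candidates = [b for b in scan
                  if b.ssid == ssid and b.bssid in known_bssids
                  and b.bssid not in flagged]
    if not candidates:
        return None
    return max(candidates, key=lambda b: b.signal_dbm).bssid


def should_join(saved_security, beacon):
    """Client-side rule for id's question: never roam from a saved WPA/WPA2
    profile onto a same-named network whose security does not match."""
    return beacon.security == saved_security


if __name__ == "__main__":
    for kind, bssid in find_anomalies(SCAN, KNOWN_BSSIDS, "Corp"):
        print(f"{kind:30s} {bssid}")
    print("trusted AP:", strongest_trusted(SCAN, KNOWN_BSSIDS, "Corp"))
```

Signal strength alone would have picked the cloned beacon on channel 6 (it is the strongest); it only becomes a safe tie-breaker after the allow-list and the multi-channel check have removed the clone. Note that a clone which copies SSID, BSSID and WPA2 settings and sits on the original's channel is invisible to all three checks; that is the case where 802.1X with server certificate validation, discussed later in the thread, does the work instead.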
Re: Evil Twin
Posted by: jacknson
Date: April 07, 2007 12:12PM

id Wrote:
-------------------------------------------------------
> You would have to know the MAC beforehand, either
> by physically looking at the WAP (some have it
> printed on the bottom), or having seen one before
> the other and know which it was.

id,
this is one of the hardest ways. We have more than one AP, so when users want to access the wireless network, more than one (same) network is detected. How could they be sure that none of them is an evil twin? All the APs are genuine, because with their wireless card they can detect the APs upstairs and the one next to the reception as well.

It would not be feasible, and also they won't have the permission to climb and check the MAC of the AP.

Is there another way?

jack

Re: Evil Twin
Posted by: hackathology
Date: April 07, 2007 12:13PM

Frankly speaking, I can't think of a way. What id had thought of, I already had in mind.

http://hackathology.blogspot.com

Re: Evil Twin
Posted by: thrill
Date: April 07, 2007 02:42PM

At one of my last employers I was asked to lead a team to find a solution for securing the wireless network. The solution we came up with was using 802.1x authentication along with a RADIUS server for logging in the user. Some of you may have already heard of the technology; it's using the Odyssey client by Funk Software, along with their Steel Belted Radius. Using Cisco APs we were able to enable rotating WEP keys that were only given to the client if their certificate could be authenticated; once they were connected to the wireless network, they then needed to authenticate their user/password via the RADIUS, which pointed to the LDAP portion of AD.

Another way of going about this is setting up your AP on a DMZ which does NOT have a real world IP address, and then you can point a VPN server to a machine that is listening ONLY on the DMZ. The attacker setting up an evil twin will not have access to your DMZ, so when you bring up your VPN client trying to reach, let's say 172.16.3.49, you will not have access to it.

Very little information leaked at that point.. just an attempted VPN connection to an internal IP address which the attacker would not know is set up on a DMZ with no access to the internal network.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Evil Twin
Posted by: jacknson
Date: April 07, 2007 03:16PM

thrill Wrote:
-------------------------------------------------------
> Using Cisco APs we were
> able to enable rotating WEP keys that were only
> given to the client if their Certificate could be
> authenticated, once they were connected to the
> wireless network,
>

hi thrill,

Thanks, I will try the DMZ.

You said here that you are using rotating WEP keys to get connected, or can we say associate, to the AP. Can you elaborate a bit more on how this is done, please?

My work, although they are using 802.1x with RADIUS for authorisation (second step): the first step is wide open; they broadcast their SSID to everyone with encryption disabled. This is done to facilitate the large bunch of users connecting without problems. Then they are asked for their username and password (RADIUS).

But my point is, once the users or anyone on the street can connect to the network, they would have an IP and can do a lot of scanning, or if there is an unpatched PC, the latter could be compromised.

Keyloggers could be installed and the username and password could be captured.

jackn

Re: Evil Twin
Posted by: thrill
Date: April 07, 2007 04:10PM

@jacknson

The trick for rotating SSID/WEP keys is using a certificate to authenticate to the actual AP. The AP is set up to point to a radius server which has the certificate on it, then the client sends the AP the supplication requesting the SSID/Key, the AP forwards the request to the Radius server which authenticates the certificate and sends an OK to the AP, who in turn sends the client the SSID/Key to authenticate.

Depending on the encryption type they are using to authenticate to the Radius (PAP, MSCHAP, etc.), those username/password combinations could be very easily hijacked. Using a VPN solution in this case would be a lot more secure than what they currently have since the IPSEC VPN authentication is based on a much stronger encryption.

And yes, I agree with you about the allowing anyone to connect to the network. Simply disabling the broadcasting of the SSID could increase the level of security, and setting up some sort of authentication via WEP/WPA, while not exactly secure either, could keep lesser informed people out of the network.

If your work insists on using the Radius server for authentication, you'd definitely be better off using certificates for authentication rather than username/passwords. And using OpenSSL could save your company money by signing your own certificates rather than paying some CA $500 for a server certificate.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Evil Twin
Posted by: jacknson
Date: April 07, 2007 05:38PM

thrill Wrote:
-------------------------------------------------------


> And yes, I agree with you about the allowing anyone to connect to the network. Simply disabling
> the broadcasting of the SSID could increase the
> level of security, and setting up some sort of
> authentication via WEP/WPA, while not exactly
> secure either, could keep lesser informed people
> out of the network.

thrill,
Cheers. Any ideas you have on the type of authentication? We cannot disable the SSID as there are so many users, and it will be a hell of a lot of work to give each user the settings.

Also, any idea on how to differentiate between 2 genuine APs?

jackN

Re: Evil Twin
Posted by: thrill
Date: April 07, 2007 07:25PM

One scenario that might help in your situation would be using the same technology that is available in most public areas that provide free WiFi, and that's to route all traffic through a proxy that authenticates users via a web page. Until this process is completed all packets go to a black hole and the user is not allowed out of the network. But then this too relies on user education and letting them realize that if they don't see the proxy login they are not on the local network. At least this will keep outsiders from using your resources.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Evil Twin
Posted by: hackathology
Date: April 08, 2007 04:13AM

thrill, can you explain more on the VPN area? You said:

"Another way of going about this is setting up your AP on a DMZ which does NOT have a real world IP address, and then you can point a VPN server to a machine that is listening ONLY on the DMZ. The attacker setting up an evil twin will not have access to your DMZ, so when you bring up your VPN client trying to reach, let's say 172.16.3.49, you will not have access to it.

Very little information leaked at that point.. just an attempted VPN connection to an internal IP address which the attacker would not know is set up on a DMZ with no access to the internal network."

In this manner, how is the connection going to be made from a legit user? Do you mean that all users who want to access the internet have to go through the VPN server first in the DMZ?

http://hackathology.blogspot.com

Re: Evil Twin
Posted by: thrill
Date: April 08, 2007 01:09PM

hackathology Wrote:
-------------------------------------------------------
> In this manner, how is the connection going to be
> made from a legit user? Do you mean that all users
> who want to access the internet have to go through
> the VPN server first in the DMZ?

Yes. The wireless in this sense is just a dumb connection to a network that goes nowhere. The only thing available from this network is a single port open on a machine that is not advertised. Anyone connecting to this network would not be able to find anything unless they ran a subnet/port scan.

So if you are the user, you know this fact and you bring up your VPN client so that you can connect to not only internal services, but also to the internet. This allows you the luxury of having the SSID broadcast and no WEP/WPA security whatsoever, which is how jacknson's network was described. And as a bonus, your traffic is encrypted on the wireless side.

And while I call it a DMZ, it is not necessarily one. It could be an extra network card you put on this one machine that is only going to have itself and the AP connected to it. The trick is to not allow routing through this interface, and to set up a VPN server on that machine listening ONLY on that interface. And maybe a DHCP server on that interface as well. This is how this network becomes secure, and someone setting up an Evil Twin wouldn't be able to duplicate. And even if they did, the VPN client can be set up to authenticate a server side certificate easy enough.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

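thrill's design above reduces to a very short policy on the gateway's wireless-facing interface: answer DHCP, accept the VPN port on the gateway's own address, drop everything else, and never forward a packet off that interface. The block below expresses that policy as a checkable function plus the equivalent netfilter rules. It is an added example, not thrill's write-up and not any project's code; the interface name `wlan_dmz`, the 172.16.3.0/24 segment, UDP/1194 for the VPN (OpenVPN's default) and the iptables syntax are assumptions, and 172.16.3.49 is simply the address thrill quoted. The sample traffic is constructed.

```python
"""Policy for the 'goes nowhere' wireless segment thrill describes.

Added example; it is not thrill's write-up or any project's code. Assumes
the interface name `wlan_dmz`, a gateway/VPN listener at 172.16.3.49 (the
address quoted in the thread) and UDP/1194 for the VPN (OpenVPN default).
Only DHCP and the VPN port on the gateway are reachable from the wireless
side; nothing is ever forwarded off that interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address

WIFI_IFACE = "wlan_dmz"                 # assumed interface name
GATEWAY = ip_address("172.16.3.49")     # VPN server listens only here
VPN_PORT = 1194                         # assumed: OpenVPN default, UDP
DHCP_SERVER_PORT = 67


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "icmp"
    dport: int = 0


def policy(pkt):
    """Return (verdict, reason) for a packet arriving at the gateway."""
    if pkt.in_iface != WIFI_IFACE:
        return ("ignore", "not on the wireless segment")
    dst = ip_address(pkt.dst)
    # DHCP discover/request: broadcast to the server port, so the client
    # can get an address at all.
    if pkt.proto == "udp" and pkt.dport == DHCP_SERVER_PORT:
        return ("accept", "dhcp")
    # The single unadvertised service: the VPN listener on the gateway itself.
    if dst == GATEWAY and pkt.proto == "udp" and pkt.dport == VPN_PORT:
        return ("accept", "vpn")
    # Anything not addressed to the gateway would need forwarding; refuse it
    # whether it targets the internal LAN or the internet.
    if dst != GATEWAY:
        return ("drop", "no routing off the wireless interface")
    return ("drop", "default deny on the gateway")


def iptables_rules():
    """Equivalent netfilter rules (assumed iptables syntax) for deployment."""
    return [
        f"iptables -A INPUT -i {WIFI_IFACE} -p udp --dport {DHCP_SERVER_PORT} -j ACCEPT",
        f"iptables -A INPUT -i {WIFI_IFACE} -d {GATEWAY} -p udp --dport {VPN_PORT} -j ACCEPT",
        f"iptables -A INPUT -i {WIFI_IFACE} -j DROP",
        f"iptables -A FORWARD -i {WIFI_IFACE} -j DROP",
    ]


# Constructed traffic: a legitimate client booting and connecting, then the
# kind of probes a stranger on the open SSID would send.
SAMPLE = [
    Packet(WIFI_IFACE, "0.0.0.0", "255.255.255.255", "udp", DHCP_SERVER_PORT),
    Packet(WIFI_IFACE, "172.16.3.10", "172.16.3.49", "udp", VPN_PORT),
    Packet(WIFI_IFACE, "172.16.3.10", "172.16.3.49", "tcp", 22),
    Packet(WIFI_IFACE, "172.16.3.10", "10.0.0.5", "tcp", 445),
    Packet(WIFI_IFACE, "172.16.3.10", "8.8.8.8", "udp", 53),
]


def audit(packets):
    """Map each packet to its verdict, for checking the rule set offline."""
    return [policy(p)[0] for p in packets]


if __name__ == "__main__":
    for p, v in zip(SAMPLE, audit(SAMPLE)):
        print(f"{v:7s} {p.proto}/{p.dport:<5d} {p.src} -> {p.dst}")
    print("\n".join(iptables_rules()))
```

The FORWARD rule is the one that makes the segment "go nowhere": even with IP forwarding enabled on the box for other interfaces, nothing entering on `wlan_dmz` is routed. What the policy does not cover is the last sentence of thrill's post, the VPN client validating the server's certificate; that check lives in the client configuration, not in the packet filter, and it is what stops an Evil Twin that reproduces this whole segment from impersonating the VPN endpoint.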
Re: Evil Twin
Posted by: thrill
Date: April 08, 2007 04:48PM

So I did a little write-up on this and created a very basic Visio diagram to describe it, which is here:



The write-up, in which I pretty much just re-state everything I put here, is at:

Securing Your Wireless

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill



Edited 1 time(s). Last edit at 04/08/2007 04:49PM by thrill.
