A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Manna from Heaven; Improving the state of wireless rogue AP attacks - Dominic White & Ian de Villiers (Defcon Wireless Village 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)

Manna from Heaven; Improving the state of wireless rogue AP attacks - Dominic White & Ian de Villiers

Wifi (802.11/abgn...etc) networks are increasingly the primary interface for the majority of computing devices. These devices are usually portable, following the user, and are used to connect to a plethora of both business and personal services. These services are often converged under a handful of "single sign on" accounts such as a domain user, Google, Facebook and Twitter accounts.

We will give live demonstrations and release tools that show significant improvement on the current state of attacks against client devices.

The current state of theoretical attacks against wireless networks should allow this wireless world to be fully subverted for all but some edge cases. Devices can be fooled into connecting to spoofed networks [01], authentication to wireless networks can either be cracked or intercepted [02][03], and our ability to capture credentials at a network level has long been established[04][05]. Often, the most significant protection users have are hitting the right button on an error message they rarely understand [06]. Worse for the user, these attacks can be repeated per wireless network allowing an attacker to target the weakest link.

This combination of vulnerable and heavily used communications should mean that an attacker needs just arrive at a location and setup for credentials and access to start dropping from the sky. However, the reality is far from this. Karma attacks don't work as well as they used to, and the roll out of anti-interception technologies such as HSTS and certificate pinning are making it harder to get useful credentials. This talk is an attempt to remedy this, in the hopes that making these attacks more effective will help motivate seeing the underlying vulnerabilities fixed as well as enhancing wireless and network attack toolkits.

The talk will cover two high level areas of our work: improving rogue AP attacks and improving network man-in-the-middle attacks. More specifically, this will include:
Improvements in the current KARMA [07][08] capability to improve the number of successful connections. The current implementations no longer work on most Android devices for example.
The extension of KARMA to handle pre-shared WEP and WPA2 key networks, specifically, attempting to crack the keys and present a network the victim can join.
The integration of RADIUS MITM [03] techniques into this toolset, and improvements in their effectiveness [09].
A network MITM toolset for more effectively capturing single-sign-on credentials such as; domain, Google, Facebook and Twitter credentials, with a focus on mobile devices. Prior, simple work in this area was published [10].

The talk will result in the release of new or updated point tools for each of the techniques discussed, as well as the integration of the attacks into SensePost's open source Snoopy framework [11]. The point tools will allow a much wider application of some of the techniques, for example, the network MITM tools can be used in places where layer-2 MITM is possible and is not tied to wireless networks.


Bio: Ian de Villiers is a security analyst at SensePost. Coming from a development background, his areas of expertise are in application and web application assessments. Ian has spent considerable time researching application frameworks, and has published a number of advisories relating to portal platforms. He has also provided security training and spoken at security conferences internationally.

Dominic is the CTO of SensePost, an information security company based in South Africa and London. He's worked in the industry for 10 years. He has given training at BlackHat for several years, and is responsible for SensePost's wifi hacking course (Hacking by Numbers Unplugged).

Back to Defcon Wireless Village 2014 (Defcon 22) video list

Printable version of this article

15 most recent posts on Irongeek.com:

    If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

    Copyright 2019, IronGeek
    Louisville / Kentuckiana Information Security Enthusiast