Rogue access point attacks, but more on the defensive side. I mean, we go into some of the offensive stuff, but pretty much a lot of that's already been done before. This is more of a talk on how to identify rogue AP attacks, and also some preventive measures that you can use to mitigate them.

I'm Gabriel Ryan. I'm a security engineer at Gotham Digital Science. We do pen testing and secure source review, stuff like that. So we're gonna be talking about two kinds of rogue AP attacks today: the evil twin attack and the karma attack.

So let's talk about evil twin attacks. Suppose we're sitting downstairs and we're all connected to one of the legitimate access points for the DEF CON open network, for example, and that access point is running on channel 6 and has the SSID set to "DEF CON open Wi-Fi" or whatever it is. If we were to spin up our own hotspot with the same SSID and the same channel, how would our connected laptops be able to tell the difference between the legitimate access point and the one we just created? Well, it's kind of a trick question, because actually they can't. The factor that is used in that scenario is whatever access point has the better signal strength and the better signal-to-noise ratio; that is what gets connected to. So if we were to do this, and set up our own access point with the same SSID and channel and boost our TX so it's just ever so slightly better than the legitimate access point, all these wireless clients would drop their connections from the legitimate one and connect to us. And when this happens, we essentially have the perfect setup: create the access point, then route it out to the internet and capture everything in between.

So there's some pretty obvious advantages to this attack. One of them is that it's really easy to perform.
You just need something that's capable of making a hotspot. It's also really hard to detect, and we'll go over this a bit later. And it's also very tightly targeted: if you're working in a red team situation and you only want to attack a specific network, this is really good, because by default this kind of attack only targets an access point on the network that you're intending to. So if your scope is limited to, you know, DEF CON open, for example, and you spin up a hotspot for DEF CON open, you're probably only going to get clients that are connected to the target that's in scope.

Disadvantages: well, for one thing, it doesn't work out of the box against protected networks. So if you have a WPA-protected network or something like that, unless you have that pre-shared key, which presumably if you're doing this you probably don't, you're not actually going to have a lot of luck. The way you get around this is, basically... so we're in the Wireless Village, I'm assuming you guys... okay, so show of hands, who does not know how... That access point gets stored into an ordered list in your device that is called your preferred networks list, and your device is constantly sending out probe requests to see if any of these preferred networks that you previously connected to are nearby, and if they are, you'll automatically connect to it. So what we can do in this situation is that we can sniff for probe request packets from devices that are currently connected to the target network, we can identify one that a lot of them have in common, then we can deauth the target network while simultaneously running a rogue AP that matches that preferred network, and all these devices, when they drop off the deauthed network, will connect to us instead. But it's a little more complicated, which is kind of why it's not so great against
protected networks.

So how do we detect evil twin attacks? Well, for one thing, we can use whitelisting. The standard way to do this is just to keep an inventory of what access points belong to your network. So if you have a BSSID that is not in your whitelist, then at that point you know that something shady is going on. So for example, this guy is saying "I have the SSID Starbucks," and your IDS system picks this up and checks the whitelist, and the BSSID is not there, so you take action accordingly. This doesn't always work, because a motivated attacker can simply use airodump or something like that to basically figure out what all the valid BSSIDs for your wireless network are. At that point it's pretty easy to just spin up an AP that has the BSSID matching one of your legitimate access points as well, not just the SSID and channel.
So this actually makes evil twins really hard to detect. The way we get around this, however, is by paying attention to signal strength. So if I have an access point sitting up here, like at the front of the room, and we have a packet sniffer chilling over there in the corner, the signal strength from my access point to that packet sniffer should not change very much; it should stay within a certain range. And of course, with interference and stuff like this, this doesn't always hold true, but in most cases it should stay within a certain threshold. So what this means is that if we establish a baseline TX value from our packet sniffer to our access point, and then listen for probe requests, or probe responses I should say, that claim to come from our access point, that have the same BSSID, SSID and channel as one of our legitimate access points but a TX value that is really noticeably different from our legitimate access point, then we know that it's probably a rogue AP.

So, quick demo of how this works. I'm actually gonna spin up... please don't see me, DEF CON. So we're gonna, right here...
So I'm spinning up a server here, and there's going to be a web interface on here, and we're gonna see an alert pop up when this happens. Now we're starting up our packet sniffer, and it's just kind of chilling here, and if the demo gods are merciful, when I spin up this pseudo rogue access point we should see something. Yes, here it is, so we have the alert show up on the screen. So this is a really, really cheap way to easily spot these rogue AP attacks, and it literally can be done in a few lines of Python code. So I'm gonna kill hostapd really fast, because it's not quitting. All right.

So, karma attacks. The second kind, and this is actually the later evolution of your rogue AP attack, is the karma attack. Remember how we mentioned that all your 802.11 devices constantly send out probe requests for networks that are on their preferred networks list? Well, there are two ways they approach this. In some cases, and the better way for a device to do this, is for them to listen passively for probe responses coming from nearby access points. Unfortunately, there's still a lot of clients out there that will actively broadcast their existence by actively probing for nearby access points. So what this means is that if we set up a rogue access point, or some kind of access point, and just have it gratuitously respond to every single probe request that it receives... So for example, I'm the access point, and some client over there sends out a probe request for Linksys, and if I see that and I respond saying "yeah, I'm Linksys, go ahead and connect," that device will automatically connect. And then if from the same access point we receive another probe request for a
different SSID, say AT&T Wi-Fi, and the rogue AP actually sends a response to that for AT&T Wi-Fi, then the second client will connect as well. So what you have is a situation where you have a single rogue access point that is responding to every single probe request it receives, regardless of whether or not it's a probe request for itself or for some other thing. So this is the kind of attack that you often see with a lot of these... I can't really name brand names, but for example these very fruity, kind of tropical-looking, fruit-named devices that you tend to buy at security conferences. This is how they work: you just set one up and then you just listen for probe requests and respond to all of them, and then the device thinks that it's a legitimate AP and connects. And as those of you who may have purchased these devices may know, it's a relatively automatic process: you turn it on, the script runs, and you just start pwning the shit out of everything nearby. So they're fast, there's minimal supervision or recon required, and you can still target nearby APs.

The problem with these kinds of attacks is that they're really easy to spot. And because I've been in Vegas all week and I've been in a lot of bars, we'll use a bar analogy. So suppose that you walk into a bar and you're looking for a student named Jake. So you walk in the bar and you say, "Hey, is anyone here named Jake?" and then some sketchy dude with a ski mask and a DEF CON badge stands up in the back and is like, "Yeah, yeah, I'm Jake." So you might actually be inclined to believe him, because why would this guy be making this up? Well, let's rewind a bit and suppose that we're in the business of bullshit detection.
So this time we have a little notepad, a pen and paper, with us. We walk into the bar and say, "Hey, is anybody here named Jake?" The sketchy guy with the DEF CON badge stands up and asserts that his name is Jake. You write down that that guy says he's Jake. Immediately step back out of the bar, and then you step back into the bar and say, "Is anybody here named Katie?" and Jake now is saying that he's Katie. Well, the same principle can be applied to rogue access points. If you send out a probe request for some random hash string and you get a response, well, that itself should tell you that something shady is going on. Like, if I'm looking for ESSID... oh, whatever that says on the, yeah... I probably shouldn't receive a probe response for it. But suppose we do; okay, we can go with that. We send another one for a second randomized hash string. Well, when that happens, if we get a single BSSID, a single piece of hardware, responding for both of these, that's probably a good indication that it resembles one of these citrus-like devices that we've been seeing a lot of, and at that point you can try to locate it or deauth it or whatever. So for the sake of time I'm gonna skip the demo for that one. Also, I don't have a pineapple.
I can't say that... yeah, you know what I mean, with me. But let's talk about some existing solutions to preventing and detecting rogue AP attacks. So Aruba Networks makes this thing called AirWave. Last I checked the price list, it's like three thousand bucks, and it's awesome, and it can detect a lot of this stuff. Unfortunately, it's a little out of the reach of the kind of network admin that is going to be the target of this. If I want to steal 50 credit card numbers, or 500 credit card numbers, I'm not gonna be going after an enterprise network; I'm gonna be setting up in a coffee shop in Harlem or something like that, or on the subway, and seeing who I can actually ensnare that way. Cisco makes another really, really awesome product, actually. In the references of these slides, which I'm gonna be releasing online, there's a reference to their slick sheet about how these things work, and it's frankly genius, but they're also probably out of the price range of the kind of network admin that's gonna be working on a network that's gonna be the target of this kind of thing. The same is true with Fluke, the other example of this. Fluke Networks has an analyzer that is like 4,000 bucks for a software license. It's great, once again, but it's not really something that your typical network admin is going to be able to afford. So I think what to do is to ask ourselves: what are the bare minimum resources needed for effective rogue AP mitigation?
So if you have to run an open Wi-Fi network... case in point, actually, we did this at BSides earlier in the week; this is pretty much how we handled our wireless security. But if you have to run an open Wi-Fi network and you need to provide rogue AP protection, how do you do this? What is the minimum cost here? Frankly, using these algorithms that we just described, you can do this with just a Raspberry Pi and about 500 lines of Python code, a little more if you want to get into fancy client-server stuff, and just a cheap, like $10, TP-Link adapter, and that should pretty much cover it. So that brings the cost of rogue AP protection down to about 45 bucks per unit.

Another thing: if you know math, statistics or physics really well, that TX signal strength thing that we did earlier, I mean, it works pretty well, but it's not great. It was built using pretty much hacker math. But if you know math and you want to contribute to this project, feel free to send an email to research@gdssecurity.com, because we'd love to actually have someone who can do math helping with this. And if you want to mess around with the source code, it's at github.com slash solstice slash sentrygun, and you can get the server, which the client thing talks to, at solstice slash sentrygun-server, and there will be a README up there in an hour. And that's it, basically. Any questions?

So the TP-Link TL-WN722N is an external Wi-Fi adapter that you can get on Amazon. It's just one of many that pretty much do the same thing, but it's basically an external network adapter that is really good at sniffing packets. What's that, dude?
So when we started working on this initially, I kind of thought that you need two separate cards for sniffing and deauth. Turns out you don't. With the Atheros cards, with the ones I plug in right here, actually you do; I don't know why. Multi-channel... see, this guy knows Wi-Fi. I know Python, so... What's up, dude? With the... on OS X? I don't know. I mean, most of this is hand-rolled and started on Linux. I don't think so, but don't quote me on it. Any other questions? What's up? Yeah. Good question, good question. So this question comes up a lot. The question he asked, and it's a really good one, is why don't you just change your BSSID between probe requests or probe responses? And you can do that, but remember that if the entire attack revolves around you spinning up a rogue access point and somebody connecting to you, then in order to maintain that connection, in order to actually have a valid AP, you need a valid BSSID. So if you're constantly changing your BSSID, this kind of becomes a problem, because how do you handle all these people connecting to you?
And then you can only have a BSSID up for, you know, a little bit. And not to mention, each time that you change your BSSID you pretty much have to bring the whole network interface down, change it, restart the software, and bring it back up again, and it's just pretty much unfeasible. I had someone actually tell me that it sounds as if there's probably a way to do it with SDR. I don't know, because I don't know SDR. But as of right now, if you want to go down that route, a better approach would be to just actually go the evil twin route and try to intelligently find a common network that a lot of people nearby have connected to, and it will pretty much have a similar effect. Anything else? What's up, man?

Yes, so you mean have some way of... so having an evil twin that is able to figure out what the threshold is? Yeah. That is the problem. So for example, if you do want to look for it this way, there is this calibration phase that this thing has to use, and if you're able to send out your own packets during that phase, yeah, it's gonna mess it up. Right, so it actually becomes a bit of a physical security problem at that point. For example, like what we did at BSides, the whole building was pretty much closed off; we calibrated it and then let everybody in. But if you're not able to do that, you can't really do it on the fly. One thing that's been talked about is, instead of just establishing a statistical norm, to maybe use some kind of machine learning or something like that to figure it out. But then again, machine learning algorithms are still prone to poisoning.
So that's another issue. So, awesome question. What's up? That's also a really good idea, actually. So what he asked is, why not send a known good packet out and listen for that? And then you know the transmit, and you can kind of listen for the packet that you just sent out and record that. And this is an open source project, so if you want to add that... Anything else? What's up? I never feel safe. Any other questions? Am I missing anything, or is that all? All right. Well, yeah.
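As an added example, not code from the talk or from the sentrygun project, here is a minimal Python sketch of the two checks described above: the calibration-phase signal-strength baseline with alerting on deviations for a frame that claims a known BSSID/SSID/channel (plus the plain whitelist check), and the karma check of one BSSID answering probe requests for two different random SSIDs. The MAC addresses, RSSI values and probe log are constructed sample data; the tolerance of 10 dB or three standard deviations is an assumption of this example, not the talk's.

```python
import statistics
from collections import defaultdict

# Constructed sample data, not real captures. Each record is one probe
# response as seen by the sniffer: (BSSID, SSID, channel, RSSI in dBm).
# Calibration frames are taken while only the legitimate AP is on the air.
CALIBRATION = [("00:11:22:33:44:55", "DEFCON-open", 6, r)
               for r in (-61, -60, -62, -61, -59, -60, -62, -61)]

LIVE = [
    ("00:11:22:33:44:55", "DEFCON-open", 6, -60),  # legitimate AP, within norm
    ("00:11:22:33:44:55", "DEFCON-open", 6, -38),  # same identity, far stronger
    ("66:77:88:99:aa:bb", "DEFCON-open", 6, -55),  # BSSID not in the whitelist
]

# Constructed karma check: we probed two random strings, one device answered both.
PROBE_LOG = [("x7Qp9LmZ", "de:ad:be:ef:00:01"), ("b3Rt8KwV", "de:ad:be:ef:00:01")]


def build_baseline(frames):
    """Calibration phase: mean RSSI and spread per (BSSID, SSID, channel)."""
    groups = defaultdict(list)
    for bssid, ssid, chan, rssi in frames:
        groups[(bssid, ssid, chan)].append(rssi)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in groups.items()}


def evil_twin_alerts(baseline, frames, min_delta_db=10, k=3):
    """Whitelist check plus signal-strength check: a frame claiming a known AP
    identity but arriving outside the calibrated band is flagged, as is any
    BSSID the calibration never saw. Tolerance (assumed) is at least
    min_delta_db, widened to k standard deviations if the baseline was noisy."""
    alerts = []
    for frame in frames:
        bssid, ssid, chan, rssi = frame
        stats = baseline.get((bssid, ssid, chan))
        if stats is None:
            alerts.append(("unknown-bssid", frame))
            continue
        mean, sd = stats
        if abs(rssi - mean) > max(min_delta_db, k * sd):
            alerts.append(("signal-deviation", frame))
    return alerts


def karma_alerts(probe_log):
    """probe_log holds (random_ssid_we_probed, responding_bssid) pairs. A real AP
    answers none of them; one BSSID answering two random SSIDs is the karma tell."""
    answered = defaultdict(set)
    for ssid, bssid in probe_log:
        answered[bssid].add(ssid)
    return sorted(b for b, ssids in answered.items() if len(ssids) >= 2)
```

Running `evil_twin_alerts(build_baseline(CALIBRATION), LIVE)` flags the -38 dBm frame and the unknown BSSID, and `karma_alerts(PROBE_LOG)` returns the one device that answered both random probes.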