Wednesday, June 1, 2011

Proof-of-Concept Evil Hotspot

So I recently built out a new computer for the family common area, allowing me to repurpose that laptop for other nefarious tasks.  Ok, not really nefarious, I just wanted to have a decent test bed for trying out some of the latest versions of various flavors of Linux operating systems.  So the first one I'm trying is the newest Ubuntu, version 11.04.  One of the interesting capabilities that's been built into this OS for a couple of years now is Internet Connection Sharing, whereby I can plug a device into the Ethernet port on my laptop and allow that device to piggy-back on my laptop's existing Internet connection.  So of course I had to play around with it to see what I could do...

Enabling this functionality is actually extremely easy to do, and is well documented here.  A couple of screenshots get the point across:
This functionality is extremely convenient in that it even pushes out a DHCP address to the connecting device.  So that's all well and good, but what can we DO with it?

Well, in my first blog post, I talked about how easy it was to spoof a legitimate hot spot's SSID, attwifi in my example, and some of the risks associated with connecting to those.  In my second post, I talked about Wireshark, and how easy it was to sniff traffic passing across the network to which you're connected.  Put 'em together and what have you got?  A method by which you can capture and view network traffic from mobile devices automatically connecting to you, trying to get Internet access.

Here's the setup: Internet connection --> Ubuntu laptop (Ethernet port) --> WAN port of the Asus WL-330GE router --> "evil" attwifi wireless network.

After you've configured Ubuntu to share out its Internet connection via the Ethernet port, and either rebooted or restarted networking (your choice), you should find that the Internet-facing interface has reconnected, and the Ethernet interface will be assigned a private (RFC 1918) address once you plug in the router.  In my case, it was a 10.x.x.x address.

Now, plug in the wireless router's WAN port to the laptop's Ethernet port, and power up the router.  If it's configured to grab an IP address automatically via DHCP, it should also now have an IP address in the same subnet as the Ethernet interface of the laptop.  The wireless side of the router will now be broadcasting the new "evil" SSID, attwifi in my case.

Connect a "victim" device to the attwifi network, and you should find that you can get Internet access routed through the router --> laptop --> real Internet connection.  Now, run Wireshark on the Ubuntu laptop to capture clear-text traffic like http web traffic, smtp email traffic, telnet or ftp traffic, etc. sourced from your unwitting "victim" device.

One of the gotchas of running Wireshark on Ubuntu is that it will likely complain that there are no network interfaces to start capturing from.  This is because capturing needs root access, both to open the interface at all and to place it into what's called "promiscuous mode," listening to all network traffic rather than only what's addressed to the system itself.  You can either "su" to root, or just "sudo wireshark", to give Wireshark the access it needs, and then start capturing on the Ethernet interface of the laptop.  (On Ubuntu the wireshark-common package can also be reconfigured with "dpkg-reconfigure wireshark-common" so that members of the wireshark group can capture without running the whole Wireshark GUI as root, which is the safer way to do it on a machine you use for anything else.)  Done deal.
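The capture step above is also the quickest way to see what your own devices give away on an untrusted hotspot.  As an added example that is not part of the original post, the script below takes per-packet summary lines in the shape that `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e frame.len` exports (those are real tshark options and field names), aggregates them into flows by destination and port, and reports which flows ran over cleartext protocols such as the http, smtp, telnet and ftp traffic the post mentions.  The sample capture lines embedded in it are constructed, not from a real capture, and the port-to-protocol tables are assumptions that cover only well-known ports.

```python
"""Audit a packet-summary export for cleartext protocols.

Added example, not code from the original post.  Input lines are
tab-separated: src-ip, dst-ip, tcp-dst-port, frame-length, as produced by
  tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e frame.len
Flows to well-known cleartext ports are what an on-path hotspot operator
can read; flows to encrypted ports expose only the endpoints.
"""
from collections import defaultdict

# Well-known TCP ports whose protocols carry data (and often credentials) in the clear.
CLEARTEXT_PORTS = {
    21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3", 143: "imap",
}
# Ports whose protocols are encrypted end to end (assumed table, well-known ports only).
ENCRYPTED_PORTS = {
    22: "ssh", 443: "https", 465: "smtps", 993: "imaps", 995: "pop3s",
}

# Constructed sample data in the four-column shape described above.
SAMPLE_CAPTURE = """\
10.42.0.23\t93.184.216.34\t80\t512
10.42.0.23\t93.184.216.34\t80\t1460
10.42.0.23\t192.0.2.10\t443\t1200
10.42.0.23\t198.51.100.5\t25\t300
10.42.0.23\t198.51.100.7\t993\t800
10.42.0.23\t203.0.113.9\t23\t64
10.42.0.23\t203.0.113.9\t23\t64
10.42.0.23\t192.0.2.10\t443\t900
"""


def classify_port(port):
    """Return (kind, protocol-name) where kind is cleartext, encrypted or unknown."""
    if port in CLEARTEXT_PORTS:
        return "cleartext", CLEARTEXT_PORTS[port]
    if port in ENCRYPTED_PORTS:
        return "encrypted", ENCRYPTED_PORTS[port]
    return "unknown", "tcp/%d" % port


def audit_capture(text):
    """Aggregate bytes per (dst, port) flow and bucket each flow by exposure."""
    flows = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        _src, dst, port, length = line.split("\t")
        if not port:  # non-TCP packets export an empty tcp.dstport column
            continue
        flows[(dst, int(port))] += int(length)

    report = {"cleartext": [], "encrypted": [], "unknown": [], "cleartext_bytes": 0}
    for (dst, port), nbytes in sorted(flows.items()):
        kind, name = classify_port(port)
        report[kind].append({"dst": dst, "port": port, "proto": name, "bytes": nbytes})
        if kind == "cleartext":
            report["cleartext_bytes"] += nbytes
    return report


if __name__ == "__main__":
    r = audit_capture(SAMPLE_CAPTURE)
    for f in r["cleartext"]:
        print("CLEARTEXT %-7s -> %s:%d  %d bytes readable on-path"
              % (f["proto"], f["dst"], f["port"], f["bytes"]))
    for f in r["encrypted"]:
        print("encrypted %-7s -> %s:%d  %d bytes (contents protected)"
              % (f["proto"], f["dst"], f["port"], f["bytes"]))
    print("%d bytes total sent in the clear" % r["cleartext_bytes"])
```

Port-based classification is deliberately coarse: it will not notice http on a non-standard port, and a flow to 443 is only as private as the certificate the client accepted, so treat the output as a first pass that tells you which apps and mail settings to fix, not as proof that the rest is safe.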

You also have the ability to do things like create a replica of a legitimate hot spot's captive portal to put up once someone connects to your "evil" one.  Then you can capture a victim's hot spot credentials as well, in addition to their traffic once they've connected to you instead.  How easy is it?  Walk into a Starbucks, connect to their AT&T WiFi network, open up a browser, and when you get to their captive portal, choose Save Page As from the File menu to pull down a copy of the site with all images and source code for your enjoyment.  Modify it to your liking, run it on your own webserver on the laptop, and you can even point to it from the various Hotspot Services in the DD-WRT router firmware.

You can also have some more fun by creating a proxy on your laptop and causing some browsing mayhem doing something like serving up the Upside-Down-Ternet.  Watching the extremely confused looks on your victims' faces might actually be even more fun than just capturing their traffic and logon credentials, etc. :)

So the moral of the story hasn't changed, but let me summarize:

  • Disable mobile device wireless when not in use.
  • Be absolutely certain of what wireless networks you're connecting to and their legitimacy.
  • Use encrypted protocols whenever possible.
  • Don't do anything of a sensitive nature, like online banking or file transfers, when out and about using free, likely unsecured, wireless hotspots.
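The second point in the list is the one devices get wrong on their own: a phone or laptop that has joined attwifi once will rejoin any access point advertising that name, which is exactly what the setup above relies on.  As an added example that is not from the original post, the script below audits saved Wi-Fi profiles for open networks that are set to auto-connect.  It assumes a NetworkManager system, where `nmcli -t connection show <name>` prints one `setting.property:value` line per property (`connection.autoconnect`, `802-11-wireless.ssid` and `802-11-wireless-security.key-mgmt` are the real property names); the profile text embedded in it is constructed sample data, not output from a real machine.

```python
"""Flag saved Wi-Fi profiles that will silently rejoin open networks.

Added example, not code from the original post.  Input is the terse
`setting.property:value` shape that `nmcli -t connection show <name>`
prints for one saved profile.  An empty key-mgmt means an open network;
"none" means static WEP; wpa-psk / wpa-eap mean WPA.
"""

# Constructed sample: four saved profiles, keyed by profile name.
SAMPLE_PROFILES = {
    "attwifi": """\
connection.autoconnect:yes
802-11-wireless.ssid:attwifi
802-11-wireless-security.key-mgmt:
""",
    "home": """\
connection.autoconnect:yes
802-11-wireless.ssid:home-net
802-11-wireless-security.key-mgmt:wpa-psk
""",
    "hotel-guest": """\
connection.autoconnect:no
802-11-wireless.ssid:Guest
802-11-wireless-security.key-mgmt:
""",
    "oldrouter": """\
connection.autoconnect:yes
802-11-wireless.ssid:oldrouter
802-11-wireless-security.key-mgmt:none
""",
}


def parse_profile(text):
    """Turn `setting.property:value` lines into a dict; values may be empty."""
    props = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            props[key.strip()] = value.strip()
    return props


def audit_profile(name, text):
    """Return a list of (severity, message) findings for one saved profile."""
    p = parse_profile(text)
    key_mgmt = p.get("802-11-wireless-security.key-mgmt", "")
    autoconnect = p.get("connection.autoconnect", "no") == "yes"
    ssid = p.get("802-11-wireless.ssid", name)
    findings = []
    if key_mgmt == "":
        # Open network: anyone can broadcast this SSID and the client cannot
        # tell a spoofed access point from the real one.  Auto-connect makes
        # that happen with no user action at all.
        severity = "high" if autoconnect else "medium"
        msg = "%s: open SSID %r" % (name, ssid)
        if autoconnect:
            msg += " set to auto-connect"
        findings.append((severity, msg))
    elif key_mgmt == "none":
        findings.append(("medium", "%s: WEP-protected SSID %r; WEP is broken" % (name, ssid)))
    return findings


def audit_profiles(profiles):
    """Audit every saved profile; returns findings with high severity first."""
    order = {"high": 0, "medium": 1}
    findings = []
    for name, text in profiles.items():
        findings.extend(audit_profile(name, text))
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, msg in audit_profiles(SAMPLE_PROFILES):
        print("[%s] %s" % (severity.upper(), msg))
```

For anything it flags as high, either delete the profile or turn auto-connect off with `nmcli connection modify <name> connection.autoconnect no`, so the device only joins that network when you deliberately pick it; that is what "be certain what you're connecting to" looks like in practice.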
Like those Allstate commercials say, "Be better protected from mayhem like me.  Dollar for dollar, nobody protects you from mayhem like [gobitech]." :)
