Although wireless communication technologies have matured to a great extent, their related communication protocols and stack implementations are still encumbered by a number of well known security problems.
WiFi (802.11) management packets are not cryptographically protected against eavesdropping, modification or replay attacks. WEP, WPA and WPA2 protect data only after the association has been established. At the same time, modern Operating Systems will probe for any Access Point they have associated with in the past and, most of the time, they will connect to any Access Point with a known ESSID without any warning.
In “Karma” and “Evil Twin” attacks, attackers forge “Deauthenticate” or “Disassociate” packets to disrupt existing associations. In the Karma Attack, a phony Access Point is created based on probe request frames, whereas in the Evil Twin attack, the phony Access Point is modelled by the target Access Point. In both cases, the victims will connect to the rogue Access Point, and the attacker will eventually achieve a man-in-the-middle position. At that point, common web phishing attacks can take place.
Wifiphisher is a penetration testing (and social engineering) tool that automates the above process in order to mount fast phishing attacks against WiFi networks. After achieving a man-in-the-middle position using the Evil Twin attack, wifiphisher redirects all HTTP requests to an attacker-controlled look-alike web site.
Wifiphisher is open-source software (licensed under the MIT license) and supports community-built templates for different phishing scenarios, such as:
- Router configuration pages that ask for the WPA/WPA2 passphrase due to a router firmware upgrade.
- 3rd party login pages (for example, login pages similar to those of popular social networking or e-mail access sites and products)
- Captive portals, like the ones that are being used by hotels and airports.
Common defenses for reducing the risks associated with the above attacks include Wireless Intrusion Detection & Prevention Systems, 802.1X Port Access Control for robust mutual authentication, and security awareness training.
The “Introducing wifiphisher” talk at this year’s BSides London will explain in detail how WiFi phishing attacks work and the reasons behind the success rate of Evil Twin and Karma attacks. Audiences will also find out more about the wifiphisher tool and the countermeasures that can be used against it.
About the Author: George Chatzisofroniou (@_sophron) is a security engineer at CENSUS S.A. His research interests include cryptography, WiFi hacking, web security and network security. He is the lead developer of wifiphisher, an open-source phishing tool that recently caught the attention of the wireless hacking community.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.