Who knows how many times we have seen, in shops, clubs or public parks, signs advertising free WiFi networks, or networks accessible with a simple “like” on Facebook. In all likelihood, each of us has used these services at least once, either out of necessity or simply out of what is by now a natural urge to stay connected to the internet.
So why do these networks have such a poor reputation? And how are they exploited by malicious users? In the rest of the article we will analyze and build a typical scenario whose aim is to intercept sensitive information entered by an unsuspecting user: in short, the classic username/password combination.
Since the chances of intercepting traffic and interesting data in clear text, i.e. not protected by the well-known HTTPS protocol, with network sniffers (such as Wireshark, Xplico or ferret) are rather slim, given the increasingly strict security policies adopted by browsers and operating systems, we will instead work on a far more effective phishing attempt: as is well known, the weakest link of a computer system is always the one sitting in front of the screen!
Once again, we point out that carrying out the practices shown below outside of simulated environments, or against non-consenting subjects, may mean committing the offences referred to in articles 616, 615-ter, 615-quater, 617-sexies and 640-ter of our Criminal Code.
Let’s start by installing one of the best-known frameworks in the field of wireless attacks on our Linux distribution, namely the wifiphisher project:
git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install
The tool comes pre-installed in WifiSlax, an excellent operating system of Catalan origin dedicated to WiFi pentesting. We must then equip our system (even a virtual machine) with at least a second WiFi network card that supports packet injection and monitor mode. If we are using VirtualBox as the virtualization platform, just open the appropriate menu and tick the device:
We launch the program in its basic mode with the command:
A first method consists in cloning an Access Point, creating the so-called Evil Twin, and sending packets that deauthenticate all clients connected at that moment, so as to force them to reconnect to the AP created by our script. After changing the MAC address of the attacking network card to ensure a minimum of anonymity, we select the target network to be cloned from those listed in the menu:
Four possible scenarios are offered with which to lure the victim client; in this case, we select number 4, the OAuth login page:
An interesting aspect of this attack method is that everything happens automatically and rather quickly: the victim will see a browser window appear, on desktop and mobile alike, asking for credentials in order to continue browsing (in this case Facebook credentials):
And here’s how the program’s terminal will return the victim’s email address and password:
If we wanted to be even more devious and increase the chances of success, we could modify the HTML of the web page to our liking, perhaps inserting a more captivating title in Italian or making the URL generated by the web server more credible. The HTML pages served by the server are found at the path:
A second, very effective method offered by the framework consists instead in creating from scratch an open WiFi hotspot, to be left active while waiting for an unfortunate user looking for an internet connection. Furthermore, the wifiphisher community has worked to expand the number of scenarios for this second type of attack, making the following material available:
We copy the downloaded folders to the path indicated above and re-run the initial installation script so that these add-ons are also operational. We then run the program with the following syntax, specifying the name of the network to be used as bait (--essid) and the web page of the desired scenario (parameter -p):
sudo wifiphisher --noextensions --essid "FREE WIFI ICT SECURITY MAGAZINE" -p oauth-login -kB
The victim’s device will detect a new network: as the following screenshots show, the fake login mask appears in the foreground even on Android devices:
After seeing what a potential attacker can do, let us ask what we can do, as conscious internet users, to avoid nasty surprises. Here software only partially helps: some antivirus products may generically warn of a newly detected network, but they will certainly not stop the user from entering credentials. Not even a VPN protects us from this kind of interception: the encapsulation of internet traffic only begins after the connection to the Access Point has been established, i.e. when we have already handed over our precious data.
On the other hand, it is certainly useful to keep browsers updated and to be wary of the autofill they often offer on new forms: URLs and pop-ups must always be examined with due care, pressing Enter only when we are sure we are sending our data to the legitimate recipient. Finally, for the most sensitive sites it is advisable to enable two-factor authentication via SMS or six-digit one-time tokens generated by smartphone applications.
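As an added example, not part of the original article or of the wifiphisher project, the following Python check looks for the Evil Twin pattern described above in a set of scan results: a previously trusted network name advertised from an unknown BSSID, or a name advertised both with encryption and as an open network. The scan records and the allow-list of trusted BSSIDs are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of scan results (not real captures): (ssid, bssid, security).
# The second "CoffeeShop" entry is an open network reusing a protected network's
# name from an unknown BSSID: the Evil Twin pattern discussed in the article.
SAMPLE_SCAN = [
    ("CoffeeShop", "a4:2b:8c:11:22:33", "WPA2"),
    ("CoffeeShop", "de:ad:be:ef:00:01", "OPEN"),
    ("HomeNet", "10:20:30:40:50:60", "WPA2"),
    ("FREE WIFI ICT SECURITY MAGAZINE", "de:ad:be:ef:00:02", "OPEN"),
]

# Assumed allow-list: BSSIDs the user has previously trusted for each SSID.
KNOWN_APS = {
    "CoffeeShop": {"a4:2b:8c:11:22:33"},
    "HomeNet": {"10:20:30:40:50:60"},
}


def find_suspicious_aps(scan, known_aps):
    """Return (ssid, bssid, reason) triples for access points matching the
    Evil Twin pattern: a trusted SSID from an unknown BSSID, or an open AP
    sharing its SSID with an encrypted one."""
    by_ssid = defaultdict(list)
    for ssid, bssid, sec in scan:
        by_ssid[ssid].append((bssid.lower(), sec.upper()))

    findings = []
    for ssid, aps in by_ssid.items():
        mixed_security = len({sec for _, sec in aps}) > 1
        for bssid, sec in aps:
            reasons = []
            if ssid in known_aps and bssid not in known_aps[ssid]:
                reasons.append("unknown BSSID for a previously trusted SSID")
            if mixed_security and sec == "OPEN":
                reasons.append("open network sharing the name of a protected one")
            if reasons:
                findings.append((ssid, bssid, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in find_suspicious_aps(SAMPLE_SCAN, KNOWN_APS):
        print(f"SUSPICIOUS {ssid!r} {bssid}: {reason}")
```

The open hotspot created from scratch (the second method) matches nothing here by design, since it imitates no known network; that case is exactly where the user-side habits described in the closing paragraphs matter.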