Hack:
You have probably seen wireless hotspots; they are everywhere, run by T-Mobile, Concourse, Wayport and others, and mobile users in public places connect to them quickly. Some hotspots are free, others require a subscription. In public places these Wi-Fi hotspots are among the greatest security risks we find.


Stealing Wi-Fi Hotspot credentials:
In Russia, a hacker once stole the usernames and passwords of dial-up accounts and sold them on the black market, and the owners of the stolen credentials were left paying high charges. With the addition of public Wi-Fi locations, the threat of credential theft has increased, and now wireless subscription credentials are stolen as well.
The easiest way to steal wireless subscription credentials is AP phishing. The practical reality today is that an end user decides a wireless access point is valid by recognizing the SSID and judging whether the site has the look and feel of the real public Wi-Fi hotspot login page. Both of these can be spoofed for the end user (no ordinary network connection is needed), and you do not need to carry a wireless access point around to do it.
Steps to perform this technique:
  • First, set up your computer to look like an actual access point broadcasting the appropriate SSID (T-Mobile, Wayport, etc.).
  • Then your PC displays a login page that looks like the original login page of the provider whose SSID you are broadcasting.
It is easy to make your PC broadcast the SSID of your choice so that users connect to you instead of the valid Wi-Fi hotspot. The problem with this method is that users see that it is an ad-hoc network and do not connect to it. Airsnarf from the Shmoo Group solves this by turning the PC into an access point, so the signal appears to come from a real access point.
The difficult part of using Airsnarf and other HostAP programs is finding a card that supports the HostAP drivers. We generally use a Senao NL-2511CD PLUS EXT2 200mW PCMCIA Wi-Fi card with a Rover Portable Laptop Mount 2.4GHz 5.5dBi antenna; both can be purchased from http://www.wlanparts.com/.
Airsnarf consists of a number of configurable files that control how it operates:
  • airsnarf.cfg, used to configure basic Airsnarf functionality
  • airsnarf.cgi, the login page file
With Airsnarf configured with its default settings, it displays a default login page that looks like the following:

This page takes the username and password that are entered and places them in a file where they can be read.
To make this attack work, we have to modify this login page so that it looks the same as the Wi-Fi hotspot provider's login page. Only basic HTML skills are required: it is not difficult to go to the T-Mobile, Wayport, STSN, Concourse or any other hotspot provider's site and copy and paste their graphics to make the fake login page look real.

After configuring Airsnarf and creating the fake login page, the attack can be launched. It works in any public place where people use their laptops: airports, coffee shops, parks. To launch the attack, activate Airsnarf by running the ./airsnarf command. Below you can see what happens after the attack is launched.
Airsnarf being launched and waiting for a connection
Here, an end user who attempts to connect to the hotspot sees the SSID that was entered in the airsnarf.cfg file and uses their PC to connect to the network. After launching their browser, they are asked to enter their username and password.
Windows Zero Config showing the T-Mobile HotSpot being broadcast by Airsnarf

Fake Walled Garden/Login Page presented by Airsnarf
If the user enters their username and password and clicks the login button, the credentials are sent to the hacker, who can then use them. Many of us keep the same username and password for all accounts so that we can remember them; once the hacker has your username and password, they can access your e-mail, your online banking and so on.

Example of credentials entered into Airsnarf AP Phishing Site and dumped to a file
You can also vary the above trick by changing the SSID to "Free Public Wi-Fi", and at that point change the login page as shown below.
Many users will fall for this trick, and their accounts can be accessed.
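The defensive counterpart of the technique described above is spotting the impostor before anyone connects to it. The following is an added example, not part of the original post and not code from Airsnarf or any provider: it takes Wi-Fi scan records (SSID, BSSID, mode, channel) in a constructed shape, compares them against a hypothetical per-site inventory of legitimate BSSIDs, and flags the three patterns the post describes: a known SSID coming from an unknown BSSID, a hotspot SSID advertised as an ad-hoc network, and a generic "Free Public Wi-Fi" lure. All addresses and SSIDs are constructed sample data.

```python
"""Evil-twin / rogue hotspot detection over Wi-Fi scan results.

Added example; assumes a scan export with one record per beacon seen and a
site inventory (SSID -> legitimate BSSIDs). BSSIDs below are made up.
"""
from collections import defaultdict

# Constructed inventory a provider or corporate IT could publish for a site.
KNOWN_APS = {
    "tmobile": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed scan records as a client at the site might log them.
SCAN = [
    {"ssid": "tmobile", "bssid": "00:11:22:33:44:01", "mode": "infra", "channel": 6},
    {"ssid": "tmobile", "bssid": "00:11:22:33:44:02", "mode": "infra", "channel": 11},
    # same SSID from a BSSID not in the inventory: a PC running in HostAP mode
    {"ssid": "tmobile", "bssid": "aa:bb:cc:dd:ee:01", "mode": "infra", "channel": 1},
    # the ad-hoc variant the post mentions
    {"ssid": "tmobile", "bssid": "aa:bb:cc:dd:ee:02", "mode": "adhoc", "channel": 1},
    # the "Free Public Wi-Fi" lure: a name no operator in the inventory owns
    {"ssid": "Free Public Wi-Fi", "bssid": "aa:bb:cc:dd:ee:03", "mode": "infra", "channel": 6},
    # an unrelated network that is simply not in the inventory
    {"ssid": "coffeeshop-guest", "bssid": "00:aa:bb:cc:dd:ee", "mode": "infra", "channel": 11},
]


def classify(records, known=KNOWN_APS):
    """Return (bssid, ssid, reason) findings for beacons that look like impostors."""
    findings = []
    for r in records:
        ssid, bssid, mode = r["ssid"], r["bssid"].lower(), r["mode"]
        lowered = ssid.lower()
        if mode == "adhoc":
            # Real hotspots are infrastructure networks; an ad-hoc beacon with a
            # hotspot name is a laptop pretending to be one.
            findings.append((bssid, ssid, "ad-hoc network advertising a hotspot SSID"))
        elif ssid in known and bssid not in known[ssid]:
            findings.append((bssid, ssid, "known SSID from a BSSID not in the inventory"))
        elif lowered.startswith("free") and "wi-fi" in lowered:
            findings.append((bssid, ssid, "generic 'free' SSID with no known operator"))
    return findings


def suspicious_bssids(records, known=KNOWN_APS):
    """Sorted, de-duplicated list of BSSIDs a client should refuse to join."""
    return sorted({f[0] for f in classify(records, known)})


def per_ssid_bssids(records):
    """Helper for reporting: which BSSIDs claim each SSID in the scan."""
    seen = defaultdict(set)
    for r in records:
        seen[r["ssid"]].add(r["bssid"].lower())
    return {ssid: sorted(bssids) for ssid, bssids in seen.items()}


if __name__ == "__main__":
    for bssid, ssid, reason in classify(SCAN):
        print(f"{bssid}  {ssid!r:22}  {reason}")
```

The inventory check only works where someone maintains the inventory, which is why the post's later recommendation of a client that validates the hotspot for the user matters; the ad-hoc and "free" heuristics need no inventory and can run in any client.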

Malicious Websites & Browser Exploits:
Given the knowledge of the aforementioned exploits, a creative combination could be had. What if the walled garden/login page in the previous exploit actually contained code that would exploit a user's machine? That way an attacker could gain access to an end-user system just by that user attempting to connect to what they believe is a valid Wi-Fi hotspot. An exploit that could take advantage of this is Microsoft's relatively recent Create Text Range vulnerability. All a hacker would need to do is copy the malicious code into the login page and every person who connected to that hotspot could potentially be exploited.

Part of the actual code that could be inserted into a webpage to automatically download and run a malicious executable on the victim's machine just by that user viewing the webpage.

That would be "cool," but we're going to take it a step further. What if people who were currently connected to the hotspot were "forced" to view a malicious page, regardless of the URL they entered into their browser? That would be "cooler!"
This hack contains the following steps:
  • Creating a malicious webpage and serving it up on a laptop
  • Redirecting traffic at a Public Wi-Fi Hotspot to that malicious webpage running on the laptop
  • As the victim is redirected and the malicious page is viewed, a browser-based exploit is run which gives the hacker a live command shell (c:\) on the victim's machine
So, the hacker goes to a public Wi-Fi hotspot and connects to the network. He then launches Metasploit to create the malicious webpage and serve it up.

Commands to use Microsoft's Create Text Range vulnerability and to select the option of creating a reverse shell back to the hacker once the exploit is executed
The setting of various options for the exploit
With all options set properly, the web page is served up and ready to exploit the machine by running the "exploit" command
Now that there's a machine on the hotspot network running a malicious webpage, it's necessary to redirect traffic destined for the Internet to that website.
Run the arpspoof command to redirect traffic destined for the Internet to the malicious webpage.
Running dnsspoof, you can see that a user attempted to go to foxnews.com but was redirected to the malicious webpage.
This is the page that contains the malicious content that will enable a hacker to connect to the victim machine via Netcat. This page appears regardless of the URL entered by the end-user. This page could look like and say anything.
The hacker then launches Netcat. The C:\ is on the victim's machine which is real bad news for the victim. FYI - Windows XP Firewall and Symantec AV were running the entire time.
If you didn't want to go to a public Wi-Fi hotspot and serve-up the webpage, you could just host the website somewhere and send out e-mails trying to convince people to go to the site. With Metasploit, for example, the payload doesn't have to be a reverse shell, you can have the malicious webpage download and execute a malicious file. Perhaps that malicious file would install a Trojan, Keylogger, or other Malware.
Examples of possible Metasploit Payloads for ie_createtextrange exploit.
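The redirection step in this hack (arpspoof claiming the gateway's IP, dnsspoof answering every name with the laptop's address) leaves a recognizable trace on the victim's own host. The following is an added example, not part of the original post and not code from Metasploit or the dsniff tools: it runs two checks over constructed event streams a host-based monitor could collect, ARP replies as (ip, mac) pairs and DNS answers as (name, ip) pairs, and reports a gateway IP claimed by more than one MAC and a private answer IP that many unrelated names suddenly resolve to. The gateway address, MACs and answer addresses are all constructed.

```python
"""Host-side detection of ARP-cache poisoning and DNS answer spoofing.

Added example; assumes a monitor that logs ARP replies and DNS answers in the
tuple shapes used below. All addresses are constructed sample data.
"""
import ipaddress
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"

# Constructed ARP replies observed on the hotspot network, in arrival order.
ARP_LOG = [
    ("10.0.0.1", "00:11:22:33:44:55"),
    ("10.0.0.23", "00:aa:bb:cc:dd:01"),
    ("10.0.0.1", "00:11:22:33:44:55"),
    ("10.0.0.1", "DE:AD:BE:EF:00:01"),  # gateway IP now claimed by a second MAC
    ("10.0.0.1", "de:ad:be:ef:00:01"),
]

# Constructed DNS answers seen by the same host after redirection began.
DNS_LOG = [
    ("www.example.com", "93.184.216.34"),
    ("foxnews.com", "10.0.0.77"),
    ("mail.example.org", "10.0.0.77"),
    ("update.example.net", "10.0.0.77"),
]


def arp_conflicts(arp_log, watch_ips=(GATEWAY_IP,)):
    """Map each watched IP to every MAC that claimed it; more than one is a conflict.

    A legitimate gateway keeps one MAC for the life of the session; a second
    claimant for the same IP is what arpspoof produces.
    """
    claims = defaultdict(set)
    for ip, mac in arp_log:
        if ip in watch_ips:
            claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def dns_sinkholes(dns_log, min_names=2):
    """Answer IPs on the local network that several unrelated names resolve to.

    Unrelated public domains never share a single RFC 1918 address; when they
    do, something on the LAN is answering DNS for all of them.
    """
    by_answer = defaultdict(set)
    for qname, answer in dns_log:
        by_answer[answer].add(qname)
    return {
        ip: sorted(names)
        for ip, names in by_answer.items()
        if len(names) >= min_names and ipaddress.ip_address(ip).is_private
    }


def redirection_suspected(arp_log, dns_log):
    """True when either indicator fires; a client could drop the session on this."""
    return bool(arp_conflicts(arp_log)) or bool(dns_sinkholes(dns_log))


if __name__ == "__main__":
    print("ARP conflicts:", arp_conflicts(ARP_LOG))
    print("DNS sinkholes:", dns_sinkholes(DNS_LOG))
    print("redirection suspected:", redirection_suspected(ARP_LOG, DNS_LOG))
```

Neither check needs knowledge of the attacker's tooling: the ARP check keys on the gateway address the client already learned from DHCP, and the DNS check keys on the fact that a captive portal redirect is the only legitimate reason for many names to land on one local address, and that only before the user has authenticated.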

Now that we've seen the "cool" and illegal hacks, let's talk about the real purpose of this article - Prevention!

Preventing the Hacks:
There are basically two parts to combating the previous hacks:
  • Taking measures to ensure a hotspot is valid
  • Protecting the machine against browser-based exploits
Ensuring a Hotspot is Valid:
Validating a hotspot is extremely difficult for an end-user to do. In fact, the only realistic method to do so is to use a wireless client designed to work with various hotspots that can use some sort of WISPr check to help ensure the Hotspot is what it says it is. I used T-Mobile in the above example in large part because they are one of the few providers that can utilize this type of functionality. In fact, the best solution I know for enterprises to protect against public hotspot AP Phishing for their mobile users is to use a client such as Fiberlink's e360. Using a client such as this provides two areas of protection:
  1. The hotspot signal itself can be validated
  2. The end-user doesn't enter their credentials into a webpage which can be faked. They select a signal with the client and enter the credentials in that client.
Note that in the below graphic, a valid T-Mobile HotSpot is displayed as "Fiberlink Wireless Premium Powered by T-Mobile" as opposed to just "tmobile." That is because the client has determined that the particular hotspot in question is, in fact, a valid T-Mobile HotSpot. If it were not a valid hotspot, the SSID would simply be displayed as it is being broadcast.
Client-based solution that helps mitigate risk by helping to validate a hotspot.
As mentioned in the second point, the user enters their credentials into the client not into a web-based form. For many obvious reasons, this is significantly more secure. With this particular client, both the username and password are immediately encrypted with 256-bit AES.
The entering of credentials into a client as opposed to an easily spoofed webpage.
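The post says the client uses "some sort of WISPr check" without detail. One plausible form of such a check, written here as an added example that is not Fiberlink's or T-Mobile's code, is to refuse to submit credentials unless the portal page carries a WISPr redirect block whose LoginURL is HTTPS on a host the client already trusts for that provider. WISPr 1.0 gateways embed that block as XML inside an HTML comment (WISPAccessGatewayParam / Redirect / MessageType / ResponseCode / LoginURL); a copied look-alike page, like the one Airsnarf serves, has no such block, or has one pointing at the phishing laptop. The trusted host and the three pages below are constructed.

```python
"""Client-side validation of a hotspot login page via its WISPr redirect block.

Added example; assumes the WISPr 1.0 layout (XML in an HTML comment) and a
per-provider allowlist of login hosts the client ships with. The host name
and the sample pages are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed allowlist: provider -> hosts whose LoginURL the client will accept.
TRUSTED_LOGIN_HOSTS = {"tmobile": {"login.example-provider.test"}}

# Constructed page from a legitimate gateway.
GOOD_PAGE = """<html><head><title>Hotspot Login</title></head><body>
<!--
<?xml version="1.0" encoding="UTF-8"?>
<WISPAccessGatewayParam xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Redirect>
<MessageType>100</MessageType>
<ResponseCode>0</ResponseCode>
<AccessProcedure>1.0</AccessProcedure>
<LocationName>Constructed Airport Lounge</LocationName>
<LoginURL>https://login.example-provider.test/auth</LoginURL>
</Redirect>
</WISPAccessGatewayParam>
-->
<h1>Welcome</h1></body></html>"""

# Constructed copy-and-paste look-alike: same graphics, no WISPr block.
LOOKALIKE_PAGE = """<html><body><img src="logo.gif"><form method="post">
<input name="username"><input name="password" type="password"></form></body></html>"""

# Constructed page that copied the block too, but points LoginURL at the laptop.
SPOOFED_WISPR_PAGE = GOOD_PAGE.replace(
    "https://login.example-provider.test/auth", "http://10.0.0.77/login")


def extract_wispr(html):
    """Return the Redirect element's children as a dict, or None if absent."""
    m = re.search(r"<WISPAccessGatewayParam.*?</WISPAccessGatewayParam>", html, re.S)
    if not m:
        return None
    root = ET.fromstring(m.group(0))
    redirect = root.find("Redirect")
    if redirect is None:
        return None
    return {child.tag: (child.text or "").strip() for child in redirect}


def validate_login_page(html, provider, trusted=TRUSTED_LOGIN_HOSTS):
    """(ok, detail): ok is True only if credentials may be sent to detail's URL."""
    params = extract_wispr(html)
    if params is None:
        return (False, "no WISPr block: cannot distinguish this page from a copied look-alike")
    # MessageType 100 / ResponseCode 0 is the initial redirect in WISPr 1.0.
    if params.get("MessageType") != "100" or params.get("ResponseCode") != "0":
        return (False, "not a WISPr redirect message")
    url = urlparse(params.get("LoginURL", ""))
    if url.scheme != "https":
        return (False, "LoginURL is not HTTPS")
    if url.hostname not in trusted.get(provider, set()):
        return (False, f"LoginURL host {url.hostname!r} is not a known {provider} login host")
    return (True, params["LoginURL"])


if __name__ == "__main__":
    for name, page in [("good", GOOD_PAGE), ("lookalike", LOOKALIKE_PAGE),
                       ("spoofed", SPOOFED_WISPR_PAGE)]:
        print(name, validate_login_page(page, "tmobile"))
```

The allowlist only means something because the next step, posting to that HTTPS LoginURL, verifies the server's certificate for the allowed host; a laptop broadcasting the SSID can copy the XML, but it cannot present a valid certificate for the provider's login host. That is the property the post's "enter the credentials in the client" advice rests on, and it is also why a browser-rendered login form, where the user never checks the certificate, is the weak point.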
Protecting the Machine Against Browser-based Exploits:
As with many exploits, the key is to have the mobile device be protected at all times. To protect against these exploits, the mobile device needs to:
  • Have the latest security patches installed. This is increasingly difficult to do for corporations as laptops are spending less and less of their time connected to the corporate LAN. This is bad, since many corporations can only push patches to machines when they are on the LAN. Consequently, corporations need to employ solutions that can push patches down to mobile devices anytime they are connected to the Internet and without end-user interaction.
  • Be restricted from surfing the Internet or connecting wirelessly if they do not have the latest patches. This makes sense. If you are not secure enough to surf the Internet or connect to wireless hotspots, because you do not have a necessary patch, you shouldn't be able to do so. In essence, you need to protect yourself from yourself. For corporations, they are beginning to look at functionality such as Cisco NAC to help with this. Unfortunately, Cisco NAC only quarantines on the LAN or Post-VPN. It won't analyze the security posture of the mobile device or quarantine it if it doesn't have the necessary patches until it is essentially too late. That's why corporations need to implement solutions that will quarantine and remediate devices while the device is mobile, not just when they are VPNing into the corporate network. The logic for assessing the security posture and for quarantining needs to be on the endpoint itself!
  • Employ a program to protect against Zero Day type of attacks such as a Personal Firewall with IPS capabilities. As an example, even if the above machine weren't patched, ISS' Proventia would protect a machine against the aforementioned browser exploit.

Conclusion:
I hope you've seen how easy it is to trick and exploit users when they are in a wireless environment. I also hope that in seeing how these exploits actually take place and seeing how to help prevent them, you and your corporation are better protected.
Special thanks to the Metasploit Project and the Shmoo Group. The use of your tools in explaining how the exploits are performed and the work you have put into the development of these tools is invaluable and appreciated.
