All is not what it appears to be (A high school demo)

Background

Recently, I spoke to a local group of high school juniors about the “real” Internet world. It was a fun talk where I covered a variety of topics from: “Nothing is truly anonymous” to “Everything you put on the Interwebs will be around for ever”…and other things. But I didn’t want to do a PowerPoint and bore them to death. I wanted something to grab the students and kinda shake them up but in a safe way. Didn’t want to truly hack their devices or embarrass them or anything. So, I thought about the requirements for the “demo”:

  1. Had to be easily understood by non-technical people. Although most high school juniors know more about tech stuff than I, my experience is that their understanding of that gear is mainly at the “user” level. I didn’t want to spend all my time explain the OSI model and other boring CISSP stuff like that. I also didn’t have that much time to present so the demo had to be quick and 100%.
  2. Had to be real world. Didn’t want to present on some esoteric vulnerability in Lotus Notes that only worked if you had version 1.2.3 and Mars and Venus were aligned.
  3. Had to have a 1 – 2 punch. If you have been around teenagers or were ever a teenager you know one fact: Teenagers know everything. I wanted this to have a sneaky component to it so that even when they thought they knew it all, I could surprise them at the end.
  4. Had to have something they could do. I remember high school. Heck, I remember every single boring presentation/demo/meeting I’ve gone to. I didn’t want this to be that. I wanted them to come away with something they could tell their friends to do/not to do.
  5. Had to be safe. My scope for this preso was to demo the tech not to actually exploit devices or steal data. I wanted no way for this demo to accidentally cause harm.

The Setup

With those requirements, I thought about what kinds of things a teenager could relate to/appreciate. Their phones came to mind immediately. So, what about attacking them? Bluetooth? Wifi? Something else? Hmm…wifi.

I remember about the “Evil Twin” wifi attack. If only I could make it safe so I didn’t steal creds from their devices. Oh, for those that didn’t follow the link and don’t know, the evil twin wifi attack is where an attacker (moi) deploys a rogue/unauthorized wifi Access Point (AP) and then tricks your devices to attach to it. My AP will proxy your data to the Internet and steal credentials while doing so. There are other variations too but that is the main gist:

  1. Set up unauthorized AP
  2. Get victims to connect to it
  3. Proxy their traffic
  4. Steal creds

I decided this would work well. Here is what I did:

  1. I burned a bootable DVD of Kali Linux (http://www.kali.org/)
  2. Booted a laptop using the DVD
  3. The aircrack-ng application suite for attacking wifi devices is already installed in Kali. I used the airbase-ng application to set up the fake APs.
  4. I needed to put my wifi card into monitor mode for this to work so I ran airmon-ng start wlan0.
  5. I launched 2 terminals and put them side by side. One I set up an AP named “PANERA” and the other had one named “FBIBlueVan” (for fun).  The airbase commands are airbase-ng -e [APName] -v [Interface] -a [MACAddressofAP]. So for the PANERA AP: airbase-ng -e PANERA -v wlan0mon -a 00:ca:fe:c0:ff:ee

A bash script to set all this up in one terminal is:

#!/bin/bash 
echo "Putting Wlan In Monitor Mode..."

airmon-ng start wlan0 # creates interface mon0
airmon-ng start wlan0 # creates interface mon1 

echo "Starting Fake Panera AP" 
airbase-ng -e PANERA -v mon0 -a 00:ca:fe:c0:ff:ee & 
echo "Starting Fake FBI AP" 
airbase-ng -e FBIBlueVan -v mon1 -a 00:de:ad:be:ef:00 &

The (Safe) Execution

As I mentioned above, this had to be safe. I didn’t want to exploit anyone…just teach that everything is not always what you think. My solution? Set up the APs but no DHCP servers for the clients. So, their devices would connect to the APs but would not get an IP address and therefore couldn’t “talk” on the fake APs. Plus I didn’t run anything to grab creds or record traffic.

The Script

I had already started both fake APs when the students filed into the room I was in. They dutifully sat down and stared blankly at me.

“Hello everyone. My name is Micah Hoffman and I’m an information security engineer. I work as a security tester testing web applications, systems and other devices for security weaknesses. I exploit the vulnerabilities in the target systems and then write a report that I give to my customer so that they can take the appropriate actions.”

Did I see someone yawn? OMG.

“I’m guessing some of you may have MP3 players, tablets, phones or devices with you that can connect to wifi networks yes?”

At this point I received some hesitant nods from the students. Excellent.

“If you have any device that can connect to a wifi network, please take it out and look at what wifi networks are in your school.”

And now the “Are you kidding us?” looks were thrown at me. I reassured them that I was an “ethical” hacker, a good guy and, if I really had prepared for it and wanted to be “that goofy, nerdy hacker dude”, I would have taken out my DerbyCon white hat and put it on to show that I was not a bad guy. But I didn’t.

“What networks do you see that you could connect to?”

Students shouted out “PANERA” and then laughed at the “FBIBlueVan” AP. I then explained how the evil twin attack worked and also how I made this demo safe (heard some audible sighs then).

I continued into the meat of my talk which was essentially, “you cannot trust everything in the computer-world.” I explained how to protect against evil twin and other wifi attacks.

That 1 – 2 punch

So I finished my talk to the students and explained about how my laptop was being used and how others could do it at Panera and other places…blah blah blah. Then I asked them,

“Did anyone see a network called attwifi in their device?”

No one said they did. Then I explained that the attwifi network is the default for most AT&T devices (http://goo.gl/YnkbC8) and that while I was giving the presentation, I had a PwnPlug broadcasting that network to their devices (the plug had no uplink and was not configured to store creds). While I was talking, I could have stolen their data from their phones and tablets. I told them,

“However smart you are. However much you think you understand…there is always someone smarter than us and there is always more to learn.”

One thought on “All is not what it appears to be (A high school demo)

Comments are closed.

A WordPress.com Website.

Up ↑

%d bloggers like this: