Recently, I spoke to a local group of high school juniors about the “real” Internet world. It was a fun talk where I covered a variety of topics from “Nothing is truly anonymous” to “Everything you put on the Interwebs will be around forever”…and other things. But I didn’t want to do a PowerPoint and bore them to death. I wanted something to grab the students and kinda shake them up, but in a safe way. I didn’t want to truly hack their devices or embarrass them or anything. So, I thought about the requirements for the “demo”:
- Had to be easily understood by non-technical people. Although most high school juniors know more about tech stuff than I do, my experience is that their understanding of that gear is mainly at the “user” level. I didn’t want to spend all my time explaining the OSI model and other boring CISSP stuff like that. I also didn’t have that much time to present, so the demo had to be quick and work 100% of the time.
- Had to be real world. Didn’t want to present on some esoteric vulnerability in Lotus Notes that only worked if you had version 1.2.3 and Mars and Venus were aligned.
- Had to have a 1 – 2 punch. If you have been around teenagers or were ever a teenager you know one fact: Teenagers know everything. I wanted this to have a sneaky component to it so that even when they thought they knew it all, I could surprise them at the end.
- Had to have something they could do. I remember high school. Heck, I remember every single boring presentation/demo/meeting I’ve gone to. I didn’t want this to be that. I wanted them to come away with something they could tell their friends to do/not to do.
- Had to be safe. My scope for this preso was to demo the tech not to actually exploit devices or steal data. I wanted no way for this demo to accidentally cause harm.
- Set up unauthorized AP
- Get victims to connect to it
- Proxy their traffic
- Steal creds
- I burned a bootable DVD of Kali Linux (http://www.kali.org/)
- Booted a laptop using the DVD
- The aircrack-ng application suite for attacking wifi devices is already installed in Kali. I used the airbase-ng application to set up the fake APs.
- I needed to put my wifi card into monitor mode for this to work so I ran airmon-ng start wlan0 twice to create one interface for each wifi network.
- I launched 2 terminals and put them side by side. In one I set up an AP named “PANERA” and in the other one named “FBIBlueVan” (for fun). The airbase-ng syntax is airbase-ng -e [APName] -v -a [MACAddressOfAP] [MonitorInterface], where -e sets the network name, -a sets the fake AP’s BSSID, -v turns on verbose output and the monitor interface is the trailing positional argument (it can also be placed between the options, as below). So for the PANERA AP: airbase-ng -e PANERA -v mon0 -a 00:ca:fe:c0:ff:ee
```bash
#!/bin/bash
echo "Putting wlan0 in monitor mode..."
airmon-ng start wlan0   # creates interface mon0
airmon-ng start wlan0   # creates interface mon1 (a second monitor interface for the second AP)
echo "Starting fake PANERA AP"
# -e sets the ESSID, -a sets the fake AP's BSSID, -v enables verbose output;
# the monitor interface (mon0 / mon1) is the positional argument
airbase-ng -e PANERA -v mon0 -a 00:ca:fe:c0:ff:ee &
echo "Starting fake FBI AP"
airbase-ng -e FBIBlueVan -v mon1 -a 00:de:ad:be:ef:00 &
```
The (Safe) Execution
“Hello everyone. My name is Micah Hoffman and I’m an information security engineer. I work as a security tester testing web applications, systems and other devices for security weaknesses. I exploit the vulnerabilities in the target systems and then write a report that I give to my customer so that they can take the appropriate actions.”
Did I see someone yawn? OMG.
“I’m guessing some of you may have MP3 players, tablets, phones or devices with you that can connect to wifi networks yes?”
At this point I received some hesitant nods from the students. Excellent.
“If you have any device that can connect to a wifi network, please take it out and look at what wifi networks are in your school.”
And now the “Are you kidding us?” looks were thrown at me. I reassured them that I was an “ethical” hacker, a good guy and, if I really had prepared for it and wanted to be “that goofy, nerdy hacker dude”, I would have taken out my DerbyCon white hat and put it on to show that I was not a bad guy. But I didn’t.
“What networks do you see that you could connect to?”
Students shouted out “PANERA” and then laughed at the “FBIBlueVan” AP. I then explained how the evil twin attack worked and also how I made this demo safe (heard some audible sighs then). Then I went into the meat of my talk. I did explain how to protect against evil twin and other wifi attacks.
That 1 – 2 punch
“Did anyone see a network called attwifi in their device?”
No one said they did. Then I explained that the attwifi network is the default for most AT&T devices (http://goo.gl/YnkbC8) and that while I was giving the presentation, I had a PwnPlug broadcasting that network to their devices (the plug had no uplink and was not configured to store creds). While I was talking, I could have stolen their data from their phones and tablets. I told them,
“However smart you are. However much you think you understand…there is always someone smarter than us and there is always more to learn.”
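As an added example (not from the original post), here is the kind of check I would show on the defensive side of the talk: it parses the output of `iw dev wlan0 scan`, flags SSIDs that are being advertised with mixed security (airbase-ng’s default fake AP is open, so an evil twin of a WPA2 network shows up that way), and lists open networks whose names match ones a device remembers, which is exactly why a phone will silently join a fake attwifi. The scan text is constructed; the two BSSIDs from the airbase-ng commands above are reused, and the HS-Student network and the other BSSIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of `iw dev wlan0 scan` output (not captured data).
# 00:ca:fe:c0:ff:ee / 00:de:ad:be:ef:00 are the fake APs from the demo script;
# the HS-Student network and the remaining BSSIDs are invented for this example.
SCAN_OUTPUT = """\
BSS 02:11:22:33:44:55(on wlan0)
\tSSID: HS-Student
\tRSN:\t * Version: 1
BSS 00:ca:fe:c0:ff:ee(on wlan0)
\tSSID: PANERA
BSS 00:de:ad:be:ef:00(on wlan0)
\tSSID: FBIBlueVan
BSS 02:66:77:88:99:aa(on wlan0)
\tSSID: HS-Student
BSS 02:bb:cc:dd:ee:ff(on wlan0)
\tSSID: attwifi
"""

def parse_scan(text):
    """Return {bssid: (ssid, encrypted)}; a BSS is 'encrypted' if it carries an RSN/WPA element."""
    nets, bssid, ssid, enc = {}, None, None, False
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:
            if bssid:
                nets[bssid] = (ssid, enc)
            bssid, ssid, enc = m.group(1), None, False
        elif line.strip().startswith("SSID: "):
            ssid = line.strip()[6:]
        elif line.strip().startswith(("RSN:", "WPA:")):
            enc = True
    if bssid:
        nets[bssid] = (ssid, enc)
    return nets

def evil_twin_candidates(nets):
    """SSIDs advertised by several BSSIDs that disagree on security: the classic evil twin."""
    modes = defaultdict(set)
    for ssid, enc in nets.values():
        modes[ssid].add(enc)
    return sorted(s for s, seen in modes.items() if len(seen) > 1)

def risky_open_networks(nets, remembered):
    """Open networks whose name a device already trusts; it will auto-join any BSSID using it."""
    return sorted({s for s, enc in nets.values() if not enc and s in remembered})

if __name__ == "__main__":
    nets = parse_scan(SCAN_OUTPUT)
    print("possible evil twins:", evil_twin_candidates(nets))
    print("remembered open SSIDs in range:", risky_open_networks(nets, {"attwifi", "PANERA", "HS-Student"}))
```

The remedy the flags point at is the one from the talk: forget open networks like attwifi so the device stops auto-joining them, and treat a known WPA2 network that suddenly appears open as a fake.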