Everyone is advertising free WiFi nowadays as a way to lure customers in. What these customers might not known is if the hotspot they are connecting to is genuine. It could be a Rogue AP setup by a malicious party in order to sniff your traffic. They provide you with free internet access and you provide them with all your network traffic. Below is an example on how it can work.
You may think it would be super complex in order for these malicious parties to set this up but you would be wrong. Useful tools such as Wifi-Pumpkin make life so much easier. Below is a few steps on how you can set it up yourselves.
What you will need:
– Ethernet connection or 2nd Wireless Adapter: Connected with internet access
– Wireless adapter for the AP: I use the ALFA AWUS036NHA
– Running a Linux distro: Advised to use either Kali or Parrot OS
In this demonstration, I will be using Parrot OS which comes with a bunch of tools already installed. What it doesn’t come with is Wifi-Pumpkin but I will go through how to install. I find the easiest method is to use ‘git clone’:
git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
sudo chmod +x installer.sh
sudo ./installer.sh –install
You should then be able to start WP with: sudo wifi-pumpkin
If you jump straight to the settings tab, you can see WP does all the hard work for you.
If you want to spin up an AP quickly, you just need to give it a name (SSID) and select the wireless adapter (Not the adapter providing the internet access).
Once you are good, click Start and wait for a client to join. If you are testing at home, connect using your phone or laptop.
Once they or you have connected to the AP you will see their client under ‘Home’.
Once they have connected, you should start to see their traffic under the Monitor tab.
With SSLStrip and DNS2Proxy running, you should start to see HTTPS traffic.
SSLStrip is a very useful tool and helps break down HTTPS traffic.
How it works: https://www.youtube.com/watch?v=MFol6IMbZ7Y
The malicious party will most likely be running multiple tools instead of just WiFi-Pumpkin. They will most likely be running tools such as WireShark or Ettercap in order to sniff huge amounts of traffic. Again, if you are using Parrot or Kali, these tools are already pre-installed. The more traffic your sniff, the more likely you are to find something of worth.
This is just the basic steps to setting up a Rogue AP. If a malicious party really wanted to capture sensitive traffic, they could be using tools for captive portals, Phishing, DNS poisoning and site cloning.
It might not be just your traffic they are interested in. They might be looking to directly attack your client. If they monitor your traffic, they will start to see how your client is interacting with the web. If they are seeing Outlook, Zscaler, Symantec, McAfee traffic and any other application traffic, they can be certain your client is running that product. If they know this, they can start to look for vulnerabilities in that software in order to gain access to your data.
They may do a simple Nmap on your client in order to see open services and ports or use a vulnerability scanner such as OpenVas. This is also included in Parrot and Kali and is a free tool to use. Here is how to set it up:
Sudo openvasmd –user=admin –new-password=*Pick a Password*
Once started, open Firefox and enter: Https://127.0.0.1:9392/
You can then enter ‘admin’ and the password you chose above.
To run a quick scan, under the Tasks page there will be a purple wand. Click this for a quick scan. Enter the IP or range and let it do it’s thing.
Once ran, it should start to show you potential attack points. Again, this is very basic, there is a lot more you can do with these tools. It’s important to remember, only do this if you have been granted permission to do so or if you are attacking yourself.